Skip to main content
Unix & Linux

Return to Revisions

3 of 3
Insert prompt that isn't read as a comment, so that entered & outputted lines are distinct
Michael Homer
Michael Homer
  • 78.9k
  • 17
  • 221
  • 239

There are several possibilities, all depending on the exact parameters of your situation right now. I'm going to assume Linux in the following examples where applicable, but similar functionality exists on other platforms in most cases.

  • You might be able to get the dynamic loader to run an executable for you. Assuming cat is dynamically-linked, your platform's equivalent of /lib/ld-linux.so.2 will likely also be in memory and thus usable to run a binary:

     $ /lib64/ld-linux-x86-64.so.2 ./chmod
 chmod: missing operand

You may have multiple of these (32- and 64-bit are likely) and there may be multiple copies available, or symlinks that need resolving. One of those may work.

  • If you have a mounted vfat or NTFS filesystem, or another that treats all files as 777, you can create your executable on there.

     $ cat > /mnt/windows/chmod < /dev/tcp/localhost/9999

  • If you have a mounted network filesystem, even if it's not locally writable, you can create files on the remote system and use those normally.

  • If there's a mounted partition you don't care about the contents of, on a drive that is still mostly working, you can replace the contents with a new image of the same filesystem type containing executables you want - cat should be fine for this in the role people usually use dd for, and you can provide the image over the network.

     $ cat > /dev/sdb1 < ...

This one is plausible, but has a lot of places not to work depending on what exactly is still in memory from that partition.

  • If there is any accessible file that has execute permission on any writable filesystem, you can cat > into it to replace the contents with a binary of your choosing.

     $ cat > ~/test.py < ...

  • Since Bash is still running, you could dynamically load a Bash plugin into the process that exposes chmod. In particular, you could install and load ctypes.sh, which provides a foreign function interface to Bash, and then dlcall chmod ./netcat 511.

  • You could bring in a dynamic library file foo.so of your construction and then have cat load it on your behalf by way of LD_PRELOAD, allowing you to execute arbitrary code.

     $ LD_PRELOAD=./hack.so cat /dev/null

If you intercept, for example, open:

   <!-- language: lang-c -->

    int open(const char *path, int flags, ...) {
        chmod(path, 0755);
        return -1;
    }

then you can do whatever you need to do in there.

My suggestion would be to bring in a statically-linked busybox executable as the first item (or really, only item) so that you've got the full range of commands available without reusing whatever hack got you to that point to exhaustion.

Michael Homer
  • 78.9k
  • 17
  • 221
  • 239