FwdSh3ll: Forward shell generation framework


FwdSh3ll is a tiny open source framework for crafting forward shells. What is a forward shell? Have you ever been caught in a situation when performing a pentest you discover an RCE vulnerability in a web app but despite that you can’t get a reverse shell no matter how hard you try due to strictly filtered outbound traffic? A forward shell is a scheme of shell interacting with a vulnerable Linux machine based on the named pipes mechanism.

LEGAL DISCLAIMER: FwdSh3ll was written for use in educational purposes only. Using this tool for attacking web servers without prior mutual consistency can be considered as an illegal activity. It is the final user’s responsibility to obey all applicable local, state and federal laws. The author assume no liability and is not responsible for any misuse or damage caused by this tool.

This method of getting a shell is described in a couple of IppSec’s youtube write-ups (Sokar and Stratosphere). The main idea here is to create a named pipe with mkfifo command and tail -f its input to a bash process. The output would go into a regular text file which could be simply cat‘ted. Here is how it looks like:


git clone https://github.com/snovvcrash/FwdSh3ll.git
virtualenv -p python3 venv && . venv/bin/activate
python3 -m pip install -r requirements.txt


pipenv install && pipenv shell


usage: FwdSh3ll.py [-h] [-pp PIPES_PATH] [-b64]

non-interactive mode

optional arguments:
  -h, --help                               show this help message and exit
  -pp PIPES_PATH, --pipes-path PIPES_PATH  set remote path of the named pipes to PIPES_PATH (default: "/dev/shm")
  -b64, --no-base64                        do NOT wrap the final command into Base64 encoding

interactive mode

* Target URL:
    Specify the vulnerable URL to attack.
* Proxy URL (optional):
    Specify proxy if needed.
* Payload:
    Choose required payload from the list.
* Mode (single command vs forward shell):
    Choose required action.

To successfully spawn the forward shell the following stuff should be reachable on the target host:

  • /bin/sh
  • /usr/bin/mkfifo
  • /usr/bin/tail
  • /usr/bin/base64


List of RCE vulnerabilities for which payloads are available (will be expanding):



Copyright (C) 2018 snovvcrash

Source: https://github.com/snovvcrash/