FwdSh3ll is a tiny open source framework for crafting forward shells. What is a forward shell? Have you ever been caught in a situation when performing a pentest you discover an RCE vulnerability in a web app but despite that you can’t get a reverse shell no matter how hard you try due to strictly filtered outbound traffic? A forward shell is a scheme of shell interacting with a vulnerable Linux machine based on the named pipes mechanism.
LEGAL DISCLAIMER: FwdSh3ll was written for use in educational purposes only. Using this tool for attacking web servers without prior mutual consistency can be considered as an illegal activity. It is the final user’s responsibility to obey all applicable local, state and federal laws. The author assume no liability and is not responsible for any misuse or damage caused by this tool.
This method of getting a shell is described in a couple of IppSec’s youtube write-ups (Sokar and Stratosphere). The main idea here is to create a named pipe with mkfifo command and tail -f its input to a bash process. The output would go into a regular text file which could be simply cat‘ted. Here is how it looks like:
git clone https://github.com/snovvcrash/FwdSh3ll.git
virtualenv -p python3 venv && . venv/bin/activate
python3 -m pip install -r requirements.txt
pipenv install && pipenv shell
To successfully spawn the forward shell the following stuff should be reachable on the target host:
List of RCE vulnerabilities for which payloads are available (will be expanding):
- ApacheStruts.py — Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 RCE — CVE-2017-5638 (exploit-db)
- NodejsExpress.py — Node.js deserialization bug for RCE — CVE-2017-5941 (exploit-db)
- ShellShock.py — Bash code injection RCE — CVE-2014-6271
- WebShell.py — Just a web shell
Copyright (C) 2018 snovvcrash