6

Today I was reading the nc man page and stumbled on this command. I know that:

  • mkfifo /tmp/f is creating a named pipe at /tmp/f.

  • cat /tmp/f is printing whatever is written to that named pipe and the output of cat /tmp/f is been piped to /bin/sh

  • /bin/sh is running interactively and stderr is redirected to stdout.
  • `the output is then piped to nc which is listening on port 1234
  • and the out put is finally redirected to the named pipe again.

when run, connecting to the remote server on that port i.e 1234 opens a shell prompt and the client can execute arbitrary commands. But how does it work that way?

The-null-Pointer-
  • 173
  • 1
  • 5

1 Answers1

7

Such a command is taking advantage of IO redirection and and sh interactive mode which is on by default when attached to a TTY.

Note that cat stays open on a FIFO. Thats your first clue. When sh runs all its ever doing is directing its stdout and strerr to the TTY. Instead sh is not attached to a TTY. Normally sh automatically goes into interactive mode when attached to a TTY but since its not the -i option is added. This means it will continue to take input for new commands. The output of those commands is directed to the stdin of nc and the output of nc (which is the commands coming over the network) is redirected to the FIFO.

The FIFO is essentially being used as a named pipe to complete the ring of redirection.

You can think of it more simply as sh and nc are redirecting to each other in a loop. The rest of the command is just fluff.

jdwolf
  • 4,887
  • 1
  • 13
  • 28