Re: Server initiated remote shell

Date: 09/22/01

Subject: Re: Server initiated remote shell
Date: Fri, 21 Sep 2001 18:42:04 -0700

What do you mean when you say you can execute a program on an internal host but there is no way in? I'm not clear if you talking about so-called "firewall-piercing", or do you want to lure someone behind the firewall to visit a malicious web site that will provide you with a shell on their box?

In the first case corkscrew, which tunnels SSH through HTTP proxies, is one of many tools. For the second way, look at the many Microsoft IE and Outlook bugs for Windows clients and you should be able to figure something out. Actually, many times all you need is a little bit of JavaScript. If it's a Unix client, it's a little harder. I generally find there really is "another way in". If not, Netscape and gdb should give you some ideas, depending on the platform, but you may have to bust out a wee bit of asm. Also try Java, see if you can symlink something important to a temp file, stuff like that.

Also, you can use forms to post to URLs using ports other than 80, and craft them in such a way as to send arbitrary data to those ports.

----- Original Message -----
>Let's suppose that I can execute a program on an inside
>host on a network protected by a firewall. There is no
>way in. But there is a way out to www browsing on port
>So the client could connect to any Internet address on
>port 80. What program should it execute to provide me
>with a shell? Of course I'm on the Internet with a
>listener. What listener?
>The firewall is a real stateful firewall, so no TCP
>ACK or ICMP encapsulations.
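The thread above turns on one network property: the firewall allows any outbound connection to port 80 and inspects nothing beyond TCP state, so a shell or an SSH tunnel riding that port looks like web browsing to it. The following is an added example written for this page, not code from either poster, showing the kind of egress triage a defender runs over connection records: it flags port-80 flows whose first client bytes are not an HTTP request line, CONNECT requests sent to hosts that are not known proxies (the corkscrew case), and long-lived, low-volume, two-way sessions typical of interactive use. The `Flow` record layout, the thresholds and the sample flows are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example, not from the thread. Flow records are constructed here;
# a real deployment would fill them from a proxy log or packet capture.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n")
CONNECT_LINE = re.compile(rb"^CONNECT \S+ HTTP/1\.[01]\r\n")

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: float
    bytes_out: int
    bytes_in: int
    first_payload: bytes   # first client-to-server bytes of the stream

def flow_alerts(flow: Flow, proxies: frozenset = frozenset()) -> list:
    # Heuristic alert tags for one outbound flow; empty list means clean.
    alerts = []
    if flow.dport != 80:
        return alerts
    if CONNECT_LINE.match(flow.first_payload):
        # CONNECT only makes sense to a proxy; to any other host it is a tunnel
        if flow.dst not in proxies:
            alerts.append("connect-to-non-proxy")
    elif not HTTP_REQUEST_LINE.match(flow.first_payload):
        alerts.append("non-http-on-80")
    # Interactive sessions: long-lived, low volume, with data in both directions
    if flow.duration_s > 600 and flow.bytes_out + flow.bytes_in < 50_000 \
            and flow.bytes_in > 0:
        alerts.append("long-lived-low-volume")
    return alerts

def triage(flows: list, proxies: frozenset = frozenset()) -> dict:
    # Map "src->dst" to its alert tags, omitting clean flows.
    result = {}
    for f in flows:
        tags = flow_alerts(f, proxies)
        if tags:
            result[f"{f.src}->{f.dst}"] = tags
    return result

SAMPLE_FLOWS = [  # constructed sample records
    Flow("10.0.0.5", "203.0.113.10", 80, 2.1, 900, 48_000,
         b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.20", 80, 1800.0, 4_200, 9_800,
         b"\x1b[?1034hsh-2.05$ "),
    Flow("10.0.0.9", "203.0.113.30", 80, 3.0, 500, 600,
         b"CONNECT 198.51.100.5:22 HTTP/1.0\r\n\r\n"),
]
```

Running `triage(SAMPLE_FLOWS, frozenset({"10.0.0.1"}))` reports the second and third flows and leaves the plain GET alone; a proxy-aware egress rule that only permits CONNECT towards the listed proxies is the matching prevention.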

