request for help - curl | bash exploit PoC - something is not working

<p>See the ~130 lines of code here: <a href="https://github.com/sethgrid/exploit">https://github.com/sethgrid/exploit</a></p> <p>Based on a recent HN post and a top comment, you should be able to get two different outputs from `curl $URL` vs `curl $URL | bash`. The idea that the bash script should be executed line by line and have one line &#34;phone home&#34; causing the next chunked output to be different than if you did not pipe to bash.</p> <p>My problem: when I pipe to bash with the attached code, bash seems to wait to collect the total output before running. It does not run line-by-line. Did I do something wrong? Does this exploit just not work?</p> <p>EDIT/UPDATE: thanks to <a href="/u/eggsampler">/u/eggsampler</a> - the issue was not filling the write buffer. This also shows the original exploit based on timing to be far more elegant than the phone-home liveness check.</p> <hr/>**评论：**<br/><br/>eggsampler: <pre><p>So you missed part of the exploit which is filling up the sendbuffer which means the output isn&#39;t being written to bash before the curl call finishes.</p> <p>This seems to work: <a href="https://pastebin.com/pZzPnD1b" rel="nofollow">https://pastebin.com/pZzPnD1b</a></p></pre>sethammons: <pre><p>Interesting. Makes sense. I thought filling the buffer was part of the timing method as opposed to the phone home method. Thanks!</p></pre>eggsampler: <pre><p>Yes you&#39;re right in that the filling of the buffer is part of the timing method in the original post, but it is also the phone home method by signalling that it has executed the delay. The idea is that,</p> <ul> <li>you send a chunk with a sleep in it and then send enough to wrap over into a second chunk</li> <li>wait to see how long the client takes to read that next chunk</li> <li>if greater than an approximate latency and close to the innocent code with the sleep in it, it means that the client is executing each line in bash so you send the bad payload</li> <li>otherwise send a good payload</li> </ul> <p>This means you don&#39;t need any callback like you are doing which could potentially give yourself away.</p></pre>