Home > Blockchain >  How can I see the same as the client in a socat reverse shell?
How can I see the same as the client in a socat reverse shell?

Time:06-11

I am serving an interactive program to a remote terminal using socat. To start simple I used script.sh below, but it also works fine for the client with bash (for reverse shell), python, vim, irssi, etc.

I want to monitor the client's activity, so I tried the -v option for verbosity on the server side.

Program script.sh:

#!/bin/bash

while read -p 'Tell me something: ' MSG;
do 
    echo "I got $MSG";
done

Server:

socat -v tcp-listen:9099,reuseaddr exec:script.sh,pty,stderr,setsid,sane

Client:

socat tcp-connect:IP:9099 file:$(tty),rawer

It works, but the results are unreadable because of the way how socat generates the verbose output.

What the client sees:

Tell me something: hello
I got hello

socat verbose output on the server side:

< 2022/06/06 00:17:59.920945  length=19 from=0 to=18
Tell me something: > 2022/06/06 00:18:01.716074  length=1 from=0 to=0
h< 2022/06/06 00:18:01.716317  length=1 from=19 to=19
h> 2022/06/06 00:18:01.935165  length=1 from=1 to=1
e< 2022/06/06 00:18:01.935401  length=1 from=20 to=20
e> 2022/06/06 00:18:02.176460  length=1 from=2 to=2
l< 2022/06/06 00:18:02.176874  length=1 from=21 to=21
l> 2022/06/06 00:18:02.303743  length=1 from=3 to=3
l< 2022/06/06 00:18:02.304001  length=1 from=22 to=22
l> 2022/06/06 00:18:02.454156  length=1 from=4 to=4
o< 2022/06/06 00:18:02.454555  length=1 from=23 to=23
o> 2022/06/06 00:18:03.693822  length=1 from=5 to=5
\r< 2022/06/06 00:18:03.694050  length=2 from=24 to=25
\r
< 2022/06/06 00:18:03.694373  length=32 from=26 to=57
I got hello\r

When using with programs with colours and UI - like vim - things get really unusable because of colours and interactivity:

This is vim welcome message on the server side:

                                  .[21;1H~
                    .[22;1H~
      .[m.[38;5;253m.[48;5;234m.[23;1H.[38;5;247m.[48;5;235m[No Name]
                     0,0-1          All.[m.[38;5;253m.[48;5;234m.[6;32HVIM - Vi IMproved.[8;33Hversion 8.1.3741.[9;29Hby Bram Moolenaar et al..[10;21HModified by team [email protected].[11;19HVim is open source and freely distributable.[13;26HBecome a registered Vim user!.[14;18Htype  :help register.[38;5;238m<Enter>.[m.[38;5;253m.[48;5;234m   for information .[16;18Htype  :q.[38;5;238m<Enter>.[m.[38;5;253m.[48;5;234m               to exit         .[17;18Htype  :help.[38;5;238m<Enter>.[m.[38;5;253m.[48;5;234m  or  .[38;5;238m<F1>.[m.[38;5;253m.[48;5;234m  for on-line help.[18;18Htype  :help version8.[38;5;238m<Enter>.[m.[38;5;253m.[48;5;234m   for version info.[1;5H.[?25h> 2022/06/06 01:59:24.565253  length=6 from=0 to=5
.[2;2R> 2022/06/06 01:59:24.565700  length=10 from=6 to=15
.[>0;10;1c

How can I see on the server side something as close as possible to what the client see? I prefer using socat because the next step will be to encrypt it with SSL.

I have tried to pipe it to grep -v "<", mess around with icanon as socat parameter and doing stty -icanon && socat -v tcp-l..., use cut -c 1 and sed 's/\(.\).*/\1/' to extract the first char, but still can't figure a solution.

CodePudding user response:

From Socat version 1.7.4.2 on, there are reasonably working options to get 1:1 copies of the data streams:

-r /path/to/file1  # copy of left-to-right
-R /path/to/file2  # copy of right-to-left

Appearently they did not find their way into the man page, but are shown with socat -h

You still might need to strip the terminal control sequences, or try to pipe the data to less -R or less -r

  • Related