Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

Supports SSH connection on remote Windows 10 machine #1885

Open gpillot opened 3 years ago

gpillot commented 3 years ago

I tried to run a windows executable through SSH and it does not work well. I'm wondering if pwntools supports SSH connection on remote Windows 10 machine?

heapcrash commented 3 years ago

It's not something I've ever tried before.

Can you try running your script with DEBUG on the command line and attaching the output?

e.g. python3 myscript.py DEBUG

gpillot commented 3 years ago

Following is my Python script:

#! /usr/bin/python3
# -*- coding: utf-8 -*-

from pwn import *

s = ssh(host='192.168.0.21', user='myusername', password='mypass')
p = s.run('python -i')

print(p.recvall())
p.interactive()

Following is the output returned by the script.

[+] Opening new channel: 'python -i': Done
[+] Receiving all data: Done (159B)
[*] Closed SSH channel with 192.168.0.21
b'\x1b[2J\x1b[?25l\x1b[m\x1b[H\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\x1b[H\x1b]0;c:\\windows\\system32\\cmd.exe\x07\x1b[?25h\x1b[?25lThe system cannot find the path specified.\r\n\x1b[?25h'
[*] Switching to interactive mode
[*] Got EOF while reading in interactive

With DEBUG mode:

[+] Opening new channel: b'stty raw -ctlecho -echo; cd . >/dev/null 2>&1;python -i': Done
[o] Receiving all data: 103B
[DEBUG] Received 0x67 bytes:
    00000000  1b 5b 32 4a  1b 5b 3f 32  35 6c 1b 5b  6d 1b 5b 48  │·[2J│·[?2│5l·[│m·[H│
    00000010  0d 0a 0d 0a  0d 0a 0d 0a  0d 0a 0d 0a  0d 0a 0d 0a  │····│····│····│····│
    *
    00000030  0d 0a 0d 0a  0d 0a 0d 0a  0d 0a 0d 0a  0d 0a 1b 5b  │····│····│····│···[│
    00000040  48 1b 5d 30  3b 63 3a 5c  77 69 6e 64  6f 77 73 5c  │H·]0│;c:\│wind│ows\│
    00000050  73 79 73 74  65 6d 33 32  5c 63 6d 64  2e 65 78 65  │syst│em32│\cmd│.exe│
    00000060  07 1b 5b 3f  32 35 68                               │··[?│25h│
    00000067
[DEBUG] Received 0x38 bytes:
    00000000  1b 5b 3f 32  35 6c 54 68  65 20 73 79  73 74 65 6d  │·[?2│5lTh│e sy│stem│
    00000010  20 63 61 6e  6e 6f 74 20  66 69 6e 64  20 74 68 65  │ can│not │find│ the│
    00000020  20 70 61 74  68 20 73 70  65 63 69 66  69 65 64 2e  │ pat│h sp│ecif│ied.│
    00000030  0d 0a 1b 5b  3f 32 35 68                            │···[│?25h│
    00000038
[*] Closed SSH channel with 192.168.0.21
b'\x1b[2J\x1b[?25l\x1b[m\x1b[H\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\x1b[H\x1b]0;c:\\windows\\system32\\cmd.exe\x07\x1b[?25h\x1b[?25lThe system cannot find the path specified.\r\n\x1b[?25h'
[*] Switching to interactive mode
[*] Got EOF while reading in interactive

heapcrash commented 3 years ago

Getting this to work will likely require a fair bit of development, as well as require that the user specify context.os = 'windows' (which we already have support for, but we'll need custom logic in the SSH class to support this).

Moreover, much of the existing code for e.g. ssh.process() will require a re-work in order to work at all, as we shell out to Python to get it to work.

Windows users may have to fall back to ssh.run('your program arguments here') since it's unlikely that a Python installation is in %PATH% on a given Windows installation.
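As an added example (not code from the issue or from pwntools), the following decodes the channel output gpillot captured above: it strips the ConPTY/VT control sequences, pulls the window title out of the OSC sequence to confirm the remote shell is cmd.exe, and flags the "cannot find the path specified" error that the POSIX prefix pwntools prepends (`stty ...; cd . >/dev/null 2>&1;`) triggers there. The byte string is reconstructed from the hexdump in the DEBUG log; the function names are the example's own.

```python
import re
from typing import Optional

# Reconstructed from the 159 bytes shown in the issue's DEBUG log: a cmd.exe
# screen reset, 23 blank lines, the window-title OSC, then the error text.
CAPTURED = (
    b"\x1b[2J\x1b[?25l\x1b[m\x1b[H" + b"\r\n" * 23
    + b"\x1b[H\x1b]0;c:\\windows\\system32\\cmd.exe\x07\x1b[?25h"
    + b"\x1b[?25lThe system cannot find the path specified.\r\n\x1b[?25h"
)

# CSI: ESC [ params intermediates final-byte (0x40-0x7e).
CSI = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")
# OSC: ESC ] text, terminated by BEL or by ESC \ (ST).
OSC = re.compile(rb"\x1b\]([^\x07\x1b]*)(?:\x07|\x1b\\)")


def window_title(data: bytes) -> Optional[str]:
    """Return the title set by the first OSC 0/2 sequence, or None if absent."""
    for m in OSC.finditer(data):
        body = m.group(1)
        if body.startswith((b"0;", b"2;")):
            return body.split(b";", 1)[1].decode("utf-8", "replace")
    return None


def strip_vt(data: bytes) -> str:
    """Drop CSI and OSC control sequences and the blank-screen padding."""
    text = OSC.sub(b"", CSI.sub(b"", data))
    return text.replace(b"\r\n", b"\n").strip().decode("utf-8", "replace")


def diagnose(data: bytes) -> dict:
    """Summarise the capture: which shell answered and whether the path error appeared."""
    title = window_title(data)
    plain = strip_vt(data)
    return {
        "title": title,
        "is_cmd_exe": bool(title) and title.lower().endswith("cmd.exe"),
        "text": plain,
        "path_error": "cannot find the path specified" in plain,
    }


if __name__ == "__main__":
    print(diagnose(CAPTURED))
```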