Closed wangyu- closed 1 year ago
Hi @wangyu- ,
thanks for opening this issue and for the detailed explanation.
I haven't tested the python shell upgrade that much, so I can imagine there are still bugs on that end in the upgrade function.
I'm going to do some testing by enabling some debugging options in the tool and check if I'm able to reproduce (and fix) the issue.
I'll update this issue once i do some testing.
After some time of debugging it seems the problem occurs only when you use the IWR (Invoke-WebRequest) powershell function combined with the Upgrade function of ConPtyShell. This basically confuses the automatic socket identification and makes the hijacking fail.
The current logic to upgrade the socket is:
current process socket -> parent process socket -> grandparent process socket
Clearly, when you create a new socket in the current process (through IWR) this breaks some assumptions. A potential fix would be to prefer the parent process as 1st priority to hijack, but that would break other more common scenarios, e.g. starting from a powershell reverse shell instead of a python one.
This will be a won't fix as it's working as expected.
As a workaround, you can download the release version of Conptyshell and run the upgrade from the .NET assembly. Otherwise, if you like powershell, you can download the Invoke-ConPtyShell.ps1 on the machine and then "iex(get-content .\invoke-conptyshell.ps1 -raw); Invoke-ConPtyShell -Upgrade ...", in this way socket collisions are avoided.
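The lookup order above (current process socket, then parent, then grandparent) is the part that matters for the workaround. The following snippet is an added example written for this page, not code from the ConPtyShell project or its author: it walks the same process chain and lists the established TCP sockets each process owns, so you can see which socket an upgrade would meet first. The function name Get-ProcessSocketChain and the Depth parameter are my own; it assumes the NetTCPIP cmdlets (Get-NetTCPConnection, Windows 8 / Server 2012 and later) and CIM access to Win32_Process are available in the shell you are upgrading.

```powershell
# Added example, not part of ConPtyShell. Walks current -> parent -> grandparent
# (the order the maintainer describes) and reports the established TCP sockets
# owned by each process in that chain.
function Get-ProcessSocketChain {
    param(
        [int]$ProcessId = $PID,   # start from the current PowerShell process
        [int]$Depth     = 3       # 0 = current, 1 = parent, 2 = grandparent
    )

    $results    = @()
    $currentPid = $ProcessId
    for ($level = 0; $level -lt $Depth -and $currentPid; $level++) {
        # Win32_Process gives us the parent PID needed to climb the chain
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $currentPid"
        if (-not $proc) { break }

        # Only established connections can be the reverse shell's socket
        $sockets = Get-NetTCPConnection -OwningProcess $currentPid -State Established `
                       -ErrorAction SilentlyContinue
        foreach ($s in $sockets) {
            $results += [pscustomobject]@{
                Level      = $level
                ProcessId  = $currentPid
                Name       = $proc.Name
                LocalPort  = $s.LocalPort
                RemoteAddr = $s.RemoteAddress
                RemotePort = $s.RemotePort
            }
        }
        $currentPid = $proc.ParentProcessId
    }
    return $results
}

# Run this inside the reverse shell before calling -Upgrade. If more than one
# socket shows up at Level 0 (for example one left behind by Invoke-WebRequest
# next to the shell's own), the automatic socket identification can pick the
# wrong one; loading the script from disk, as suggested above, avoids that.
Get-ProcessSocketChain | Format-Table -AutoSize
```

In a python reverse shell the shell's socket normally shows up at Level 1 or Level 2 (python, then the shell that spawned powershell), while anything at Level 0 belongs to the powershell process itself, which is exactly the case the maintainer says confuses the upgrade.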
Hi, thanks for the great work.
I think I might have encountered a small bug while using the -upgrade option.
Reproduce the problem
get a dump shell
First, I am getting a dumb shell, with
nc -l 5003
as server and with this one liner as client:
Now the dumb shell is established successfully.
the suggested command fails
Then I am trying to upgrade the shell using the suggested command in readme.md:
It constantly fails with:
but this hacky command does the upgrade successfully
But I found a trick to make the upgrade successful. If I run the below command (with Invoke-ConPtyShell twice):
Then it succeeds.
Summary
The upgrade fails on this python3 shell with the suggested command.
But it succeeds with running
Invoke-ConPtyShell -Upgrade -Rows 49 -Cols 160;
twice. Would you please take a look at the reason?
Other Information
The suggested upgrade command inside readme.md has no problem on this reverse shell (the code in your upgrade demo gif):