search

calebstewart / pwncat

Fancy reverse and bind shell handler
https://pwncat.readthedocs.io
MIT License
2.58k stars 250 forks source link

SSH connexion cannot parse '@' character in password #281

Open BastienPateyron opened 6 months ago

BastienPateyron commented 6 months ago

Bug Description

The pwncat-cs ssh connexion string with password is not working if the password contains the @ character. It looks like the pwncat-cs parser is splitting the command on the first @ found.

I precise that I also have attempted to submit the password value between simple and double quotes, I also tried by adding backslashes and through environment variable in order to bypass this behavior, without any success.

EDIT : After checking the source code, I figured out that the parsing is made with a regex allowing to escape with a backslash and this can solve my issue. However, I also have a ! character in the password I want to make use of. Since the ! character is breaking any command if not quoted properly, I guess making use of it is adding complexity to this. I suppose that the mix of those both issues seem to break either the parsing, or the content of the ssh login attempt (in the query or in the submitted credentials themselves, this remains unclear to me).

pwncat version

$ pwncat --version
0.5.4

Target System (aka "victim")

None, this can be tested locally.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Create a new local user with a password containing @ like pwncat_user:r00t5P@ssw0rd
  2. Try to perform the following ssh connexion 
    pwncat-cs ssh://pwncat_user:r00t5P@ssw0rd@127.0.0.1

Expected Behavior

The pwncat-cs parser should split on the last @ char found instead of the first one.

Screenshots

pwncat-ssh-connexion-parsing-error