jm33-m0 / emp3r0r

Linux/Windows post-exploitation framework made by a Linux user
https://infosec.exchange/@jm33
MIT License

Windows ConPTY issues #201

Closed opensesamedoors closed 1 year ago

opensesamedoors commented 1 year ago

Screenshot from 2023-04-17 05-59-12

jm33-m0 commented 1 year ago

You reported this in #199, is this still an issue in the latest release?

jm33-m0 commented 1 year ago

/dev/shm/ is no longer used since this commit.

https://github.com/jm33-m0/emp3r0r/blob/6f838fc270978b003f8d6c9aaa93fea74ec40ced/core/lib/agent/sshd_linux.go#L44

According to your screenshot you are not using the latest version. Can you try with the latest version and see if it works? I did a quick test and no bugs were found.

Which IDE do you use to debug the tmux GUI? Now I just use the function PRINTF.

I don't use an IDE; I'm a vim user. And I believe this bug is already fixed: the root cause of this issue is the self-deletion feature, and it has been addressed.

opensesamedoors commented 1 year ago

Sorry, it works on Ubuntu but still reports an error on Windows. Screenshot from 2023-04-17 08-43-20

jm33-m0 commented 1 year ago

I can confirm this for Windows platform, thanks for reporting. I will push a fix soon.

jm33-m0 commented 1 year ago

This is weird enough; it looks like conhost.exe is invisible to the agent process, with or without admin privileges.

SSH shell session fails because currently I use conhost.exe to invoke the shells.


jm33-m0 commented 1 year ago

Further testing shows that conhost.exe is missing for the 32-bit agent; if you build it with the amd64 option it will pop up a shell just fine.

And currently the ConPTY buffer size can't be auto-resized correctly, so the shell is barely usable.

jm33-m0 commented 1 year ago

Thanks, I will try to implement this solution in future releases.

jm33-m0 commented 1 year ago

Matching the console buffer size between the C2 and agent side is quite tricky on Windows. There's a mode.com utility that works like stty under Linux, but running it can only change the console buffer of the calling process, and the shell process is a child process and thus unaffected.

The ideal way is to execute the mode /con:cols=x lines=y command in the shell in real time. Currently the solution I can think of is to implement a goroutine that runs in the background (along with the elvsh shell, so they live in the same process), reads the buffer size from an environment variable (WIDTH=x), and then resizes its console buffer (with mode.com or the term package from Go).
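The design sketched in the comment above (a background goroutine in the same process as the shell that watches a size hint and applies it via mode.com), written out as an added example. This is not emp3r0r's own code: the WIDTH variable name comes from the comment, while HEIGHT as its counterpart, the poll interval, the `mode.com con: cols=X lines=Y` argument form, and the change-detection logic are assumptions made here. The resize step is injected as a function so the polling logic can be exercised on any platform; on Windows you would pass `applyWithMode`.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"time"
)

// Size is the console geometry the C2 side wants the agent's shell to use.
type Size struct{ Cols, Lines int }

// parseSize reads the desired geometry from environment-style variables.
// WIDTH is the name used in the issue; HEIGHT is an assumed counterpart.
// ok is false when either value is missing or not a positive integer.
func parseSize(lookup func(string) (string, bool)) (Size, bool) {
	w, okW := lookup("WIDTH")
	h, okH := lookup("HEIGHT")
	if !okW || !okH {
		return Size{}, false
	}
	cols, errC := strconv.Atoi(w)
	lines, errL := strconv.Atoi(h)
	if errC != nil || errL != nil || cols <= 0 || lines <= 0 {
		return Size{}, false
	}
	return Size{Cols: cols, Lines: lines}, true
}

// modeArgs builds the mode.com argument vector (assumed form) that sets the
// console buffer of the calling process: mode con: cols=X lines=Y.
func modeArgs(s Size) []string {
	return []string{"con:", fmt.Sprintf("cols=%d", s.Cols), fmt.Sprintf("lines=%d", s.Lines)}
}

// applyWithMode resizes the console of the *calling* process via mode.com.
// Because mode.com only affects its caller's console, this must run inside
// the process that owns the console, which is why the goroutine lives next
// to the shell instead of being a separate helper binary.
func applyWithMode(s Size) error {
	return exec.Command("mode.com", modeArgs(s)...).Run()
}

// watchResize polls the size hint every interval and calls apply only when
// the geometry actually changed, so the console is not flooded with redundant
// resizes. A failed apply leaves last unchanged so the next tick retries.
// It returns the number of successful resizes once ctx is cancelled.
func watchResize(ctx context.Context, interval time.Duration,
	lookup func(string) (string, bool), apply func(Size) error) int {
	var last Size
	applied := 0
	tick := time.NewTicker(interval)
	defer tick.Stop()
	for {
		select {
		case <-ctx.Done():
			return applied
		case <-tick.C:
			s, ok := parseSize(lookup)
			if !ok || s == last {
				continue
			}
			if err := apply(s); err != nil {
				continue
			}
			last = s
			applied++
		}
	}
}

func main() {
	// Stand-alone run: watch the real environment for two seconds and apply
	// with mode.com (only meaningful on Windows; elsewhere apply just fails).
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	n := watchResize(ctx, 250*time.Millisecond, os.LookupEnv, applyWithMode)
	fmt.Println("resizes applied:", n)
}
```

The goroutine approach is a workaround for mode.com's scoping. Where the agent itself created the pseudo console with CreatePseudoConsole, the direct route is for that same process to call ResizePseudoConsole on its HPCON handle whenever the C2 terminal reports a new size, which changes the ConPTY geometry without involving the shell at all.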

jm33-m0 commented 1 year ago

@opensesamedoors Now interactive shell support for both 32-bit and 64-bit Windows should be working; you should have the same experience as on Linux hosts. I believe this feature supports Windows versions as old as Windows 7 (as stated by winpty.