Fix shell designation for linux

Author: NHAS

internal/client/handlers/session.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"os"
 	"os/exec"
+	"runtime"
 	"strings"
 
 	"github.com/NHAS/reverse_ssh/internal"
@@ -13,9 +14,9 @@ import (
 	"golang.org/x/crypto/ssh"
 )
 
-//Session has a lot of 'function' in ssh. It can be used for shell, exec, subsystem, pty-req and more.
-//However these calls are done through requests, rather than opening a new channel
-//This callback just sorts out what the client wants to be doing
+// Session has a lot of 'function' in ssh. It can be used for shell, exec, subsystem, pty-req and more.
+// However these calls are done through requests, rather than opening a new channel
+// This callback just sorts out what the client wants to be doing
 func Session(user *internal.User, newChannel ssh.NewChannel, log logger.Logger) {
 
 	defer log.Info("Session disconnected")
@@ -65,48 +66,28 @@ func Session(user *internal.User, newChannel ssh.NewChannel, log logger.Logger)
 					return
 				}
 
-				//Set a path if no path is set to search
-				if len(os.Getenv("PATH")) == 0 {
-					os.Setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/sbin")
-				}
-
-				cmd := exec.Command(parts[0], parts[1:]...)
-
-				stdout, err := cmd.StdoutPipe()
-				if err != nil {
-					fmt.Fprintf(connection, "%s", err.Error())
-					return
-				}
-				defer stdout.Close()
-
-				cmd.Stderr = cmd.Stdout
-
-				stdin, err := cmd.StdinPipe()
-				if err != nil {
-					fmt.Fprintf(connection, "%s", err.Error())
-					return
-				}
-				defer stdin.Close()
-
-				go io.Copy(stdin, connection)
-				go io.Copy(connection, stdout)
-
-				err = cmd.Run()
-				if err != nil {
-					fmt.Fprintf(connection, "%s", err.Error())
+				if user.Pty != nil {
+					runCommandWithPty(parts[0], parts[1:], user, requests, log, connection)
 					return
 				}
+				runCommand(parts[0], parts[1:], connection)
 			}
 
 			return
 		case "shell":
-			// We only accept the default shell
-			// (i.e. no command in the Payload)
-			req.Reply(len(req.Payload) == 0, nil)
+			//We accept the shell request
+			req.Reply(true, nil)
+
+			var shellPath internal.ShellStruct
+			err := ssh.Unmarshal(req.Payload, &shellPath)
+			if err != nil || shellPath.Shell == "" {
 
-			//This blocks so will keep the channel from defer closing
-			shell(user, connection, requests, log)
+				//This blocks so will keep the channel from defer closing
+				shell(user, connection, requests, log)
+				return
+			}
 
+			runCommandWithPty(shellPath.Shell, nil, user, requests, log, connection)
 			return
 			//Yes, this is here for a reason future me. Despite the RFC saying "Only one of shell,subsystem, exec can occur per channel" pty-req actually proceeds all of them
 		case "pty-req":
@@ -130,3 +111,41 @@ func Session(user *internal.User, newChannel ssh.NewChannel, log logger.Logger)
 	}
 
 }
+
+func runCommand(command string, args []string, connection ssh.Channel) {
+	//Set a path if no path is set to search
+	if len(os.Getenv("PATH")) == 0 {
+		if runtime.GOOS != "windows" {
+			os.Setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/sbin")
+		} else {
+			os.Setenv("PATH", "C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\v1.0\\")
+		}
+	}
+
+	cmd := exec.Command(command, args...)
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		fmt.Fprintf(connection, "%s", err.Error())
+		return
+	}
+	defer stdout.Close()
+
+	cmd.Stderr = cmd.Stdout
+
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		fmt.Fprintf(connection, "%s", err.Error())
+		return
+	}
+	defer stdin.Close()
+
+	go io.Copy(stdin, connection)
+	go io.Copy(connection, stdout)
+
+	err = cmd.Run()
+	if err != nil {
+		fmt.Fprintf(connection, "%s", err.Error())
+		return
+	}
+}

internal/client/handlers/shell.go

@@ -55,16 +55,15 @@ func init() {
 
 }
 
-//This basically handles exactly like a SSH server would
-func shell(user *internal.User, connection ssh.Channel, requests <-chan *ssh.Request, log logger.Logger) {
+func runCommandWithPty(command string, args []string, user *internal.User, requests <-chan *ssh.Request, log logger.Logger, connection ssh.Channel) {
 
-	path := ""
-	if len(shells) != 0 {
-		path = shells[0]
+	if user.Pty == nil {
+		log.Error("Requested to run a command with a pty, but did not start a pty")
+		return
 	}
 
 	// Fire up a shell for this session
-	shell := exec.Command(path)
+	shell := exec.Command(command, args...)
 	shell.Env = os.Environ()
 
 	close := func() {
@@ -84,33 +83,17 @@ func shell(user *internal.User, connection ssh.Channel, requests <-chan *ssh.Req
 	var err error
 	var shellIO io.ReadWriteCloser
 
-	if user.Pty != nil {
-		shell.Env = append(shell.Env, "TERM="+user.Pty.Term)
-
-		log.Info("Creating pty...")
-		shellIO, err = pty.StartWithSize(shell, &pty.Winsize{Cols: uint16(user.Pty.Columns), Rows: uint16(user.Pty.Rows)})
-		if err != nil {
-			log.Info("Could not start pty (%s)", err)
-			close()
-			return
-		}
-	} else {
-
-		stdinPipe, err := shell.StdinPipe()
-		stdoutPipe, err := shell.StdoutPipe()
-		shell.Stderr = shell.Stdout
-
-		shellIO = &ReaderWriteCloser{in: stdinPipe, out: stdoutPipe}
+	shell.Env = append(shell.Env, "TERM="+user.Pty.Term)
 
-		err = shell.Start()
-		if err != nil {
-			log.Info("Could not start shell (%s)", err)
-			close()
-			return
-		}
+	log.Info("Creating pty...")
+	shellIO, err = pty.StartWithSize(shell, &pty.Winsize{Cols: uint16(user.Pty.Columns), Rows: uint16(user.Pty.Rows)})
+	if err != nil {
+		log.Info("Could not start pty (%s)", err)
+		close()
+		return
 	}
 
-	//pipe session to bash and visa-versa
+	// pipe session to bash and visa-versa
 	var once sync.Once
 	go func() {
 		io.Copy(connection, shellIO)
@@ -145,26 +128,21 @@ func shell(user *internal.User, connection ssh.Channel, requests <-chan *ssh.Req
 
 	defer once.Do(close)
 	shell.Wait()
-
 }
 
-type ReaderWriteCloser struct {
-	in  io.WriteCloser
-	out io.ReadCloser
-}
-
-func (c *ReaderWriteCloser) Read(b []byte) (n int, err error) {
-	return c.out.Read(b)
-}
+// This basically handles exactly like a SSH server would
+func shell(user *internal.User, connection ssh.Channel, requests <-chan *ssh.Request, log logger.Logger) {
 
-func (c *ReaderWriteCloser) Write(b []byte) (n int, err error) {
-	return c.in.Write(b)
-}
+	path := ""
+	if len(shells) != 0 {
+		path = shells[0]
+	}
 
-func (c *ReaderWriteCloser) Close() error {
-	c.in.Close()
+	if user.Pty != nil {
+		runCommandWithPty(path, nil, user, requests, log, connection)
+		return
+	}
 
-	err := c.out.Close()
+	runCommand(path, nil, connection)
 
-	return err
 }

internal/client/handlers/shell_windows.go

@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"os/exec"
+	"strings"
 	"syscall"
 
 	"github.com/ActiveState/termtest/conpty"
@@ -26,50 +27,67 @@ func shell(user *internal.User, connection ssh.Channel, requests <-chan *ssh.Req
 		return
 	}
 
+	path, err := exec.LookPath("powershell.exe")
+	if err != nil {
+		path, err = exec.LookPath("cmd.exe")
+		if err != nil {
+			path = "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+		}
+	}
+
+	runCommandWithPty(path, nil, user, requests, log, connection)
+
+	connection.Close()
+
+}
+
+func runCommandWithPty(command string, args []string, user *internal.User, requests <-chan *ssh.Request, log logger.Logger, connection ssh.Channel) {
+
+	fullCommand := command + strings.Join(args, " ")
 	vsn := windows.RtlGetVersion()
 	if vsn.MajorVersion < 10 || vsn.BuildNumber < 17763 {
 
 		log.Info("Windows version too old for Conpty (%d, %d), using basic shell", vsn.MajorVersion, vsn.BuildNumber)
+		runWithWinPty(fullCommand, connection, requests, log, *user.Pty)
 
-		winpty, err := winpty.Open("powershell.exe", user.Pty.Columns, user.Pty.Rows)
-		if err != nil {
-			log.Info("Winpty failed. %s", err)
-			basicShell(connection, requests, log)
-			return
-		}
-
-		go func() {
-			io.Copy(connection, winpty)
-			connection.Close()
-		}()
-
-		io.Copy(winpty, connection)
-		winpty.Close()
 	} else {
-		err := conptyShell(connection, requests, log, *user.Pty)
+		err := runWithConpty(fullCommand, connection, requests, log, *user.Pty)
 		if err != nil {
-			log.Error("%v", err)
+			log.Error("unable to run with conpty, falling back to winpty: %v", err)
+			runWithWinPty(fullCommand, connection, requests, log, *user.Pty)
 		}
 	}
+}
 
-	connection.Close()
+func runWithWinPty(command string, connection ssh.Channel, reqs <-chan *ssh.Request, log logger.Logger, ptyReq internal.PtyReq) error {
+	winpty, err := winpty.Open(command, ptyReq.Columns, ptyReq.Rows)
+	if err != nil {
+		log.Info("Winpty failed. %s", err)
+		return err
+	}
+
+	go func() {
+		io.Copy(connection, winpty)
+		connection.Close()
+	}()
+
+	io.Copy(winpty, connection)
+	winpty.Close()
 
+	return nil
 }
 
-func conptyShell(connection ssh.Channel, reqs <-chan *ssh.Request, log logger.Logger, ptyReq internal.PtyReq) error {
+func runWithConpty(command string, connection ssh.Channel, reqs <-chan *ssh.Request, log logger.Logger, ptyReq internal.PtyReq) error {
 
 	cpty, err := conpty.New(int16(ptyReq.Columns), int16(ptyReq.Rows))
 	if err != nil {
 		return fmt.Errorf("Could not open a conpty terminal: %v", err)
 	}
 	defer cpty.Close()
 
-	path, err := exec.LookPath("powershell.exe")
+	path, err := exec.LookPath(command)
 	if err != nil {
-		path, err = exec.LookPath("cmd.exe")
-		if err != nil {
-			path = "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
-		}
+		return err
 	}
 
 	// Spawn and catch new powershell process
@@ -86,7 +104,7 @@ func conptyShell(connection ssh.Channel, reqs <-chan *ssh.Request, log logger.Lo
 	log.Info("New process with pid %d spawned", pid)
 	process, err := os.FindProcess(pid)
 	if err != nil {
-		log.Fatal("Failed to find process: %v", err)
+		return fmt.Errorf("Failed to find process: %v", err)
 	}
 
 	// Dynamically handle resizes of terminal window

internal/global.go

@@ -19,6 +19,10 @@ import (
 
 var Version string
 
+type ShellStruct struct {
+	Shell string
+}
+
 type RemoteForwardRequest struct {
 	BindAddr string
 	BindPort uint32