Real Programmers/ Hack/ SSH/ Upload Code Tunnel Out
Google site:

realprogrammers.com

Upload code to a remote machine & tunnel back out

#!/bin/sh

# This tool runs a program remotely on a server that will need to make a
# network connection back out. It does this under two heavy
# restrictions:
# 1. the target machine is prevented from doing so by for example an
#    external firewall.
# 2. The required program to execute on the target machine doesn't
#    exist. The only route into the machine is through ssh, and we
#    assume it can execute a shell with basic unix tool once it's there.

# The first is quite a common situation and the second is a typical
# situation that is in effect with a heavily change controlled
# environment where "foreign" programs aren't allowed to be installed,
# or where the change management is hindering Getting Real Work
# Done(TM). So in effect this is designed to take advantage of what is
# essentially a flaw in the original security model and use it in a way
# that wasn't intended.

# How it works is essentially this: the program is sent down an SSH
# connection, written to a temporary file and then executed. As part of
# the SSH connection, a listener process is created on the target
# machine at a particular port the program is expecting to communicate
# over which is tunneled through the SSH session to another host:port

# target_host: an ssh address of the machine to run the program remotely on.
# target_port: where ssh will create a listener process on the target host.
target_host=paulm@paulm.com
target_port=8080

# remote_host: the full name of the machine to be connected to from the
# target machine. It doesn't necessarily have to the machine executing
# the ssh session, simply that the machine executing the ssh session can
# connect to it.

remote_host=`hostname -f`
remote_port=80

# program: the code to run on the target machine.
# Normally program would point to a real program compiled for the target
# host's architecture.
program=/tmp/`basename $0`.get
program_name=`basename $program`

# target_bin is the directory the program will reside on the target machine.
# /tmp is world-writeable so we have a guaranteed dropzone.
target_bin=/tmp/bin

# This cat is just to create a test program; it requires lynx to test
# the outgoing connection and leave evidence of success.
cat > $program <<PROGRAM
#!/bin/sh

lynx -source http://localhost:$target_port/ > /tmp/localhost.html
PROGRAM

# . Make a target bin directory; copy the program there; set
#   executable flag.
# . Set up target port forwarding so that a port on the target machine is
#   forwarded over the ssh connection to a port on another (possibly local) 
#   machine. So, from the target machine's point of view,
#     localhost:target_port -> remote_host:remote_port
# . Run the program that's been left in the target bin directory.

# It so happens this is all possible with a single ssh invocation.

ssh -R $target_port:$remote_host:$remote_port $target_host "\
  mkdir $target_bin 2>/dev/null;\
  cd $target_bin               ;\
  cat > $program_name          ;\
  chmod +x $program_name       ;\
  $target_bin/$program_name" < $program &

All non-user content and code Copyright © 2000-2006 realprogrammers.com / Paul Makepeace. Comments & feedback welcome!