Friday, August 28, 2009

rewrote Port Shell Crypter

I rewrote PSC, a tool to upgrade plaintext and/or tty-less
sessions across networks (even via multiple hops) to a fully
encrypted, pty based session.

It works by doing the handshake and the crypto across the
terminal layer (stdin/stdout of the session) instead of using network
calls; the code does not need any networking functionality at all.
If you have a chained session from host A to host D like
A -> B -> C -> D, start the local psc endpoint on host A before
starting the session and the remote endpoint on host D as soon as
you get there: the full chain is then encrypted and nobody on B or C
can see or modify what you are typing.
Evil administrators on intermediate hosts (B, C) might use
ptrace() or similar tricks to sniff even SSH sessions, because each
SSH hop terminates on their host. With psc, only ciphertext ever
crosses those hosts, so this is not possible anymore.
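The idea above, shown as an added example that is not PSC's own code: both endpoints only read and write printable lines, so the "wire" can be any chain of shells and ptys, and the hosts in between see nothing but base64. The handshake here is a constructed simplification (a pre-shared key plus exchanged nonces, stdlib HMAC-SHA256 as a counter-mode stream cipher, encrypt-then-MAC with sequence numbers); PSC's real protocol is not reproduced.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed pre-shared secret for this example only. PSC does its own
# handshake; this toy uses a PSK plus nonces so it needs nothing beyond stdlib.
EXAMPLE_PSK = b"example-psk-not-for-real-use"


def _kdf(psk, nonce_i, nonce_r, label):
    """Derive one directional key from the PSK and both handshake nonces."""
    return hmac.new(psk, label + nonce_i + nonce_r, hashlib.sha256).digest()


def _keystream(key, seq, length):
    """HMAC-SHA256 in counter mode, keyed per frame sequence number."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


class Endpoint:
    """One end of the crypted session. Everything it emits is a printable
    line, so it passes through any chain of shells/ptys and never opens
    a socket (the point of doing crypto at the terminal layer)."""

    def __init__(self, psk, initiator):
        self.psk, self.initiator = psk, initiator
        self.nonce = os.urandom(16)
        self.send_seq = 0  # sequence numbers catch replay and reordering
        self.recv_seq = 0

    def hello(self):
        # Handshake line: typed into the session like any other text.
        return "PSC-HELLO " + base64.b64encode(self.nonce).decode()

    def finish(self, peer_hello):
        kind, b64 = peer_hello.split(" ", 1)
        if kind != "PSC-HELLO":
            raise ValueError("unexpected handshake line")
        peer = base64.b64decode(b64)
        ni, nr = (self.nonce, peer) if self.initiator else (peer, self.nonce)
        mine, theirs = (b"i2r", b"r2i") if self.initiator else (b"r2i", b"i2r")
        self.enc_key = _kdf(self.psk, ni, nr, mine + b"-enc")
        self.mac_key = _kdf(self.psk, ni, nr, mine + b"-mac")
        self.dec_key = _kdf(self.psk, ni, nr, theirs + b"-enc")
        self.dmac_key = _kdf(self.psk, ni, nr, theirs + b"-mac")

    def seal(self, plaintext):
        """Encrypt-then-MAC one chunk of terminal data into a single line."""
        n, self.send_seq = self.send_seq, self.send_seq + 1
        seq = struct.pack(">Q", n)
        ks = _keystream(self.enc_key, n, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        tag = hmac.new(self.mac_key, seq + ct, hashlib.sha256).digest()
        return "PSC " + base64.b64encode(seq + ct + tag).decode()

    def unseal(self, line):
        """Verify and decrypt one line; raise on tampering, replay or reorder."""
        kind, b64 = line.split(" ", 1)
        if kind != "PSC":
            raise ValueError("not a PSC frame")
        raw = base64.b64decode(b64)
        seq, ct, tag = raw[:8], raw[8:-32], raw[-32:]
        expect = hmac.new(self.dmac_key, seq + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("MAC mismatch: frame modified in transit")
        (n,) = struct.unpack(">Q", seq)
        if n != self.recv_seq:
            raise ValueError("sequence mismatch: replayed or dropped frame")
        self.recv_seq += 1
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.dec_key, n, len(ct))))


def relay(hops, line):
    """Simulate hosts B and C: each intermediate host logs what crosses its pty."""
    for seen in hops:
        seen.append(line)
    return line


def demo():
    """A -> B -> C -> D chain: returns (what D decrypted, tamper caught, leak seen)."""
    a, d = Endpoint(EXAMPLE_PSK, initiator=True), Endpoint(EXAMPLE_PSK, initiator=False)
    hops = [[], []]  # constructed observation logs for B and C
    a.finish(relay(hops, d.hello()))
    d.finish(relay(hops, a.hello()))
    line = relay(hops, a.seal(b"cat /etc/shadow\n"))
    received = d.unseal(line)
    # B flips one base64 character inside the frame; D must reject it.
    flipped = "B" if line[20] != "B" else "A"
    tampered = line[:20] + flipped + line[21:]
    try:
        d.unseal(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    leaked = any("shadow" in s for h in hops for s in h)
    return received, tamper_detected, leaked


if __name__ == "__main__":
    print(demo())
```

Running it prints the decrypted command on D, `True` for the tamper check and `False` for the leak check: the intermediate hosts only ever logged `PSC-HELLO`/`PSC` lines of base64, and a single modified character fails the MAC before anything is decrypted.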

First, I wanted to make some video (since it seems very hip
these days :) showing how an old gitweb exploit ends up as a full
pty crypto shell using psc, so you could use 'mc' etc.
on it at the end. However, xvidcap has some lib requirements
which I can't satisfy on my machine yet without hours
of recompilation, and so I thought I'd do the release old-school. :)

2 comments:

Anonymous said...

Awesome! thanks!

huku said...

Hello there,

I finally found some time to read the PSC code. Very nice! I was recently thinking that this idea can be used in a shellcode, but instead of porting all that stuff to ASM, one can spawn /usr/bin/python instead of /bin/bash and then use the python ctypes FFI (described on my blog at http://decepticonpunk.wordpress.com/2009/09/17/python-in-noexec-land/) to create crypto tunnels and pty sessions. Actually, I haven't tested it yet, and probably I won't test it until the next time I need a shellcode. This may result in both less forensic evidence (since python is interpreted on the fly) and fully private connections.

Keep up the cool posts!
./hk