لطفا منتظر باشید ...
Hack 69 Get a Remote Shell
It's great to have remote
access to an operating system. Build such features into your own IRC
bot!
Having remote access to an operating
system is useful, particularly if your IRC bot is running on it. You
can check up on the amount of memory it's using,
keep an eye on the amount of free disk space, delete files, and so
on.
Unix/Linux users can get remote access
to their systems using Telnet, SSH, or even graphical tools such as
VNC (http://www.realvnc.com).
Depending on which version you have installed, you can also telnet to
Windows machines and/or access your desktop
with the Remote Desktop Connection client
(http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp).
But it's not always possible to use these methods to
gain remote access to a system. For example, you may run your IRC bot
from a networked Windows XP machine that doesn't
have Remote Desktop enabled. The solution here is to exploit the fact
that your IRC bot is running on that machine and turn IRC into the
remote access protocol.
If your IRC bot is running on a particular machine, there is no
reason it cannot just start up a local shell process and forward the
output to a remote user on IRC. That remote user could then make use
of the shell by providing her commands as input.
Providing remote access to a machine has serious
security implications, so you should
protect such access with a password at the very least. The bot
detailed in this hack uses a simple password that is stored as plain
text in the source code.
11.3.1 DCC
DCC stands for Direct
Client Connection and falls into two categories: chat and file
transfers. DCC connections are negotiated via the IRC network, but
once established, all data bypasses the IRC network and travels
directly between a pair of clients. This makes DCC suitable for
transferring files of any size or chatting with more privacy, without
having to worry about the flood protection measures imposed by the
IRC network.
The initial negotiation takes place
via CTCP [Hack #85] . A file
transfer request is made by sending a CTCP message containing the
following:
DCC type argument address port [size]
type must either be SEND or
CHAT for a file transfer or chat session,
respectively. argument is a filename for the
SEND type, with address and
port being used to specify the IP address of the
sending machine and the port on which the connection will be made.
[size] is an optional parameter and can be used to
specify the size of the file to be transferred. Extra data can be
present after [size] and should be ignored if it
is not understood.
Data sent via a CHAT connection should be sent one line at a time,
with no prefixes or commands. Each line must be terminated with a
newline character. You can find out more about DCC transfers by
reading the full CTCP or DCC specifications.
11.3.2 The Code
Because this bot is going to allow
remote access to a shell, it will be called ShellBot. The access
password will be stored in the field
password, and it will respond to any private
message that contains only this password.
When a user sends the correct password, the bot will start up a new
ProcessThread in which to handle the shell
process.
Save the following as ShellBot.java:
import org.jibble.pircbot.*;
public class ShellBot extends PircBot {
private String password = "password";
public ShellBot(String name) {
setName(name);
}
public void onPrivateMessage(String sender, String login,
String hostname, String message) {
if (message.trim( ).equals(password)) {
// Password was correct, so create a new thread to handle the shell.
Thread thread = new ProcessThread(this, sender);
thread.start( );
}
}
}
The ProcessThread class
launches the shell process in its own thread so that it
doesn't block the normal operation of the bot. The
thread starts by sending a DCC
CHAT request to the user and waits
for up to 120,000 milliseconds for the recipient to establish the
connection to the bot. If the connection is not made in time, the bot
gives up and the user will have to resend the correct password and
try again.
If the user's IRC client accepts the
DCC CHAT request in time, it will
establish a direct TCP connection to the bot. This connection will be
used to provide the remote shell access, as it is not subject to
flood prevention restrictions like normal IRC messages.
This particular bot is set up to run on Windows, so it executes
cmd.exe to provide shell access. If you are
using an older version of Windows, you may have to change this to
command.com. If you wish to use ShellBot on
Unix/Linux or Mac, you will
need to change it to /bin/sh or suchlike.
Save the following as
ProcessThread.java
:
import org.jibble.pircbot.*;
import java.io.*;
public class ProcessThread extends Thread {
private PircBot bot;
private String nick;
public ProcessThread(PircBot bot, String nick) {
this.bot = bot;
this.nick = nick;
}
public void run( ) {
DccChat chat = null;
try {
// Send a DCC CHAT request.
chat = bot.dccSendChatRequest(nick, 120000);
if (chat != null) {
Runtime runtime = Runtime.getRuntime( );
// Use "/bin/sh" on Linux.
Process p = runtime.exec("cmd.exe");
// Start a new thread to handle input from the client.
BufferedWriter writer = new BufferedWriter(
new OutputStreamWriter(p.getOutputStream( )));
ProcessInputThread inputThread =
new ProcessInputThread(chat, writer);
inputThread.start( );
// Return all lines from the shell.
BufferedReader reader = new BufferedReader(
new InputStreamReader(p.getInputStream( )));
String line;
while ((line = reader.readLine( )) != null) {
chat.sendLine(line);
}
}
}
catch (IOException e) {
// Chat session ended unexpectedly.
}
if (chat != null) {
try {
chat.close( );
}
catch (IOException e) {
// Do nothing.
}
}
}
}
The ProcessThread runs the shell process and reads all lines that it
outputs. Each line is then sent down the DCC connection to the
connected client. The shell process is running all the time, so you
must create another thread to handle input from the connected client.
Save the following as
ProcessInputThread.java
:
import org.jibble.pircbot.*;
import java.io.*;
public class ProcessInputThread extends Thread {
private DccChat chat;
private BufferedWriter writer;
public ProcessInputThread(DccChat chat, BufferedWriter writer) {
this.chat = chat;
this.writer = writer;
}
public void run( ) {
try {
// Kludge... write a blank line to shell so path shows up.
writer.write("\r\n");
writer.flush( );
// Pass each line from the client to the process.
String line;
while ((line = chat.readLine( )) != null) {
writer.write(line + "\r\n\r\n");
writer.flush( );
}
}
catch (Exception e) {
// Just let the thread end...
}
}
}
Because DCC CHAT is designed to send and receive
only complete lines, you will not see the
command-line prompt, as it does not end with
a newline character. The kludge fix for this is to enter a blank line
after every input from the user. This is implemented in the
ProcessInputThread class and causes the command-line prompt to appear
each time the shell is ready to receive the next command; it also
causes it to be echoed a second time when each command is processed.
The ShellBot doesn't need to join any channels, as
it responds only to private messages, but it is sometimes useful to
place such a bot in a channel so that you know it's
there.
Save the following as ShellBotMain.java:
public class ShellBotMain {
public static void main(String[] args) throws Exception {
ShellBot bot = new ShellBot("ShellBot");
bot.setVerbose(true);
bot.connect("irc.freenode.net");
bot.joinChannel("#irchacks");
}
}11.3.3 Running the Hack
Compile the bot like this:
C:\java\ShellBot> javac -classpath .;pircbot.jar *.java
Run the bot like this:
C:\java\ShellBot> java -classpath .;pircbot.jar ShellBotMain
The bot will then start up.
11.3.4 The Results
You can start using ShellBot as soon as it's running
by sending the password as a private message:
/msg ShellBot password
ShellBot will then request a DCC CHAT session with you. If you accept
this, your IRC client will connect directly to ShellBot and you will
be presented with a command prompt, as shown in Figure 11-2.
Figure 11-2. ShellBot delivering a Windows XP command prompt
Figure 11-2 shows a DCC CHAT session with ShellBot.
The user has executed the dir command to get a
directory listing, showing the contents of the directory in which the
bot is running. As with a normal Windows command prompt, you can use
the cd command to change to another directory and
del to delete files.
11.3.5 DCC CHAT Limitations
Because of the line-by-line nature of the DCC
CHAT Protocol, ShellBot will not work too well if you run interactive
commands. Any command that requires interactive input is likely to
cause the shell to stop responding, as it will be waiting for input
that will never arrive.
Another interesting "feature" is
that typing notepad on a Windows shell will
cause the Notepad application to start up and surprise whoever
happens to be sitting in front of the computer at the time. ShellBot
won't let you interact with applications like this,
so you'll have to start a new DCC CHAT session or
restart the bot.
