< Day Day Up > |
Hack 69 Get a Remote Shell
It's great to have remote access to an operating system. Build such features into your own IRC bot! Having remote access to an operating system is useful, particularly if your IRC bot is running on it. You can check up on the amount of memory it's using, keep an eye on the amount of free disk space, delete files, and so on. Unix/Linux users can get remote access to their systems using Telnet, SSH, or even graphical tools such as VNC (http://www.realvnc.com). Depending on which version you have installed, you can also telnet to Windows machines and/or access your desktop with the Remote Desktop Connection client (http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp). But it's not always possible to use these methods to gain remote access to a system. For example, you may run your IRC bot from a networked Windows XP machine that doesn't have Remote Desktop enabled. The solution here is to exploit the fact that your IRC bot is running on that machine and turn IRC into the remote access protocol. If your IRC bot is running on a particular machine, there is no reason it cannot just start up a local shell process and forward the output to a remote user on IRC. That remote user could then make use of the shell by providing her commands as input. Providing remote access to a machine has serious security implications, so you should protect such access with a password at the very least. The bot detailed in this hack uses a simple password that is stored as plain text in the source code. 11.3.1 DCCDCC stands for Direct Client Connection and falls into two categories: chat and file transfers. DCC connections are negotiated via the IRC network, but once established, all data bypasses the IRC network and travels directly between a pair of clients. This makes DCC suitable for transferring files of any size or chatting with more privacy, without having to worry about the flood protection measures imposed by the IRC network. The initial negotiation takes place via CTCP [Hack #85] . A file transfer request is made by sending a CTCP message containing the following: DCC type argument address port [size] type must either be SEND or CHAT for a file transfer or chat session, respectively. argument is a filename for the SEND type, with address and port being used to specify the IP address of the sending machine and the port on which the connection will be made. [size] is an optional parameter and can be used to specify the size of the file to be transferred. Extra data can be present after [size] and should be ignored if it is not understood. Data sent via a CHAT connection should be sent one line at a time, with no prefixes or commands. Each line must be terminated with a newline character. You can find out more about DCC transfers by reading the full CTCP or DCC specifications. 11.3.2 The CodeBecause this bot is going to allow remote access to a shell, it will be called ShellBot. The access password will be stored in the field password, and it will respond to any private message that contains only this password. When a user sends the correct password, the bot will start up a new ProcessThread in which to handle the shell process. Save the following as ShellBot.java: import org.jibble.pircbot.*; public class ShellBot extends PircBot { private String password = "password"; public ShellBot(String name) { setName(name); } public void onPrivateMessage(String sender, String login, String hostname, String message) { if (message.trim( ).equals(password)) { // Password was correct, so create a new thread to handle the shell. Thread thread = new ProcessThread(this, sender); thread.start( ); } } } The ProcessThread class launches the shell process in its own thread so that it doesn't block the normal operation of the bot. The thread starts by sending a DCC CHAT request to the user and waits for up to 120,000 milliseconds for the recipient to establish the connection to the bot. If the connection is not made in time, the bot gives up and the user will have to resend the correct password and try again. If the user's IRC client accepts the DCC CHAT request in time, it will establish a direct TCP connection to the bot. This connection will be used to provide the remote shell access, as it is not subject to flood prevention restrictions like normal IRC messages. This particular bot is set up to run on Windows, so it executes cmd.exe to provide shell access. If you are using an older version of Windows, you may have to change this to command.com. If you wish to use ShellBot on Unix/Linux or Mac, you will need to change it to /bin/sh or suchlike. Save the following as ProcessThread.java : import org.jibble.pircbot.*; import java.io.*; public class ProcessThread extends Thread { private PircBot bot; private String nick; public ProcessThread(PircBot bot, String nick) { this.bot = bot; this.nick = nick; } public void run( ) { DccChat chat = null; try { // Send a DCC CHAT request. chat = bot.dccSendChatRequest(nick, 120000); if (chat != null) { Runtime runtime = Runtime.getRuntime( ); // Use "/bin/sh" on Linux. Process p = runtime.exec("cmd.exe"); // Start a new thread to handle input from the client. BufferedWriter writer = new BufferedWriter( new OutputStreamWriter(p.getOutputStream( ))); ProcessInputThread inputThread = new ProcessInputThread(chat, writer); inputThread.start( ); // Return all lines from the shell. BufferedReader reader = new BufferedReader( new InputStreamReader(p.getInputStream( ))); String line; while ((line = reader.readLine( )) != null) { chat.sendLine(line); } } } catch (IOException e) { // Chat session ended unexpectedly. } if (chat != null) { try { chat.close( ); } catch (IOException e) { // Do nothing. } } } } The ProcessThread runs the shell process and reads all lines that it outputs. Each line is then sent down the DCC connection to the connected client. The shell process is running all the time, so you must create another thread to handle input from the connected client. Save the following as ProcessInputThread.java : import org.jibble.pircbot.*; import java.io.*; public class ProcessInputThread extends Thread { private DccChat chat; private BufferedWriter writer; public ProcessInputThread(DccChat chat, BufferedWriter writer) { this.chat = chat; this.writer = writer; } public void run( ) { try { // Kludge... write a blank line to shell so path shows up. writer.write("\r\n"); writer.flush( ); // Pass each line from the client to the process. String line; while ((line = chat.readLine( )) != null) { writer.write(line + "\r\n\r\n"); writer.flush( ); } } catch (Exception e) { // Just let the thread end... } } } Because DCC CHAT is designed to send and receive only complete lines, you will not see the command-line prompt, as it does not end with a newline character. The kludge fix for this is to enter a blank line after every input from the user. This is implemented in the ProcessInputThread class and causes the command-line prompt to appear each time the shell is ready to receive the next command; it also causes it to be echoed a second time when each command is processed. The ShellBot doesn't need to join any channels, as it responds only to private messages, but it is sometimes useful to place such a bot in a channel so that you know it's there. Save the following as ShellBotMain.java: public class ShellBotMain { public static void main(String[] args) throws Exception { ShellBot bot = new ShellBot("ShellBot"); bot.setVerbose(true); bot.connect("irc.freenode.net"); bot.joinChannel("#irchacks"); } } 11.3.3 Running the HackCompile the bot like this: C:\java\ShellBot> javac -classpath .;pircbot.jar *.java Run the bot like this: C:\java\ShellBot> java -classpath .;pircbot.jar ShellBotMain The bot will then start up. 11.3.4 The ResultsYou can start using ShellBot as soon as it's running by sending the password as a private message: /msg ShellBot password ShellBot will then request a DCC CHAT session with you. If you accept this, your IRC client will connect directly to ShellBot and you will be presented with a command prompt, as shown in Figure 11-2. Figure 11-2. ShellBot delivering a Windows XP command promptFigure 11-2 shows a DCC CHAT session with ShellBot. The user has executed the dir command to get a directory listing, showing the contents of the directory in which the bot is running. As with a normal Windows command prompt, you can use the cd command to change to another directory and del to delete files. 11.3.5 DCC CHAT LimitationsBecause of the line-by-line nature of the DCC CHAT Protocol, ShellBot will not work too well if you run interactive commands. Any command that requires interactive input is likely to cause the shell to stop responding, as it will be waiting for input that will never arrive. Another interesting "feature" is that typing notepad on a Windows shell will cause the Notepad application to start up and surprise whoever happens to be sitting in front of the computer at the time. ShellBot won't let you interact with applications like this, so you'll have to start a new DCC CHAT session or restart the bot. |
< Day Day Up > |