Index of /~too/sw/revsh

Name                        Last modified        Size
0ld/                        24-Nov-2006 21:30    -
MANIFEST                    25-Jan-2006 23:43    92
Makefile                    23-Nov-2006 23:12    5.8K
SvnLog                      23-Nov-2006 23:22    10K
SvnVersion                  23-Nov-2006 23:22    37
copyright                   21-Jan-2006 13:41    801
debian-binary               08-Dec-2007 23:26    4
maemo.html                  23-Nov-2006 23:12    1.7K
revcp                       29-Jan-2006 23:58    2.7K
revsh-1.92.tar.gz           02-Feb-2006 21:59    31K
revsh-1.93.tar.gz           23-Nov-2006 23:22    33K
revsh-tunnel-gui.c          23-Nov-2006 23:12    28K
revsh.c                     23-Nov-2006 23:12    54K
revsh.readme                23-Nov-2006 23:12    6.3K
revsh_1.92.dsc              02-Feb-2006 21:59    288
revsh_1.92_arm.changes      02-Feb-2006 21:59    577
revsh_1.92_arm.deb          02-Feb-2006 21:59    21K
revsh_1.93.dsc              23-Nov-2006 23:10    289
revsh_1.93_armel.changes    23-Nov-2006 23:10    621
revsh_1.93_armel.deb        23-Nov-2006 23:10    22K
screenshots/                23-Nov-2006 23:41    -

Reverse Shell

Check also some screenshots.

Go to the RevSH Maemo page for some Nokia 770 Internet Tablet specific information.

Reverse Shell 1.93 (2006/11/23)


A tool to create a secure/remote shell tunnel and then start commands or shells
on the tunnel destination machine that are executed on the tunnel originating machine.


It is quite easy to weaken the security of your network with this
tool (e.g. by making holes in a firewall). Know what you are doing
when using this tool.


Usage: revsh [-d] [-l username] host command

  With the command `shell', an interactive shell session is started.
  If 'host' is ssh2, ssh, lsh or rsh, then that "host" is used
  as the tunnel creation command instead and the rest of the arguments
  are given to that command (-l username is then in the format
  -l user[@host]).
  The option -d is only used with the tunnel creation command;
  the program goes into the background after the tunnel is successfully created.

Read ssh2(1), ssh(1), lsh(1), rsh(1) manual pages for companion information.

RevSH limitations

revsh (it was then called revcmd) was originally a quick & dirty tool to access
a CVS repository through a firewall so that ordinary users could grant
access by just running revsh to create a tunnel. Not much thought was
given to design. (Not!) surprisingly, it still took more time to get the
simplest things working than was originally thought.

* No flow control. Revsh provides multiplexed data "pipes" but doesn't
  control the traffic, so one data stream can make other "connections"
  work jerkily. This usually isn't a problem. If the program that receives
  data blocks reading for longer than 900 ms it will be killed
  (originally this limit was 50 ms, but the Nokia 770 could not handle that).

  Fixing this would require rewriting large parts of the code.
* Communication between revsh-client and revsh-forwarder (the revsh
  components running on the remote host where the revsh tunnel is created)
  is (also) just simple data streams; the client cannot receive any "metadata",
  like program exit values and so on. Also the client cannot pass window
  size changes, signals or anything else to the commands running under revsh-server.
  Using a communication protocol between revsh-client and revsh-forwarder
  could fix this. This requires much less rewriting than the above.

* Currently the revsh-client and revsh-forwarder parts can only be run on a Linux
  system since other OSes do not return POLLHUP in .revents.
  revsh-server (i.e. the revsh tunnel originating component) can be run on
  OSes other than Linux.

  Using a communication protocol like the one above could fix this issue
  as well.

* revsh-shell does not have an escape character.
  This requires revsh-client tuning. There are options to avoid the no-flow-control
  problems, but implementing flow control would definitely help here.

* The system is limited to 125 multiplexed "connections" through one
  revsh tunnel connection. Should not be a big problem.

* The program requires the openpty() function to compile. It would not be too
  difficult to copy an openpty() implementation and compile that when no
  library around provides it. Good candidates to copy from
  are the dtach(1) and ssh(1) source code.

Nevertheless, RevSH is perfectly suitable for the usual cases users need it for.
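The two limitations above (the 900 ms reader deadline, and hangup detection that relies on Linux reporting POLLHUP in .revents) can be handled with one small piece of channel-servicing logic. The following is an added example written for this page, not code from revsh itself: it polls a descriptor, delivers any bytes, and recognises a peer hangup either via POLLHUP or via the portable end-of-stream signal (POLLIN followed by read() returning 0), so the same code works on systems that never set POLLHUP. The demo functions build a constructed pipe and an AF_UNIX socketpair (standing in for the unix socket between revsh_client and revsh_forwarder) and a constructed "ls\n" payload; the function names and the idle-deadline handling are this example's own choices.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes of one poll/read step on a channel descriptor.
 * Negative codes never collide with a byte count. */
enum { CH_IDLE = -2, CH_ERROR = -1, CH_OPEN = 0, CH_HUNGUP = 1 };

/* One step of servicing a channel: wait up to timeout_ms, copy any available
 * bytes into buf and report whether the peer has hung up. Hangup is recognised
 * two ways so the logic does not depend on Linux-only POLLHUP behaviour:
 *   - POLLHUP in revents (what Linux reports once no writer is left)
 *   - POLLIN followed by read() returning 0 (portable end-of-stream sign) */
int channel_step(int fd, char *buf, size_t cap, ssize_t *nread, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int n;

    *nread = 0;
    n = poll(&p, 1, timeout_ms);
    if (n < 0)
        return CH_ERROR;
    if (n == 0)
        return CH_IDLE;                 /* deadline passed, nothing happened */
    if (p.revents & (POLLERR | POLLNVAL))
        return CH_ERROR;
    if (p.revents & POLLIN) {
        ssize_t r = read(fd, buf, cap);
        if (r < 0)
            return CH_ERROR;
        if (r == 0)
            return CH_HUNGUP;           /* portable path: EOF on read */
        *nread = r;
        return CH_OPEN;                 /* data delivered; a pending POLLHUP
                                           is seen on the next step */
    }
    if (p.revents & POLLHUP)
        return CH_HUNGUP;               /* Linux path: hangup without data */
    return CH_OPEN;
}

/* Collect everything the peer sends until it hangs up. Returns the byte count,
 * CH_ERROR on failure, or CH_IDLE if idle_ms passes with no traffic (revsh
 * kills a reader that blocks for more than 900 ms; here we return instead). */
ssize_t collect_until_hangup(int fd, char *out, size_t cap, int idle_ms)
{
    size_t total = 0;

    while (total < cap) {
        ssize_t got;
        int st = channel_step(fd, out + total, cap - total, &got, idle_ms);
        if (st == CH_ERROR || st == CH_IDLE)
            return st;
        if (st == CH_HUNGUP)
            return (ssize_t)total;
        total += (size_t)got;
    }
    return (ssize_t)total;              /* buffer full, peer still open */
}

/* Constructed scenario: the peer writes a short command line and closes.
 * use_pipe selects a pipe (Linux reports POLLHUP) or an AF_UNIX socketpair.
 * Returns the byte count received, or -3 if the payload did not arrive intact. */
ssize_t demo_transfer(int use_pipe)
{
    static const char payload[] = "ls\n";   /* constructed sample traffic */
    const ssize_t plen = (ssize_t)(sizeof payload - 1);
    int fds[2];
    char buf[64];
    ssize_t n;

    if (use_pipe ? pipe(fds) : socketpair(AF_UNIX, SOCK_STREAM, 0, fds))
        return CH_ERROR;
    if (write(fds[1], payload, (size_t)plen) != plen) {
        close(fds[0]);
        close(fds[1]);
        return CH_ERROR;
    }
    close(fds[1]);                          /* peer hangs up after sending */
    n = collect_until_hangup(fds[0], buf, sizeof buf, 900);
    close(fds[0]);
    if (n == plen && memcmp(buf, payload, (size_t)n) != 0)
        return -3;
    return n;
}

/* Constructed scenario: the peer stays connected but silent; the reader gives
 * up after idle_ms instead of blocking forever. Returns CH_IDLE. */
ssize_t demo_idle_peer(int idle_ms)
{
    int fds[2];
    char buf[8];
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds))
        return CH_ERROR;
    n = collect_until_hangup(fds[0], buf, sizeof buf, idle_ms);
    close(fds[0]);
    close(fds[1]);
    return n;
}

int main(void)
{
    printf("socketpair: %zd bytes\n", demo_transfer(0));
    printf("pipe:       %zd bytes\n", demo_transfer(1));
    printf("idle peer:  %zd (CH_IDLE = %d)\n", demo_idle_peer(50), CH_IDLE);
    return 0;
}
```

The order of the checks matters: POLLIN is examined before POLLHUP so that bytes still buffered in a closed pipe are delivered rather than dropped, and the hangup is reported only once the stream is drained. Compile with `cc -std=c99 -Wall example.c`.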

Quick start

(orig: commands executed on tunnel originating machine,
 dest: commands executed on tunnel destination machine)

orig 1 $ wget
orig 2 $ sh revsh.c
orig 3 $ cp revsh /path/to/bindir/in/PATH/


dest 1 $ wget
dest 2 $ sh revsh.c
dest 3 $ cp revsh /path/to/bindir/in/PATH/


orig 4 $ revsh ssh2 dest


dest 4 $ revsh orig ls
dest 5 $ revsh orig shell

dest 6 $ SVN_SSH=revsh svn co svn+ssh://orig/path/to/svn/projects/revsh


(ctrl-c on orig machine)
orig 5 $ revsh -l foo@bar ssh2 dest


dest 7 $ revsh -l foo bar ls
dest 8 $ revsh foo@bar hostname

Program description

In order to work, revsh has the following 4 modes of operation:

revsh_server: "Server" mode. This mode is chosen when ssh2, ssh, lsh or rsh
	is given as host (fsh could be added too, but...;). In this mode, a
	tunnel to the remote host is created and then the program starts waiting
	for messages from the frontend.

revsh_forwarder: In this mode revsh is started as the tunnel endpoint for
	revsh_server. This mode is chosen when the environment variable
	REVSH_DAEMON_SOCKET_FILE is defined. revsh_server sets this up when
	creating the tunnel with the following trick (compare to orig 5 $ above):
	ssh2 dest REVSH_DAEMON_SOCKET_FILE=foo@bar revsh

revsh_client: In this mode revsh works like ssh2, ssh, lsh and rsh normally
	work. This mode is chosen if none of the other modes applies.
	revsh tries to connect to the unix socket in file
	/tmp/revsh-/@ and if that succeeds, expects to be
	communicating with revsh_forwarder. After a version check it passes the
	command line arguments to revsh_forwarder. revsh_forwarder in turn
	creates a "channel" with revsh_server, passes the given information for
	revsh_server to execute and passes the input/output(/error) streams
	between revsh_server and revsh_client so that the reverse shell works
	as much like secure shell and remote shell as possible.

revsh_shell: This is a special mode, whose purpose on the tunnel destination
	machine is to restrict access to revsh_front only. This mode is
	chosen when the SHELL environment variable contains the string "revsh".
	This happens when the user's shell in /etc/passwd contains the full path
	to revsh instead of a standard shell, like bash or zsh. I have the
	following in my /etc/passwd:
	   too:x:501:501:Tomi Ollila:/p/home/too:/bin/zsh
	   toorcmd:x:501:501:Tomi Ollila RevSH:/tmp/revsh-501:/p/bin/revsh
	With secure shell authorization keys I can ask users to create a tunnel
	for me, without allowing them to execute anything else on my machine.

TODO

	- Reporting exit values of commands / shells.
	- Inform the remote program about window size changes (when in shell mode).
	- Have an escape character when in shell mode in revsh_command.
	- Change revsh_client HANGUP checking to support other than Linux.
	- Implement openpty() for systems that don't have one.
	- Shell mode should be possible without giving 'shell' on the command line.

	- That's all for now. Adding more documentation is the last TODO entry.

2006/02/02 Tomi Ollila

Ps. Not XHTML just yet ;/