Capture file contents of failed redirects #1928

Open
Jc2k opened this issue Sep 14, 2023 · 1 comment
Jc2k commented Sep 14, 2023

Is your feature request related to a problem? Please describe.

Consider something like this:

echo ssh-rsa AAAAB3Nz...kUMRr rsa-key-20230629 > ~/.ssh/authorized_keys

If .ssh doesn't exist, you will get an error: "No such file or directory".

This is correct, but it stops a file download event from happening - you can't capture the artifact.

Describe the solution you'd like

Would something like this work?

If self.safeoutfile remains set, then a redir capture should still happen AFAICT. But we still unset self.outfile and enter the same "error state" as before.

diff --git a/src/cowrie/shell/command.py b/src/cowrie/shell/command.py
index 6617700c..6f53a5c1 100644
--- a/src/cowrie/shell/command.py
+++ b/src/cowrie/shell/command.py
@@ -83,13 +83,11 @@ class HoneyPotCommand:
                     )
                     self.writefn = self.write_to_failed
                     self.outfile = None
-                    self.safeoutfile = ""
                 except fs.PermissionDenied:
                     # The outfile locates in a file-system that doesn't allow file creation
                     self.errorWrite(f"-bash: {self.outfile}: Permission denied\n")
                     self.writefn = self.write_to_failed
                     self.outfile = None
-                    self.safeoutfile = ""
 
                 else:
                     with open(self.safeoutfile, "ab"):
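Review bot: dropping the two `self.safeoutfile = ""` resets means a non-empty `safeoutfile` no longer signals "redirect succeeded", so any later code that tests `if self.safeoutfile:` to decide whether to emit the download event or hash the artifact now has to distinguish the failed case by `self.outfile is None` instead. Note also that the `else:` branch is what creates the host-side file (`with open(self.safeoutfile, "ab")`); after this change the two error branches leave that to the first call of `write_to_failed`, so a failed redirect that receives no bytes produces no artifact at all, which may be the intended outcome but should be stated.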
@@ -139,7 +137,9 @@ class HoneyPotCommand:
         self.fs.update_size(self.outfile, self.writtenBytes)
 
     def write_to_failed(self, data: bytes) -> None:
-        pass
+        with open(self.safeoutfile, "ab") as f:
+            f.write(data)
+        self.writtenBytes += len(data)
 
     def start(self) -> None:
         if self.writefn != self.write_to_failed:
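Review bot: `write_to_failed` now appends to `self.safeoutfile` and bumps `self.writtenBytes`, but it has no counterpart to the `self.fs.update_size(self.outfile, self.writtenBytes)` call on the success path, which is correct only because `self.outfile` is `None` here; a comment saying so would stop someone "fixing" it later. The guard `if self.writefn != self.write_to_failed:` in `start()` is the real blocker: with the failed writefn still treated as a no-op, the command body is skipped and nothing ever reaches the new `write_to_failed`, so this hunk needs a matching change in `start()` to let the command run while the guest error is still reported.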

This handles redirects only.

Describe alternatives you've considered

This is a very simple example, and it would be reasonable to just pre-create .ssh in your cowrie installation. However, there may be other examples (maybe a bug in the attempt) or the exploit is against a specific device that you don't happen to have a profile for, where it would be good to capture the assets.

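The behaviour proposed above, modelled as an added example that is not cowrie's code: a redirect whose parent directory is missing in the emulated filesystem still reports the bash error, leaves the guest file uncreated, but keeps capturing the redirected bytes to the host-side artifact path. `FakeFS`, `RedirectCapture` and `run_redirect` are constructed stand-ins, not cowrie identifiers.

```python
import os
import posixpath
import tempfile


class FakeFS:
    """Constructed stand-in for the emulated FS: a set of existing directories."""

    def __init__(self, dirs):
        self.dirs = set(dirs)
        self.sizes = {}  # guest path -> recorded size, only for files really created

    def parent_exists(self, path):
        return posixpath.dirname(path) in self.dirs


class RedirectCapture:
    def __init__(self, fs, target, capture_dir):
        self.fs = fs
        self.errors = []  # what the emulated shell would show the session
        self.written_bytes = 0
        self.outfile = target  # path inside the emulated FS
        # Host-side artifact path: stays set even when the guest path is unreachable
        self.safeoutfile = os.path.join(capture_dir, "redir_artifact")
        if self.fs.parent_exists(target):
            self.writefn = self.write_to_outfile
        else:
            self.errors.append(f"-bash: {target}: No such file or directory")
            self.outfile = None  # guest file is never created ...
            self.writefn = self.write_to_failed  # ... but the bytes are still captured

    def write_to_outfile(self, data):
        with open(self.safeoutfile, "ab") as f:
            f.write(data)
        self.written_bytes += len(data)
        self.fs.sizes[self.outfile] = self.written_bytes

    def write_to_failed(self, data):
        # Failed redirect: capture to the host only, do not touch the guest FS.
        with open(self.safeoutfile, "ab") as f:
            f.write(data)
        self.written_bytes += len(data)


def run_redirect(fs, target, data):
    """Return (shell error lines, captured artifact bytes, guest file sizes)."""
    with tempfile.TemporaryDirectory() as d:
        cmd = RedirectCapture(fs, target, d)
        cmd.writefn(data)
        with open(cmd.safeoutfile, "rb") as f:
            captured = f.read()
    return cmd.errors, captured, dict(fs.sizes)
```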


Jc2k commented Sep 14, 2023

This alone isn't enough, because (I think) start() won't call self.call() in this case.
