Add ssh -L / ssh.connect_remote() workaround when AllowTcpForwarding is disabled

peace-maker · peace-maker · commit d2217657c25e · 2025-01-30T11:40:12.000+01:00
Use a netcat process on the remote to connect to the specified host:port and tunnel the traffic using normal `ssh.process` I/O. This was inspired by the "Circumventing Disabled SSH Port-Forwarding with a Multiplexer" article by @guysv in the Paged Out! zine no. 5. It allows to use `gdb.debug(arg, ssh=ssh)` to debug processes on pwn.college.
diff --git a/pwnlib/tubes/ssh.py b/pwnlib/tubes/ssh.py
@@ -445,10 +445,25 @@ def __init__(self, parent, host, port, *a, **kw):
         self.rhost = host
         self.rport = port
 
+        import paramiko.ssh_exception
         msg = 'Connecting to %s:%d via SSH to %s' % (self.rhost, self.rport, self.host)
         with self.waitfor(msg) as h:
             try:
                 self.sock = parent.transport.open_channel('direct-tcpip', (host, port), ('127.0.0.1', 0))
+            except paramiko.ssh_exception.ChannelException as e:
+                # Workaround AllowTcpForwarding no in sshd_config
+                if e.args != (1, 'Administratively prohibited'):
+                    self.exception(str(e))
+                
+                self.debug('Failed to open channel, trying to connect to remote port manually using netcat.')
+                if parent.which('nc'):
+                    ncat = 'nc'
+                elif parent.which('ncat'):
+                    ncat = 'ncat'
+                else:
+                    self.exception('Could not find ncat or nc on remote. Cannot connect to remote port.')
+                self.tunnel = parent.process([ncat, host, str(port)])
+                self.sock = self.tunnel.sock
             except Exception as e:
                 self.exception(str(e))
                 raise
@@ -949,6 +964,7 @@ def process(self, argv=None, executable=None, tty=True, cwd=None, env=None, igno
             self.upload_data(script, tmpfile)
             return tmpfile
 
+        executable = executable or argv[0]
         if self.isEnabledFor(logging.DEBUG):
             execve_repr = "execve(%r, %s, %s)" % (executable,
                                                   argv,
