
Super small Shell Bind TCP Random Port Payload (x86) #11370

Closed
wants to merge 1 commit into
base: master
from

4 participants

Ekzorcist commented Feb 8, 2019

Hello, folks!
Let me share Super small random port TCP bind shell (x86).

This payload is the tiniest possible of its kind (44 bytes!), since it uses nc to open a random port.
Use nmap to discover the open port: 'nmap -sS -p- target'.
More details can be found here: https://www.exploit-db.com/exploits/41631

Tested on Linux 4.9.0-7-amd64 #1 SMP Debian 4.9.110-1 (2018-07-05) x86_64 GNU/Linux

@bcoles bcoles added the payload label Feb 8, 2019

busterb (Contributor) commented Feb 8, 2019

This is interesting, congrats on your first pull request!

I don't think we'd want this in Metasploit as-is though, since it kind of breaks in the context of a module. Maybe try to make something that pairs with a special bind 'listener' that can also do the scan automatically? Otherwise, I think this is just going to be confusing since it can't work out of the box.

@busterb busterb closed this Feb 8, 2019

@Ekzorcist Ekzorcist deleted the Ekzorcist:new branch Feb 9, 2019

Ekzorcist (Author) commented Feb 9, 2019

Actually, my shellcode was going to upgrade/complement the old one, https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb, whose size is 57.

The functionality is virtually the same, but the size is SIGNIFICANTLY smaller (44 against 57!), which makes it unique in its kind.

It will be a pity if the community does not get such an option!
What do you think, guys?

@Ekzorcist Ekzorcist restored the Ekzorcist:new branch Feb 9, 2019

@Ekzorcist Ekzorcist changed the title Add Super Small Shell Bind TCP Random Port Payload (x86) The smallest ever Shell Bind TCP Random Port Payload (x86) Feb 9, 2019

@Ekzorcist Ekzorcist changed the title The smallest ever Shell Bind TCP Random Port Payload (x86) The smallest Shell Bind TCP Random Port Payload (x86) Feb 9, 2019

@Ekzorcist Ekzorcist changed the title The smallest Shell Bind TCP Random Port Payload (x86) Super small Shell Bind TCP Random Port Payload (x86) Feb 9, 2019

timwr (Contributor) commented Feb 9, 2019

I'd be happy to see this landed as is. The handler could be added later in a separate PR.
One thing that would be worth adding is to use metasm instead of raw shellcode bytes, as it makes it much more readable.
A good example of a metasm payload is here: https://github.com/rapid7/metasploit-framework/pull/11039/files

Ekzorcist (Author) commented Feb 9, 2019

Sure! I will add metasm! This is a good idea)!

Ekzorcist (Author) commented Feb 9, 2019

Hello, folks!
Please review it: #11374

Ekzorcist (Author) commented Feb 9, 2019

busterb, could you please reopen the current request in order to advance with #11374?
The payload is undoubtedly interesting, as you have mentioned! And a handler could be added later in a separate PR.
Let me repeat that the current payload is unique in its class due to its tiny size!

Thank you in advance!

Ekzorcist (Author) commented Feb 11, 2019

timwr, metasm commit is ready! What shall we do to go further?
