Add cmd/unix/reverse_bash_udp payload #11857

Merged
merged 5 commits into from May 24, 2019

3 participants
@bcoles
Contributor

commented May 20, 2019

Shameless ripoff of hdm's reverse_bash (tcp) payload.

May or may not be useful.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-udp

The handler doesn't like the payload being terminated using exit.

msf5 exploit(multi/handler) > run

[*] Started reverse handler on 172.16.191.165:4444 
[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.211:34220) at 2019-05-20 03:51:32 -0400

id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),128(sambashare)
$ exit

[-] Session manipulation failed: Connection refused ["/usr/lib/ruby/2.5.0/socket.rb:452:in `__read_nonblock'", "/usr/lib/ruby/2.5.0/socket.rb:452:in `read_nonblock'", "/var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:72:in `read'", "/var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:202:in `get_once'", "/root/Desktop/metasploit-framework/lib/msf/base/sessions/command_shell.rb:638:in `shell_read'", "/root/Desktop/metasploit-framework/lib/msf/base/sessions/command_shell.rb:758:in `_interact_stream'", "/root/Desktop/metasploit-framework/lib/msf/base/sessions/command_shell.rb:745:in `_interact'", "/root/Desktop/metasploit-framework/lib/rex/ui/interactive.rb:51:in `interact'", "/root/Desktop/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1363:in `cmd_sessions'", "/root/Desktop/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'", "/root/Desktop/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'", "/root/Desktop/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'", "/root/Desktop/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'", "/root/Desktop/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:215:in `cmd_exploit'", "/root/Desktop/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'", "/root/Desktop/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'", "/root/Desktop/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'", "/root/Desktop/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'", "/root/Desktop/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'", "/root/Desktop/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'", "/root/Desktop/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'", "./msfconsole:49:in `<main>'"]

Comparatively, ^C kills it fine.

msf5 exploit(multi/handler) > run

[*] Started reverse handler on 172.16.191.165:4444 
[*] Command shell session 3 opened (172.16.191.165:4444 -> 172.16.191.211:59087) at 2019-05-20 03:51:41 -0400

id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),128(sambashare)
$ ^C
Abort session 3? [y/N]  y
""

[*] 172.16.191.211 - Command shell session 3 closed.  Reason: User exit
msf5 exploit(multi/handler) > 

I presume this is an issue with the handler rather than the payload.

@bcoles bcoles added the payload label May 20, 2019

@wvu-r7 wvu-r7 self-assigned this May 23, 2019

@wvu-r7

wvu-r7 approved these changes May 23, 2019

Contributor

left a comment

LGTM. Gonna give it a test and land. Ideally, I wanted cmd_bash to be cmd, but I feel like we have too much tech debt surrounding it. Maybe another time.

@wvu-r7

Contributor

commented May 23, 2019

Can you test on Ubuntu or OS X? I couldn't get a shell on either unless I added an echo>&#{fd}. When I did, it worked on Ubuntu but not on OS X.

@wvu-r7

Contributor

commented May 23, 2019

Added human_name and changed references to TCP as per #10251.

@wvu-r7 wvu-r7 added the feature label May 24, 2019

@bcoles

Contributor Author

commented May 24, 2019

> Can you test on Ubuntu or OS X? I couldn't get a shell on either unless I added an echo>&#{fd}. When I did, it worked on Ubuntu but not on OS X.

Tested your echo changes. Works on Ubuntu 19.

@wvu-r7 wvu-r7 merged commit 2d6847a into rapid7:master May 24, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

wvu-r7 added a commit that referenced this pull request May 24, 2019

@wvu-r7

Contributor

commented May 24, 2019

Release Notes

This adds the cmd/unix/reverse_bash_udp payload, which uses the /dev/udp pseudo-device within bash to spawn a reverse shell over UDP.
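
For defenders, the /dev/udp mechanism named in the release notes is visible in process command lines. The following is an added detection example, not part of the pull request or of Metasploit; the log format, sample lines, and function names are constructed assumptions, and it also covers the /dev/tcp form.

```python
import re

# Bash itself interprets /dev/udp/HOST/PORT and /dev/tcp/HOST/PORT when they
# are redirection targets: it opens a socket instead of a file, so nothing
# by that name exists on disk. Command-line telemetry still shows the path.
NET_REDIR = re.compile(
    r"(?P<op>\d*(?:<>|>>|>&|&>|<|>))\s*"             # redirection operator, optional fd
    r"[\"']?/dev/(?P<proto>udp|tcp)/"                 # pseudo-device prefix
    r"(?P<host>[^/\s\"']+)/(?P<port>[^\s\"';&|)]+)"   # destination host and port
)

# Assumed log format: "<time> user=<name> pid=<n> cmd=<command line>"
LOG_LINE = re.compile(r"user=(?P<user>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$")

# Constructed sample lines (documentation-range addresses, benign commands).
SAMPLE_LOG = [
    "2024-01-01T10:00:01 user=user pid=3301 cmd=bash -c 'echo hello >/dev/udp/192.0.2.10/4444'",
    "2024-01-01T10:00:07 user=www-data pid=3342 cmd=bash -c 'exec 5<>/dev/tcp/198.51.100.7/8080'",
    "2024-01-01T10:00:09 user=user pid=3350 cmd=grep -c '/dev/udp/host/port' notes.txt",
    "2024-01-01T10:00:12 user=root pid=3361 cmd=ss -lun",
]


def find_net_redirections(cmdline):
    """Return (proto, host, port) for each bash network redirection found."""
    return [(m["proto"], m["host"], m["port"]) for m in NET_REDIR.finditer(cmdline)]


def scan(lines):
    """Return (user, pid, proto, host, port) for every matching log line."""
    findings = []
    for line in lines:
        rec = LOG_LINE.search(line)
        if not rec:
            continue  # not in the assumed format
        for proto, host, port in find_net_redirections(rec["cmd"]):
            findings.append((rec["user"], int(rec["pid"]), proto, host, port))
    return findings


if __name__ == "__main__":
    for user, pid, proto, host, port in scan(SAMPLE_LOG):
        print(f"pid {pid} ({user}): bash {proto} redirection to {host}:{port}")
```

The pattern requires a redirection operator in front of the path, so the grep line that merely mentions the string is not reported.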

@bcoles bcoles deleted the bcoles:reverse_bash_udp branch May 24, 2019

@wvu-r7

Contributor

commented May 24, 2019

Will sort out OS X later.

msjenkins-r7 added a commit that referenced this pull request May 24, 2019
