Implement a reverse SSH shell using nothing but the on-target SSH
client and a fifo in the same manner as used by netcat payloads.
This is not forensically sound as the fifo will be caught by HIDS,
filesystem snapshots, and other defensive measures. However, it
does provide a way out from almost any modern POSIX system as they
nearly all have an SSH client in one form or another.
Convert existing Ruby reverse SSH payloads to use dynamic cached
payload sizing.
Implement a command-only session type over the HrrRbSsh client
Connection Channels' file descriptors, adjust from base command
session to deal with the separate reader/writer IOs. Technically,
a TTY session works out of the box here as well.
Implement a pair of showcase Ruby payloads using net/ssh to call
back to the handler, create a shell channel, and loop piping I/O
between framework session and client via the Ruby backtick exec.
Next Steps:
Command payloads need to be written for every major interpreted
language as well as some sort of bashism a la openssl_double if
it comes to that, but preferably single socket implementation.
Testing:
Very minimal, needs a good run through by the community and R7
Not all payloads compatible with TCP stagers are compatible with UDP
stagers, so assuming sockedi is not sufficient to ensure compatibility.
This adds a udpsockedi which pairs compatible payloads together.
Update metasm generated shellcode blocks to cobble together an
RC4 decryption routine with a bind-socket handler for x64 targets.
Expose via new payload module
The original payload left the binary behind, which could be
then used by someone else intentionally or otherwise. This
addition cleans up the module by removing it after running.
Update vax shell_reverse_tcp.rb to fix ReverseTcp NameError
Error:
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb:24:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
After adding this line the error dissapeared for me and I was able to run msfconsole again.
RageLtMan