Documentation
Overview
Payload related functions and actions
The payload package contains a collection of universally applicable functions for payloads, sub-packages containing specific payloads, and any specific payloads that do not fit into the other sub-package types.
Index
- Constants
- Variables
- func Base64EncodeForBash(cmd string) string
- func Base64EncodeForGroovyEval(cmd string) string
- func Base64EncodeForPHPEval(cmd string) string
- func EncodeCommandBrace(cmd string) string
- func EncodeCommandIFS(cmd string) string
- func PHPIconvFilter(chain string) string
- type Arch
- type Effect
- type Effects
- type Supported
- type Type
Constants

    const (
        NotDefault bool = false
        Default         = true
    )

Variables

    var (
        NoEffects      = Effects{}
        UnknownEffects = Effects{
            Unknown: []string{"The effects of this exploit are unknown at this time"},
        }
    )

Functions
func Base64EncodeForBash added in v1.16.0
Base64 encodes the command. Wraps it in logic to base64 decode and pipe to bash.
func Base64EncodeForGroovyEval added in v1.16.0
Base64 encodes the command. Wraps it in logic to base64 decode and evaluate it in Groovy.
func Base64EncodeForPHPEval added in v1.19.0
Base64 encodes the command. Wraps it in logic to base64 decode and evaluate it in PHP.
func EncodeCommandBrace
func EncodeCommandIFS
func PHPIconvFilter added in v1.20.0
Creates a valid PHP filter string from an input. Normally these are PHP payloads, but there are exceptions. This is based on the techniques identified in: https://gynvael.coldwind.pl/?id=671
Types
type Arch added in v1.52.0

    type Arch int

Arch represents generalized architecture support for payload selection disambiguation and metadata. This allows a payload to explicitly declare which architectures it supports and can be used by an exploit to change behavior dynamically if required.
func ArchFromString added in v1.52.0
ArchFromString returns the architecture type from a string.
type Effect added in v1.52.0

    type Effect int

Effect is the type of impact a portion of the exploit employs and any target system side effects. These are relatively loosely defined and focused on the combination between indicators-of-compromise, payload default behavior, and types of network traffic. The payload.Effects map provides a way to define multiple types of effects and define the metadata as arbitrary strings.

    const (
        FileCreate Effect = 1 << iota
        FileOverwrite
        FileDelete
        Execute
        InMemory
        ConfigChanges
        IndicatorInLogs
        AccountLockout
        Physical
        WebRequest
        ReverseShellTCP
        ReverseShellUDP
        ReverseShellTLS
        Unknown
        ReverseShellSSL Effect = ReverseShellTLS
    )

type Effects added in v1.52.0
Effects represents an exploit's impact on the target, network, and potential side-effects caused by its usage. An effect can happen multiple times and a human readable string describing the context can be used. For example, an effect for an exploit that creates 2 files can be defined as follows:

    payload.Effects{
        payload.FileCreate: []string{"/var/www/html/pwnt", "/var/www/html/pwnt2"},
    }

These effects are currently only used for metadata definitions and details flags.
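Because the declared effects are metadata, they can also drive a post-test cleanup check. The following is an added example, not code from the payload package: the `Effect` and `Effects` stand-ins reproduce only a subset of the documented constants with assumed shapes, and `Audit`, `fileWrites` and the observed file listing are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-ins for the documented Effect flags and Effects map (assumed shapes,
// subset of the constants) so the example builds without the framework.
type Effect int
type Effects map[Effect][]string

const (
	FileCreate Effect = 1 << iota
	FileOverwrite
	FileDelete
	Execute
)

// Each Effect is a single bit, so related effects combine into one mask.
const fileWrites = FileCreate | FileOverwrite

// Audit (hypothetical helper) compares declared file-write effects with paths
// observed on a host after a test run: still present vs. not found, sorted.
func Audit(e Effects, observed map[string]bool) (present, absent []string) {
	for effect, paths := range e {
		if effect&fileWrites == 0 {
			continue // not a file-write effect, e.g. Execute
		}
		for _, p := range paths {
			if observed[p] {
				present = append(present, p)
			} else {
				absent = append(absent, p)
			}
		}
	}
	sort.Strings(present)
	sort.Strings(absent)
	return present, absent
}

func main() {
	declared := Effects{FileCreate: {"/var/www/html/pwnt", "/var/www/html/pwnt2"}, Execute: {"sample command"}}
	// Constructed file listing: only one of the two declared files is still on disk.
	observed := map[string]bool{"/var/www/html/pwnt2": true, "/var/www/html/index.php": true}
	fmt.Println(Audit(declared, observed))
}
```

Paths returned in the first slice are declared artifacts that remain on the host and still need cleanup.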
type Supported added in v1.52.0
The Supported struct is passed to exploit definitions for calling RunExploit and informs the exploit of the types, architecture, effects, and whether a payload is the default type the exploit should use. An exploit developer can add support for a payload type to an exploit with config.AddPayload, which in turn enables the contextual flags for custom payload usage.
If Default is set, the exploit will use that payload. If only a single payload is defined, Default does not have to be set. If multiple payloads are defined and none has Default set, the exploit logic selects the first processed supported type.
Defining multiple payloads enables the -payload-type flag, which allows string selection between the supported payloads. In addition, using multiple payloads of the same type but with different architectures enables the -payload-arch flag to allow further selection.
An example of defining multiple payloads, so that an exploit supports either command execution or a payload upload for multiple architectures, follows:

    []payload.Supported{
        {
            Type:    payload.GenericCommand,
            Arch:    payload.None,
            Effects: payload.NoEffects,
            Default: true,
        },
        {
            Type:    payload.LinuxELF,
            Arch:    payload.AMD64,
            Effects: payload.NoEffects,
        },
        {
            Type:    payload.LinuxELF,
            Arch:    payload.ARM64,
            Effects: payload.Effects{
                payload.FileCreate: []string{"/var/www/html/pwnt", "/var/www/html/pwnt2"},
            },
        },
    }

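The selection rules described above can be modelled in a few lines. This is an added example, not the framework's own implementation: the types are local stand-ins with assumed shapes, `Resolve` is a hypothetical helper, and it assumes "first processed" means first in the list and that the first entry marked Default wins if several are marked.

```go
package main

import "fmt"

// Stand-ins for the payload package's types (assumed shapes).
type Type int
type Arch int

const (
	GenericCommand Type = iota
	LinuxELF
)
const (
	None Arch = iota
	AMD64
	ARM64
)

type Supported struct {
	Type    Type
	Arch    Arch
	Default bool
}

// Resolve (hypothetical helper): an explicit Default wins, otherwise the first
// listed payload is used. Also reports if -payload-type / -payload-arch apply.
func Resolve(list []Supported) (chosen Supported, typeFlag, archFlag bool) {
	if len(list) == 0 {
		return chosen, false, false
	}
	chosen = list[0]
	first := map[Type]Arch{} // first architecture seen for each Type
	for _, s := range list {
		if s.Default && !chosen.Default {
			chosen = s
		}
		if a, ok := first[s.Type]; !ok {
			first[s.Type] = s.Arch
		} else if a != s.Arch {
			archFlag = true // same Type offered for another architecture
		}
	}
	return chosen, len(list) > 1, archFlag
}

func main() {
	fmt.Println(Resolve([]Supported{
		{GenericCommand, None, true}, {LinuxELF, AMD64, false}, {LinuxELF, ARM64, false},
	}))
}
```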
type Type added in v1.52.0

    type Type int

Type defines the different types a payload can be. These fall into 2 buckets: command and payload based. We define each of the types to be specific both for exploit payload metadata, but also because it is possible to support an exploit that targets different types depending on required behavior.

    const (
        // GenericCommand is used for arbitrary command line execution
        // without OS specificity.
        GenericCommand Type = iota
        // WindowsCommand is used for command line execution, generally via
        // cmd.exe or local execution on Windows systems.
        WindowsCommand
        // WindowsPowerShellCommand represents command line execution of PowerShell.
        WindowsPowerShellCommand
        // MacCommand is used for command line execution on a macOS system.
        MacCommand
        // LinuxCommand is used for shell execution in a Linux environment.
        LinuxCommand
        // LinuxELF is used for payloads containing ELF binaries for execution.
        LinuxELF
        // LinuxSO is used for payloads containing ELF shared object
        // binaries for execution via some library loading mechanism or via
        // dropping.
        LinuxSO
        // WindowsEXE is used for Windows PE executable files.
        WindowsEXE // PE
        // WindowsDLL is used for Windows DLL file binaries for execution
        // via some library loading mechanism or via dropping.
        WindowsDLL
        // Webshell is used for arbitrary web shells that represent
        // payloads that get dropped to targets.
        Webshell
        UnspecifiedType
    )

func TypeFromString added in v1.52.0
func (Type) IsCommand added in v1.52.0
Reports whether the payload type should be categorized as a command. This can be used to check if the selected type is a command payload type without doing type comparisons. An example of its usage in combination with a custom payload can be seen below:

    if conf.HasCustomPayload() {
        if conf.SelectedPayload.Type.IsCommand() {
            output.PrintfStatus("using '%s' in place of default", string(conf.CustomPayload))
        } else {
            output.PrintfStatus("using binary len %d in place of default", len(string(conf.CustomPayload)))
        }
    }

func (Type) IsPayload added in v1.52.0
Reports whether the payload type should be categorized as a payload based type. This can be used to check if the selected type is a payload type without doing type comparisons. An example of its usage in combination with a custom payload can be seen below:

    if conf.HasCustomPayload() {
        if conf.SelectedPayload.Type.IsPayload() {
            output.PrintfStatus("using binary len %d in place of default", len(string(conf.CustomPayload)))
        } else {
            output.PrintfStatus("using '%s' in place of default", string(conf.CustomPayload))
        }
    }

Directories

| Path | Synopsis |
|---|---|
| | Bind shell payloads & listeners. |
| | File dropper download and execute payloads. |
| | file planting based payloads. |
| | Reverse shell and command payloads. |
| | Webshell payloads |