
       Name: HTTP Fetch, Linux Command Shell, Reverse TCP Stager (IPv6)
     Module: payload/cmd/linux/http/x86/shell/reverse_ipv6_tcp
   Platform: Linux
       Arch: cmd
Needs Admin: No
 Total size: 111
       Rank: Normal

Provided by:
    Brendan Watters
    Spencer McIntyre
    skape <mmiller@hick.org>
    kris katterjohn <katterjohn@gmail.com>

Basic options:
Name            Current Setting  Required  Description
----            ---------------  --------  -----------
FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE    false            yes       Attempt to delete the binary after execution
FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST                    no        Local IP to use for serving payload
FETCH_SRVPORT   8080             yes       Local port to use for serving payload
FETCH_URIPATH                    no        Local URI to use for serving payload
LHOST                            yes       The listen address (an interface may be specified)
LPORT           4444             yes       The listen port
SCOPEID         0                no        IPv6 scope ID, for link-local addresses


When FETCH_COMMAND is one of CURL,WGET:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


When FETCH_FILELESS is none:

Name                Current Setting  Required  Description
----                ---------------  --------  -----------
FETCH_FILENAME      AyqIvKLrYhI      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces

Description:
    Fetch and execute a x86 payload from an HTTP server.
    Spawn a command shell (staged).

    Connect back to attacker over IPv6


    Name                        Current Setting  Required  Description
    ----                        ---------------  --------  -----------
    AppendExit                  false            no        Prepend a stub that will break out of a chroot (includes setreuid to root)
    AutoRunScript                                no        A script to run automatically on session creation.
    AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
    CommandShellCleanupCommand                   no        A command to run before the session is closed
    EXE::Custom                                  no        Use custom exe instead of automatically generating a payload exe
    EXE::EICAR                  false            no        Generate an EICAR file instead of regular payload exe
    EXE::FallBack               false            no        Use the default template in case the specified one is missing
    EXE::Inject                 false            no        Set to preserve the original EXE function
    EXE::OldMethod              false            no        Set to use the substitution EXE generation method.
    EXE::Path                                    no        The directory in which to look for the executable template
    EXE::Template                                no        The executable template file name.
    EnableStageEncoding         false            no        Encode the second stage payload
    FetchHandlerDisable         false            yes       Disable fetch handler
    FetchHttpServerName         Apache           yes       Fetch HTTP server name
    FetchListenerBindAddress                     no        The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
    FetchListenerBindPort                        no        The port to bind to if different from FETCH_SRVPORT
    InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
    MSI::Custom                                  no        Use custom msi instead of automatically generating a payload msi
    MSI::EICAR                  false            no        Generate an EICAR file instead of regular payload msi
    MSI::Path                                    no        The directory in which to look for the msi template
    MSI::Template                                no        The msi template file name
    MSI::UAC                    false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
    PayloadUUIDName                              no        A human-friendly name to reference this unique payload (requires tracking)
    PayloadUUIDRaw                               no        A hex string representing the raw 8-byte PUID value for the UUID
    PayloadUUIDSeed                              no        A string to use when generating the payload UUID (deterministic)
    PayloadUUIDTracking         false            yes       Whether or not to automatically register generated UUIDs
    PingbackRetries             0                yes       How many additional successful pingbacks
    PingbackSleep               30               yes       Time (in seconds) to sleep between pingbacks
    PrependChrootBreak          false            no        Prepend a stub that will break out of a chroot (includes setreuid to root)
    PrependFork                 false            no        Prepend a stub that starts the payload in its own process via fork
    PrependSetgid               false            no        Prepend a stub that executes the setgid(0) system call
    PrependSetregid             false            no        Prepend a stub that executes the setregid(0, 0) system call
    PrependSetresgid            false            no        Prepend a stub that executes the setresgid(0, 0, 0) system call
    PrependSetresuid            false            no        Prepend a stub that executes the setresuid(0, 0, 0) system call
    PrependSetreuid             false            no        Prepend a stub that executes the setreuid(0, 0) system call
    PrependSetuid               false            no        Prepend a stub that executes the setuid(0) system call
    ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
    ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
    ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
    ReverseListenerComm                          no        The specific communication channel to use for this listener
    ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
    StageEncoder                                 no        Encoder to use if EnableStageEncoding is set
    StageEncoderSaveRegisters                    no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
    StageEncodingFallback       true             no        Fallback to no encoding if the selected StageEncoder is not compatible
    StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
    StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
    VERBOSE                     false            no        Enable detailed status messages
    WORKSPACE                                    no        Specify the workspace for this module

