Name: TFTP Fetch, Linux Command Shell, Bind TCP Stager
Module: payload/cmd/linux/tftp/x86/shell/bind_nonx_tcp
Platform: Linux
Arch: cmd
Needs Admin: No
Total size: 114
Rank: Normal

Provided by:
  Brendan Watters
  Spencer McIntyre
  skape <mmiller@hick.org>

Basic options:

Name            Current Setting  Required  Description
----            ---------------  --------  -----------
FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE    false            yes       Attempt to delete the binary after execution
FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
FETCH_SRVHOST                    yes       Local IP to use for serving payload
FETCH_SRVONCE   true             yes       Stop serving the payload after it is retrieved
FETCH_SRVPORT   8080             yes       Local port to use for serving payload
FETCH_URIPATH                    no        Local URI to use for serving payload
LPORT           4444             yes       The listen port
RHOST                            no        The target address

When FETCH_COMMAND is one of CURL,WGET:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.

When FETCH_FILELESS is none:

Name                Current Setting  Required  Description
----                ---------------  --------  -----------
FETCH_FILENAME      WlPZFdeTUcLW     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces

Description:
  Fetch and execute a x86 payload from a TFTP server.
  Spawn a command shell (staged).

  Listen for a connection

Name                        Current Setting  Required  Description
----                        ---------------  --------  -----------
AppendExit                  false            no        Prepend a stub that will break out of a chroot (includes setreuid to root)
AutoRunScript                                no        A script to run automatically on session creation.
AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
CommandShellCleanupCommand                   no        A command to run before the session is closed
EXE::Custom                                  no        Use custom exe instead of automatically generating a payload exe
EXE::EICAR                  false            no        Generate an EICAR file instead of regular payload exe
EXE::FallBack               false            no        Use the default template in case the specified one is missing
EXE::Inject                 false            no        Set to preserve the original EXE function
EXE::OldMethod              false            no        Set to use the substitution EXE generation method.
EXE::Path                                    no        The directory in which to look for the executable template
EXE::Template                                no        The executable template file name.
EnableStageEncoding         false            no        Encode the second stage payload
FetchHandlerDisable         false            yes       Disable fetch handler
FetchListenerBindAddress                     no        The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
FetchListenerBindPort                        no        The port to bind to if different from FETCH_SRVPORT
InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
MSI::Custom                                  no        Use custom msi instead of automatically generating a payload msi
MSI::EICAR                  false            no        Generate an EICAR file instead of regular payload msi
MSI::Path                                    no        The directory in which to look for the msi template
MSI::Template                                no        The msi template file name
MSI::UAC                    false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PayloadUUIDName                              no        A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw                               no        A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed                              no        A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking         false            yes       Whether or not to automatically register generated UUIDs
PingbackRetries             0                yes       How many additional successful pingbacks
PingbackSleep               30               yes       Time (in seconds) to sleep between pingbacks
PrependChrootBreak          false            no        Prepend a stub that will break out of a chroot (includes setreuid to root)
PrependFork                 false            no        Prepend a stub that starts the payload in its own process via fork
PrependSetgid               false            no        Prepend a stub that executes the setgid(0) system call
PrependSetregid             false            no        Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid            false            no        Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid            false            no        Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid             false            no        Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid               false            no        Prepend a stub that executes the setuid(0) system call
StageEncoder                                 no        Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters                    no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback       true             no        Fallback to no encoding if the selected StageEncoder is not compatible
VERBOSE                     false            no        Enable detailed status messages
WORKSPACE                                    no        Specify the workspace for this module