Merge pull request #231 from 13ph03nix/master

feat: add encrypted shell (TLS) support

CHANGELOG.md

@@ -267,3 +267,8 @@ Cross-platform shell code generation
 -----------------
 * support bind shell in shell mode
 * fix #221
+
+# version 1.8.6
+-----------------
+* support encrypted shell (TLS) in shell mode
+* fix #228

docs/CODING.md

@@ -213,6 +213,8 @@ bind shell 的实现位于 `./pocsuite3/modules/listener/bind_tcp.py`，原理
 
 `bind_telnet_shell`：对 telnet 服务的原生支持，在 shell 模式中 `return bind_telnet_shell(ip, port, username, password)`
 
+从 ***1.8.6*** 版本开始，pocsuite3 支持加密的 shell。PoC 中使用 openssl 的反弹命令（也可以用代码反弹），并且在运行时指定 `--tls` 选项。
+
 7. 结果返回
 
 不管是验证模式或者攻击模式，返回结果 result 中的 key 值必须按照下面的规范来写，result 各字段意义请参见[《PoC 结果返回规范》](#resultstandard)

manpages/poc-console.1

@@ -31,7 +31,7 @@ is maintained at:
 .I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md
 .PP
 .SH VERSION
-This manual page documents pocsuite version 1.8.5
+This manual page documents pocsuite version 1.8.6
 .SH AUTHOR
 .br
 (c) 2014-2021 by Knownsec 404 Team

manpages/pocsuite.1

@@ -161,6 +161,9 @@ Connect back host for target PoC in shell mode
 \fB\-\-lport\fR CONNECT_BACK_PORT
 Connect back port for target PoC in shell mode
 .TP
+\fB\-\-tls\fR
+Enable TLS listener in shell mode
+.TP
 \fB\-\-comparison\fR
 Compare popular web search engines
 .TP
@@ -250,7 +253,7 @@ is maintained at:
 .I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md
 .PP
 .SH VERSION
-This manual page documents pocsuite version 1.8.5
+This manual page documents pocsuite version 1.8.6
 .SH AUTHOR
 .br
 (c) 2014-2021 by Knownsec 404 Team

pocsuite3/__init__.py

@@ -1,5 +1,5 @@
 __title__ = 'pocsuite'
-__version__ = '1.8.5'
+__version__ = '1.8.6'
 __author__ = 'Knownsec Security Team'
 __author_email__ = '[email protected]'
 __license__ = 'GPL 2.0'

pocsuite3/lib/core/option.py

@@ -564,6 +564,7 @@ def _set_conf_attributes():
     conf.rule_req = False
     conf.rule_filename = None
     conf.show_options = False
+    conf.enable_tls_listener = False
 
 
 def _set_kb_attributes(flush_all=True):

pocsuite3/lib/core/settings.py

@@ -9,13 +9,22 @@
 VERSION = __version__
 REVISION = get_revision_number()
 SITE = "http://pocsuite.org"
-VERSION_STRING = "pocsuite/%s%s" % (VERSION, "-%s" % REVISION if REVISION else "-nongit-%s" % time.strftime("%Y%m%d",
-                                                                                                            time.gmtime(
-                                                                                                                os.path.getctime(
-                                                                                                                    __file__.replace(
-                                                                                                                        '.pyc',
-                                                                                                                        '.py') if __file__.endswith(
-                                                                                                                        'pyc') else __file__))))
+VERSION_STRING = "pocsuite/%s%s" % (
+    VERSION,
+    "-%s" % REVISION
+    if REVISION
+    else "-nongit-%s"
+    % time.strftime(
+        "%Y%m%d",
+        time.gmtime(
+            os.path.getctime(
+                __file__.replace(".pyc", ".py")
+                if __file__.endswith("pyc")
+                else __file__
+            )
+        ),
+    ),
+)
 
 IS_WIN = True if (sys.platform in ["win32", "cygwin"] or os.name == "nt") else False
 PLATFORM = os.name
@@ -26,22 +35,32 @@
 GIT_PAGE = "https://github.com/knownsec/pocsuite3"
 ZIPBALL_PAGE = "https://github.com/knownsec/pocsuite3/zipball/master"
 
-LEGAL_DISCLAIMER = "Usage of pocsuite for attacking targets without prior mutual consent is illegal."
+LEGAL_DISCLAIMER = (
+    "Usage of pocsuite for attacking targets without prior mutual consent is illegal."
+)
 
 BANNER = """\033[01;33m
 ,------.                        ,--. ,--.       ,----.   \033[01;37m{\033[01;%dm%s\033[01;37m}\033[01;33m
-|  .--. ',---. ,---.,---.,--.,--`--,-'  '-.,---.'.-.  | 
-|  '--' | .-. | .--(  .-'|  ||  ,--'-.  .-| .-. : .' <  
-|  | --'' '-' \ `--.-'  `'  ''  |  | |  | \   --/'-'  | 
-`--'     `---' `---`----' `----'`--' `--'  `----`----'   \033[0m\033[4;37m%s\033[0m                                            
-""" % ((31 + hash(REVISION) % 6) if REVISION else 30, VERSION_STRING.split('/')[-1], SITE)
+|  .--. ',---. ,---.,---.,--.,--`--,-'  '-.,---.'.-.  |
+|  '--' | .-. | .--(  .-'|  ||  ,--'-.  .-| .-. : .' <
+|  | --'' '-' \ `--.-'  `'  ''  |  | |  | \   --/'-'  |
+`--'     `---' `---`----' `----'`--' `--'  `----`----'   \033[0m\033[4;37m%s\033[0m
+""" % (
+    (31 + hash(REVISION) % 6) if REVISION else 30,
+    VERSION_STRING.split("/")[-1],
+    SITE,
+)
 
 # Encoding used for Unicode data
 UNICODE_ENCODING = "utf-8"
 
 DEFAULT_USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36"
 
-BOLD_PATTERNS = ("' is vulnerable", "success", "\d    ",)
+BOLD_PATTERNS = (
+    "' is vulnerable",
+    "success",
+    "\d    ",
+)
 
 OLD_VERSION_CHARACTER = ("from comm import cmdline", "from comm import generic")
 POCSUITE_VERSION_CHARACTER = ("from pocsuite.poc import", "from pocsuite.net import")
@@ -67,12 +86,16 @@
 IPV6_ADDRESS_REGEX = r"^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$"
 IPV6_URL_REGEX = r"(https?:\/\/)?\[((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\](:\d+)?(\/)?"
 URL_ADDRESS_REGEX = r"(?:(?:https?):\/\/|www\.|ftp\.)(?:\([-a-zA-Z0-9+&@#\/%=~_|$?!:,.]*\)|[-a-zA-Z0-9+&@#\/%=~_|$?!:,.])*(?:\([-a-zA-Z0-9+&@#\/%=~_|$?!:,.]*\)|[a-zA-Z0-9+&@#\/%=~_|$])"
-URL_DOMAIN_REGEX = r"(?:www)?(?:[\w-]{2,255}(?:\.\w{2,6}){1,3})(?:/[\w&%?#-]{1,300})?(?:\:\d+)?"
-LOCAL_IP_ADDRESS_REGEX = r"(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)"
+URL_DOMAIN_REGEX = (
+    r"(?:www)?(?:[\w-]{2,255}(?:\.\w{2,6}){1,3})(?:/[\w&%?#-]{1,300})?(?:\:\d+)?"
+)
+LOCAL_IP_ADDRESS_REGEX = (
+    r"(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)"
+)
 
 POC_REQUIRES_REGEX = r"install_requires\s*=\s*\[(?P<result>.*?)\]"
 
-POC_NAME_REGEX = r'''(?sm)POCBase\):.*?name\s*=\s*['"](?P<result>.*?)['"]'''
+POC_NAME_REGEX = r"""(?sm)POCBase\):.*?name\s*=\s*['"](?P<result>.*?)['"]"""
 
 MAX_NUMBER_OF_THREADS = 20
 
@@ -81,17 +104,69 @@
 # Maximum number of lines to save in history file
 MAX_HISTORY_LENGTH = 1000
 
-IMG_EXT = ('.jpg', '.png', '.gif')
+IMG_EXT = (".jpg", ".png", ".gif")
 
-TIMESTAMP = time.strftime('%Y%m%d%H%M%S', time.gmtime())
+TIMESTAMP = time.strftime("%Y%m%d%H%M%S", time.gmtime())
 OS_SYSTEM = system().upper()
 OS_ARCH = machine()
 
 # Cmd line parse whitelist
-CMD_PARSE_WHITELIST = ['version', 'update', 'url', 'file', 'verify', 'attack', 'shell', 'cookie', 'host', 'referer',
-                       'user-agent', 'random-agent', 'proxy', 'proxy-cred', 'timeout', 'retry', 'delay', 'headers',
-                       'login-user', 'login-pass', 'dork', 'dork-shodan', 'dork-censys', 'dork-zoomeye', 'dork-fofa','dork-quake',
-                       'max-page', 'search-type', 'shodan-token', 'fofa-user', 'fofa-token', 'quake-token','vul-keyword', 'ssv-id',
-                       'lhost', 'lport', 'plugins', 'pocs-path', 'threads', 'batch', 'requires', 'quiet', 'poc',
-                       'verbose', 'mode', 'api', 'connect_back_host', 'connect_back_port', 'ppt', 'help', 'pcap',
-                       'rule','rule-req','rule-filename','dork-b64', 'options']
+CMD_PARSE_WHITELIST = [
+    "version",
+    "update",
+    "url",
+    "file",
+    "verify",
+    "attack",
+    "shell",
+    "cookie",
+    "host",
+    "referer",
+    "user-agent",
+    "random-agent",
+    "proxy",
+    "proxy-cred",
+    "timeout",
+    "retry",
+    "delay",
+    "headers",
+    "login-user",
+    "login-pass",
+    "dork",
+    "dork-shodan",
+    "dork-censys",
+    "dork-zoomeye",
+    "dork-fofa",
+    "dork-quake",
+    "max-page",
+    "search-type",
+    "shodan-token",
+    "fofa-user",
+    "fofa-token",
+    "quake-token",
+    "vul-keyword",
+    "ssv-id",
+    "lhost",
+    "lport",
+    "plugins",
+    "pocs-path",
+    "threads",
+    "batch",
+    "requires",
+    "quiet",
+    "poc",
+    "verbose",
+    "mode",
+    "api",
+    "connect_back_host",
+    "connect_back_port",
+    "ppt",
+    "help",
+    "pcap",
+    "rule",
+    "rule-req",
+    "rule-filename",
+    "dork-b64",
+    "options",
+    "tls",
+]

pocsuite3/lib/parse/cmd.py

@@ -64,7 +64,7 @@ def cmd_line_parser(argv=None):
         request.add_argument("--delay", dest="delay", help="Delay between two request of one thread")
         request.add_argument("--headers", dest="headers", help="Extra headers (e.g. \"key1: value1\\nkey2: value2\")")
         # Account options
-        group = parser.add_argument_group("Account", "Telnet404、Shodan、CEye、Fofa account options")
+        group = parser.add_argument_group("Account", "Telnet404, Shodan, CEye, Fofa account options")
         group.add_argument("--login-user", dest="login_user", help="Telnet404 login user")
         group.add_argument("--login-pass", dest="login_pass", help="Telnet404 login password")
         group.add_argument("--shodan-token", dest="shodan_token", help="Shodan token")
@@ -74,7 +74,7 @@ def cmd_line_parser(argv=None):
         group.add_argument("--censys-uid", dest="censys_uid", help="Censys uid")
         group.add_argument("--censys-secret", dest="censys_secret", help="Censys secret")
         # Modules options
-        modules = parser.add_argument_group("Modules", "Modules(Seebug、Zoomeye、CEye、Fofa、Quake Listener) options")
+        modules = parser.add_argument_group("Modules", "Modules(Seebug, Zoomeye, CEye, Fofa, Quake, Listener) options")
         modules.add_argument("--dork", dest="dork", action="store", default=None,
                              help="Zoomeye dork used for search.")
         modules.add_argument("--dork-zoomeye", dest="dork_zoomeye", action="store", default=None,
@@ -99,6 +99,8 @@ def cmd_line_parser(argv=None):
                              help="Connect back host for target PoC in shell mode")
         modules.add_argument("--lport", dest="connect_back_port", action="store", default=None,
                              help="Connect back port for target PoC in shell mode")
+        modules.add_argument("--tls", dest="enable_tls_listener", action="store_true", default=False,
+                             help="Enable TLS listener in shell mode")
         modules.add_argument("--comparison", dest="comparison", help="Compare popular web search engines",
                              action="store_true",
                              default=False)
@@ -133,7 +135,7 @@ def cmd_line_parser(argv=None):
         # Diy options
         diy = parser.add_argument_group("Poc options", "definition options for PoC")
         diy.add_argument("--options", dest="show_options", action="store_true", default=False,
-                                  help="Show all definition options")
+                         help="Show all definition options")
 
         for line in argv:
             if line.startswith("--"):