RS-Shell is reverse shell solution developped in Rust with client, implant and server embedded in the same binary.

This project has been mainly started to learn Rust with a tool that could help me in my work, and the code quality could be greatly improved.

This project is like my Rust sandbox where I can test new things.

RS-Shell implements two modes: TLS over TCP and HTTPS.

  • TLS over TCP mode is a standard reverse shell where the implant executed on the target machine will connect back to the TLS listener, running on the operator’s machine
  • HTTPS mode works more like a C2 infratructure, with an HTTPS server, an implant, and a client:
    • The HTTPS server is executed on a server accessible by both the implant and the client. It is based on the Actix web framework with Rustls
    • The implant is executed on the target machine and will request the server for “new tasks” every 2 seconds (by default, can be changed in the code for the moment)
    • The client is executed on the operator’s machine. It will also connect to the server via HTTPS, and will permit to send the commands to the implant

Windows HTTPS implant is partially proxy aware thanks to the Windows’s WinINet library. T

his means that it is able to identify proxy configuration in the registry and automatically authenticate against it if necessary (if the proxy is not configured via the registry or a WPAD file, this will probably fail, and you will have to indicate the proxy URL and the credentials manually in the implant code).

Client, implant and server are all cross-platform and work on Windows and Linux systems.

For Windows implants, additonal features have been integrated for offensive purpose, and they will be improved in futur commits.

For this purpose, I have chosen to mainly use the official windows_sys crate to interact with the Win32API and the ntapi crate for the NTAPI.

The project is thought in module. This means that you can easily add or remove features to and from it, and you can also easily take parts from it to put them in your own project.

Features

For the moment, the following features are present:

  • Semi-interactive reverse shell via TLS over TCP
  • Semi-interactive reverse shell via HTTPS with a C2 like infrastructure, and a proxy aware Windows implant
  • File upload and download
  • Start a PowerShell interactive session with the ability to patch the AMSI in memory with or without indirect syscalls (only in TCP mode)
  • Loading features :
    • Load and execute a PE in the implant memory, with or without indirect syscalls
    • Load and execute a PE in a remote process memory, with or without indirect syscalls
    • Load and execute a shellcode in a remote process memory, with or without indirect syscalls
  • Autopwn the client machine and elevate the privileges to SYSTEM or root by exploiting a 0day in tcpdump

To perform the indirect syscalls, I use the incredible rust-mordor-rs project initiate by memN0ps. However, I use the version from my repository, which just patches little errors I have found regarding libraries versions and crate imports.

How To

Setup

By default, only the errorwarn and info logs are displayed. If you also need the debug ones (can be usefull for the loading features), you can change this in main.rs by modifying ::log::set_max_level(LevelFilter::Info); to ::log::set_max_level(LevelFilter::Debug);.

TCP Setup

I have set a dummy domain for hostname validation in the connect() function for both clients in TCP mode. If you use a signed certificate for a real server, you can change it and remove the unsecure functions that remove hostname and certs validations.

A new self-signed PKCS12 TLS certificate can be obtained like this:

openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.cer
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.cer

For more information click here.

LEAVE A REPLY

Please enter your comment!
Please enter your name here