Initial implementation of ShellTunnel

Author: j-baines

.golangci.yml

@@ -57,7 +57,7 @@ linters:
     - importas
     - interfacebloat
     - intrange
-    - lll
+    #- lll
     - loggercheck
     - makezero
     - mirror
@@ -93,8 +93,6 @@ linters:
 
 
 linters-settings:
-  lll:
-    line-length: 160
   cyclop:
     max-complexity: 25
 issues:
@@ -111,10 +109,13 @@ issues:
       linters:
         - staticcheck
       text: SA1019
+    - path: c2/shelltunnel/shelltunnel.go
+      linters:
+        - staticcheck
+      text: SA1019
+    - path: cli/commandline_test.go
+      linters:
+        - staticcheck
+      text: SA1019
   exclude-files:
-     - protocol/mikrotik/mikrotik_test.go
      - protocol/mikrotik/msg.go
-     - protocol/rocketmq/remoting.go
-     - protocol/payloads
-     - cli/commandline_test.go
-     - payload/wrapper_test.go

c2/factory.go

@@ -5,6 +5,7 @@ import (
 	"github.com/vulncheck-oss/go-exploit/c2/external"
 	"github.com/vulncheck-oss/go-exploit/c2/httpservefile"
 	"github.com/vulncheck-oss/go-exploit/c2/httpserveshell"
+	"github.com/vulncheck-oss/go-exploit/c2/shelltunnel"
 	"github.com/vulncheck-oss/go-exploit/c2/simpleshell"
 	"github.com/vulncheck-oss/go-exploit/c2/sslshell"
 	"github.com/vulncheck-oss/go-exploit/output"
@@ -35,6 +36,7 @@ const (
 	HTTPServeFileCategory     category = 3
 	HTTPServeShellCategory    category = 4
 	ExternalCategory          category = 5
+	ShellTunnelCategory       category = 6
 )
 
 // Simplified names in order to keep the old calling convention and allow
@@ -45,6 +47,7 @@ var (
 	SSLShellServer    = internalSupported["SSLShellServer"]
 	HTTPServeFile     = internalSupported["HTTPServeFile"]
 	HTTPServeShell    = internalSupported["HTTPServeShell"]
+	ShellTunnel       = internalSupported["ShellTunnel"]
 	// We do not want external to be called directly because external
 	// internally is not useful.
 )
@@ -60,7 +63,8 @@ var internalSupported = map[string]Impl{
 	"HTTPServeShell":    {Name: "HTTPServeShell", Category: HTTPServeShellCategory},
 	// Insure the internal supported External module name is an error if used
 	// directly.
-	"External": {Name: "", Category: InvalidCategory},
+	"External":    {Name: "", Category: InvalidCategory},
+	"ShellTunnel": {Name: "ShellTunnel", Category: ShellTunnelCategory},
 }
 
 // Add an external C2 to the supported list. Use this to integrate a new C2
@@ -99,6 +103,8 @@ func GetInstance(implementation Impl) (Interface, bool) {
 		if implementation.Name != "" {
 			return external.GetInstance(implementation.Name), true
 		}
+	case ShellTunnelCategory:
+		return shelltunnel.GetInstance(), true
 	case InvalidCategory:
 		// Calling your external C2 as explicitly invalid is odd.
 		output.PrintFrameworkError("Invalid C2 Server")
@@ -126,6 +132,8 @@ func CreateFlags(implementation Impl) {
 		if implementation.Name != "" {
 			external.GetInstance(implementation.Name).CreateFlags()
 		}
+	case ShellTunnelCategory:
+		shelltunnel.GetInstance().CreateFlags()
 	case InvalidCategory:
 		// Calling your external C2 as explicitly invalid is odd.
 		output.PrintFrameworkError("Invalid C2 Server")

docs/c2.md

@@ -9,6 +9,7 @@ In `go-exploit`, the command and control (C2) provides very basic second stage a
 3. *SSLShellServer* - An encrypted shell via a reverse shell.
 4. *HTTPServeFile* - An HTTP server that serves a user provided file (e.g. to server a Meterpreter payload).
 5. *HTTPServeShell* - An HTTP server that serves a user provided binary that will connect back to the exploit for `SSLShellServer` or `SimpleShellServer`.
+6. *ShellTunnel* - A C2 that will catch a reverse shell, connect to a listener, and proxy the data between the two.
 
 `go-exploit` also supports a `-o` option which means "The c2 is handled by an outside program so don't expect any type of connect back."