metasploit-framework/lib/msf/core/payload/aix.rb

175 lines
4.1 KiB
Ruby
Raw Normal View History

require 'msf/core'
require 'msf/core/auxiliary'
###
#
# This class is here to implement advanced features for AIX-based
# payloads. AIX payloads are expected to include this module if
# they want to support these features.
#
###
module Msf::Payload::Aix
include Msf::Auxiliary::Report
#
# This mixin is chained within payloads that target the AIX platform.
# It provides special prepends, to support things like chroot and setuid
# and detect AIX version.
#
def initialize(info = {})
ret = super(info)
register_options(
[
Msf::OptString.new('AIX', [ true, 'IBM AIX Version', '6.1.4' ]),
], Msf::Payload::Aix)
ret
end
#
# Overload the generate() call to prefix our stubs and detect AIX version
#
def generate(*args)
@aix = datastore['AIX']
#if not assoc_exploit.nil?
# note = find_note(assoc_exploit.rhost, 'AIX')
# if not note.nil?
# @aix = note['data']
# end
#end
if (not @aix)
raise RuntimeError, 'AIX version is not set!'
end
__CAL = 511
# ATTENTION: Don't forget to update this string if you add a specific
# syscall set for a specific version of AIX.
supported = "6.1.4, 6.1.3, 6.1.2, 6.1.1, 6.1.0, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.1"
case @aix
when '6.1.4'
__NR_execve = 7
__NR_getpeername = 211
__NR_accept = 237
__NR_listen = 240
__NR_bind = 242
__NR_socket = 243
__NR_connect = 244
__NR_close = 278
__NR_kfcntl = 658
when '6.1.3'
__NR_execve = 7
__NR_getpeername = 205
__NR_accept = 232
__NR_listen = 235
__NR_bind = 237
__NR_socket = 238
__NR_connect = 239
__NR_close = 272
__NR_kfcntl = 644
when '6.1.2'
__NR_execve = 7
__NR_getpeername = 205
__NR_accept = 232
__NR_listen = 235
__NR_bind = 237
__NR_socket = 238
__NR_connect = 239
__NR_close = 272
__NR_kfcntl = 635
when '6.1.1'
__NR_execve = 7
__NR_getpeername = 202
__NR_accept = 229
__NR_listen = 232
__NR_bind = 234
__NR_socket = 235
__NR_connect = 236
__NR_close = 269
__NR_kfcntl = 614
when '6.1.0'
__NR_execve = 6
__NR_getpeername = 203
__NR_accept = 229
__NR_listen = 232
__NR_bind = 234
__NR_socket = 235
__NR_connect = 236
__NR_close = 269
__NR_kfcntl = 617
when '5.3.10', '5.3.9', '5.3.8', '5.3.7'
__NR_execve = 6
__NR_getpeername = 198
__NR_accept = 214
__NR_listen = 215
__NR_bind = 216
__NR_socket = 217
__NR_connect = 218
__NR_close = 245
__NR_kfcntl = 493
when '5.1'
__NR_execve = 5
__NR_getpeername = 122
__NR_accept = 138
__NR_listen = 139
__NR_bind = 140
__NR_socket = 141
__NR_connect = 142
__NR_close = 160
__NR_kfcntl = 322
else
raise RuntimeError, "Invalid AIX version: #{@aix}. Supported versions: #{supported}"
end
__NC_execve = -(__CAL - __NR_execve)
__NC_getpeername = -(__CAL - __NR_getpeername)
__NC_accept = -(__CAL - __NR_accept)
__NC_listen = -(__CAL - __NR_listen)
__NC_bind = -(__CAL - __NR_bind)
__NC_socket = -(__CAL - __NR_socket)
__NC_connect = -(__CAL - __NR_connect)
__NC_close = -(__CAL - __NR_close)
__NC_kfcntl = -(__CAL - __NR_kfcntl)
cal = "\x38\x5d"
@cal_execve = cal + [__NC_execve].pack('n')
@cal_getpeername = cal + [__NC_getpeername].pack('n')
@cal_accept = cal + [__NC_accept].pack('n')
@cal_listen = cal + [__NC_listen].pack('n')
@cal_bind = cal + [__NC_bind].pack('n')
@cal_socket = cal + [__NC_socket].pack('n')
@cal_connect = cal + [__NC_connect].pack('n')
@cal_close = cal + [__NC_close].pack('n')
@cal_kfcntl = cal + [__NC_kfcntl].pack('n')
return ''
end
protected
attr_accessor :aix
attr_accessor :cal_execve
attr_accessor :cal_getpeername
attr_accessor :cal_accept
attr_accessor :cal_bind
attr_accessor :cal_socket
attr_accessor :cal_connect
attr_accessor :cal_close
attr_accessor :cal_kfcntl
end