2009-06-23 03:49:25 +00:00
|
|
|
require 'msf/core'
|
|
|
|
require 'msf/core/auxiliary'
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# This class is here to implement advanced features for AIX-based
|
|
|
|
# payloads. AIX payloads are expected to include this module if
|
|
|
|
# they want to support these features.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
module Msf::Payload::Aix
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
#
|
|
|
|
# This mixin is chained within payloads that target the AIX platform.
|
|
|
|
# It provides special prepends, to support things like chroot and setuid
|
|
|
|
# and detect AIX version.
|
|
|
|
#
|
|
|
|
def initialize(info = {})
|
|
|
|
ret = super(info)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Msf::OptString.new('AIX', [ true, 'IBM AIX Version', '6.1.4' ]),
|
|
|
|
], Msf::Payload::Aix)
|
|
|
|
|
|
|
|
ret
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Overload the generate() call to prefix our stubs and detect AIX version
|
|
|
|
#
|
|
|
|
def generate(*args)
|
|
|
|
@aix = datastore['AIX']
|
|
|
|
|
|
|
|
#if not assoc_exploit.nil?
|
|
|
|
# note = find_note(assoc_exploit.rhost, 'AIX')
|
|
|
|
|
|
|
|
# if not note.nil?
|
|
|
|
# @aix = note['data']
|
|
|
|
# end
|
|
|
|
#end
|
|
|
|
|
2010-04-04 20:57:17 +00:00
|
|
|
if (not @aix)
|
|
|
|
raise RuntimeError, 'AIX version is not set!'
|
|
|
|
end
|
|
|
|
|
2009-06-23 03:49:25 +00:00
|
|
|
__CAL = 511
|
|
|
|
|
2010-04-04 20:57:17 +00:00
|
|
|
# ATTENTION: Don't forget to update this string if you add a specific
|
|
|
|
# syscall set for a specific version of AIX.
|
|
|
|
supported = "6.1.4, 6.1.3, 6.1.2, 6.1.1, 6.1.0, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.1"
|
|
|
|
|
2009-06-23 03:49:25 +00:00
|
|
|
case @aix
|
|
|
|
when '6.1.4'
|
|
|
|
__NR_execve = 7
|
|
|
|
__NR_getpeername = 211
|
|
|
|
__NR_accept = 237
|
|
|
|
__NR_listen = 240
|
|
|
|
__NR_bind = 242
|
|
|
|
__NR_socket = 243
|
|
|
|
__NR_connect = 244
|
|
|
|
__NR_close = 278
|
|
|
|
__NR_kfcntl = 658
|
|
|
|
|
|
|
|
when '6.1.3'
|
|
|
|
__NR_execve = 7
|
|
|
|
__NR_getpeername = 205
|
|
|
|
__NR_accept = 232
|
|
|
|
__NR_listen = 235
|
|
|
|
__NR_bind = 237
|
|
|
|
__NR_socket = 238
|
|
|
|
__NR_connect = 239
|
|
|
|
__NR_close = 272
|
|
|
|
__NR_kfcntl = 644
|
|
|
|
|
|
|
|
when '6.1.2'
|
|
|
|
__NR_execve = 7
|
|
|
|
__NR_getpeername = 205
|
|
|
|
__NR_accept = 232
|
|
|
|
__NR_listen = 235
|
|
|
|
__NR_bind = 237
|
|
|
|
__NR_socket = 238
|
|
|
|
__NR_connect = 239
|
|
|
|
__NR_close = 272
|
|
|
|
__NR_kfcntl = 635
|
|
|
|
|
|
|
|
when '6.1.1'
|
|
|
|
__NR_execve = 7
|
|
|
|
__NR_getpeername = 202
|
|
|
|
__NR_accept = 229
|
|
|
|
__NR_listen = 232
|
|
|
|
__NR_bind = 234
|
|
|
|
__NR_socket = 235
|
|
|
|
__NR_connect = 236
|
|
|
|
__NR_close = 269
|
|
|
|
__NR_kfcntl = 614
|
|
|
|
|
|
|
|
when '6.1.0'
|
|
|
|
__NR_execve = 6
|
|
|
|
__NR_getpeername = 203
|
|
|
|
__NR_accept = 229
|
|
|
|
__NR_listen = 232
|
|
|
|
__NR_bind = 234
|
|
|
|
__NR_socket = 235
|
|
|
|
__NR_connect = 236
|
|
|
|
__NR_close = 269
|
|
|
|
__NR_kfcntl = 617
|
|
|
|
|
|
|
|
when '5.3.10', '5.3.9', '5.3.8', '5.3.7'
|
|
|
|
__NR_execve = 6
|
|
|
|
__NR_getpeername = 198
|
|
|
|
__NR_accept = 214
|
|
|
|
__NR_listen = 215
|
|
|
|
__NR_bind = 216
|
|
|
|
__NR_socket = 217
|
|
|
|
__NR_connect = 218
|
|
|
|
__NR_close = 245
|
|
|
|
__NR_kfcntl = 493
|
|
|
|
|
2010-02-08 00:44:37 +00:00
|
|
|
when '5.1'
|
|
|
|
__NR_execve = 5
|
|
|
|
__NR_getpeername = 122
|
|
|
|
__NR_accept = 138
|
2010-02-09 00:05:15 +00:00
|
|
|
__NR_listen = 139
|
2010-02-08 00:44:37 +00:00
|
|
|
__NR_bind = 140
|
|
|
|
__NR_socket = 141
|
|
|
|
__NR_connect = 142
|
|
|
|
__NR_close = 160
|
|
|
|
__NR_kfcntl = 322
|
|
|
|
|
2010-04-04 20:57:17 +00:00
|
|
|
else
|
|
|
|
raise RuntimeError, "Invalid AIX version: #{@aix}. Supported versions: #{supported}"
|
|
|
|
|
2009-06-23 03:49:25 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
__NC_execve = -(__CAL - __NR_execve)
|
|
|
|
__NC_getpeername = -(__CAL - __NR_getpeername)
|
|
|
|
__NC_accept = -(__CAL - __NR_accept)
|
|
|
|
__NC_listen = -(__CAL - __NR_listen)
|
|
|
|
__NC_bind = -(__CAL - __NR_bind)
|
|
|
|
__NC_socket = -(__CAL - __NR_socket)
|
|
|
|
__NC_connect = -(__CAL - __NR_connect)
|
|
|
|
__NC_close = -(__CAL - __NR_close)
|
|
|
|
__NC_kfcntl = -(__CAL - __NR_kfcntl)
|
|
|
|
|
|
|
|
cal = "\x38\x5d"
|
|
|
|
@cal_execve = cal + [__NC_execve].pack('n')
|
|
|
|
@cal_getpeername = cal + [__NC_getpeername].pack('n')
|
|
|
|
@cal_accept = cal + [__NC_accept].pack('n')
|
|
|
|
@cal_listen = cal + [__NC_listen].pack('n')
|
|
|
|
@cal_bind = cal + [__NC_bind].pack('n')
|
|
|
|
@cal_socket = cal + [__NC_socket].pack('n')
|
|
|
|
@cal_connect = cal + [__NC_connect].pack('n')
|
|
|
|
@cal_close = cal + [__NC_close].pack('n')
|
|
|
|
@cal_kfcntl = cal + [__NC_kfcntl].pack('n')
|
|
|
|
|
|
|
|
return ''
|
|
|
|
end
|
|
|
|
|
|
|
|
protected
|
|
|
|
attr_accessor :aix
|
|
|
|
attr_accessor :cal_execve
|
|
|
|
attr_accessor :cal_getpeername
|
|
|
|
attr_accessor :cal_accept
|
|
|
|
attr_accessor :cal_bind
|
|
|
|
attr_accessor :cal_socket
|
|
|
|
attr_accessor :cal_connect
|
|
|
|
attr_accessor :cal_close
|
|
|
|
attr_accessor :cal_kfcntl
|
|
|
|
|
|
|
|
end
|