diff --git a/lib/msf/core/encoded_payload.rb b/lib/msf/core/encoded_payload.rb
index 7396ff0aa2..36d46c3455 100644
--- a/lib/msf/core/encoded_payload.rb
+++ b/lib/msf/core/encoded_payload.rb
@@ -404,6 +404,15 @@ class EncodedPayload
     Msf::Util::EXE.to_jsp_war(encoded_exe(opts), opts)
   end
 
+  #
+  # An array containing the architecture(s) that this payload was made to run on
+  #
+  def arch
+    if pinst
+      pinst.arch
+    end
+  end
+
   #
   # The raw version of the payload
   #
diff --git a/lib/msf/core/exploit/gdb.rb b/lib/msf/core/exploit/gdb.rb
index 5f3e9b5e4b..baa7784a9b 100644
--- a/lib/msf/core/exploit/gdb.rb
+++ b/lib/msf/core/exploit/gdb.rb
@@ -21,7 +21,8 @@ module Exploit::Remote::Gdb
   # Maps arch -> index of register in GDB that holds $PC
   PC_REGISTERS = {
     ARCH_X86 => '08',
-    ARCH_X64 => '10'
+    ARCH_X64 => '10',
+    ARCH_X86_64 => '10'
   }
 
   # Send an ACK packet
@@ -88,10 +89,10 @@ module Exploit::Remote::Gdb
   # @return [String] containing the hex-encoded address stored in EIP
   def get_pc
     # on x64 it is the register under the key "10"
-    idx = pc_reg_index(target.arch)
+    idx = pc_reg_index(payload.arch)
     pc = step.split(';').map { |r| r =~ /#{idx}:([a-f0-9]*)/ and $1 }.compact.first
     # convert to desired endian/ptr size for a given arch
-    addr = Rex::Arch.pack_addr(target.arch, Integer(pc, 16))
+    addr = Rex::Arch.pack_addr(payload.arch, Integer(pc, 16))
     Rex::Text.to_hex(addr, '')
   end
 
@@ -128,14 +129,11 @@ module Exploit::Remote::Gdb
     read_response # lots of flags, nothing interesting
   end
 
-  # @param arch [String, Array] the current system architecture
+  # @param my_arch [String, Array] the current system architecture
   # @return [String] hex index of the register that contains $PC for the current arch
-  def pc_reg_index(arch)
-    if arch.is_a?(Array)
-      arch = arch[0]
-    end
-
-    PC_REGISTERS[arch]
+  def pc_reg_index(my_arch)
+    if my_arch.is_a?(Array) then my_arch = my_arch[0] end
+    PC_REGISTERS[my_arch]
   end
 end
 
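Review bot: The YARD header above the new `def arch` describes only the array case, but the body returns nil whenever `pinst` is unset, and the gdb mixin changed in this same commit feeds that value straight into `pc_reg_index`, where a nil key silently yields no register index. I would state the nil case in the comment: `# @return [Array<String>, nil] the architecture(s) the wrapped payload instance targets, or nil when no payload instance is set`. The body can also collapse to the guard it really is, `pinst.arch if pinst`.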
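Review bot: `PC_REGISTERS` gains a second key for the x64 register but stays an unfrozen hash, and `get_pc` in this file interpolates its values into the regex that selects a field of the stop reply, so a `.freeze` on the closing `}` would keep any later in-place edit from silently changing which register is parsed. The header comment could also say what the values are, since '08' and '10' are the register numbers `get_pc` looks for in `NN:value` fields: `# Maps arch -> two-digit hex register number under which gdb reports $PC in its stop reply`. The closing `}` is a context line here, so treat this as a follow-up rather than a defect the hunk introduces.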
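Review bot: In `get_pc`, `idx` is nil for any payload arch that is not a `PC_REGISTERS` key, and the interpolated regex then degrades to `/:([a-f0-9]*)/`, which matches the first `NN:value` field of the stop reply and hands some other register's contents to `Rex::Arch.pack_addr` as $PC; when no field matches at all, `Integer(nil, 16)` raises a bare TypeError, and an empty capture from `[a-f0-9]*` raises ArgumentError. I would fail closed before parsing: `raise ArgumentError, "no $PC register index for arch #{payload.arch.inspect}" unless idx`, tighten the match to a whole field with at least one digit, `r =~ /\A#{idx}:([a-f0-9]+)\z/ and $1`, and check the result with `raise "stop reply did not contain register #{idx}" unless pc`. Note that `payload.arch` is the operator's payload choice, not anything learned from the remote gdbserver, so a payload built for the wrong arch now reads the wrong register rather than being rejected; the old target-based code had the same property, but it is worth a sentence in the method comment.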
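Review bot: The rewritten `pc_reg_index` folds an `if … then … end` onto one line, a form the Ruby style guide discourages; the modifier form `my_arch = my_arch.first if my_arch.is_a?(Array)` says the same thing in the house style, and the rename from `arch` to `my_arch` is unusual since `arch` shadowed nothing visible here. The YARD comment should also say what callers can rely on: only the first element of an Array is consulted, and the result is nil for any arch absent from `PC_REGISTERS`, so `# @return [String, nil] hex index of the register that contains $PC, or nil when the arch is not in PC_REGISTERS`. That nil contract matters because `get_pc` in this same file interpolates the return value into a regex.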
diff --git a/modules/exploits/multi/gdb/gdb_server_exec.rb b/modules/exploits/multi/gdb/gdb_server_exec.rb
index bf575a67bd..8c37c98ac9 100644
--- a/modules/exploits/multi/gdb/gdb_server_exec.rb
+++ b/modules/exploits/multi/gdb/gdb_server_exec.rb
@@ -12,16 +12,14 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'GDB Server Remote Payload Execution',
-      'Description'    => %q{
+      'Name'        => 'GDB Server Remote Payload Execution',
+      'Description' => %q{
         This module attempts to execute an arbitrary payload on a gdbserver service.
       },
-      'Author'         => [ 'joev' ],
-      'Targets'        => [
-        [ 'x86 (32-bit)', { 'Arch' => ARCH_X86 } ],
-        [ 'x64 (64-bit)', { 'Arch' => ARCH_X64 } ]
-      ],
-      'Platform'       => %w(linux unix osx windows),
+      'Author'      => [ 'joev' ],
+      'Targets'     => [ [ 'Automatic', {} ] ],
+      'Arch'        => [ ARCH_X86, ARCH_X64 ],
+      'Platform'    => %w(linux unix osx windows),
       'DefaultTarget' => 0
     ))
   end
diff --git a/spec/lib/msf/core/encoded_payload_spec.rb b/spec/lib/msf/core/encoded_payload_spec.rb
new file mode 100644
index 0000000000..dce2df7298
--- /dev/null
+++ b/spec/lib/msf/core/encoded_payload_spec.rb
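Review bot: The new `'Arch' => [ ARCH_X86, ARCH_X64 ]` list on the Automatic target omits ARCH_X86_64, yet the spec added in this commit asserts that `linux/x64/shell_reverse_tcp` reports `[ARCH_X86_64]` and `PC_REGISTERS` had to learn that key; if the framework's payload compatibility check compares these strings literally (not visible in this diff), x86_64 payloads will not be offered for this module and the new mapping is unreachable. Extending the list to `'Arch'        => [ ARCH_X86, ARCH_X64, ARCH_X86_64 ],` would match what `get_pc` now accepts. With the explicit x86/x64 targets gone, the register used to read $PC follows whatever payload the operator picks with no check against the debuggee, and the Description is the natural place to say so, e.g. append `The payload architecture must match the process gdbserver is debugging; no remote architecture check is performed.`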
@@ -0,0 +1,36 @@
+require 'spec_helper'
+require 'msf/core/encoded_payload'
+
+describe Msf::EncodedPayload do
+  PAYLOAD_FRAMEWORK = Msf::Simple::Framework.create(
+    :module_types => [::Msf::MODULE_PAYLOAD, ::Msf::MODULE_ENCODER, ::Msf::MODULE_NOP],
+    'DisableDatabase' => true,
+    'DisableLogging' => true
+  )
+
+  let(:framework) { PAYLOAD_FRAMEWORK }
+  let(:payload) { 'linux/x86/shell_reverse_tcp' }
+  let(:pinst) { framework.payloads.create(payload) }
+
+  subject(:encoded_payload) do
+    described_class.new(framework, pinst, {})
+  end
+
+  describe '#arch' do
+    context 'when payload is linux/x86 reverse tcp' do
+      let(:payload) { 'linux/x86/shell_reverse_tcp' }
+
+      it 'returns ["X86"]' do
+        expect(encoded_payload.arch).to eq [ARCH_X86]
+      end
+    end
+
+    context 'when payload is linux/x64 reverse tcp' do
+      let(:payload) { 'linux/x64/shell_reverse_tcp' }
+
+      it 'returns ["X86_64"]' do
+        expect(encoded_payload.arch).to eq [ARCH_X86_64]
+      end
+    end
+  end
+end
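Review bot: `PAYLOAD_FRAMEWORK = Msf::Simple::Framework.create(...)` is assigned inside the `describe` block, and Ruby blocks do not open a constant scope, so the constant lands on `Object`, is visible to every other spec in the run and would trigger an "already initialized constant" warning if the file is loaded twice; a memoized `let(:framework)` or a `before(:all)` instance variable keeps the framework local to this file. The `it` descriptions quote `["X86"]` and `["X86_64"]` while the expectations compare against the `ARCH_*` constants, whose string values are not shown here, so `it "returns [#{ARCH_X86}]"` keeps the description honest. The nil branch of `#arch` (no payload instance) is not covered, and that is the value the gdb mixin would feed into `PC_REGISTERS`, so I would add a context for it.
```ruby
  describe '#arch' do
    # … unchanged: linux/x86 and linux/x64 contexts …

    context 'when there is no payload instance' do
      let(:pinst) { nil }

      it 'returns nil' do
        expect(encoded_payload.arch).to be_nil
      end
    end
  end
```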