Add #arch method to Msf::EncodedPayload.
This allows exploits with just one automatic target to support many different architectures.
bug/bundler_fix
parent
88f626184c
commit
6313b29b7a
|
@ -404,6 +404,15 @@ class EncodedPayload
|
||||||
Msf::Util::EXE.to_jsp_war(encoded_exe(opts), opts)
|
Msf::Util::EXE.to_jsp_war(encoded_exe(opts), opts)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# An array containing the architecture(s) that this payload was made to run on
|
||||||
|
#
|
||||||
|
def arch
|
||||||
|
if pinst
|
||||||
|
pinst.arch
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# The raw version of the payload
|
# The raw version of the payload
|
||||||
#
|
#
|
||||||
|
|
|
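Review bot: `arch` returns nil when `pinst` is unset, but the new header comment promises an array and the spec added in this commit only covers the array case; document the nil path, e.g. `# @return [Array<String>, nil] architecture(s) the payload instance targets, or nil when no payload instance is set`. The nested `if` can be the modifier form `pinst.arch if pinst`, which is what the surrounding file's one-liners use. The enclosing EncodedPayload class opens and closes outside this hunk.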
@ -21,7 +21,8 @@ module Exploit::Remote::Gdb
|
||||||
# Maps arch -> index of register in GDB that holds $PC
|
# Maps arch -> index of register in GDB that holds $PC
|
||||||
PC_REGISTERS = {
|
PC_REGISTERS = {
|
||||||
ARCH_X86 => '08',
|
ARCH_X86 => '08',
|
||||||
ARCH_X64 => '10'
|
ARCH_X64 => '10',
|
||||||
|
ARCH_X86_64 => '10'
|
||||||
}
|
}
|
||||||
|
|
||||||
# Send an ACK packet
|
# Send an ACK packet
|
||||||
|
@ -88,10 +89,10 @@ module Exploit::Remote::Gdb
|
||||||
# @return [String] containing the hex-encoded address stored in EIP
|
# @return [String] containing the hex-encoded address stored in EIP
|
||||||
def get_pc
|
def get_pc
|
||||||
# on x64 it is the register under the key "10"
|
# on x64 it is the register under the key "10"
|
||||||
idx = pc_reg_index(target.arch)
|
idx = pc_reg_index(payload.arch)
|
||||||
pc = step.split(';').map { |r| r =~ /#{idx}:([a-f0-9]*)/ and $1 }.compact.first
|
pc = step.split(';').map { |r| r =~ /#{idx}:([a-f0-9]*)/ and $1 }.compact.first
|
||||||
# convert to desired endian/ptr size for a given arch
|
# convert to desired endian/ptr size for a given arch
|
||||||
addr = Rex::Arch.pack_addr(target.arch, Integer(pc, 16))
|
addr = Rex::Arch.pack_addr(payload.arch, Integer(pc, 16))
|
||||||
Rex::Text.to_hex(addr, '')
|
Rex::Text.to_hex(addr, '')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -128,14 +129,11 @@ module Exploit::Remote::Gdb
|
||||||
read_response # lots of flags, nothing interesting
|
read_response # lots of flags, nothing interesting
|
||||||
end
|
end
|
||||||
|
|
||||||
# @param arch [String, Array] the current system architecture
|
# @param my_arch [String, Array] the current system architecture
|
||||||
# @return [String] hex index of the register that contains $PC for the current arch
|
# @return [String] hex index of the register that contains $PC for the current arch
|
||||||
def pc_reg_index(arch)
|
def pc_reg_index(my_arch)
|
||||||
if arch.is_a?(Array)
|
if my_arch.is_a?(Array) then my_arch = my_arch[0] end
|
||||||
arch = arch[0]
|
PC_REGISTERS[my_arch]
|
||||||
end
|
|
||||||
|
|
||||||
PC_REGISTERS[arch]
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
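Review bot: `pc_reg_index` still returns nil for an architecture that is not a key of `PC_REGISTERS`, and `get_pc` then interpolates that nil into the pattern as `/:([a-f0-9]*)/`, which matches the first register in the stop reply instead of $PC; a lookup that fails loudly is safer, `PC_REGISTERS.fetch(my_arch) { raise ArgumentError, "unsupported arch #{my_arch.inspect}" }`. The new one-line `if my_arch.is_a?(Array) then my_arch = my_arch[0] end` reads better in modifier form, `my_arch = my_arch.first if my_arch.is_a?(Array)`, and a comment should say that only the first listed architecture is consulted when the payload declares several. `get_pc` passes the un-normalised `payload.arch` (an Array, judging by the new spec) to `Rex::Arch.pack_addr` while `pc_reg_index` reduces it to its first element; if `pack_addr` does not accept an Array itself, the same first-element value should feed both calls. `get_pc` and `pc_reg_index` are complete within their hunks; `module Exploit::Remote::Gdb` opens outside them.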
@ -17,10 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
This module attempts to execute an arbitrary payload on a gdbserver service.
|
This module attempts to execute an arbitrary payload on a gdbserver service.
|
||||||
},
|
},
|
||||||
'Author' => [ 'joev' ],
|
'Author' => [ 'joev' ],
|
||||||
'Targets' => [
|
'Targets' => [ [ 'Automatic', {} ] ],
|
||||||
[ 'x86 (32-bit)', { 'Arch' => ARCH_X86 } ],
|
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||||
[ 'x64 (64-bit)', { 'Arch' => ARCH_X64 } ]
|
|
||||||
],
|
|
||||||
'Platform' => %w(linux unix osx windows),
|
'Platform' => %w(linux unix osx windows),
|
||||||
'DefaultTarget' => 0
|
'DefaultTarget' => 0
|
||||||
))
|
))
|
||||||
|
|
|
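Review bot: The single 'Automatic' target lists `'Arch' => [ ARCH_X86, ARCH_X64 ]`, while the Gdb mixin's PC_REGISTERS table in this same commit keys x64 under both ARCH_X64 and ARCH_X86_64 and the new spec expects an x64 payload to report ARCH_X86_64; if the framework does not treat those two constants as aliases when matching payloads, x86_64 payloads would be filtered out by this list, so it should probably be `'Arch' => [ ARCH_X86, ARCH_X64, ARCH_X86_64 ],` to mirror the mixin. `'DefaultTarget' => 0` is still correct with one target. The enclosing info hash and `initialize` begin before this hunk.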
@ -0,0 +1,36 @@
|
||||||
|
require 'spec_helper'
|
||||||
|
require 'msf/core/encoded_payload'
|
||||||
|
|
||||||
|
describe Msf::EncodedPayload do
|
||||||
|
PAYLOAD_FRAMEWORK = Msf::Simple::Framework.create(
|
||||||
|
:module_types => [::Msf::MODULE_PAYLOAD, ::Msf::MODULE_ENCODER, ::Msf::MODULE_NOP],
|
||||||
|
'DisableDatabase' => true,
|
||||||
|
'DisableLogging' => true
|
||||||
|
)
|
||||||
|
|
||||||
|
let(:framework) { PAYLOAD_FRAMEWORK }
|
||||||
|
let(:payload) { 'linux/x86/shell_reverse_tcp' }
|
||||||
|
let(:pinst) { framework.payloads.create(payload) }
|
||||||
|
|
||||||
|
subject(:encoded_payload) do
|
||||||
|
described_class.new(framework, pinst, {})
|
||||||
|
end
|
||||||
|
|
||||||
|
describe '#arch' do
|
||||||
|
context 'when payload is linux/x86 reverse tcp' do
|
||||||
|
let(:payload) { 'linux/x86/shell_reverse_tcp' }
|
||||||
|
|
||||||
|
it 'returns ["X86"]' do
|
||||||
|
expect(encoded_payload.arch).to eq [ARCH_X86]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when payload is linux/x64 reverse tcp' do
|
||||||
|
let(:payload) { 'linux/x64/shell_reverse_tcp' }
|
||||||
|
|
||||||
|
it 'returns ["X86_64"]' do
|
||||||
|
expect(encoded_payload.arch).to eq [ARCH_X86_64]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
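Review bot: `PAYLOAD_FRAMEWORK` is assigned inside the `describe` block, but constants are bound to the lexically enclosing scope, so it lands on the top-level namespace and the whole framework is built when the file is loaded rather than when an example runs; a `before(:all)` that memoizes into an instance variable read by `let(:framework)` would keep it scoped to this spec. The outer `let(:payload) { 'linux/x86/shell_reverse_tcp' }` is shadowed by the `let(:payload)` in each context and can be dropped. The example names say `returns ["X86"]` / `returns ["X86_64"]` while the assertions compare against `ARCH_X86` / `ARCH_X86_64`; naming the constants in the descriptions keeps the two from drifting.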