Add #arch method to Msf::EncodedPayload.

This allows exploits with few one automatic target to support many different architectures.
2014-08-24 02:22:15 -05:00 · 2014-08-24 02:22:15 -05:00 · 6313b29b7a
parent 88f626184c
commit 6313b29b7a
4 changed files with 59 additions and 18 deletions
--- a/lib/msf/core/encoded_payload.rb
+++ b/lib/msf/core/encoded_payload.rb
@ -404,6 +404,15 @@ class EncodedPayload
    Msf::Util::EXE.to_jsp_war(encoded_exe(opts), opts)
  end

+  #
+  # An array containing the architecture(s) that this payload was made to run on
+  #
+  def arch
+    if pinst
+      pinst.arch
+    end
+  end
+
  #
  # The raw version of the payload
  #
--- a/lib/msf/core/exploit/gdb.rb
+++ b/lib/msf/core/exploit/gdb.rb
@ -21,7 +21,8 @@ module Exploit::Remote::Gdb
  # Maps arch -> index of register in GDB that holds $PC
  PC_REGISTERS = {
    ARCH_X86 => '08',
-    ARCH_X64 => '10'
+    ARCH_X64 => '10',
+    ARCH_X86_64 => '10'
  }

  # Send an ACK packet
@ -88,10 +89,10 @@ module Exploit::Remote::Gdb
  # @return [String] containing the hex-encoded address stored in EIP
  def get_pc
    # on x64 it is the register under the key "10"
-    idx = pc_reg_index(target.arch)
+    idx = pc_reg_index(payload.arch)
    pc = step.split(';').map { |r| r =~ /#{idx}:([a-f0-9]*)/ and $1 }.compact.first
    # convert to desired endian/ptr size for a given arch
-    addr = Rex::Arch.pack_addr(target.arch, Integer(pc, 16))
+    addr = Rex::Arch.pack_addr(payload.arch, Integer(pc, 16))
    Rex::Text.to_hex(addr, '')
  end

@ -128,14 +129,11 @@ module Exploit::Remote::Gdb
    read_response # lots of flags, nothing interesting
  end

-  # @param arch [String, Array] the current system architecture
+  # @param my_arch [String, Array] the current system architecture
  # @return [String] hex index of the register that contains $PC for the current arch
-  def pc_reg_index(arch)
-    if arch.is_a?(Array)
-      arch = arch[0]
-    end
-
-    PC_REGISTERS[arch]
+  def pc_reg_index(my_arch)
+    if my_arch.is_a?(Array) then my_arch = my_arch[0] end
+    PC_REGISTERS[my_arch]
  end

 end
--- a/modules/exploits/multi/gdb/gdb_server_exec.rb
+++ b/modules/exploits/multi/gdb/gdb_server_exec.rb
@ -17,10 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
          This module attempts to execute an arbitrary payload on a gdbserver service.
      },
      'Author'        => [ 'joev' ],
-      'Targets'        => [
-        [ 'x86 (32-bit)', { 'Arch' => ARCH_X86 } ],
-        [ 'x64 (64-bit)', { 'Arch' => ARCH_X64 } ]
-      ],
+      'Targets'       => [ [ 'Automatic', {} ] ],
+      'Arch'          => [ ARCH_X86, ARCH_X64 ],
      'Platform'      => %w(linux unix osx windows),
      'DefaultTarget' => 0
    ))
--- a/spec/lib/msf/core/encoded_payload_spec.rb
+++ b/spec/lib/msf/core/encoded_payload_spec.rb
@ -0,0 +1,36 @@
+require 'spec_helper'
+require 'msf/core/encoded_payload'
+
+describe Msf::EncodedPayload do
+  PAYLOAD_FRAMEWORK = Msf::Simple::Framework.create(
+    :module_types => [::Msf::MODULE_PAYLOAD, ::Msf::MODULE_ENCODER, ::Msf::MODULE_NOP],
+    'DisableDatabase' => true,
+    'DisableLogging' => true
+  )
+
+  let(:framework) { PAYLOAD_FRAMEWORK }
+  let(:payload) { 'linux/x86/shell_reverse_tcp' }
+  let(:pinst) { framework.payloads.create(payload) }
+
+  subject(:encoded_payload) do
+    described_class.new(framework, pinst, {})
+  end
+
+  describe '#arch' do
+    context 'when payload is linux/x86 reverse tcp' do
+      let(:payload) { 'linux/x86/shell_reverse_tcp' }
+
+      it 'returns ["X86"]' do
+        expect(encoded_payload.arch).to eq [ARCH_X86]
+      end
+    end
+
+    context 'when payload is linux/x64 reverse tcp' do
+      let(:payload) { 'linux/x64/shell_reverse_tcp' }
+
+      it 'returns ["X86_64"]' do
+        expect(encoded_payload.arch).to eq [ARCH_X86_64]
+      end
+    end
+  end
+end