metasploit-framework/lib/msf/core/payload/aix.rb

197 lines
5.3 KiB
Ruby

# -*- coding: binary -*-
require 'msf/core'
###
#
# This class is here to implement advanced features for AIX-based
# payloads. AIX payloads are expected to include this module if
# they want to support these features.
#
###
module Msf::Payload::Aix
#
# This mixin is chained within payloads that target the AIX platform.
# It provides special prepends, to support things like chroot and setuid
# and detect AIX version.
#
def initialize(info = {})
ret = super(info)
register_options(
[
Msf::OptString.new('AIX', [ true, 'IBM AIX Version', '6.1.4' ]),
], Msf::Payload::Aix)
ret
end
#
# Overload the generate() call to prefix our stubs and detect AIX version
#
def generate(*args)
@aix = datastore['AIX']
#if not assoc_exploit.nil?
# note = find_note(assoc_exploit.rhost, 'AIX')
# if not note.nil?
# @aix = note['data']
# end
#end
if (not @aix)
raise RuntimeError, 'AIX version is not set!'
end
#
# NOTE:
#
# To add a syscall set, add a aix_XXXX_syscalls hash as seen below,
# and add a line to the versions hash using that version.
#
aix_614_syscalls = {
:__NR_execve => 7,
:__NR_getpeername => 211,
:__NR_accept => 237,
:__NR_listen => 240,
:__NR_bind => 242,
:__NR_socket => 243,
:__NR_connect => 244,
:__NR_close => 278,
:__NR_kfcntl => 658
}
aix_613_syscalls = {
:__NR_execve => 7,
:__NR_getpeername => 205,
:__NR_accept => 232,
:__NR_listen => 235,
:__NR_bind => 237,
:__NR_socket => 238,
:__NR_connect => 239,
:__NR_close => 272,
:__NR_kfcntl => 644
}
aix_612_syscalls = {
:__NR_execve => 7,
:__NR_getpeername => 205,
:__NR_accept => 232,
:__NR_listen => 235,
:__NR_bind => 237,
:__NR_socket => 238,
:__NR_connect => 239,
:__NR_close => 272,
:__NR_kfcntl => 635
}
aix_611_syscalls = {
:__NR_execve => 7,
:__NR_getpeername => 202,
:__NR_accept => 229,
:__NR_listen => 232,
:__NR_bind => 234,
:__NR_socket => 235,
:__NR_connect => 236,
:__NR_close => 269,
:__NR_kfcntl => 614
}
aix_610_syscalls = {
:__NR_execve => 6,
:__NR_getpeername => 203,
:__NR_accept => 229,
:__NR_listen => 232,
:__NR_bind => 234,
:__NR_socket => 235,
:__NR_connect => 236,
:__NR_close => 269,
:__NR_kfcntl => 617
}
aix_53x_syscalls = {
:__NR_execve => 6,
:__NR_getpeername => 198,
:__NR_accept => 214,
:__NR_listen => 215,
:__NR_bind => 216,
:__NR_socket => 217,
:__NR_connect => 218,
:__NR_close => 245,
:__NR_kfcntl => 493
}
aix_51_syscalls = {
:__NR_execve => 5,
:__NR_getpeername => 122,
:__NR_accept => 138,
:__NR_listen => 139,
:__NR_bind => 140,
:__NR_socket => 141,
:__NR_connect => 142,
:__NR_close => 160,
:__NR_kfcntl => 322
}
versions = {
'6.1.4' => aix_614_syscalls,
'6.1.3' => aix_613_syscalls,
'6.1.2' => aix_612_syscalls,
'6.1.1' => aix_611_syscalls,
'6.1.0' => aix_610_syscalls,
'5.3.10' => aix_53x_syscalls,
'5.3.9' => aix_53x_syscalls,
'5.3.8' => aix_53x_syscalls,
'5.3.7' => aix_53x_syscalls,
'5.1' => aix_51_syscalls
}
if (not versions[@aix])
# Dynamically build the support version array :)
supported = versions.sort.reverse.map { |k,v| k.to_s }.join(', ')
raise RuntimeError, "Invalid AIX version: \"#{@aix}\". Supported versions: #{supported}"
else
syscalls = versions[@aix]
end
__CAL = 2047
__NC_execve = -(__CAL - syscalls[:__NR_execve])
__NC_getpeername = -(__CAL - syscalls[:__NR_getpeername])
__NC_accept = -(__CAL - syscalls[:__NR_accept])
__NC_listen = -(__CAL - syscalls[:__NR_listen])
__NC_bind = -(__CAL - syscalls[:__NR_bind])
__NC_socket = -(__CAL - syscalls[:__NR_socket])
__NC_connect = -(__CAL - syscalls[:__NR_connect])
__NC_close = -(__CAL - syscalls[:__NR_close])
__NC_kfcntl = -(__CAL - syscalls[:__NR_kfcntl])
cal = "\x38\x5d"
@cal_execve = cal + [__NC_execve].pack('n')
@cal_getpeername = cal + [__NC_getpeername].pack('n')
@cal_accept = cal + [__NC_accept].pack('n')
@cal_listen = cal + [__NC_listen].pack('n')
@cal_bind = cal + [__NC_bind].pack('n')
@cal_socket = cal + [__NC_socket].pack('n')
@cal_connect = cal + [__NC_connect].pack('n')
@cal_close = cal + [__NC_close].pack('n')
@cal_kfcntl = cal + [__NC_kfcntl].pack('n')
return ''
end
protected
attr_accessor :aix
attr_accessor :cal_execve
attr_accessor :cal_getpeername
attr_accessor :cal_accept
attr_accessor :cal_bind
attr_accessor :cal_socket
attr_accessor :cal_connect
attr_accessor :cal_close
attr_accessor :cal_kfcntl
end