
Commit 8d1126e

committed
Land rapid7#5129, x64 BSD prepend stubs 'n' stuff
2 parents c2a252f + 2d3614f commit 8d1126e


14 files changed

+259
-107
lines changed


data/templates/template_x64_bsd.bin

120 Bytes
Binary file not shown.

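--- a/lib/msf/core/payload/bsd.rb
+++ b/lib/msf/core/payload/bsd.rb
@@ -23,49 +23,49 @@ def initialize(info = {})
 [
 false,
 "Prepend a stub that executes the setresuid(0, 0, 0) system call",
-"false"
+false
 ]
 ),
 Msf::OptBool.new('PrependSetreuid',
 [
 false,
 "Prepend a stub that executes the setreuid(0, 0) system call",
-"false"
+false
 ]
 ),
 Msf::OptBool.new('PrependSetuid',
 [
 false,
 "Prepend a stub that executes the setuid(0) system call",
-"false"
+false
 ]
 ),
 Msf::OptBool.new('PrependSetresgid',
 [
 false,
 "Prepend a stub that executes the setresgid(0, 0, 0) system call",
-"false"
+false
 ]
 ),
 Msf::OptBool.new('PrependSetregid',
 [
 false,
 "Prepend a stub that executes the setregid(0, 0) system call",
-"false"
+false
 ]
 ),
 Msf::OptBool.new('PrependSetgid',
 [
 false,
 "Prepend a stub that executes the setgid(0) system call",
-"false"
+false
 ]
 ),
 Msf::OptBool.new('AppendExit',
 [
 false,
 "Append a stub that executes the exit(0) system call",
-"false"
+false
 ]
 ),
 ], Msf::Payload::Bsd)
@@ -74,95 +74,157 @@ def initialize(info = {})
 end
 
 
-#
-# Overload the generate() call to prefix our stubs
-#
-def generate(*args)
-# Call the real generator to get the payload
-buf = super(*args)
+def apply_prepends(buf)
+test_arch = [ *(self.arch) ]
 pre = ''
 app = ''
 
-test_arch = [ *(self.arch) ]
-
-# Handle all x86 code here
 if (test_arch.include?(ARCH_X86))
+handle_x86_bsd_opts(pre, app)
+elsif (test_arch.include?(ARCH_X86_64))
+handle_x64_bsd_opts(pre, app)
+end
+
+pre + buf + app
+end
+
+def handle_x86_bsd_opts(pre, app)
+if (datastore['PrependSetresuid'])
+# setresuid(0, 0, 0)
+pre << "\x31\xc0" +# xorl %eax,%eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
+"\xcd\x80" # int $0x80 #
+end
+
+if (datastore['PrependSetreuid'])
+# setreuid(0, 0)
+pre << "\x31\xc0" +# xorl %eax,%eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\xb0\x7e" +# movb $0x7e,%al #
+"\xcd\x80" # int $0x80 #
+end
+
+if (datastore['PrependSetuid'])
+# setuid(0)
+pre << "\x31\xc0" +# xorl %eax,%eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\xb0\x17" +# movb $0x17,%al #
+"\xcd\x80" # int $0x80 #
+end
+
+if (datastore['PrependSetresgid'])
+# setresgid(0, 0, 0)
+pre << "\x31\xc0" +# xorl %eax,%eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
+"\xcd\x80" # int $0x80 #
+end
 
-# Prepend
-
-if (datastore['PrependSetresuid'])
-# setresuid(0, 0, 0)
-pre << "\x31\xc0" +# xorl %eax,%eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
-"\xcd\x80" # int $0x80 #
-end
-
-if (datastore['PrependSetreuid'])
-# setreuid(0, 0)
-pre << "\x31\xc0" +# xorl %eax,%eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\xb0\x7e" +# movb $0x7e,%al #
-"\xcd\x80" # int $0x80 #
-end
-
-if (datastore['PrependSetuid'])
-# setuid(0)
-pre << "\x31\xc0" +# xorl %eax,%eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\xb0\x17" +# movb $0x17,%al #
-"\xcd\x80" # int $0x80 #
-end
-
-if (datastore['PrependSetresgid'])
-# setresgid(0, 0, 0)
-pre << "\x31\xc0" +# xorl %eax,%eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
-"\xcd\x80" # int $0x80 #
-end
-
-if (datastore['PrependSetregid'])
-# setregid(0, 0)
-pre << "\x31\xc0" +# xorl %eax,%eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\xb0\x7f" +# movb $0x7f,%al #
-"\xcd\x80" # int $0x80 #
-end
-
-if (datastore['PrependSetgid'])
-# setgid(0)
-pre << "\x31\xc0" +# xorl %eax,%eax #
-"\x50" +# pushl %eax #
-"\x50" +# pushl %eax #
-"\xb0\xb5" +# movb $0xb5,%al #
-"\xcd\x80" # int $0x80 #
-end
-# Append
-
-if (datastore['AppendExit'])
-# exit(0)
-app << "\x31\xc0" +# xorl %eax,%eax #
-"\x50" +# pushl %eax #
-"\xb0\x01" +# movb $0x01,%al #
-"\xcd\x80" # int $0x80 #
-end
+if (datastore['PrependSetregid'])
+# setregid(0, 0)
+pre << "\x31\xc0" +# xorl %eax,%eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\xb0\x7f" +# movb $0x7f,%al #
+"\xcd\x80" # int $0x80 #
+end
 
+if (datastore['PrependSetgid'])
+# setgid(0)
+pre << "\x31\xc0" +# xorl %eax,%eax #
+"\x50" +# pushl %eax #
+"\x50" +# pushl %eax #
+"\xb0\xb5" +# movb $0xb5,%al #
+"\xcd\x80" # int $0x80 #
 end
 
-return (pre + buf + app)
+if (datastore['AppendExit'])
+# exit(0)
+app << "\x31\xc0" +# xorl %eax,%eax #
+"\x50" +# pushl %eax #
+"\xb0\x01" +# movb $0x01,%al #
+"\xcd\x80" # int $0x80 #
+end
 end
 
+def handle_x64_bsd_opts(pre, app)
+if (datastore['PrependSetresuid'])
+# setresuid(0, 0, 0)
+pre << "\x48\x31\xc0" +# xor rax, rax
+"\x48\x83\xc8\x4d" +# or rax, 77 (setgid=311>>2=77)
+"\x48\xc1\xe0\x02" +# shl rax, 2
+"\x48\x83\xf0\x03" +# xor rax, 3 (311&3=3)
+"\x48\x31\xff" +# xor rdi, rdi 0
+"\x48\x31\xf6" +# xor rsi, rsi 0
+"\x48\x31\xd2" +# xor rdx, rdx 0
+"\x0f\x05" # syscall
+end
+
+if (datastore['PrependSetreuid'])
+# setreuid(0, 0)
+pre << "\x48\x31\xc0" +# xor rax, rax
+"\x48\x83\xc8\x7e" +# or rax, 126 (setreuid=126)
+"\x48\x31\xff" +# xor rdi, rdi 0
+"\x48\x31\xf6" +# xor rsi, rsi 0
+"\x0f\x05" # syscall
+end
+
+if (datastore['PrependSetuid'])
+# setuid(0)
+pre << "\x48\x31\xc0" +# xor rax, rax
+"\x48\x83\xc8\x17" +# or rax, 23 (setuid=23)
+"\x48\x31\xff" +# xor rdi, rdi 0
+"\x0f\x05" # syscall
+end
+
+if (datastore['PrependSetresgid'])
+# setresgid(0, 0, 0)
+pre << "\x48\x31\xc0" +# xor rax, rax
+"\x48\x83\xc8\x4e" +# or rax, 78 (setgid=312>>2=78)
+"\x48\xc1\xe0\x02" +# shl rax, 2 (78<<2=312)
+"\x48\x31\xff" +# xor rdi, rdi 0
+"\x48\x31\xf6" +# xor rsi, rsi 0
+"\x48\x31\xd2" +# xor rdx, rdx 0
+"\x0f\x05" # syscall
+end
+
+if (datastore['PrependSetregid'])
+# setregid(0, 0)
+pre << "\x48\x31\xc0" +# xor rax, rax
+"\x48\x83\xc8\x7f" +# or rax, 127 (setuid=127)
+"\x48\x31\xff" +# xor rdi, rdi 0
+"\x48\x31\xf6" +# xor rsi, rsi 0
+"\x0f\x05" # syscall
+end
+
+if (datastore['PrependSetgid'])
+# setgid(0)
+pre << "\x48\x31\xc0" +# xor rax, rax
+"\x48\x83\xc8\x5a" +# or rax, 90 (setgid=181>>1=90)
+"\x48\xd1\xe0" +# shl rax, 1
+"\x48\x83\xc8\x01" +# or rax, 1 (setgid=181&1=1)
+"\x48\x31\xff" +# xor rdi, rdi 0
+"\x0f\x05" # syscall
+end
+
+if (datastore['AppendExit'])
+# exit(0)
+app << "\x48\x31\xc0" +# xor rax, rax
+"\x48\x83\xc8\x01" +# or rax, 1 (exit=1)
+"\x48\x31\xff" +# xor rdi, rdi 0
+"\x0f\x05" # syscall
+end
+end
 
 end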
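Review bot: `apply_prepends` dispatches the 64-bit stubs only on `test_arch.include?(ARCH_X86_64)`, while the `lib/msf/util/exe.rb` changes in this same commit treat `ARCH_X86_64, ARCH_X64` as interchangeable for BSD; a payload that declares `ARCH_X64` would therefore be wrapped into an x64 ELF but silently get none of the requested setuid/setgid/exit stubs, since neither branch matches. Unless ARCH_X64 is known to be unused by BSD payloads (not visible here), the dispatch should be `elsif (test_arch.include?(ARCH_X86_64) || test_arch.include?(ARCH_X64))`. The syscall annotations in `handle_x64_bsd_opts` are also mislabelled in three places: `(setgid=311>>2=77)` belongs to setresuid, `(setgid=312>>2=78)` to setresgid, and `(setuid=127)` to setregid — the numbers themselves match the FreeBSD syscall table, only the names are wrong, so they should read `(setresuid=311>>2=77)`, `(setresgid=312>>2=78)` and `(setregid=127)`. Note that the old `generate` override is removed without any visible caller of `apply_prepends` in this file, so the new method presumably relies on the base `Msf::Payload#generate` invoking it — worth confirming against the other files in the commit.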
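--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -111,6 +111,10 @@ def self.to_executable(framework, arch, plat, code = '', opts = {})
 if plat.index(Msf::Module::Platform::OSX)
 return to_osx_x64_macho(framework, code)
 end
+
+if plat.index(Msf::Module::Platform::BSD)
+return to_bsd_x64_elf(framework, code)
+end
 end
 
 if arch.index(ARCH_ARMLE)
@@ -891,6 +895,11 @@ def self.to_bsd_x86_elf(framework, code, opts = {})
 to_exe_elf(framework, opts, "template_x86_bsd.bin", code)
 end
 
+# Create a 64-bit Linux ELF containing the payload provided in +code+
+def self.to_bsd_x64_elf(framework, code, opts = {})
+to_exe_elf(framework, opts, "template_x64_bsd.bin", code)
+end
+
 # Create a 32-bit Solaris ELF containing the payload provided in +code+
 def self.to_solaris_x86_elf(framework, code, opts = {})
 to_exe_elf(framework, opts, "template_x86_solaris.bin", code)
@@ -1870,10 +1879,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
 if !plat || plat.index(Msf::Module::Platform::Linux)
 case arch
 when ARCH_X86,nil
-to_linux_x86_elf(framework, code, exeopts)
-when ARCH_X86_64
-to_linux_x64_elf(framework, code, exeopts)
-when ARCH_X64
+to_linux_x86_elf(framework, code, exeopts)
+when ARCH_X86_64, ARCH_X64
 to_linux_x64_elf(framework, code, exeopts)
 when ARCH_ARMLE
 to_linux_armle_elf(framework, code, exeopts)
@@ -1886,6 +1893,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
 case arch
 when ARCH_X86,nil
 Msf::Util::EXE.to_bsd_x86_elf(framework, code, exeopts)
+when ARCH_X86_64, ARCH_X64
+Msf::Util::EXE.to_bsd_x64_elf(framework, code, exeopts)
 end
 elsif plat && plat.index(Msf::Module::Platform::Solaris)
 case arch
@@ -1896,19 +1905,15 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
 when 'elf-so'
 if !plat || plat.index(Msf::Module::Platform::Linux)
 case arch
-when ARCH_X86_64
-to_linux_x64_elf_dll(framework, code, exeopts)
-when ARCH_X64
+when ARCH_X86_64, ARCH_X64
 to_linux_x64_elf_dll(framework, code, exeopts)
 end
 end
 when 'macho', 'osx-app'
 macho = case arch
 when ARCH_X86,nil
 to_osx_x86_macho(framework, code, exeopts)
-when ARCH_X86_64
-to_osx_x64_macho(framework, code, exeopts)
-when ARCH_X64
+when ARCH_X86_64, ARCH_X64
 to_osx_x64_macho(framework, code, exeopts)
 when ARCH_ARMLE
 to_osx_arm_macho(framework, code, exeopts)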
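Review bot: The header comment on the new `to_bsd_x64_elf` says "64-bit Linux ELF", a copy-paste from the Linux helper; since it selects `template_x64_bsd.bin` it should read `# Create a 64-bit BSD ELF containing the payload provided in +code+`. In the first hunk, the new BSD branch of `to_executable` calls `to_bsd_x64_elf(framework, code)` although the method signature shows an `opts = {}` parameter and `to_bsd_x64_elf` accepts one, so any template or ELF options the caller passes are dropped on this path; the adjacent OSX call has the same shape, so this may be an inherited pattern rather than an oversight, but `return to_bsd_x64_elf(framework, code, opts)` is the safer form if the option hash is meaningful here. `to_executable` and `to_executable_fmt` both begin outside these hunks.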