lib/msf/core/exploit/local/linux.rb

# -*- coding: binary -*-

module Msf
module Exploit::Local::Linux
  include Exploit::Local::CompileC

  def linux_x86_syscall_wrappers(metasm_exe)
    cparser.parse <<-EOC
      #ifndef size_t
      #define size_t int
      #endif
      #ifndef off_t
      #define off_t unsigned long
      #endif

      #define O_CREAT 64
      #define O_RDWR 2

      #define MAP_PRIVATE   0x02
      #define MAP_FIXED     0x10
      #define MAP_ANONYMOUS 0x20
      #define MAP_ANON MAP_ANONYMOUS
      #define MAP_FAILED ((void *)-1)

      #define PROT_READ  0x1
      #define PROT_WRITE 0x2
      #define PROT_EXEC  0x4

      void exit(int status);
      int read(int fd, void *buf, size_t count);
      int write(int fd, void *buf, size_t count);
      int open(const char *pathname, int flags, int mode);
      int unlink(const char *pathname);
      int ftruncate(int fd, off_t length);
      int socket(int, int, int);
      int sendfile(int in_fd, int out_fd, void *, int count);
      void *__mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t offset);

      #ifdef DEBUGGING
      void sigtrap();
      #else
      #define sigtrap()
      #endif
      void *__get_tls();

    EOC
    metasm_exe.parse <<-EOS
      sigtrap:
        int    3
        ret
      exit:
        mov    eax, 1         ; sys_exit
        mov    ebx, [esp+4]
        int    0x80
        ret
      read:
        mov    eax, 3         ; sys_write
        mov    edx,[esp+12]   ; length
        mov    ecx,[esp+8]    ; string
        mov    ebx,[esp+4]    ; file descriptor
        int    0x80
        ret
      write:
        mov    eax, 4         ; sys_write
        mov    edx,[esp+12]   ; length
        mov    ecx,[esp+8]    ; string
        mov    ebx,[esp+4]    ; file descriptor
        int    0x80
        ret
      open:
        mov    eax, 5         ; sys_open
        mov    edx,[esp+12]   ; mode
        mov    ecx,[esp+8]    ; flags
        mov    ebx,[esp+4]    ; file name
        int    0x80
        cmp    eax, -129
        jb     1f
        neg    eax
        push   eax
        call   __set_errno
        add    esp, 4
        or     eax, -1
      1:
        ret
      ftruncate:
        push   ebx
        push   ecx
        mov    eax, 93        ; sys_ftruncate
        mov    ecx,[esp+16]   ; file descriptor
        mov    ebx,[esp+12]   ; size
        int    0x80
        cmp    eax, -129
        jb     1f
        neg    eax
        push   eax
        call   __set_errno
        add    esp, 4
        or     eax, -1
      1:
        pop    ecx
        pop    ebx
        ret
      socket:
        push   ebx
        push   ecx
        mov    eax, 102       ; sys_socketcall
        mov    ebx, 1
        mov    ecx, esp
        add    ecx, 12
        int    0x80
        cmp    eax, -129
        jb     1f
        neg    eax
        push   eax
        call   __set_errno
        add    esp, 4
        or     eax, -1
      1:
        pop    ecx
        pop    ebx
        ret
      sendfile:
        push   ebx
        push   ecx
        push   edx
        push   esi

        mov    eax, 187       ; sys_sendfile
        mov    esi,[esp+32]   ; size
        mov    edx,[esp+28]   ; offset
        mov    ecx,[esp+24]    ; out_fd
        mov    ebx,[esp+20]    ; in_fd
        int    0x80
        cmp    eax, -129
        jb     1f
        neg    eax
        push   eax
        call   __set_errno
        add    esp, 4
        or     eax, -1
      1:
        pop    esi
        pop    edx
        pop    ecx
        pop    ebx
        ret

      unlink:
        mov    eax, 10        ; sys_unlink
        mov    ebx,[esp+4]    ; filename
        int    0x80
        ret

      ; stolen from bionic
      __mmap2:
        push   ebx
        push   ecx
        push   edx
        push   esi
        push   edi
        push   ebp

        mov    eax, 192
        mov    ebx, [esp+28]
        mov    ecx, [esp+32]
        mov    edx, [esp+36]
        mov    esi, [esp+40]
        mov    edi, [esp+44]
        mov    ebp, [esp+48]
        int    0x80
        cmp    eax, -129
        jb     1f
        neg    eax
        push   eax
        call   __set_errno
        add    esp, 4
        or     eax, -1
      1:
        pop    ebp
        pop    edi
        pop    esi
        pop    edx
        pop    ecx
        pop    ebx
        ret

      ; Thread Local Storage, used by errno
      __get_tls:
        mov    eax, gs:[0]
        ret
    EOS

  end
end
end
Add 'coding: binary' to all msf/rex library files 2014-08-17 17:31:53 -05:00			`# -- coding: binary --`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00
			`module Msf`
			`module Exploit::Local::Linux`
			`include Exploit::Local::CompileC`

			`def linux_x86_syscall_wrappers(metasm_exe)`
			`cparser.parse <<-EOC`
			`#ifndef size_t`
			`#define size_t int`
			`#endif`
			`#ifndef off_t`
			`#define off_t unsigned long`
			`#endif`

			`#define O_CREAT 64`
			`#define O_RDWR 2`

			`#define MAP_PRIVATE 0x02`
			`#define MAP_FIXED 0x10`
			`#define MAP_ANONYMOUS 0x20`
			`#define MAP_ANON MAP_ANONYMOUS`
			`#define MAP_FAILED ((void *)-1)`

			`#define PROT_READ 0x1`
			`#define PROT_WRITE 0x2`
			`#define PROT_EXEC 0x4`

			`void exit(int status);`
			`int read(int fd, void *buf, size_t count);`
			`int write(int fd, void *buf, size_t count);`
			`int open(const char *pathname, int flags, int mode);`
			`int unlink(const char *pathname);`
			`int ftruncate(int fd, off_t length);`
			`int socket(int, int, int);`
			`int sendfile(int in_fd, int out_fd, void *, int count);`
			`void __mmap2(void addr, size_t length, int prot, int flags, int fd, off_t offset);`

			`#ifdef DEBUGGING`
			`void sigtrap();`
			`#else`
			`#define sigtrap()`
			`#endif`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`void *__get_tls();`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00
			`EOC`
			`metasm_exe.parse <<-EOS`
			`sigtrap:`
			`int 3`
			`ret`
			`exit:`
			`mov eax, 1 ; sys_exit`
			`mov ebx, [esp+4]`
			`int 0x80`
			`ret`
			`read:`
			`mov eax, 3 ; sys_write`
			`mov edx,[esp+12] ; length`
			`mov ecx,[esp+8] ; string`
			`mov ebx,[esp+4] ; file descriptor`
			`int 0x80`
			`ret`
			`write:`
			`mov eax, 4 ; sys_write`
			`mov edx,[esp+12] ; length`
			`mov ecx,[esp+8] ; string`
			`mov ebx,[esp+4] ; file descriptor`
			`int 0x80`
			`ret`
			`open:`
			`mov eax, 5 ; sys_open`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`mov edx,[esp+12] ; mode`
			`mov ecx,[esp+8] ; flags`
			`mov ebx,[esp+4] ; file name`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`int 0x80`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`cmp eax, -129`
			`jb 1f`
			`neg eax`
			`push eax`
			`call __set_errno`
			`add esp, 4`
			`or eax, -1`
			`1:`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`ret`
			`ftruncate:`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`push ebx`
			`push ecx`
			`mov eax, 93 ; sys_ftruncate`
			`mov ecx,[esp+16] ; file descriptor`
			`mov ebx,[esp+12] ; size`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`int 0x80`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`cmp eax, -129`
			`jb 1f`
			`neg eax`
			`push eax`
			`call __set_errno`
			`add esp, 4`
			`or eax, -1`
			`1:`
			`pop ecx`
			`pop ebx`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`ret`
			`socket:`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`push ebx`
			`push ecx`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`mov eax, 102 ; sys_socketcall`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`mov ebx, 1`
			`mov ecx, esp`
			`add ecx, 12`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`int 0x80`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`cmp eax, -129`
			`jb 1f`
			`neg eax`
			`push eax`
			`call __set_errno`
			`add esp, 4`
			`or eax, -1`
			`1:`
			`pop ecx`
			`pop ebx`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`ret`
			`sendfile:`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`push ebx`
			`push ecx`
			`push edx`
			`push esi`

			`mov eax, 187 ; sys_sendfile`
			`mov esi,[esp+32] ; size`
			`mov edx,[esp+28] ; offset`
			`mov ecx,[esp+24] ; out_fd`
			`mov ebx,[esp+20] ; in_fd`
			`int 0x80`
			`cmp eax, -129`
			`jb 1f`
			`neg eax`
			`push eax`
			`call __set_errno`
			`add esp, 4`
			`or eax, -1`
			`1:`
			`pop esi`
			`pop edx`
			`pop ecx`
			`pop ebx`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`ret`

			`unlink:`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`mov eax, 10 ; sys_unlink`
			`mov ebx,[esp+4] ; filename`
			`int 0x80`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`ret`

Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`; stolen from bionic`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`__mmap2:`
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`push ebx`
			`push ecx`
			`push edx`
			`push esi`
			`push edi`
			`push ebp`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`mov eax, 192`
			`mov ebx, [esp+28]`
			`mov ecx, [esp+32]`
			`mov edx, [esp+36]`
			`mov esi, [esp+40]`
			`mov edi, [esp+44]`
			`mov ebp, [esp+48]`
			`int 0x80`
			`cmp eax, -129`
			`jb 1f`
			`neg eax`
			`push eax`
			`call __set_errno`
			`add esp, 4`
			`or eax, -1`
			`1:`
			`pop ebp`
			`pop edi`
			`pop esi`
			`pop edx`
			`pop ecx`
			`pop ebx`
			`ret`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00
Add an exploit for sock_sendpage 2012-07-15 20:29:48 -06:00			`; Thread Local Storage, used by errno`
			`__get_tls:`
			`mov eax, gs:[0]`
More progress on syscall wrappers 2012-06-22 17:45:49 -06:00			`ret`
			`EOS`

			`end`
			`end`
			`end`