Add metasm format of code for Super small Shell Bind TCP Random Port #11374

Merged (5 commits), May 17, 2019

6 participants
@Ekzorcist (Contributor) commented Feb 9, 2019:

The shellcode is going to upgrade/complement the old one https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb whose size is 57. The functionality is virtually the same but the size is SIGNIFICANTLY (44 against 57!) smaller, which makes it unique in its kind.

This payload is really tiny since it uses nc by opening a random port.
Use nmap to discover the open port: 'nmap -sS -p- target'.
More details can be found here https://www.exploit-db.com/exploits/41631

Tested on Linux 4.9.0-7-amd64 #1 SMP Debian 4.9.110-1 (2018-07-05) x86_64 GNU/Linux

Please review it.
Thanks in advance!

bcoles and others added some commits Feb 10, 2019

Update modules/payloads/singles/linux/x86/shell_bind_tcp_super_small_…
…random_port.rb

Co-Authored-By: Ekzorcist <infosecurity@ya.ru>
Update modules/payloads/singles/linux/x86/shell_bind_tcp_super_small_…
…random_port.rb

Co-Authored-By: Ekzorcist <infosecurity@ya.ru>
@Ekzorcist (Contributor, Author) commented Feb 14, 2019:

Hello, guys!
Please reopen #11370
to advance with the current task!

busterb self-assigned this Feb 20, 2019

@busterb (Member) commented Feb 20, 2019:

Reopening #11370 really isn't required for this. Taking a look now.

@Ekzorcist (Contributor, Author) commented Feb 20, 2019:

ok! Thank you!!

@phra (Contributor) commented Feb 23, 2019:

This payload is really tiny since it uses nc by opening a random port.

The command passed to execve() is nc -le /bin/sh, so it requires nc.traditional installed on the target machine, making the shellcode dependent on the machine configuration.

@Ekzorcist (Contributor, Author) commented Feb 23, 2019:

This payload is really tiny since it uses nc by opening a random port.

The command passed to execve() is nc -le /bin/sh, so it requires nc.traditional installed on the target machine, making the shellcode dependent on the machine configuration.

Yes, I am aware of it. And this is a deliberate approach to make it the tiniest one!
Regardless of the technique used to open a port, your attempt to do this can also be limited by other factors such as iptables INPUT configuration, SELinux, etc.
Nothing is universal for every case.
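The dependency phra points out above cuts both ways: the payload only works where nc.traditional is present, and its host-side footprint is an nc process started with a listen flag and an attached command. A defender can turn that footprint into a check. The following is an added example, not code from this pull request or from Metasploit: a small Ruby filter over process-execution records that flags netcat started in listen mode with an exec option. The record format, the option tables and the sample lines are constructed assumptions for the example, not captured data.

```ruby
require 'shellwords'

# Added example: flag netcat launched as a listener with an attached command.
# Record format is assumed for this example: "<timestamp> pid=<n> exec: <cmdline>".
NETCAT_NAMES = %w[nc nc.traditional nc.openbsd ncat netcat].freeze
EXEC_FLAGS   = %w[e c].freeze               # short options that attach a program
ARG_FLAGS    = %w[e c p w i s q o].freeze   # short options that consume a value

# Parse one record into { ts:, pid:, argv: }, or nil when the line is not an exec record.
def parse_exec_record(line)
  m = line.match(/\A(\S+)\s+pid=(\d+)\s+exec:\s+(.+)\z/)
  return nil unless m
  { ts: m[1], pid: m[2].to_i, argv: Shellwords.split(m[3]) }
end

# Collect short option letters and long options from argv. A short cluster stops
# at the first letter that takes a value, so "-le /bin/sh" yields l and e, and
# "-lp4444" yields l and p (the "4444" is the value of -p, not more flags).
def netcat_options(argv)
  opts = []
  argv.drop(1).each do |arg|
    if arg.start_with?('--')
      opts << arg
    elsif arg.start_with?('-') && arg.length > 1
      arg[1..-1].each_char do |ch|
        opts << ch
        break if ARG_FLAGS.include?(ch)
      end
    end
  end
  opts
end

# True when argv is a netcat binary run with both a listen option and an exec option.
def netcat_bind_shell?(argv)
  return false if argv.empty?
  return false unless NETCAT_NAMES.include?(File.basename(argv[0]))
  opts   = netcat_options(argv)
  listen = opts.include?('l') || opts.include?('--listen')
  exec   = (opts & EXEC_FLAGS).any? || opts.any? { |o| o.start_with?('--exec', '--sh-exec') }
  listen && exec
end

def find_netcat_bind_shells(lines)
  lines.map { |l| parse_exec_record(l) }.compact.select { |r| netcat_bind_shell?(r[:argv]) }
end

# Constructed sample records (not real logs). Only three describe a listener with a command.
SAMPLE_RECORDS = [
  '2019-02-23T10:00:01Z pid=4242 exec: nc -le /bin/sh',
  '2019-02-23T10:00:02Z pid=4243 exec: /bin/nc.traditional -l -p 4444 -e /bin/bash',
  '2019-02-23T10:00:03Z pid=4244 exec: nc -w 3 mail.example.internal 25',
  '2019-02-23T10:00:04Z pid=4245 exec: ncat --listen 8080 --sh-exec "/bin/sh -i"',
  '2019-02-23T10:00:05Z pid=4246 exec: nc -l 9000',
  '2019-02-23T10:00:06Z pid=4247 exec: sshd -D',
  'malformed line without an exec record',
].freeze

if __FILE__ == $PROGRAM_NAME
  find_netcat_bind_shells(SAMPLE_RECORDS).each do |r|
    puts "#{r[:ts]} pid=#{r[:pid]} netcat listener with attached command: #{r[:argv].join(' ')}"
  end
end
```

The option parser deliberately tolerates clustered short flags, because the form on this page (-le) is exactly the case a naive "-l" and "-e" token match would miss. A plain listener (nc -l 9000) is not flagged on its own; the signal is the combination of listen and exec.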

@Ekzorcist (Contributor, Author) commented Mar 8, 2019:

Hello, @busterb !
Is there any news on reviewing and merging the shellcode?
Appreciate your help on this a lot!!!

@busterb (Member) commented Mar 8, 2019:

Hi @Ekzorcist, yeah, I started reviewing this, noticed that our payload size checker automation was actually broken, and didn't finish. Plan to get back on this soon to fix that as well.

@Ekzorcist (Contributor, Author) commented Mar 9, 2019:

Thank you!!

@Ekzorcist (Contributor, Author) commented Apr 5, 2019:

Hello, @busterb !
How is it going with payload size checker automation?
Maybe I could help in fixing it?

@busterb (Member) commented May 17, 2019:

All fixed, there was a bug in msfvenom's size checker that got merged in #11821. I have some changes I'm going to include with the merge here too.

busterb merged commit 1e3be0f into rapid7:master May 17, 2019

3 checks passed:
- Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
- Metasploit Automation - Test Execution: Successfully completed all tests.
- continuous-integration/travis-ci/pr: The Travis CI build passed.

busterb added a commit that referenced this pull request May 17, 2019

msjenkins-r7 added a commit that referenced this pull request May 17, 2019

@busterb (Member) commented May 17, 2019:

I added 9ae01c9 which merged this payload into the existing bind payload. This makes it automatically invoked as needed rather than having to evaluate a different payload entirely (this pattern is in many other payloads as well.) If you pass -s 56 or smaller to msfvenom, it will choose the tinier version, e.g. ./msfvenom -p linux/x86/shell_bind_tcp_random_port -s 57

Note also that I had to rename generate_bind_tcp_shell to generate, since the original payload in this PR never generated anything unless it overrode the base class method for the payload class. Keep that in mind for any future efforts.

Thanks!
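The two points in busterb's comment above (the framework only ever calls a method named generate, so an override under another name never produces bytes; and the merged payload selects the 44-byte nc-based variant when the requested space is below 57) can be shown with a standalone Ruby model. This is an added example, not the pull request's module and not Metasploit's Msf::Payload code: the available_space name is an assumed stand-in for the framework's space limit (what msfvenom -s sets), and the byte strings are placeholders of the sizes quoted in the thread, not shellcode.

```ruby
# Added example: standalone model of the generate-override pitfall and the
# size-based variant selection described in the merge comment. Not framework code.

# Stand-in for the framework's payload base class. The framework calls
# #generate and nothing else, so a subclass that defines a differently named
# method never contributes any bytes.
class BasePayload
  # Assumed name: the space limit the caller allows (msfvenom -s); nil means no limit.
  attr_accessor :available_space

  def initialize(available_space = nil)
    @available_space = available_space
  end

  # Default placeholder bytes (not shellcode).
  def generate
    "\x90" * 8
  end

  # What the framework does with a payload: call generate, then enforce the limit.
  def build
    bytes = generate
    if available_space && bytes.bytesize > available_space
      raise ArgumentError, "payload is #{bytes.bytesize} bytes, exceeds limit of #{available_space}"
    end
    bytes
  end
end

# Model of the first PR revision: the override has the wrong name, so build
# still returns the 8-byte base placeholder, not the intended 44 bytes.
class MisnamedPayload < BasePayload
  def generate_bind_tcp_shell
    "S" * 44
  end
end

# Model of the merged form: one generate picks the variant from the limit.
class SizeAwarePayload < BasePayload
  STANDARD = ("A" * 57).freeze   # placeholder for the 57-byte standard bind payload
  SMALL    = ("B" * 44).freeze   # placeholder for the 44-byte nc-based variant

  def generate
    if available_space && available_space < STANDARD.bytesize
      SMALL
    else
      STANDARD
    end
  end
end

# Size of the variant the size-aware payload emits for a given limit.
def selected_variant(space)
  SizeAwarePayload.new(space).build.bytesize
end

if __FILE__ == $PROGRAM_NAME
  puts MisnamedPayload.new.build.bytesize   # 8: the misnamed override is never called
  puts selected_variant(nil)                # 57: no limit, standard variant
  puts selected_variant(56)                 # 44: limit below 57 selects the small variant
end
```

The build step is the reason the naming pitfall matters: nothing fails loudly when the override is misnamed, the module simply emits the base class's bytes. A limit that neither variant fits (for instance 40) is the one case that raises, which is the behaviour a size checker should exercise.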

@acammack-r7 (Contributor) commented May 24, 2019:

Release Notes

The linux/x86/shell_bind_tcp_random_port payload now has a smaller version that uses the nc command on the target to reduce the amount of shellcode needed. The new payload will automatically be used when the old one is too large.

@Ekzorcist (Contributor, Author) commented May 26, 2019:

Super cool!
