payloads/x64: exec.rb - refactoring, metasm, new NullFreeVersion option #15028
Conversation
This patch converts shellcode to metasm and makes it more efficient, resulting in its size being reduced to 37 bytes + CMD length. Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
This patch adds new behaviour to the CMD option. Now if CMD is empty or unset, a 21-byte, not null-free execve payload is built. The arbitrary command option continues the same when CMD is set. It also adds the OptBool NullFreeVersion advanced option. Its default value is false. When set to true, generate will output a self-included null-free version of the payload without the need for encoding. Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
Neat, thank you @geyslan, pulling in for testing.
Overall this looks good, just had a few places where I think the comments might need to be cleared up for clarity. I also wanted to double check on the use of db vs dw for storing the command string.
Alright, the main issue I was waiting on has been resolved, so I'll push the comment updates to your branch now and then test and land this PR assuming all the tests pass as expected.
Just some general comments on how we could save an extra byte or two given what I saw when commenting. Let me know what you think 👍
Alright, looks good for testing, thanks for the help and info here!
Okay, looks like the ones without a command are working brilliantly, so no issues there:
And the execution results:
And with a command also works well:
And as a final confirmation I also dumped the hex output of the shellcode and we can see that the NULL flag does in fact generate shellcode that doesn't contain any NULL bytes:
This is all good to land, will get this in now.
Release Notes
Updated the
This PR (similar to #14661) converts shellcode to metasm and makes it more efficient, resulting in its size being reduced to 37 bytes + CMD length.
It adds new behaviour to the CMD option.
Now if CMD is empty or unset, a 21-byte, not null-free execve payload is built.
The arbitrary command option continues the same when CMD is set.
It also adds the OptBool NullFreeVersion advanced option.
Its default value is false. When set to true, generate will output a
self-included null-free version of the payload without the need for encoding.
Verification
msfconsole
use payload/linux/x86/exec
options
advanced
unset CMD
generate -f elf -o exec64.elf
set NullFreeVersion true
generate -f elf -o exec64.elf
set NullFreeVersion false
set CMD uname -a
generate -f elf -o exec64.elf
set NullFreeVersion true
generate -f elf -o exec64.elf
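The reviewer above confirmed the NullFreeVersion build by dumping the hex of the generated shellcode and eyeballing it for NULL bytes. The script below is an added example (not part of this PR or the Metasploit module) that automates that check in Ruby: it parses a pasted hex dump back into bytes, reports the offset of every NUL, and compares the blob's length against the sizes quoted in the PR description (21 bytes with CMD unset, 37 bytes + CMD length otherwise). The byte strings it runs on are constructed stand-ins, not the module's real payload; feed it the output of `generate -f raw` or `generate -f hex` to check a real build.

```ruby
# Added example (not from the Metasploit PR): verifies a raw payload dump the
# way the reviewer did by hand, checking null-freeness and expected size.
# The sample byte strings at the bottom are CONSTRUCTED, not real shellcode.

# Size figures quoted in the PR description.
BASE_NO_CMD   = 21   # CMD unset or empty -> 21-byte execve payload
BASE_WITH_CMD = 37   # CMD set -> 37 bytes + length of CMD

# Offsets of every NUL byte in the blob; an empty array means null-free.
def null_byte_offsets(blob)
  (0...blob.bytesize).select { |i| blob.getbyte(i).zero? }
end

def null_free?(blob)
  null_byte_offsets(blob).empty?
end

# Expected payload size for a given CMD, per the figures in the PR description.
def expected_size(cmd)
  cmd.to_s.empty? ? BASE_NO_CMD : BASE_WITH_CMD + cmd.bytesize
end

# Parses the kinds of hex dump people paste into a PR ("\x48\x31...",
# "48 31 ..." or "4831...") back into a binary string.
def parse_hex_dump(text)
  [text.scan(/[0-9a-fA-F]{2}/).join].pack("H*")
end

# Summarises a blob against the options it was generated with.
# null_free_ok is only enforced when NullFreeVersion was set.
def check_payload(blob, cmd: nil, null_free_version: false)
  offsets = null_byte_offsets(blob)
  {
    size: blob.bytesize,
    expected_size: expected_size(cmd),
    size_ok: blob.bytesize == expected_size(cmd),
    null_offsets: offsets,
    null_free_ok: !null_free_version || offsets.empty?,
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: 21 bytes with a NUL at offset 3, standing in for the
  # default (not null-free) build with CMD unset.
  default_build = "\x90\x90\x90\x00".b + ("\x90".b * 17)
  p check_payload(default_build)

  # Constructed sample: 37 + 8 bytes and no NULs, standing in for a
  # NullFreeVersion build with CMD "uname -a".
  cmd = "uname -a"
  null_free_build = "\x90".b * (BASE_WITH_CMD + cmd.bytesize)
  p check_payload(null_free_build, cmd: cmd, null_free_version: true)
end
```

`check_payload` deliberately reports NUL offsets even when NullFreeVersion is off, since the default build is expected to contain them; the `null_free_ok` flag only fails the check when the null-free option was requested and a NUL is still present.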