Implement x64 BSD exec and exe template.
- Fixes bug in CachedSize due to all options being set
- Adds new payload to payload_spec.
joevennix committed Apr 12, 2015
1 parent e8e7a2a commit 2d3614f
Showing 14 changed files with 259 additions and 107 deletions.
Binary file added data/templates/template_x64_bsd.bin
236 changes: 149 additions & 87 deletions lib/msf/core/payload/bsd.rb
Expand Up @@ -23,49 +23,49 @@ def initialize(info = {})
[
false,
"Prepend a stub that executes the setresuid(0, 0, 0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetreuid',
[
false,
"Prepend a stub that executes the setreuid(0, 0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetuid',
[
false,
"Prepend a stub that executes the setuid(0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
false
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
false
]
),
Msf::OptBool.new('AppendExit',
[
false,
"Append a stub that executes the exit(0) system call",
"false"
false
]
),
], Msf::Payload::Bsd)
Expand All @@ -74,95 +74,157 @@ def initialize(info = {})
end


#
# Overload the generate() call to prefix our stubs
#
def generate(*args)
# Call the real generator to get the payload
buf = super(*args)
def apply_prepends(buf)
test_arch = [ *(self.arch) ]
pre = ''
app = ''

test_arch = [ *(self.arch) ]

# Handle all x86 code here
if (test_arch.include?(ARCH_X86))
handle_x86_bsd_opts(pre, app)
elsif (test_arch.include?(ARCH_X86_64))
handle_x64_bsd_opts(pre, app)
end

pre + buf + app
end

def handle_x86_bsd_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end

# Prepend

if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
# Append

if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end

if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end

return (pre + buf + app)
if (datastore['AppendExit'])
# exit(0)
app << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x01" +# movb $0x01,%al #
"\xcd\x80" # int $0x80 #
end
end

def handle_x64_bsd_opts(pre, app)
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x4d" +# or rax, 77 (setgid=311>>2=77)
"\x48\xc1\xe0\x02" +# shl rax, 2
"\x48\x83\xf0\x03" +# xor rax, 3 (311&3=3)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x48\x31\xd2" +# xor rdx, rdx 0
"\x0f\x05" # syscall
end

if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x7e" +# or rax, 126 (setreuid=126)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
end

if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x17" +# or rax, 23 (setuid=23)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
end

if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x4e" +# or rax, 78 (setgid=312>>2=78)
"\x48\xc1\xe0\x02" +# shl rax, 2 (78<<2=312)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x48\x31\xd2" +# xor rdx, rdx 0
"\x0f\x05" # syscall
end

if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x7f" +# or rax, 127 (setuid=127)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x48\x31\xf6" +# xor rsi, rsi 0
"\x0f\x05" # syscall
end

if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x5a" +# or rax, 90 (setgid=181>>1=90)
"\x48\xd1\xe0" +# shl rax, 1
"\x48\x83\xc8\x01" +# or rax, 1 (setgid=181&1=1)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
end

if (datastore['AppendExit'])
# exit(0)
app << "\x48\x31\xc0" +# xor rax, rax
"\x48\x83\xc8\x01" +# or rax, 1 (exit=1)
"\x48\x31\xff" +# xor rdi, rdi 0
"\x0f\x05" # syscall
end
end

end
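Review bot: apply_prepends only recognizes ARCH_X86_64 when selecting handle_x64_bsd_opts (the `elsif (test_arch.include?(ARCH_X86_64))` branch), while the exe.rb half of this same commit matches `ARCH_X86_64, ARCH_X64` for the x64 BSD ELF, so a payload declaring ARCH_X64 would be wrapped as x64 but silently get none of the Prepend*/AppendExit stubs — the setuid(0)/exit(0) behaviour the operator enabled just disappears. If ARCH_X64 is a distinct constant, as exe.rb treats it, `elsif (test_arch.include?(ARCH_X86_64) || test_arch.include?(ARCH_X64))` closes the gap. Separately, two x64 stub comments are copy-pasted wrong: the setresuid stub says `or rax, 77 (setgid=311>>2=77)` and the setregid stub says `or rax, 127 (setuid=127)`, which should read `setresuid=311` and `setregid=127` respectively; the numbers themselves (311/126/23/312/127/181/1) do match the FreeBSD amd64 syscall table as far as I can check. Like the x86 stubs, none of the x64 stubs tests the carry flag after `syscall`, so a failed setuid (e.g. EPERM) falls straight through into the payload; a one-line comment on apply_prepends such as `# Stubs are best-effort: syscall failures are not checked` would make that contract explicit. The class header and apply_prepends' caller are outside this hunk, so I could not confirm that the renamed method is invoked everywhere the removed generate() override used to be.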
25 changes: 15 additions & 10 deletions lib/msf/util/exe.rb
Expand Up @@ -111,6 +111,10 @@ def self.to_executable(framework, arch, plat, code = '', opts = {})
if plat.index(Msf::Module::Platform::OSX)
return to_osx_x64_macho(framework, code)
end

if plat.index(Msf::Module::Platform::BSD)
return to_bsd_x64_elf(framework, code)
end
end

if arch.index(ARCH_ARMLE)
Expand Down Expand Up @@ -891,6 +895,11 @@ def self.to_bsd_x86_elf(framework, code, opts = {})
to_exe_elf(framework, opts, "template_x86_bsd.bin", code)
end

# Create a 64-bit Linux ELF containing the payload provided in +code+
def self.to_bsd_x64_elf(framework, code, opts = {})
to_exe_elf(framework, opts, "template_x64_bsd.bin", code)
end

# Create a 32-bit Solaris ELF containing the payload provided in +code+
def self.to_solaris_x86_elf(framework, code, opts = {})
to_exe_elf(framework, opts, "template_x86_solaris.bin", code)
Expand Down Expand Up @@ -1870,10 +1879,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
if !plat || plat.index(Msf::Module::Platform::Linux)
case arch
when ARCH_X86,nil
to_linux_x86_elf(framework, code, exeopts)
when ARCH_X86_64
to_linux_x64_elf(framework, code, exeopts)
when ARCH_X64
to_linux_x86_elf(framework, code, exeopts)
when ARCH_X86_64, ARCH_X64
to_linux_x64_elf(framework, code, exeopts)
when ARCH_ARMLE
to_linux_armle_elf(framework, code, exeopts)
Expand All @@ -1886,6 +1893,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
case arch
when ARCH_X86,nil
Msf::Util::EXE.to_bsd_x86_elf(framework, code, exeopts)
when ARCH_X86_64, ARCH_X64
Msf::Util::EXE.to_bsd_x64_elf(framework, code, exeopts)
end
elsif plat && plat.index(Msf::Module::Platform::Solaris)
case arch
Expand All @@ -1896,19 +1905,15 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
when 'elf-so'
if !plat || plat.index(Msf::Module::Platform::Linux)
case arch
when ARCH_X86_64
to_linux_x64_elf_dll(framework, code, exeopts)
when ARCH_X64
when ARCH_X86_64, ARCH_X64
to_linux_x64_elf_dll(framework, code, exeopts)
end
end
when 'macho', 'osx-app'
macho = case arch
when ARCH_X86,nil
to_osx_x86_macho(framework, code, exeopts)
when ARCH_X86_64
to_osx_x64_macho(framework, code, exeopts)
when ARCH_X64
when ARCH_X86_64, ARCH_X64
to_osx_x64_macho(framework, code, exeopts)
when ARCH_ARMLE
to_osx_arm_macho(framework, code, exeopts)
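Review bot: The doc comment on the new to_bsd_x64_elf is copy-pasted from the Linux helper: `# Create a 64-bit Linux ELF containing the payload provided in +code+` should read `# Create a 64-bit BSD ELF containing the payload provided in +code+`, matching the x86 BSD helper directly above it. Also, the new `return to_bsd_x64_elf(framework, code)` in to_executable drops the `opts` argument that to_executable receives and that to_bsd_x64_elf forwards to to_exe_elf; this mirrors the OSX line just above it, so it may be deliberate, but `return to_bsd_x64_elf(framework, code, opts)` would let callers of to_executable override the template the way to_executable_fmt already allows via exeopts.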
