New Payload (shell_bind_tcp_random_port) #2350
Conversation
Cool stuff. Do you mind uploading the source to external/source/shellcode/linux/ia32? thx.
Thank you. Sure, I'll do it. There are other payloads that I suggested to Tod. I'm just waiting for a reply. See you.
Nice payload.
Thank you.
Merge remote-tracking branch 'origin'
Hey guys. Here is the x86_64 version.
I only want to contribute to the tool; I did the modules only with the goal of helping. IMHO the syntax isn't hurting anyone. No problem if you don't want the files. Only let me know, so I'll revert the license back to GNU v3 as soon as possible.
Yeah, you're right. The syntax isn't hurting anymore. This is a good contribution, believe me. It's just that we use the
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',
'Description' => 'Listen for a connection in a random port and spawn a command shell. ' \
For example, you could use %q
like this:
'Description' => %q{
Listen for a connection in a random port and spawn a command shell.
Use nmap to discover the open port: 'nmap -sS target -p-'.
Assembly source: http://goo.gl/TAveVc
},
I also don't have to escape '.
* Moved shortlink to a reference.
* Reformat e-mail address.
* Fixed whitespace.
* Use multiline quote per most other module descriptions.

Still need to resplat the modules, but it's no big thang to do that after landing. Also, References do not seem to appear for post modules in the normal msfconsole. This is a bug in the UI, not for these modules -- many payloads would benefit from being explicit on their references, so may as well start with these.
Fixes for #2350, random bind shellcode
Tod, wvu, now I see why to use %q. Thank you for the fixes.
And thank you for this sweet code. :P
"Also, if you'd like to add source for the x64 payload, it looks like you'd be the first in x64 Linux land (we only appear to ship source for 32-bit payloads for linux, so far)." Tod, I would like to add the x64 source code too. Please guide me about the correct file hierarchy (path).
},
'Author' => 'Geyslan G. Bem <geyslan[at]gmail.com>',
'License' => BSD_LICENSE,
'References' => ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm'],
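Review bot: the 'References' value on the last line is a flat ['URL', '...'] array, but Metasploit module metadata expects an array of [type, value] pairs, so the reference would not be parsed as a URL reference; it should read 'References' => [['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm']].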
A note:
The correct References here is: https://github.com/geyslan/SLAE/blob/master/improvements/shell_bind_tcp_random_port_x86_64.asm
You can go ahead and make the change and push. I'll just fetch the PR again.
I would like to, but I'm at the doctor right now. If you could do that, I would be thankful. If not, no problem, I'll do it as soon as possible.
Fixes done, ready to analyze!
Okay, testing! Assembly looks great. :)
Tested successfully on x{86,64}. w00t!
wvu, thanks. Have you tested the 64-bit version?
Yep. Works for me.
Great. Cheers! 👍
Changes Unknown when pulling 28c5dd6 on geyslan:master into * on rapid7:master.
This payload is the tiniest of its kind, because it doesn't bind the socket; it just lets the kernel do it, opening a random port. Use nmap to discover the open port: 'nmap -sS target -p-'.
More details: http://www.hackingbits.com/2013/03/hacking-do-dia-shell-bind-tcp-random.html and https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm