rapid7 · dledda-r7 · Jan 10, 2025 · Jan 13, 2025 · Jan 14, 2025 · Jan 14, 2025
diff --git a/data/templates/src/elf/exe/build.sh b/data/templates/src/elf/exe/build.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+dst_folder="../../../"
+for file in $(find ./ -name "*.s")
+do
+   arch=`echo $file | cut -d "_" -f2`;
+   nasm -f bin $file -o $dst_folder"template_"$arch"_linux.bin"
+ done
diff --git a/data/templates/src/elf/exe/elf_aarch64_template.s b/data/templates/src/elf/exe/elf_aarch64_template.s
@@ -1,7 +1,6 @@
 ; build with:
 ;   nasm elf_aarch64_template.s -f bin -o template_aarch64_linux.bin
 
-
 BITS 64
 org     0x400000
 ehdr:                            ; Elf32_Ehdr

diff --git a/data/templates/src/elf/exe/elf_armbe_template.s b/data/templates/src/elf/exe/elf_armbe_template.s
@@ -0,0 +1,37 @@
+; build with:
+;   nasm elf_armbe_template.s -f bin -o template_armbe_linux.bin
+
+BITS 32
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x2800                   ;   e_machine    = ARM
+  dd    0x01000000               ;   e_version
+  dd    0x54800000               ;   e_entry
+  dd    0x34000000               ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x3400                   ;   e_ehsize
+  dw    0x2000                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+
+  dd    0x01000000               ;   p_type       = pt_load
+  dd    0                        ;   p_offset
+  dd    0x00800000               ;   p_vaddr
+  dd    0x00800000               ;   p_paddr
+  dd    0xefbeadde               ;   p_filesz
+  dd    0xefbeadde               ;   p_memsz
+  dd    0x07000000               ;   p_flags      = rwx
+  dd    0x00100000               ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
diff --git a/data/templates/src/elf/exe/elf_mips64_template.s b/data/templates/src/elf/exe/elf_mips64_template.s
@@ -0,0 +1,55 @@
+; build with:
+;   nasm elf_mips64_template.s -f bin -o template_mips64_linux.bin
+
+%define WORD_BE(value) (((value & 0xFF) << 8) | ((value >> 8) & 0xFF))
+%define DWORD_BE(dword) (((dword & 0xFF) << 24) | \
+                        ((dword & 0xFF00) << 8) | \
+                        ((dword >> 8) & 0xFF00) | \
+                        ((dword >> 24) & 0xFF))
+%define QWORD_BE(qword) ( \
+    ((qword & 0x00000000000000FF) << 56) | \
+    ((qword & 0x000000000000FF00) << 40) | \
+    ((qword & 0x0000000000FF0000) << 24) | \
+    ((qword & 0x00000000FF000000) << 8) | \
+    ((qword >> 8) & 0x000000FF00000000) | \
+    ((qword >> 24) & 0x0000FF0000000000) | \
+    ((qword >> 40) & 0x00FF000000000000) | \
+    ((qword >> 56) & 0xFF00000000000000) )
+
+BITS 64
+
+org     0x400000
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    WORD_BE(2)               ;   e_type       = ET_EXEC for an executable
+  dw    WORD_BE(0x08)            ;   e_machine    = MIPS
+  dd    0                        ;   e_version
+  dq    QWORD_BE(0x400078)       ;   e_entry
+  dq    QWORD_BE(0x40)           ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    WORD_BE(0x40)            ;   e_ehsize
+  dw    WORD_BE(0x38)            ;   e_phentsize
+  dw    WORD_BE(0x1)             ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    DWORD_BE(1)              ;   p_type       = PT_LOAD
+  dd    DWORD_BE(7)              ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    QWORD_BE(0x400000)       ;   p_vaddr
+  dq    QWORD_BE(0x400000)       ;   p_paddr
+  dq    QWORD_BE(0xA00000)       ;   p_filesz
+  dq    QWORD_BE(0xA00000)       ;   p_memsz
+  dq    QWORD_BE(0x1000)         ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
diff --git a/data/templates/src/elf/exe/elf_ppc64le_template.s b/data/templates/src/elf/exe/elf_ppc64le_template.s
@@ -0,0 +1,40 @@
+; build with:
+;   nasm elf_ppc64le_template.s -f bin -o template_ppc64le_linux.bin
+
+BITS 64
+
+org 0x400000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0x15                     ;   e_machine    = PPC64
+  dd    0                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
+dq _start+0x8
diff --git a/data/templates/src/elf/exe/elf_ppc_template.s b/data/templates/src/elf/exe/elf_ppc_template.s
@@ -0,0 +1,37 @@
+; build with:
+;   nasm elf_ppc_template.s -f bin -o template_ppc_linux.bin
+
+BITS 32
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1400                   ;   e_machine    = PPC
+  dd    0x01000000               ;   e_version
+  dd    0x54100000               ;   e_entry
+  dd    0x34000000               ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x3400                   ;   e_ehsize
+  dw    0x2000                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+
+  dd    0x01000000               ;   p_type       = pt_load
+  dd    0                        ;   p_offset
+  dd    0x00100000               ;   p_vaddr
+  dd    0x00100000               ;   p_paddr
+  dd    0xefbeadde               ;   p_filesz
+  dd    0xefbeadde               ;   p_memsz
+  dd    0x07000000               ;   p_flags      = rwx
+  dd    0x00000100               ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
diff --git a/data/templates/src/elf/exe/elf_ppce500v2_template.s b/data/templates/src/elf/exe/elf_ppce500v2_template.s
@@ -0,0 +1,37 @@
+; build with:
+;   nasm elf_ppce500v2_template.s -f bin -o template_ppce500v2_linux.bin
+
+BITS 32
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1400                   ;   e_machine    = PPC
+  dd    0x01000000               ;   e_version
+  dd    0x54100000               ;   e_entry
+  dd    0x34000000               ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x3400                   ;   e_ehsize
+  dw    0x2000                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+
+  dd    0x01000000               ;   p_type       = pt_load
+  dd    0                        ;   p_offset
+  dd    0x00100000               ;   p_vaddr
+  dd    0x00100000               ;   p_paddr
+  dd    0xefbeadde               ;   p_filesz
+  dd    0xefbeadde               ;   p_memsz
+  dd    0x07000000               ;   p_flags      = rwx
+  dd    0x00000100               ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
diff --git a/data/templates/src/elf/exe/elf_zarch_template.s b/data/templates/src/elf/exe/elf_zarch_template.s
@@ -0,0 +1,34 @@
+; build with:
+;   nasm elf_zarch_template.s -f bin -o template_zarch_linux.bin
+
+BITS 64
+
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1600                   ;   e_machine    = ZARCH
+  dd    0x01000000               ;   e_version
+  dq    0x7810000000000000       ;   e_entry
+  dq    0x4000000000000000       ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x4000                   ;   e_ehsize
+  dw    0x3800                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+phdr:                            ; Elf32_Phdr
+  dd    0x01000000               ;   p_type       = PT_LOAD
+  dd    0x07000000               ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    0x0010000000000000       ;   p_vaddr
+  dq    0x0010000000000000       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x0000100000000000       ;   p_align
+
+_start:
diff --git a/data/templates/template_armbe_linux.bin b/data/templates/template_armbe_linux.bin
diff --git a/data/templates/template_mips64_linux.bin b/data/templates/template_mips64_linux.bin
diff --git a/data/templates/template_ppc64le_linux.bin b/data/templates/template_ppc64le_linux.bin
diff --git a/data/templates/template_ppc_linux.bin b/data/templates/template_ppc_linux.bin
diff --git a/data/templates/template_ppce500v2_linux.bin b/data/templates/template_ppce500v2_linux.bin
diff --git a/data/templates/template_zarch_linux.bin b/data/templates/template_zarch_linux.bin
diff --git a/lib/msf/base/sessions/mettle_config.rb b/lib/msf/base/sessions/mettle_config.rb
@@ -6,7 +6,6 @@
 module Msf
   module Sessions
     module MettleConfig
-
       include Msf::Payload::TransportConfig
 
       def initialize(info = {})
@@ -18,12 +17,22 @@ def initialize(info = {})
               'MeterpreterTryToFork',
               'Fork a new process if the functionality is available',
               default: false
-            )
+            ),
           ]
         )
+        unless staged?
+          register_advanced_options(
+            [
+              OptEnum.new(
+                'PayloadLinuxMinKernel',
+                [true, 'Linux minimum kernel version for compatibility', '2.6', ['2.6', '3.17']]
+              )
+            ]
+          )
+        end
       end
 
-      def generate_uri(opts={})
+      def generate_uri(opts = {})
         ds = opts[:datastore] || datastore
         uri_req_len = ds['StagerURILength'].to_i
 
@@ -33,7 +42,7 @@ def generate_uri(opts={})
         end
 
         if uri_req_len < 5
-          raise ArgumentError, "Minimum StagerURILength is 5"
+          raise ArgumentError, 'Minimum StagerURILength is 5'
         end
 
         generate_uri_uuid_mode(:init_connect, uri_req_len, uuid: opts[:uuid])
@@ -76,7 +85,7 @@ def generate_tcp_uri(opts)
         target_uri
       end
 
-      def generate_config(opts={})
+      def generate_config(opts = {})
         ds = opts[:datastore] || datastore
 
         opts[:background] = ds['MeterpreterTryToFork'] ? 1 : 0
@@ -117,7 +126,6 @@ def encode_stage?
 
         false
       end
-
     end
   end
 end
diff --git a/lib/msf/core/payload/linux/aarch64/elf_loader.rb b/lib/msf/core/payload/linux/aarch64/elf_loader.rb
@@ -0,0 +1,66 @@
+#
+# In memory loader used to execute Mettle ELF file.
+# Compatible with Kernel Linux >= 3.17 (where memfd_create is introduced)
+# Author: Martin Sutovsky <martin_sutovsky[at]rapid7.com>
+# Resource and Credits: https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
+# ARM64 conventions
+#  Parameters: x0-x7
+#  Syscall offset: x8
+#  Return Address for BL: x30
+#
+module Msf::Payload::Linux::Aarch64::ElfLoader
+  def in_memory_load(payload)
+    # the exec syscall can be substituted with execveat syscall, which takes out the need for itoa, however, it proved to be not stable across various IoT-specific kernel versions
+    in_memory_loader = [
+      # memfd_create(null, MFD_CLOEXEC);
+      0x0a0080d2, # 0x1000:	mov	x10, #0	0x0a0080d2
+      0xea0300f9, # 0x1004:	str	x10, [sp]	0xea0300f9
+      0xe0030091, # 0x1008:	mov	x0, sp	0xe0030091
+      0x210080d2, # 0x100c:	mov	x1, #1	0x210080d2
+      0xe82280d2, # 0x1010:	mov	x8, #0x117	0xe82280d2
+      0x010000d4, # 0x1014:	svc	#0	0x010000d4
+
+      # use branching and branching with link to reliably get address of payload data
+      0xe90300aa, # 0x1018:	mov	x9, x0	0xe90300aa
+      0x1f000014, # 0x101c:	b	#0x1098	0x1f000014
+      0xea031eaa, # 0x1020:	mov	x10, x30	0xea031eaa
+
+      # write(fd,payload_addr, payload_size)
+      0x420140b9, # 0x1024:	ldr	w2, [x10]	0x420140b9
+      0x4a890091, # 0x1028:	add	x10, x10, #0x22	0x4a890091
+      0xe1030aaa, # 0x102c:	mov	x1, x10	0xe1030aaa
+      0x080880d2, # 0x1030:	mov	x8, #0x40	0x080880d2
+      0x010000d4, # 0x1034:	svc	#0	0x010000d4
+
+      # convert fd using itoa and append it to /proc/self/fd/
+      0x4b0180d2, # 0x1038:	mov	x11, #0xa	0x4b0180d2
+      0x4a0900d1, # 0x103c:	sub	x10, x10, #2	0x4a0900d1
+      0x2c09cb9a, # 0x1040:	udiv	x12, x9, x11	0x2c09cb9a
+      0x8d7d0b9b, # 0x1044:	mul	x13, x12, x11	0x8d7d0b9b
+      0x2d010dcb, # 0x1048:	sub	x13, x9, x13	0x2d010dcb
+      0xe9030caa, # 0x104c:	mov	x9, x12	0xe9030caa
+      0xadc10091, # 0x1050:	add	x13, x13, #0x30	0xadc10091
+      0x4d010039, # 0x1054:	strb	w13, [x10]	0x4d010039
+      0x4a0500d1, # 0x1058:	sub	x10, x10, #1	0x4a0500d1
+      0x3f0100f1, # 0x105c:	cmp	x9, #0	0x3f0100f1
+      0x01ffff54, # 0x1060:	b.ne	#0x1040	0x01ffff54
+      0xe90580d2, # 0x1064:	mov	x9, #0x2f	0xe90580d2
+      0x4b014039, # 0x1068:	ldrb	w11, [x10]	0x4b014039
+      0x7f0109eb, # 0x106c:	cmp	x11, x9	0x7f0109eb
+      0x80000054, # 0x1070:	b.eq	#0x1080	0x80000054
+      0x49010039, # 0x1074:	strb	w9, [x10]	0x49010039
+      0x4a0500d1, # 0x1078:	sub	x10, x10, #1	0x4a0500d1
+      0xfaffff17, # 0x107c:	b	#0x1064	0xfaffff17
+      0x4a3500d1, # 0x1080:	sub	x10, x10, #0xd	0x4a3500d1
+      # execve(/proc/self/fd/[fd],0,0)
+      0xe0030aaa, # 0x1084:	mov	x0, x10	0xe0030aaa
+      0x010080d2, # 0x1088:	mov	x1, #0	0x010080d2
+      0x020080d2, # 0x108c:	mov	x2, #0	0x020080d2
+      0xa81b80d2, # 0x1090:	mov	x8, #0xdd	0xa81b80d2
+      0x010000d4, # 0x1094:	svc	#0	0x010000d4
+      0xe2ffff97, # 0x1098:	bl	#0x1020	0xe2ffff97,
+    ].pack('N*')
+    fd_path = '/proc/self/fd/'.bytes.pack('c*') + "\x00" * 16
+    in_memory_loader + [payload.length].pack('V*') + fd_path
+  end
+end