Metasploit mailing list archives

Linux ARMLE exe Template.


From: Civ <framework () 8thdaytech com>
Date: Thu, 20 May 2010 00:22:05 -0500

Hi All,

I've attached what I've used to get a usable template. The only
differences between this and the x86 template and assembly source are
that here the ARM arch is set and the starting address is different.

Included also is a patch for exe.rb so ./msfpayload <payload> X will use
the template. I just created a new function and copied the functionality
from the linux x86 elf function.

Hope to have the reverse_shell_tcp and a few other payloads and
linux/arm specific patches done soon.

--Civ

.bin for inclusion in
data/templates/

.s for inclusion in
data/templates/src/elf/exe/

Attachment: template_armle_linux.bin
Description:

; build with:
;   nasm elf_armle_template.s -f bin -o template_armle_linux.bin

BITS 32

org 0x8000

ehdr:                            ; Elf32_Ehdr
  db    0x7F, "ELF", 1, 1, 1, 0  ;   e_ident
  db    0, 0, 0, 0,  0, 0, 0, 0  ;
  dw    2                        ;   e_type       = ET_EXEC for an executable
  dw    0x28                     ;   e_machine    = ARM
  dd    1                        ;   e_version
  dd    _start                   ;   e_entry
  dd    phdr - $$                ;   e_phoff
  dd    0                        ;   e_shoff
  dd    0                        ;   e_flags
  dw    ehdrsize                 ;   e_ehsize
  dw    phdrsize                 ;   e_phentsize
  dw    1                        ;   e_phnum
  dw    0                        ;   e_shentsize
  dw    0                        ;   e_shnum
  dw    0                        ;   e_shstrndx

ehdrsize equ  $ - ehdr

phdr:                            ; Elf32_Phdr
  dd    1                        ;   p_type       = PT_LOAD
  dd    0                        ;   p_offset
  dd    $$                       ;   p_vaddr
  dd    $$                       ;   p_paddr
  dd    0xDEADBEEF               ;   p_filesz
  dd    0xDEADBEEF               ;   p_memsz
  dd    7                        ;   p_flags      = rwx
  dd    0x1000                   ;   p_align

phdrsize equ  $ - phdr

_start:

Index: lib/msf/util/exe.rb
===================================================================
--- lib/msf/util/exe.rb (revision 9326)
+++ lib/msf/util/exe.rb (working copy)
@@ -57,7 +57,11 @@
                        if(plat.index(Msf::Module::Platform::OSX))
                                return to_osx_arm_macho(framework, code)
                        end
-                       # XXX: Add Linux here
+                       if(plat.index(Msf::Module::Platform::Linux))
+                               return to_linux_armle_elf(framework, code)
+                       end
+                       
+                       # XXX: Add remaining ARMLE systems here
                end
 
                if(arch.index(ARCH_PPC))
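Review bot: the blank line added after the new Linux branch is a `+` followed by trailing whitespace; make it a truly empty line so the hunk does not introduce whitespace-only noise. The platform check itself mirrors the OSX branch directly above it, and keeping the `# XXX` marker for the remaining ARMLE platforms is the right call.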
@@ -437,6 +441,24 @@
                return mo
        end
 
+       def self.to_linux_armle_elf(framework, code)
+               mo = ''
+               
+               fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", 
"template_armle_linux.bin"), "rb")
+               mo = fd.read(fd.stat.size)
+               fd.close
+               
+               # The template is just an ELF header with its entrypoint set to the 
+               # end of the file, so just append shellcode to it and fixup p_filesz
+               # and p_memsz in the header for a working ELF executable.
+               mo << code
+               mo[0x44,4] = [mo.length + code.length].pack('V')
+               mo[0x48,4] = [mo.length + code.length].pack('V')
+
+               return mo
+
+       end
+
        def self.to_exe_vba(exes='')
                exe = exes.unpack('C*')
                vba = ""
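Review bot: p_filesz and p_memsz are overstated in to_linux_armle_elf. By the time the two size fixups run, `mo << code` has already appended the payload, so `[mo.length + code.length].pack('V')` counts the shellcode twice and both fields end up code.length bytes larger than the file actually is; `[mo.length].pack('V')` is the value wanted for both. If the x86 function this was copied from does the same arithmetic, it has the same off-by-code.length. Smaller points in the same hunk: the body differs from the x86 function only by the template filename, so a shared helper taking the template name would avoid duplicating it once more for each ARMLE platform; `File.open` without a block leaks the descriptor if `fd.read` raises (a block form or `File.read(path, mode: 'rb')` is safer); the `mo = ''` initialiser is immediately overwritten and can go; the hardcoded 0x44 and 0x48 are correct only because the template is a 52-byte Elf32_Ehdr followed directly by a single Phdr (p_filesz at +16, p_memsz at +20), which deserves a comment; and several added lines (including the blank ones) carry trailing whitespace.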
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
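The header-template-plus-appended-payload scheme the mail describes, as an added example that is not part of the posted patch or of Metasploit itself. It rebuilds the 84-byte template in Ruby from the NASM layout above (so no nasm or template file is needed), wraps a constructed ARM exit(0) payload both the corrected way (p_filesz/p_memsz set to the final length) and the way the posted patch computes the sizes, and parses the result back to check the fields a loader looks at before jumping to e_entry. The function and constant names, the checks, and the payload bytes are this example's own assumptions; the one kernel-facing check it encodes is that Linux's ARM loader rejects an e_entry that is neither word aligned nor marked Thumb by its low bit.

```ruby
# Added example (not from the posted patch or Metasploit): build the ARM
# Linux ELF template from the NASM layout, wrap a payload, and verify it.

ELF_BASE  = 0x8000   # org in the NASM source
EHDR_SIZE = 52       # sizeof(Elf32_Ehdr)
PHDR_SIZE = 32       # sizeof(Elf32_Phdr)
EM_ARM    = 0x28

# Same bytes the NASM template assembles to, reconstructed with pack().
def build_template
  entry = ELF_BASE + EHDR_SIZE + PHDR_SIZE          # _start: first byte after the headers
  ident = "\x7fELF".b + [1, 1, 1, 0].pack('C4') + ("\x00" * 8).b
  ehdr  = ident + [
    2,            # e_type      ET_EXEC
    EM_ARM,       # e_machine
    1,            # e_version
    entry,        # e_entry
    EHDR_SIZE,    # e_phoff     phdr immediately follows ehdr
    0, 0,         # e_shoff, e_flags
    EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0   # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
  ].pack('vvVVVVVvvvvvv')
  phdr = [1, 0, ELF_BASE, ELF_BASE, 0xDEADBEEF, 0xDEADBEEF, 7, 0x1000].pack('V8')
  ehdr + phdr
end

# Constructed minimal ARM (EABI, little-endian) payload: exit(0).
#   mov r0, #0 ; mov r7, #1 ; svc 0
ARM_EXIT_SHELLCODE = [0xE3A00000, 0xE3A07001, 0xEF000000].pack('V3')

# p_filesz / p_memsz live 16 and 20 bytes into the phdr, which starts at 0x34.
P_FILESZ_OFF = EHDR_SIZE + 16   # 0x44
P_MEMSZ_OFF  = EHDR_SIZE + 20   # 0x48

# Corrected wrapper: once the code is appended, mo.bytesize is the whole file.
def to_linux_armle_elf(template, code)
  mo = template.b + code.b
  mo[P_FILESZ_OFF, 4] = [mo.bytesize].pack('V')
  mo[P_MEMSZ_OFF, 4]  = [mo.bytesize].pack('V')
  mo
end

# Size arithmetic as in the posted patch: code.length is added a second time
# after it is already part of mo, so both sizes overshoot the file.
def to_linux_armle_elf_as_posted(template, code)
  mo = template.b + code.b
  mo[P_FILESZ_OFF, 4] = [mo.bytesize + code.bytesize].pack('V')
  mo[P_MEMSZ_OFF, 4]  = [mo.bytesize + code.bytesize].pack('V')
  mo
end

# Pull back the header fields an ELF loader consults before jumping to e_entry.
def parse_elf(bin)
  bin = bin.b
  e_type, e_machine, _ver, e_entry, e_phoff = bin[16, 16].unpack('vvVVV')
  p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align =
    bin[e_phoff, PHDR_SIZE].unpack('V8')
  { magic: bin[0, 4], e_type: e_type, e_machine: e_machine, e_entry: e_entry,
    p_type: p_type, p_offset: p_offset, p_vaddr: p_vaddr,
    p_filesz: p_filesz, p_memsz: p_memsz, p_flags: p_flags }
end

# Sanity checks on a wrapped file; returns a list of problems (empty is good).
def check_elf(bin)
  h = parse_elf(bin)
  problems = []
  problems << 'bad magic'               unless h[:magic] == "\x7fELF".b
  problems << 'not ET_EXEC'             unless h[:e_type] == 2
  problems << 'e_machine is not EM_ARM' unless h[:e_machine] == EM_ARM
  problems << 'segment is not PT_LOAD'  unless h[:p_type] == 1
  # Linux's ARM elf_check_arch rejects an e_entry that is not word aligned
  # unless its low bit marks a Thumb entry point.
  aligned = h[:e_entry] % 4 == 0 || h[:e_entry].odd?
  problems << 'e_entry not 4-byte aligned' unless aligned
  in_segment = h[:e_entry] >= h[:p_vaddr] && h[:e_entry] < h[:p_vaddr] + h[:p_filesz]
  problems << 'e_entry outside the loaded segment' unless in_segment
  problems << "p_filesz #{h[:p_filesz]} != file size #{bin.bytesize}" unless h[:p_filesz] == bin.bytesize
  problems << 'p_memsz smaller than p_filesz' if h[:p_memsz] < h[:p_filesz]
  problems
end

if __FILE__ == $0
  elf = to_linux_armle_elf(build_template, ARM_EXIT_SHELLCODE)
  p parse_elf(elf)
  p check_elf(elf)                                                         # []
  p check_elf(to_linux_armle_elf_as_posted(build_template, ARM_EXIT_SHELLCODE))
  File.binwrite(ARGV[0], elf) if ARGV[0]   # e.g. ruby wrap.rb exit_armle.elf
end
```

Run with an output path to get a 96-byte static ELF that an ARM Linux box (or qemu-arm) will execute as exit(0); the third line of output shows the one complaint the posted size arithmetic produces, a p_filesz that exceeds the file by the payload length.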
