metasploit-framework
M1ssion Dyld Mettle: Aarch64 Payloads
This builds on Back from the dyld by adding the required aarch64 assembly code to enable the OSX loader to run on the M1. This enables the use of native payloads on M1 or M2 devices that do not have Rosetta installed.
See #17050
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.
We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

```
rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>
```

You can automate most of these changes with the `-a` flag:

```
rubocop -a <directory or file>
```
Please update your branch after these have been made, and reach out if you have any problems.
Presumably this needs a corresponding pull request to mettle to support building aarch64? Nice work btw!
#17050 has been landed, so you should be able to rebase and pull in those changes. This is really great, thanks for adding this!
https://github.com/rapid7/mettle/pull/237 should contain the required mettle artifacts to move this forward. Using metasploit_payloads-mettle v1.0.23.
@space-r7 Is the staged payload crashing every time on your machine? It's crashing about 1/5 times on mine. I am working on a fix, but it's not pretty. :-P
Yea, it's happened for me every time so far
@space-r7 Does the most recent commit fix your issue? If not, would you please send me a crash report from Console.app?
Sorry, I should have worded myself better. It's not that the process is actually crashing for the staged payload, just that once the `Sending stage...` message is displayed, Metasploit then outputs that the session is invalid, and then the session is closed. The new changes haven't affected this so far. I'll try to do some debugging to better help with this.
Alright, is there any output on the CLI running the staged payload like `Bus error: 10` or `Segmentation Fault: 11`?
Would you remove the `//#define DEBUG` in `main.c` and run it again to get more verbose output?
What OS / Hardware are you using? I'm on Monterey with an M1.
Sorry for the delay! Here's my output from executing a staged payload:
```
sherbs@nostromo -> Desktop ./payload
main!
hello world!
good symbol!
gDyld found, using dual hijack technique.
apis: %lld
config: %i
base: %lld
sdyld: %lld
```
It appears to hang at the `sdyld` line. I'm testing this on Ventura 13.2 with an M1.
Thanks @space-r7! I've found that the symbol mangling has changed in Ventura. I'm working on a fix.
@space-r7 I've just got it working on Ventura 13.3 Beta, going to clean up the code a bit and push my changes.
Thanks! The payload managed to get much further this time; however, I'm now getting a bus error:
```
sherbs@nostromo -> Desktop ./payload
zsh: bus error ./payload
sherbs@nostromo -> Desktop ./payload
main!
hello world!
good symbol!
gDyld found, using dual hijack technique.
apis: %lld
config: %i
base: %lld
sdyld: %lld
Ventura!
Errno: %lld
Buffer: %lld
Analyzing Segments.
vmSpace: %lld
Translated: %s
VMAllocate Ret: %lld
LoadAddress: %lld
Region Ptrs: %lld
usedCount: %lld
allocCount: %lld
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Errno: %i
Addr: %lld
Size: %lld
Perms: %lld
Flags: %lld
FD: %lld
Offset: %lld
Errno: %i
Buffer: %lld
BufferO: %lld
Errno: %i
SegAddress: %lld
Errno: %i
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Errno: %i
Addr: %lld
Size: %lld
Perms: %lld
Flags: %lld
FD: %lld
Offset: %lld
Errno: %i
Buffer: %lld
BufferO: %lld
Errno: %i
SegAddress: %lld
Errno: %i
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Errno: %i
Addr: %lld
Size: %lld
Perms: %lld
Flags: %lld
FD: %lld
Offset: %lld
Errno: %i
Buffer: %lld
BufferO: %lld
Errno: %i
SegAddress: %lld
Errno: %i
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Region vmOffset: %lld
Region perms: %lld
Region isZeroFill: %lld
Region readOnlyData: %lld
Region fileOffset: %lld
Region fileSize: %lld
----
Errno: %i
Addr: %lld
Size: %lld
Perms: %lld
Flags: %lld
FD: %lld
Offset: %lld
Errno: %i
Buffer: %lld
BufferO: %lld
Errno: %i
SegAddress: %lld
Errno: %i
Loaded Size: %lld
Loaded first: %lld
Loaded Capacity: %lld
Apis: %lld
LoadAddress: %lld
JITLMP: %lld
zsh: bus error ./payload
```
Hi @space-r7, you wouldn't happen to have a crash log in Console.app?
Yep, here's the message:
```
Sending event: com.apple.stability.crash {"coalitionName":"com.apple.Terminal","exceptionCodes":"0x0000000000000002, 0x00000001047b44d0(\n 2,\n 4370154704\n)EXC_BAD_ACCESSSIGBUSKERN_PROTECTION_FAILURE at 0x00000001047b44d0","incidentID":"0C94A929-FE0E-4AC0-B231-8BA024F547E3","logwritten":1,"process":"payload_staged.macho","responsibleApp":"Terminal","terminationReasonExceptionCode":"0xa","terminationReasonNamespace":"SIGNAL"}
```
And the full crash report:
```
sherbs@nostromo -> Desktop cat /Users/sherbs/Library/Logs/DiagnosticReports/payload_staged.macho-2023-03-21-140831.ips
```
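A triage helper for crash reports like the one posted above, added here as an example and not code from the PR or from Metasploit. It splits the two-document `.ips` format (one-line JSON header, then the JSON report body), pulls out the exception, the region marked `--->` in `vmRegionInfo` with its current/max protections, and the symbolised frames of the faulting thread, and flags a protection failure in a non-writable region. The sample report is constructed to mirror the fields of the report @space-r7 posted, trimmed to what the summariser reads.

```python
import json
import re

# Constructed sample .ips content mirroring the fields of the report in the thread (trimmed).
SAMPLE_IPS = """{"app_name":"payload_staged.macho","bug_type":"309","os_version":"macOS 13.2 (22D49)"}
{
 "procName" : "payload_staged.macho",
 "vmRegionInfo" : "0x1047b44d0 is in 0x1047b4000-0x1047f4000\\n REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL\\n __LINKEDIT 1047b0000-1047b4000 [ 16K] r--/r-- SM=COW ..._staged.macho\\n---> dyld private memory 1047b4000-1047f4000 [ 256K] r--/rwx SM=PRV \\n VM_ALLOCATE 1047f4000-1047f8000 [ 16K] r-x/rwx SM=PRV ",
 "exception" : {"codes":"0x0000000000000002, 0x00000001047b44d0","type":"EXC_BAD_ACCESS","signal":"SIGBUS","subtype":"KERN_PROTECTION_FAILURE at 0x00000001047b44d0"},
 "termination" : {"code":10,"namespace":"SIGNAL","indicator":"Bus error: 10"},
 "faultingThread" : 0,
 "threads" : [{"triggered":true,"frames":[{"imageOffset":196468,"symbol":"lsl::PersistentAllocator::allocate_buffer(unsigned long, unsigned long, unsigned long, lsl::Allocator**)","imageIndex":0},{"imageOffset":4370454392,"imageIndex":1}]}],
 "usedImages" : [{"path":"/usr/lib/dyld","name":"dyld","base":7257284608},{"base":0,"size":0}]
}
"""

PROT_RE = re.compile(r"\b([rwx-]{3})/([rwx-]{3})\b")  # matches e.g. "r--/rwx" (current/max protection)

def parse_ips(text):
    """An .ips file is a one-line JSON header followed by the JSON report body."""
    header_line, _, body = text.partition("\n")
    return json.loads(header_line), json.loads(body)

def faulting_region(vm_region_info):
    """Return the vmRegionInfo line marked '--->', i.e. the region containing the faulting address."""
    for line in vm_region_info.splitlines():
        if line.startswith("--->"):
            return line[4:].strip()
    return None

def summarise(text):
    """Reduce a report to what a triager wants first: signal, fault address, region, frames."""
    header, report = parse_ips(text)
    exc = report["exception"]
    images = report["usedImages"]
    frames = [(images[f["imageIndex"]].get("name", "<unknown image>"), f.get("symbol", "<no symbol>"))
              for f in report["threads"][report["faultingThread"]]["frames"]]
    region = faulting_region(report["vmRegionInfo"])
    prot = PROT_RE.search(region or "")
    cur, maxp = prot.groups() if prot else (None, None)
    return {
        "process": header["app_name"], "os": header["os_version"],
        "signal": exc["signal"], "subtype": exc["subtype"],
        "fault_addr": int(exc["codes"].split(",")[1].strip(), 16),
        "region": region, "current_prot": cur, "max_prot": maxp,
        # A protection failure inside a region that is mapped without write permission means a write hit read-only memory.
        "write_to_readonly": exc["subtype"].startswith("KERN_PROTECTION_FAILURE") and cur is not None and "w" not in cur,
        "frames": frames,
    }
```

Frames whose image is the all-zero placeholder entry (source "A") come back as `<unknown image>`, which is where the injected, unsymbolised code sits in a report like this one.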
Thanks! It looks like calling `lsl::Allocator::malloc` is going to crash. I'll have to replicate the function with `vm_allocate` instead...
Any update on this? @usiegl00 @space-r7
Sorry, just had some personal stuff to deal with last month. I'll be continuing to work on this soon.
Looks like this needs a rebase and rubocop run on the files :+1:
@adfoster-r7 Sonoma previewed recently, so I'm going to be working on it.
@space-r7 Please approve and merge
To the tester:
- We should have access to test hardware on our side
- It looks like a few other commits are coming along with this which we should quickly verify as working as well, i.e. 1.0.20 to the version on this PR. It might be easier to put up a separate PR for this version bump in isolation
- Looks like we'll want to recompile the payloads ourselves too to verify the bytes align
Yes, the crash was due to the `recvfrom` syscall reading too many bytes (0x1000). I'll go back to the exact 328 stager size.
@usiegl00 Thanks! I've run this through on 11.7.8 on AWS, and 12.6 on M1 in UTM. I've sent a PR for updating the Makefile for the template setup and compiling the binaries. I'll do a final pass on 13.x tomorrow.
Finished testing with Ventura 13.4.1 on AWS now too, all looks good to me! 🥳
Release Notes

Adds new support for multiple OSX AArch64 payloads: `osx/aarch64/meterpreter/reverse_tcp`, `osx/aarch64/meterpreter_reverse_https`, `osx/aarch64/meterpreter_reverse_tcp`, `osx/aarch64/meterpreter_reverse_http`. This enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.
Thanks for the awesome work @usiegl00 🎉