rapid7 · wvu · May 25, 2017 · May 25, 2017 · May 25, 2017 · May 25, 2017
diff --git a/data/templates/src/elf/dll/elf_dll_armle_template.s b/data/templates/src/elf/dll/elf_dll_armle_template.s
@@ -0,0 +1,92 @@
+; build with:
+;   nasm elf_dll_armle_template.s -f bin -o template_armle_linux_dll.bin
+
+BITS 32
+org     0
+ehdr:
+  db    0x7f, "ELF", 1, 1, 1, 0    ; e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0
+  dw    3                          ; e_type    = ET_DYN
+  dw    40                         ; e_machine = EM_ARMLE
+  dd    1                          ; e_version = EV_CURRENT
+  dd    _start                     ; e_entry   = _start
+  dd    phdr - $$                  ; e_phoff
+  dd    shdr - $$                  ; e_shoff
+  dd    0                          ; e_flags
+  dw    ehdrsize                   ; e_ehsize
+  dw    phdrsize                   ; e_phentsize
+  dw    2                          ; e_phnum
+  dw    shentsize                  ; e_shentsize
+  dw    2                          ; e_shnum
+  dw    1                          ; e_shstrndx
+ehdrsize equ  $ - ehdr
+
+phdr:
+  dd    1                          ; p_type       = PT_LOAD
+  dd    0                          ; p_offset
+  dd    $$                         ; p_vaddr
+  dd    $$                         ; p_paddr
+  dd    0xDEADBEEF                 ; p_filesz
+  dd    0xDEADBEEF                 ; p_memsz
+  dd    7                          ; p_flags      = rwx
+  dd    0x1000                     ; p_align
+
+phdrsize equ  $ - phdr
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dd    dynsection                 ; p_offset
+  dd    dynsection                 ; p_vaddr
+  dd    dynsection                 ; p_vaddr
+  dd    dynsz                      ; p_filesz
+  dd    dynsz                      ; p_memsz
+  dd    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dd    0                          ; sh_flags
+  dd    dynsection                 ; sh_addr
+  dd    dynsection                 ; sh_offset
+  dd    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    8                          ; sh_addralign
+  dd    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dd    0                          ; sh_flags
+  dd    strtab                     ; sh_addr
+  dd    strtab                     ; sh_offset
+  dd    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    0                          ; sh_addralign
+  dd    0                          ; sh_entsize
+dynsection:
+; DT_INIT
+  dd    0x0c
+  dd    _start
+; DT_STRTAB
+  dd    0x05
+  dd    strtab
+; DT_SYMTAB
+  dd    0x06
+  dd    strtab
+; DT_STRSZ
+  dd    0x0a
+  dd    0
+; DT_SYMENT
+  dd    0x0b
+  dd    0
+; DT_NULL
+  dd    0x00
+  dd    0
+dynsz equ $ - dynsection
+
+strtab:
+ db 0
+ db 0
+strtabsz equ $ - strtab
+global _start
+_start:
diff --git a/data/templates/src/elf/dll/elf_dll_x86_template.s b/data/templates/src/elf/dll/elf_dll_x86_template.s
@@ -0,0 +1,92 @@
+; build with:
+;   nasm elf_dll_x86_template.s -f bin -o template_x86_linux_dll.bin
+
+BITS 32
+org     0
+ehdr:
+  db    0x7f, "ELF", 1, 1, 1, 0    ; e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0
+  dw    3                          ; e_type    = ET_DYN
+  dw    3                          ; e_machine = EM_386
+  dd    1                          ; e_version = EV_CURRENT
+  dd    _start                     ; e_entry   = _start
+  dd    phdr - $$                  ; e_phoff
+  dd    shdr - $$                  ; e_shoff
+  dd    0                          ; e_flags
+  dw    ehdrsize                   ; e_ehsize
+  dw    phdrsize                   ; e_phentsize
+  dw    2                          ; e_phnum
+  dw    shentsize                  ; e_shentsize
+  dw    2                          ; e_shnum
+  dw    1                          ; e_shstrndx
+ehdrsize equ  $ - ehdr
+
+phdr:
+  dd    1                          ; p_type       = PT_LOAD
+  dd    0                          ; p_offset
+  dd    $$                         ; p_vaddr
+  dd    $$                         ; p_paddr
+  dd    0xDEADBEEF                 ; p_filesz
+  dd    0xDEADBEEF                 ; p_memsz
+  dd    7                          ; p_flags      = rwx
+  dd    0x1000                     ; p_align
+
+phdrsize equ  $ - phdr
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dd    dynsection                 ; p_offset
+  dd    dynsection                 ; p_vaddr
+  dd    dynsection                 ; p_vaddr
+  dd    dynsz                      ; p_filesz
+  dd    dynsz                      ; p_memsz
+  dd    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dd    0                          ; sh_flags
+  dd    dynsection                 ; sh_addr
+  dd    dynsection                 ; sh_offset
+  dd    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    8                          ; sh_addralign
+  dd    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dd    0                          ; sh_flags
+  dd    strtab                     ; sh_addr
+  dd    strtab                     ; sh_offset
+  dd    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    0                          ; sh_addralign
+  dd    0                          ; sh_entsize
+dynsection:
+; DT_INIT
+  dd    0x0c
+  dd    _start
+; DT_STRTAB
+  dd    0x05
+  dd    strtab
+; DT_SYMTAB
+  dd    0x06
+  dd    strtab
+; DT_STRSZ
+  dd    0x0a
+  dd    0
+; DT_SYMENT
+  dd    0x0b
+  dd    0
+; DT_NULL
+  dd    0x00
+  dd    0
+dynsz equ $ - dynsection
+
+strtab:
+ db 0
+ db 0
+strtabsz equ $ - strtab
+global _start
+_start:
diff --git a/data/templates/template_armle_linux_dll.bin b/data/templates/template_armle_linux_dll.bin
diff --git a/data/templates/template_x86_linux_dll.bin b/data/templates/template_x86_linux_dll.bin
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
@@ -1049,7 +1049,18 @@ def self.to_linux_x64_elf(framework, code, opts = {})
     to_exe_elf(framework, opts, "template_x64_linux.bin", code)
   end
 
-  # Create a 64-bit Linux ELF_DYN containing the payload provided in +code+
+  # Create a 32-bit x86 Linux ELF_DYN containing the payload provided in +code+
+  #
+  # @param framework [Msf::Framework]
+  # @param code       [String]
+  # @param opts       [Hash]
+  # @option           [String] :template
+  # @return           [String] Returns an elf
+  def self.to_linux_x86_elf_dll(framework, code, opts = {})
+    to_exe_elf(framework, opts, "template_x86_linux_dll.bin", code)
+  end
+
+  # Create a 64-bit x86_64 Linux ELF_DYN containing the payload provided in +code+
   #
   # @param framework [Msf::Framework]
   # @param code       [String]
@@ -1060,7 +1071,7 @@ def self.to_linux_x64_elf_dll(framework, code, opts = {})
     to_exe_elf(framework, opts, "template_x64_linux_dll.bin", code)
   end
 
-  # self.to_linux_mipsle_elf
+  # Create a 32-bit ARMLE Linux ELF containing the payload provided in +code+
   #
   # @param framework [Msf::Framework]
   # @param code       [String]
@@ -1071,7 +1082,18 @@ def self.to_linux_armle_elf(framework, code, opts = {})
     to_exe_elf(framework, opts, "template_armle_linux.bin", code)
   end
 
-  # self.to_linux_mipsle_elf
+  # Create a 32-bit ARMLE Linux ELF_DYN containing the payload provided in +code+
+  #
+  # @param framework [Msf::Framework]
+  # @param code       [String]
+  # @param opts       [Hash]
+  # @option           [String] :template
+  # @return           [String] Returns an elf
+  def self.to_linux_armle_elf_dll(framework, code, opts = {})
+    to_exe_elf(framework, opts, "template_armle_linux_dll.bin", code)
+  end
+
+  # Create a 32-bit MIPSLE Linux ELF containing the payload provided in +code+
   # Little Endian
   # @param framework [Msf::Framework]
   # @param code       [String]
@@ -1082,7 +1104,7 @@ def self.to_linux_mipsle_elf(framework, code, opts = {})
     to_exe_elf(framework, opts, "template_mipsle_linux.bin", code)
   end
 
-  # self.to_linux_mipsbe_elf
+  # Create a 32-bit MIPSBE Linux ELF containing the payload provided in +code+
   # Big Endian
   # @param framework [Msf::Framework]
   # @param code       [String]
@@ -2117,8 +2139,12 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
       end
       if !plat || plat.index(Msf::Module::Platform::Linux)
         case arch
+        when ARCH_X86
+          to_linux_x86_elf_dll(framework, code, exeopts)
         when ARCH_X64
           to_linux_x64_elf_dll(framework, code, exeopts)
+        when ARCH_ARMLE
+          to_linux_armle_elf_dll(framework, code, exeopts)
         end
       end
     when 'macho', 'osx-app'