Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inconsistencies among mettle arches/stage values and prepend/output types. #19669

Open
5 tasks
bwatters-r7 opened this issue Nov 21, 2024 · 1 comment
Open
5 tasks

Inconsistencies among mettle arches/stage values and prepend/output types. #19669

bwatters-r7 opened this issue Nov 21, 2024 · 1 comment
Assignees
@dledda-r7
Labels
bug

Comments

@bwatters-r7
Copy link
Contributor

This all started because I wanted to enable prepend values on stageless meterpreter payloads and other architecture payloads.
Prepends for Linux payloads are established here: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/linux.rb

That provides the advanced options and logic for prepending the shellcode to the payload before it is elf-ified by utils.

Unfortunately, that works by prepending the values to the buffer, and not all architectures are supported. Unfortunately, AARCH_64 has different stager logic, so simply adding the shellcode in like the other archetectures is not an option.
Further, in the case of stageless mettle like reverse_tcp, the generate method just requests the full elf file from mettle:

metasploit-framework/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb

Line 41 in d75ed35

MetasploitPayloads::Mettle.new('x86_64-linux-musl', generate_config(opts)).to_binary :exec

When we use a staged mettle payload, we're implementing a midstager that just copies up the full elf file and calculates the entry point, then just jumps: https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stages/linux/x64/meterpreter.rb

Also, I don't believe that we get any sort of usable shellcode when we request a raw stageless payload in venom.

There are a couple of things here:

  • Fix the delivery of shellcode so that a RAW stageless payload works.
  • Add parity for prepends of other architectures
  • Maybe add a way to determine if a prepend (or any option) is supported programmatically. Right now, you can set PrependSetuid on any payload and it may or may not work, with no warning if it does not. Further, since all the options are in the msf::payload::linux mixin are added to every payload without checking the payload arch, the datatastore is being properly populated by important options we're offering the user and developer that that will simply be ignored.
  • Maybe let's not upload the whole elf file for the mettle midstager?
  • Correct the implementation of AARCH_64 to take prepends like the other stagers.

Thanks to my partners in crime in tracking a lot of this down, @smcintyre-r7 and @dledda-r7
@bwatters-r7
Copy link
Contributor Author

Related: #19670

@dledda-r7 dledda-r7 self-assigned this Nov 27, 2024
@dledda-r7 dledda-r7 moved this to Todo in Metasploit Kanban Nov 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dledda-r7 dledda-r7

Labels
bug
Projects
Metasploit Kanban
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bwatters-r7 @dledda-r7