
Fix Prepends in Linux Payloads #19750

Merged
merged 12 commits
Jan 23, 2025

Conversation

@dledda-r7 (Contributor) commented Dec 19, 2024

This PR fixes how we add prepend and append shellcode in a Linux payload.
Issue: #19669

The PR includes the following fixes:

  • Split the prepends logic into arch-specific mixins
  • Remove the flattening of lib/core/payload/linux/x64

Aarch64 Prepends

  • PrependSetuid
  • PrependSetreuid
  • PrependSetresuid

Splitting the prepends into arch-specific mixins has the benefit of registering only the prepend options supported by the arch.
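The following is an added illustration of the per-arch mixin idea described above; it is not Metasploit's own code, and the class and method names (Payload, register_advanced_option, apply_prepends, show_advanced) are invented for the example. It models what the PR is after: a mixin that registers only the Prepend* options its architecture implements, and a generate step that emits the selected stubs in front of the payload bytes. The aarch64 stubs are real Linux syscall sequences (asm-generic numbers: setreuid=145, setuid=146, setresuid=147); the payload bytes are a constructed stand-in.

```ruby
# Added example, not Metasploit code. Minimal model of an arch-specific
# prepend mixin: only the arch's own Prepend* options are registered on the
# payload class that includes it, and generate() prepends the chosen stubs.

class Payload
  # Per-class option table, so each payload lists only what its mixin added.
  def self.advanced_options
    @advanced_options ||= {}
  end

  def self.register_advanced_option(name, default)
    advanced_options[name] = default
  end

  attr_reader :datastore

  def initialize(shellcode, overrides = {})
    @shellcode = shellcode.b
    @datastore = self.class.advanced_options.merge(overrides)
  end

  # Analogue of `show advanced`: names of the registered advanced options.
  def show_advanced
    self.class.advanced_options.keys
  end

  def generate
    respond_to?(:apply_prepends) ? apply_prepends(@shellcode) : @shellcode
  end
end

module Aarch64Prepends
  MOV_X0_0 = "\x00\x00\x80\xd2".b # mov x0, #0
  MOV_X1_0 = "\x01\x00\x80\xd2".b # mov x1, #0
  MOV_X2_0 = "\x02\x00\x80\xd2".b # mov x2, #0
  SVC_0    = "\x01\x00\x00\xd4".b # svc #0

  # movz x8, #imm16 : 0xd2800000 | (imm16 << 5) | rd(8), stored little-endian
  def self.mov_x8(imm16)
    [0xd2800008 | (imm16 << 5)].pack('V')
  end

  # Option name => instruction bytes. Applied in this (insertion) order.
  STUBS = {
    'PrependSetuid'    => MOV_X0_0 + mov_x8(146) + SVC_0,                       # setuid(0)
    'PrependSetreuid'  => MOV_X0_0 + MOV_X1_0 + mov_x8(145) + SVC_0,            # setreuid(0, 0)
    'PrependSetresuid' => MOV_X0_0 + MOV_X1_0 + MOV_X2_0 + mov_x8(147) + SVC_0, # setresuid(0, 0, 0)
  }.freeze

  # Including the mixin registers exactly these options on the payload class,
  # so a payload for another arch never shows options it cannot honour.
  def self.included(base)
    STUBS.each_key { |name| base.register_advanced_option(name, false) }
  end

  def apply_prepends(shellcode)
    prefix = ''.b
    STUBS.each { |name, bytes| prefix << bytes if datastore[name] }
    prefix + shellcode
  end
end

class Aarch64ShellReverseTcp < Payload
  include Aarch64Prepends
end

class MipsleShellReverseTcp < Payload
  # No mipsle prepend mixin exists, so no Prepend* options are registered.
end

if $PROGRAM_NAME == __FILE__
  stub = "\xde\xad\xbe\xef".b # constructed stand-in for real payload bytes
  p Aarch64ShellReverseTcp.new(stub).show_advanced
  p MipsleShellReverseTcp.new(stub).show_advanced
  puts Aarch64ShellReverseTcp.new(stub, 'PrependSetuid' => true).generate.unpack1('H*')
end
```

Running the file lists the three Prepend* names for the aarch64 payload and an empty list for the mipsle one; with PrependSetuid enabled the hex dump starts with 000080d2 48128 0d2 010000d4 (mov x0,#0; mov x8,#146; svc #0) followed by the stand-in bytes. The check a reviewer wants after a change like this PR is exactly that pairing: the options a payload advertises match the stubs its arch mixin can actually emit.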

@bwatters-r7 bwatters-r7 self-assigned this Jan 9, 2025
@dledda-r7 dledda-r7 marked this pull request as ready for review January 10, 2025 12:28
@bwatters-r7 (Contributor)

Looks like there's a mipsle reverse_tcp stager that still imports the old Linux payload mixin.

Since we don't have mipsle prepends, we're not missing anything, but that should fail?

@dledda-r7 (Contributor, Author)

Looks like there's a mipsle reverse_tcp stager that still imports the old Linux payload mixin.

Since we don't have mipsle prepends, we're not missing anything, but that should fail?

Thanks @bwatters-r7. No idea why VSCode didn't catch those; I think everything is now migrated to the new mixin.

@bwatters-r7 (Contributor)

I'm not seeing any prepends available in single x86 payloads:

[ruby-3.2.5@metasploit-framework](land-19750) tmoose@ubuntu-dev2024:~/rapid7/metasploit-framework$ git log | head -n 10
commit e39af38c73e0728fabdbf38ca49ea35220e6c289
Author: dledda-r7 <dledda-r7@github>
Date:   Wed Jan 15 04:31:53 2025 -0500

    fix(payloads): updating prepend mixin in payloads

commit 4565a04510bf476af9532a6c35778bcac7aa13bf
Author: dledda-r7 <dledda-r7@github>
Date:   Tue Jan 14 09:31:03 2025 -0500

[ruby-3.2.5@metasploit-framework](land-19750) tmoose@ubuntu-dev2024:~/rapid7/metasploit-framework$ ./msfconsole -q
msf6 > use payload/linux/x86/shell_reverse_tcp
msf6 payload(linux/x86/shell_reverse_tcp) > show advanced

Module advanced options (payload/linux/x86/shell_reverse_tcp):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go t
                                                          hrough proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module


View the full module info with the info, or info -d command.

msf6 payload(linux/x86/shell_reverse_tcp) > use payload/linux/x86/read_file 
msf6 payload(linux/x86/read_file) > show advanced

Module advanced options (payload/linux/x86/read_file):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module


View the full module info with the info, or info -d command.

@dledda-r7 (Contributor, Author)

I'm not seeing any prepends available in single x86 payloads: […]

Thanks, it should be working now; the only missing prepends are the ones for Linux stageless meterpreter.

@bwatters-r7 bwatters-r7 merged commit 378ac00 into rapid7:master Jan 23, 2025
69 checks passed
@bwatters-r7 (Contributor)

Release Notes

Splits the shellcode prepends into architecture-specific files to better track them and only populate prepend options that can be used with a given payload/architecture combination.
