Last updated at Fri, 23 Feb 2024 21:38:03 GMT
Direct Syscalls Support for Windows Meterpreter
Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do so is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Direct syscalls are a way to run system calls directly and enter kernel mode without passing through the Win32 API.
This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with direct syscalls to the corresponding Native APIs. For example, `VirtualAlloc` has been substituted by a system call to `ZwAllocateVirtualMemory`. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.
The main difficulty is to find the correct syscall number, since it is not the same across Windows versions. Also, EDRs usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in sequential order, starting from 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists of selecting the system call functions (the `ntdll.dll` exports that issue system calls) and sorting them in ascending order of their memory addresses. The syscall number of a given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo's Gate.
Another improvement is to make sure the call to the `syscall` instruction is made through `ntdll.dll`. EDR/AV can monitor this and flag any system calls not coming from `ntdll.dll` as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation takes care of parsing `ntdll.dll` and getting the correct `trampoline` address that will be used when the system call is executed.
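As an added example (not code from the post, from Meterpreter or from the metasploit-payloads project), the following Python models both ideas above from the defender's side on constructed data: it derives the syscall number-to-name mapping by sorting system call exports by address, exactly as the post describes, and then uses that mapping to label sample syscall events whose return address does not fall inside the mapped `ntdll.dll` image. The export addresses, the module map, the event records and the `Zw` prefix filter are all my assumptions; real ntdll exports, bases and numbers differ per Windows build, which is why the table is rebuilt from the live image rather than hard-coded.

```python
"""Defender-side model of syscall-number recovery and of the
'syscall not issued from ntdll' heuristic (added example, constructed data)."""
from dataclasses import dataclass

# Constructed sample: a few ntdll.dll exports with made-up RVAs.
# A real ntdll has hundreds; only the relative ordering matters here.
SAMPLE_EXPORTS = {
    "ZwClose": 0x9C0E0,
    "ZwAllocateVirtualMemory": 0x9C260,
    "ZwOpenFile": 0x9C340,
    "ZwProtectVirtualMemory": 0x9C460,
    "ZwWriteVirtualMemory": 0x9C1A0,
    "ZwCreateThreadEx": 0x9C520,
    "RtlInitUnicodeString": 0x21000,  # not a syscall stub; must be left out
}


def syscall_table(exports):
    """Map each system call export to its number.

    Assumption (as in the post): numbers are assigned sequentially from 0
    in the order the stubs appear in memory, so the index of a stub in the
    address-sorted list of syscall exports is its syscall number. The Zw
    prefix filter is my choice for picking the stubs.
    """
    stubs = sorted((addr, name) for name, addr in exports.items()
                   if name.startswith("Zw"))
    return {name: index for index, (_addr, name) in enumerate(stubs)}


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    number: int   # EAX value observed at the syscall instruction
    caller: int   # user-mode return address recorded for the syscall


# Constructed module map for one process: image base and size per module.
MODULE_MAP = {
    "ntdll.dll": (0x7FFB_1E00_0000, 0x1F0000),
    "kernel32.dll": (0x7FFB_1C00_0000, 0xC0000),
    "beacon.exe": (0x7FF6_0000_0000, 0x80000),
}

# Constructed events: one benign (return address inside ntdll) and three
# that a 'must come from ntdll' rule should surface.
SAMPLE_EVENTS = [
    SyscallEvent(4242, 2, 0x7FFB_1E09_C26A),      # inside ntdll.dll
    SyscallEvent(4242, 2, 0x7FF6_0001_2345),      # issued from the main image
    SyscallEvent(4242, 5, 0x0000_01D4_2000_0010),  # unbacked (heap) memory
    SyscallEvent(4242, 99, 0x7FFB_1C01_0000),     # kernel32, unknown number
]


def module_for(addr, module_map):
    """Return the module whose image range contains addr, or None."""
    for name, (base, size) in module_map.items():
        if base <= addr < base + size:
            return name
    return None


def triage(events, module_map, exports):
    """Flag syscalls whose return address is not inside ntdll.dll.

    The syscall number is translated back to a name with the same
    address-ordering trick, so the finding names the native API used.
    """
    names = {index: name for name, index in syscall_table(exports).items()}
    findings = []
    for ev in events:
        module = module_for(ev.caller, module_map)
        if module == "ntdll.dll":
            continue  # routed through ntdll: passes this particular check
        findings.append({
            "pid": ev.pid,
            "syscall": names.get(ev.number, f"syscall#{ev.number}"),
            "module": module or "unbacked",
            "caller": hex(ev.caller),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, MODULE_MAP, SAMPLE_EXPORTS):
        print(finding)
```

Note the caveat this makes visible: an event whose return address lands inside `ntdll.dll` passes `triage` untouched, which is precisely why the post routes the `syscall` instruction through an ntdll trampoline. The return-address check therefore only catches the naive variant where the `syscall` instruction lives in the payload's own memory; tracing deeper into the call stack is needed to tell a trampolined call from a legitimate one.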
This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using Direct Syscalls. The long-term goal is to make Direct Syscalls a standard for any future Windows-based development (payload, exploit, etc.).
New module content (8)
GL.iNet Unauthenticated Remote Command Execution via the logread module.
Description: This PR adds an exploit module for a number of different GL.iNet network products. The module combines an authentication by-pass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445) allowing the user to remotely obtain, without authentication, a Meterpreter session running in the context of the root user.
Ivanti Connect Secure Unauthenticated Remote Code Execution
Description: This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.
MajorDoMo Command Injection
Description: This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.
Saltstack Minion Payload Deployer
Description: This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.
Apache Commons Text RCE
Description: Adds an exploit module for CVE-2022-42889 that targets web apps utilizing Apache Commons Text's (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion.
Atlassian Confluence SSTI Injection
Description: This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.
PRTG CVE-2023-32781 Authenticated RCE
Description: This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 188.8.131.526 and earlier. The result is command execution as SYSTEM.
Description: Adds a new `multi/gather/memory_search` module that can read the memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.
Enhancements and features (6)
- #17634 from adfoster-r7 - Reliability and stability notes that have been previously missing have been added to some modules.
- #18645 from jvoisin - This adds a way to get the Build ID from ld.so by using the `perf` command. Previously, this module depended on the `file` and `readelf` commands being installed to get the Build ID.
- #18663 from sjanusz-r7 - Adds a new Postgres session type, which is currently behind a feature flag that can be activated with `features set postgresql_session_type true`. Example usage: `use scanner/postgres/postgres_login` followed by `run postgres://postgres:firstname.lastname@example.org:9000/template1 createsession=true verbose=false`.
- #18720 from zeroSteiner - This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad characters when using the new fetch payloads.
- #18735 from AleksaZatezalo - Adds additional module metadata to the
- #18737 from zeroSteiner - This updates the `metasploit-payloads` gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.
Bugs fixed (3)
- #18662 from dwelch-r7 - Fixes an edge case where `features set dns_feature true` did not correctly parse a user's `/etc/resolv.conf` file if there were multiple nameservers present.
- #18712 from ekalinichev-r7 - Fixes a crash with Metasploit's REST api when calling
- #18746 from zeroSteiner - Fixes a module bug when using the `generate OPTION=VALUE` syntax. Previously, the module's datastore would be unintentionally updated with the new option value.
Documentation added (1)
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.