Scribd
Upload
269 views189 pages

Understanding A Payloads Life

The document discusses the life cycle of a Meterpreter payload, from its generation to execution. It begins with an introduction to Meterpreter and its goals of working without creating new processes, in restricted environments, and allowing extensibility. It then covers key components like Metsrv and extensions, how extensions are loaded, and the high-level architecture. Finally, it previews analyzing each step of the Meterpreter payload life cycle, including generation, executables, staging, and reflective loading.

Uploaded by

gobf
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
269 views189 pages

Understanding A Payloads Life

The document discusses the life cycle of a Meterpreter payload, from its generation to execution. It begins with an introduction to Meterpreter and its goals of working without creating new processes, in restricted environments, and allowing extensibility. It then covers key components like Metsrv and extensions, how extensions are loaded, and the high-level architecture. Finally, it previews analyzing each step of the Meterpreter payload life cycle, including generation, executables, staging, and reflective loading.

Uploaded by

gobf
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 189

UNDERSTANDING A PAYLOAD’S LIFE

Featuring Meterpreter & other guests

ATTL4S
# ATTL4S
• Daniel López Jiménez
• Twitter: @DaniLJ94
• GitHub: @ATTL4S
• Youtube: ATTL4S

• Loves Windows and Active Directory security


• Managing Security Consultant at NCC Group
• Associate Teacher at Universidad Castilla-La Mancha (MCSI)

attl4s.github.io
The aim of this presentation is understanding the life of a Meterpreter payload - from its
generation to its execution. How all the pieces fit together. This knowledge will be handy
not only for MSF and Meterpreter… but for almost any popular C2 framework

attl4s.github.io
The idea and name of this presentation are based on Raphael Mudge’s “Red Team Ops with
Cobalt Strike (4 of 9): Weaponization” video, where he wonderfully explained the life of a
Beacon payload

attl4s.github.io
Metasploit Cobalt Strike Modern Frameworks

attl4s.github.io
Agenda
1. Needing an Advanced Payload
2. About Terminology
3. Payload Generation
4. Payload Executables
5. Payload Staging
6. Reflective Loading

attl4s.github.io
Needing an Advanced Payload

attl4s.github.io
Introduction
• Consider a memory corruption vulnerability

• Prior to the existence of “advanced” payloads, it was common to rely on native


command interpreters for post-exploitation
• E.g. run cmd.exe and redirect input to and output from into a TCP connection

• Payloads like Meterpreter were created as better choices for such scenarios

http://www.hick.org/code/skape/papers/meterpreter.pdf attl4s.github.io
Meterpreter Origins
• Born in response to the limitations of native command
interpreters

• Which limitations?
• Presence of command interpreter process
• Execution may not be allowed on restricted
environments
• Limited set of commands

http://www.hick.org/code/skape/papers/meterpreter.pdf attl4s.github.io
Meterpreter Origins (cont.)
As such, the original goals of Meterpreter were:

• Must not create a new process

• Must work in restricted environments

• Must allow for robust extensibility

http://www.hick.org/code/skape/papers/meterpreter.pdf attl4s.github.io
The Meta-interpreter
• Command interpreter & remote access tool
• Have remote control of a system - extract juicy info!

• Designed to be a “payload”
• Can be executed from memory without touching disk
• Suitable for memory corruption exploits and other attack scenarios

• Capabilities can be extended


• Meterpreter extensions!

attl4s.github.io
The Meta-interpreter (cont.)
• Integrated within the Metasploit Framework
• Meterpreter is the server
• Metasploit is the client

• Multi-platform (implementations in C, PHP, Python, Java…) and multi-architecture


(x86, x64, ARM…)

• We are going to focus on Windows Meterpreter


• Written in C/C++/Assembly (+ Ruby on MSF’s side)

https://github.com/rapid7/metasploit-payloads attl4s.github.io
The Meta-interpreter (cont.)

attl4s.github.io
Components
• Windows Meterpreter main components are reflective DLLs
• Can be loaded from memory, rather than disk (more on this later)

• Meterpreter’s core component is called Metsrv


• In charge of network communications, extension-loading functionality and more

• Metsrv alone does not provide much in terms of offensive capability


• For that we need extensions!

attl4s.github.io
Extensions
• Further reflective DLLs loaded as modules to expand capabilities of a Meterpreter
session (no new processes, and nothing written to disk)

• Some examples:
• Stdapi: interact with the OS and file system (cd, ls, netstat, arp and more)
• Extapi: WMI and ADSI support, interact with the clipboard, with services and more
• Priv: escalate to SYSTEM or dump SAM
• Kiwi: Mimikatz
• Bofloader: load COFF/BOF files
• …

attl4s.github.io
Loading Extensions (cont.)
• Extensions follow the “ext_server_*.dll” nomenclature
• (Elevator is a reflective DLL used by the Priv extension)
• (Screenshot is a reflective DLL used by the Stdapi extension)

attl4s.github.io
High-level Architecture

Attacker Network Victim Network

Process

Meterpreter Code
MSF
Metsrv
Extension1
Extension2
Attacker System

Victim System

attl4s.github.io
“But m8… Meterpreter is SO NOISY!!”

attl4s.github.io
Modern Needs
• Executables generated by Metasploit are blocked by AVs

• The way Meterpreter’s shellcode initialises in memory is detected and blocked by


EDRs

• Even if executed, memory scans and Yara rules can easily spot a Meterpreter
agent within the memory of a process

attl4s.github.io
Modern Needs (cont.)
• When Meterpreter was created, it filled an important need of that time
• A post-exploitation tool better than traditional command interpreters

• Over time, other needs have arisen and focus has shifted to them

https://github.com/rapid7/metasploit-framework/discussions/14490 attl4s.github.io
Modern Needs (cont.)
• Nowadays, it is virtually impossible to use public tools right out-of-the-box
• Including Meterpreter

• Security mechanisms have improved, which forces the offensive side to adapt and
look for ways to keep doing its job

• If your toolset is easily blocked by automated solutions…


• You cannot demonstrate impact
• You cannot assess efficacy
• You cannot train and improve security teams

attl4s.github.io
Modern Needs (cont.)
• While we can always ask clients to exclude/allow our toolset in certain types of
assessments, in many cases this simply slows things down

• Instead of giving up on great tools like Meterpreter, let’s adapt and see what we
can do…
• …and more importantly, what we can learn!

• Even if we end up not using Meterpreter, we will be able to extrapolate a lot of


knowledge towards other tools

attl4s.github.io
Over the next sections we are going to analyse the life of a Meterpreter payload,
from its generation to its execution

attl4s.github.io
Optional

Metsrv
Exploit/ Staging
Shellcode Reflective Metsrv
Executable Process
Loading

Optional

Extension1 Extension2
Reflective Reflective …
Loading Loading

1. Payload Generation

2. Payload Executables Extension1 Extension2 …


3. Payload Staging

4. Reflective Loading

attl4s.github.io
But first… let’s understand a few key concepts and general payload terminology

attl4s.github.io
About Terminology

attl4s.github.io
Exploit & Payload
• The terms “exploit” and “payload” are often used interchangeably, which leads to
confusion

• Focused on vulnerability exploitation, they are meant to decouple:


1. Exploit - the process of abusing a vulnerability

2. Payload - code that gets executed after exploitation, to achieve specific results

attl4s.github.io
Drawn by my dad! attl4s.github.io
Exploit & Payload (cont.)
• If facing a memory corruption vulnerability, code that gets executed is usually
called shellcode
• Sequence of bytes that represent assembly instructions

• If facing other types of vulnerabilities, payloads may have different looks


• In a SQL injection, a payload could be SQL code that shows the tables of a database
• In a XSS attack, a payload could be JavaScript code structured in a specific way
• In a broken access control flaw, a payload could be a specially crafted HTTP request

attl4s.github.io
In-memory Payloads
• We will stick to scenarios where you can execute code (shellcode) in memory
• Vulnerabilities like MS17-010, situations where you can run malicious executables, or post-
exploitation activities like process injection

• Meterpreter and a lot of MSF modules can be executed from memory due to the
use of reflective DLLs (reflective DLL injection)
• Reflective DLLs are “easy” to develop, as opposed to writing shellcode/assembly
• Similar execution processes can be used for a reflective DLL toolset

https://github.com/stephenfewer/ReflectiveDLLInjection attl4s.github.io
Reflective DLL Injection?
• Technique intended for in-memory execution of unmanaged or native DLL files
• Can also be extended to cover EXE files (Reflective PE injection)

• This technique is not MSF/Meterpreter-specific!


• Agents from modern frameworks are often designed as reflective DLLs (and do good use of
reflective PE injection)
• Their implementation is often focused on evading security solutions

https://github.com/stephenfewer/ReflectiveDLLInjection attl4s.github.io
https://github.com/rapid7/ReflectiveDLLInjection attl4s.github.io
https://www.cobaltstrike.com/blog/cobalt-strike-4-4-the-one-with-the-reconnect-button/ attl4s.github.io
https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/ attl4s.github.io
https://www.mdsec.co.uk/2021/12/nighthawk-0-1-new-beginnings/ attl4s.github.io
https://github.com/HavocFramework/Havoc/blob/main/WIKI.MD#agents attl4s.github.io
Interesting Fact
• Metasploit started using Fewer’s
technique from 2008 onwards

• Before that, another DLL injection


method was used that today can be
found as "patchupmeterpreter“

http://www.hick.org/code/skape/papers/remote-library-injection.pdf attl4s.github.io
Interesting Fact (cont.)

https://www.exploit-db.com/docs/english/13007-reflective-dll-injection.pdf attl4s.github.io
Payload Generation
Now let’s move on and analyse how Meterpreter payloads are generated by MSF!

attl4s.github.io
Payload Generation

attl4s.github.io
Introduction
• Popular payloads come in the form of shellcode
• E.g. full position independent code (PIC) or combination of PIC + loader

• Why? Due to its portability

• Shellcode can be used in exploits, post-exploitation tasks, and also from within a
myriad of executable formats

attl4s.github.io
Introduction (cont.)
• Frameworks like Metasploit automate the process of generating shellcodes

• All you need to do is populate a number of settings and press the button
• “I want a Meterpreter payload which connects back to a specific IP and Port using HTTP”

• We are going to analyse:


1. How to build static Meterpreter DLLs
2. How these DLLs are manipulated to generate our payloads

attl4s.github.io
Building Meterpreter

attl4s.github.io
Metflective DLLpreter
• Remember Meterpreter consists of multiple
reflective DLLs which can be loaded from memory
• Metsrv + Extensions

• Metasploit comes with those DLLs pre-compiled


and ready for use

attl4s.github.io
Building Meterpreter
• If you want to (modify and) compile those DLLs yourself:
• Visual Studio projects or Docker (Windows/Linux)
• The Metasploit-Payloads repo has nice documentation

• Example of building Metsrv

https://github.com/rapid7/metasploit-payloads/tree/master/c/meterpreter attl4s.github.io
Building Meterpreter (cont.)
• Note that what makes these DLLs “reflective” is the result of building them along
with the ReflectiveLoader component

• Example (Metsrv):

https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/metsrv/metsrv.c attl4s.github.io
DLL Compile rDLL
Reflective Reflective Loader
Loader

attl4s.github.io
Reflective DLL Manipulation

attl4s.github.io
Using Reflective DLLs
• If you use the Meterpreter DLLs directly like regular shellcode, you won’t achieve
any results

• In order to initialise a DLL of this kind from memory, its “ReflectiveLoader” export
must be called
• Reflective DLLs are regular DLLs built together with a portable reflective loader!

https://github.com/stephenfewer/ReflectiveDLLInjection/blob/master/dll/src/ReflectiveLoader.c attl4s.github.io
Dissecting Metsrv

See? It is a DLL

https://github.com/hasherezade/pe-bear attl4s.github.io
Dissecting Metsrv (cont.)

Meterpreter uses ordinal values instead of the traditional “ReflectiveLoader” name


since Metasploit 6.0

https://github.com/rapid7/metasploit-framework/issues/16493 attl4s.github.io
Turning Into Shellcode
• So what the hell does MSF do to turn a rDLL into “shellcode”?

• MSF patches a small piece of code into the DOS header of the target DLL
• Usually referred to as “bootstrap code” or “initialisation stub”
• In the case of Meterpreter, MSF does this to Metsrv

• The main goal of that code is calling the reflective loader exported function
1. When position 0 of the shellcode is called, the bootstrap will be executed
2. The bootstrap will then call the export, initialising the reflective loading process

https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html attl4s.github.io
Process Memory

1
Bootstrap

2
rDLL
Reflective Loader

attl4s.github.io
Bootstrap - “invoke_metsrv”

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb attl4s.github.io
Bootstrap - DOS Header Patching

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb attl4s.github.io
Metsrv not Patched

https://github.com/hasherezade/pe-bear attl4s.github.io
Metsrv Patched

https://github.com/hasherezade/pe-bear attl4s.github.io
So…
• When a Meterpreter payload is generated, MSF patches bootstrap code into
Metsrv’s pre-compiled rDLL
• With this code, the whole piece can now be executed as “regular” shellcode

• But once again, with just this you would not receive any Meterpreter session

• There is an important piece still missing: CONFIGURATION SETTINGS!


• What about our LHOST, LPORT, extension settings, etc?

attl4s.github.io
Configuration Block
• Meterpreter uses a specific structure called Configuration Block which contains
the entire payload configuration

• When generating a payload, this block is created dynamically by MSF with all the
settings selected by the user

• MSF not only patches the bootstrap, it also appends the configuration block at
the end of Metsrv

attl4s.github.io
Bootstrap

rDLL
Reflective Loader

Configuration Block

attl4s.github.io
Configuration Block (cont.)

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb attl4s.github.io
Config Block Appended

https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html attl4s.github.io
What Does it Contain?
• Configuration Block Structure:
• One Session configuration block
• One or more Transport Configuration blocks, followed by a terminator
• One or more Extension configuration blocks, followed by a terminator

• Perfectly explained at MSF docs:


• https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-
configuration.html

https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-configuration.html attl4s.github.io
The Bootstrap Again!
• If paid special attention, you probably noticed that the bootstrap did more things
than just calling a DLL export
• Executing the export loads Metsrv in memory (DLL_PROCESS_ATTACH) - nothing else

• The bootstrap makes a second call to DllMain (DLL_METASPLOIT_ATTACH) and


passes a pointer to the configuration block

• With this, Metsrv has everything to start its job!

attl4s.github.io
Bootstrap - “invoke_metsrv”

Metsrv’s DllMain... huh?

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb attl4s.github.io
Custom “DllMain” - RDI

If a reflective DLL defines this, it will use a custom


DllMain rather that RDI’s default one…

https://github.com/rapid7/ReflectiveDLLInjection/blob/master/dll/src/ReflectiveLoader.c attl4s.github.io
Custom “DllMain” - Metsrv
• Metsrv specifies a custom DllMain, which is called by the
bootstrap with DLL_METASPLOIT_ATTACH

• As a result, Metsrv’s Init function is executed with a pointer


to the config block

https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/metsrv/metsrv.c attl4s.github.io
Session Opened!

NOW… If this shellcode is executed…

attl4s.github.io
Bonus: MSF Modules
• For exploits/modules that rely on using Windows API calls, MSF typically implements their logic in
one of the following two ways:
• C code + Railgun
• Reflective DLL

• Both techniques are capable of running the module logic within the current process

• Reflective DLLs have the added benefit of being able to be injected into other processes (if
needed)
• If something goes wrong, the original session keeps living!

attl4s.github.io
Bonus: JuicyPotato Module
• Pre-compiled rDLL injected into target
process
• Saves offset pointing to loader export
• We don’t need a bootstrap here!

• Module settings and selected payload


also injected to target process

• Execution via new thread


• Points to loader export
• Module config passed as parameter

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_075_reflection_juicy.rb attl4s.github.io
Other Generation Approaches

attl4s.github.io
Dynamic Building
• Some open-source frameworks include compilers in their automation processes
• E.g. Sliver, Havoc, Mythic, Covenant…

• Instead of manipulating pre-compiled files, these frameworks generate and


compile code dynamically

• This provides multiple benefits

attl4s.github.io
Let’s analyse the Havoc Framework as an example…

attl4s.github.io
Havoc Artifacts
• Demon EXEs and DLLs are directly
generated from source code

• This is not a template where rDLL code is


patched and executed (more on this on the
“Payload Executables” section)

• As such, Demon EXEs and DLLs do not use or


rely on reflective DLL injection by default

https://github.com/HavocFramework/Havoc/blob/master/Teamserver/pkg/common/builder/builder.go attl4s.github.io
Havoc Shellcode
Demon shellcode follows a similar approach to MSF’s - but with a builder

1. Config settings are set dynamically before compilation


• Avoids the use of a configuration block and code to find it

2. Demon’s DLL code is built along with the KaynLdr component (Havoc’s
reflective loader)

3. A little bootstrap code is prepended to the resulting rDLL, in charge of


calling the loader’s export

https://github.com/HavocFramework/Havoc/blob/master/Teamserver/pkg/common/builder/builder.go attl4s.github.io
Compiles DLL with the selected configuration

Prepends bootstrap to the resulting DLL

https://github.com/HavocFramework/Havoc/blob/master/Teamserver/pkg/common/builder/builder.go attl4s.github.io
A Note About Commercial Tools
• Commercial C2s tend not to provide source code to avoid leaking capabilities to
competitors, or making analysis of their agents/tools harder

• Unlikely that features like dynamic code generation and compilation will be
included in such frameworks

attl4s.github.io
Payload Decorations

attl4s.github.io
Payload Decorations
• Actions or modifications we perform on a payload after it has been generated

• The purpose is usually obfuscation, bad char removal or adding further


capabilities to protect the payload
• Payload encoding/encryption, execution guardrails, stomp/replace unnecessary data…

• Note that after these “decorations”, the whole payload usually remains one single
piece, suitable for exploits or post-exploitation activities

attl4s.github.io
Example - MSF Encoders
• The main purpose of encoding is avoiding chars that might not be allowed in our
attack scenario (MSF supports multiple encoders!)

• Encoding has also traditionally been used as a layer of obfuscation


• Note that signatures will reappear during execution, after the payload is decoded!

• Popular implementations require RWX permissions


• Decoding process (RW) + execution of decoded payload (RX)

https://github.com/rapid7/metasploit-framework/tree/master/modules/encoders attl4s.github.io
Example - MSF Encoders (cont.)
• When using a encoder in e.g. MSFVenom, the run_encoder() function is called
• This in turn calls the encode() method of the selected encoder

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload_generator.rb attl4s.github.io
Encodes the payload’s buffer and returns a new
shellcode with the self-decoding routine

Let’s see what do_encode() does…

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/encoder.rb attl4s.github.io
The payload needs code to auto-decode itself –
this is the “decoder stub”

E.g. this is the decoder stub associated to MSF’s x64/XOR decoder

https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x64/xor.rb attl4s.github.io
• The buffer is encoded in blocks, and the decoder
stub is prepended to resulting buffer

• Result = decoder stub + encoded payload

• A final bad char check is done, in case any had


been specified

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/encoder.rb attl4s.github.io
Payload

encode()

Decoder
Encoded Payload
Stub

attl4s.github.io
Example - SGN
• Reimplementation of Shikata Ga Nai in golang with x64 support
• This one is not integrated within the Metasploit Framework

• Serves a similar purpose to what we have already explained

• Nonetheless, good example of a modern encoder with some interesting features

https://github.com/EgeBalci/sgn attl4s.github.io
Example - SGN (cont.)

https://github.com/EgeBalci/sgn attl4s.github.io
Example – Nighthawk’s Keying
• Nighthawk offers a variety of ways to
ensure that a payload is only executed
under specific circumstances

• Implemented as additional shellcode


integrated with the agent’s

https://www.mdsec.co.uk/2022/05/nighthawk-0-2-catch-us-if-you-can/ attl4s.github.io
Example - CS’ Malleable PE
• Cobalt Strike also has capabilities to post-manipulate Beacon’s shellcode
• E.g. add/prepend/append/replace data associated to the Beacon DLL

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_main.htm attl4s.github.io
Example - CS’ Malleable PE (cont.)
• It also supports obfuscation methods and ways to configure specific data
leveraged by the reflective loader

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_main.htm attl4s.github.io
Now let’s move on into another section, and understand the art of inserting
payloads within executable recipients!

attl4s.github.io
Payload Executables

attl4s.github.io
Introduction
• As we have seen, popular payloads come in the form of shellcode

• Shellcode can be executed from within a myriad of executable formats


• AKA “shellcode loaders”

• Frameworks like Metasploit automate the process of generating those


executables

attl4s.github.io
Automation
• MSF’s automation comprises two main steps:
1. Generating payload with specific characteristics
2. Including payload within an executable template

1. Shellcode Generation
• Executable formats include
• Scripts (e.g. PowerShell or VBA)
• Compiled binaries (e.g. EXE or DLL)
2. Insert into template

HERE

attl4s.github.io
Templates
• Default MSF templates are stored within /data/templates

• As an example, the following image shows precompiled EXE templates


• The source of these templates is also available in /data/templates/src

https://github.com/rapid7/metasploit-framework/tree/master/data/templates attl4s.github.io
EXE Class
• Metasploit’s Msf::Util::EXE class implements all the logic
• Abstraction through “to_executable_fmt” function

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/exe.rb attl4s.github.io
Scripts

attl4s.github.io
Scripts
• For scripts, a simple string
substitution approach is followed

• Templates with placeholders

• Placeholders are replaced by the


payload’s code

https://github.com/rapid7/rex/blob/master/lib/rex/powershell/payload.rb attl4s.github.io
Scripts (cont.)

https://github.com/rapid7/rex-powershell/blob/master/data/templates/to_mem_pshreflection.ps1.template attl4s.github.io
Compiled Artifacts

attl4s.github.io
Compiled Artifacts
• For compiled artifacts, MSF manipulates pre-compiled templates
• We are going to focus on PEs

• Two main approaches:

1. String substitution (AKA “sub_method”)

2. PE struct manipulation

attl4s.github.io
String Substitution
• Pre-compiled templates with buffers where the payload is patched
• Buffers have fixed sizes set before compilation

• MSF uses placeholders to locate the beginning of said buffers


• “PAYLOAD:”

• Payload size must be lower or equal than the one specified in the buffer
• Otherwise patching the payload breaks the executable!

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/exe.rb attl4s.github.io
Placeholder “PAYLOAD:” with fixed size of 4096

https://github.com/rapid7/metasploit-framework/blob/master/data/templates/src/pe/exe/template.c attl4s.github.io
1. Finds placeholder
2. If payload’s length is ok, packs data and writes it

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/exe.rb#L549 attl4s.github.io
String Substitution (cont.)
• Nowadays, the only MSF (PE) formats that use “sub_method” by default are:
• exe-service (x86, x64)
• dll (x86, x64)
• exe-small (x86)

• Due to the requirement of fixed sizes, not all payloads are supported when
selecting those formats
• Big payloads will fail (MSF team is working on this!)
• Related -> https://github.com/rapid7/metasploit-framework/pull/17594

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/exe.rb attl4s.github.io
The placeholder is not present because if was filled with the shellcode!

attl4s.github.io
• Generation fails when selecting a big payload (e.g. stageless Meterpreter)
• UPDATE (08/03/2023): DLLs now can use new templates with bigger buffer sizes
• Small payload? → template_x64_windows.dll
• Big payload? → template_x64_windows.256kib.dll

https://github.com/rapid7/metasploit-framework/tree/master/data/templates attl4s.github.io
PE Struct Manipulation
• Parse PE template and modify its structure and fields
• MSF uses Metasm or Rex (PeParsey)

• Different ways to patch your payload (MSF supports multiple)


• Add it into a new section and modify the entrypoint
• Overwrite the original entrypoint location with the payload

• Does not require placeholders / fixed sizes on templates


• As such, arbitrary templates and payloads can be used - which is handy!

attl4s.github.io
The placeholder is present because the payload is not stored there!

New RWX section with new Entrypoint

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exe/segment_appender.rb attl4s.github.io
x64 EXE using the exe-only approach (overwrite EP location) and Procmon as the template

.text section switched to RWX

https://blog.scrt.ch/2014/06/13/metasploit-psexec-resurrect/ attl4s.github.io
A Bit of a Mess
• Generation of executables in MSF is not very consistent
• Depending the options you select, MSF might support (or not) certain approaches

• In the past, the predominant method used to be “sub_method”


• It made sense given the prevalence of stagers and their (more or less) standard sizes

• MSF nowadays prefers PE struct manipulation approaches by default


• Support arbitrary templates and don’t require fixed sizes or placeholders

https://www.blackhillsinfosec.com/advanced-msfvenom-payload-generation/ attl4s.github.io
A Bit of a Mess (cont.)

exe exe-small exe-only exe-service dll

“sub_method”, PE sub_method, PE
PE manipulation sub_method, PE
x86 manipulation sub_method manipulation
(overwrite EP) manipulation (inject)
(inject, append) (overwrite EP)

PE manipulation PE manipulation PE manipulation


x64 sub_method sub_method
(inject, append) (inject, append) (overwrite EP)

attl4s.github.io
A Note About Formats
• MSF also supports transforming/encoding a selected payload in different
languages and formats via the REX library

• This is useful when you are developing your own executables, instead of using
MSF’s automation

https://github.com/rapid7/rex/blob/master/lib/rex/text.rb attl4s.github.io
What About Other Frameworks?

attl4s.github.io
The Artifact Kit
• Capability provided by Cobalt Strike to aid in the generation of executables with
custom templates
• “Cobalt Strike uses the Artifact Kit to generate its executables and DLLs”

• Although it may not look like it at first glance, the Artifact Kit works pretty much
in the same way as some things we have seen in MSF

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/artifacts-antivirus_artifact-kit-main.htm attl4s.github.io
The Artifact Kit (cont.)
• The Artifact Kit uses Sleep and Aggressor Script to automate the generation and
decoration of executables
• And also to register the specified templates on Cobalt Strike’s client menus

• Aggressor Script has a lot of functionality to parse PE files, modify/update


attributes, generate Beacon shellcode programmatically, mask data…

https://download.cobaltstrike.com/aggressor-script/functions.html attl4s.github.io
The Artifact Kit (cont.)
• The default approach of the Artifact Kit is similar to MSF’s “sub_method”
1. Write your templates with a payload buffer and a placeholder to find it
2. Build your templates
3. Automate the process of finding the placeholder and patching the payload on the buffer

• Of course, this is the DEFAULT approach… the limit is your own imagination
• Sleep is based on Java and is able to create, access, and query Java objects
• You can also call other programs from Sleep if you want (e.g. python scripts)

https://hstechdocs.helpsystems.com/ attl4s.github.io
Dynamic Building
• On the other hand, some frameworks can generate code and compile it
dynamically
• Most likely open source frameworks like Havoc, Sliver, Mythic, Covenant…

• A lot of limitations seen when using static templates don’t apply here
• No need for pre-compiled binaries with buffers and placeholders
• No fixed sizes, we can hold shellcodes with different sizes
• We have fresh executables every time we generate them

attl4s.github.io
Dynamic Building (cont.)
• However, it must be noted that not all these frameworks expose functionality to
ease the process of modifying how executables are generated (à la Artifact Kit)

• Most frameworks usually just provide a way to export their agents in shellcode
format, so that they can be inserted into external loaders

attl4s.github.io
Independent Generators
• There are also independent tools, outside of frameworks, which perform this kind
of automation
• Some use similar techniques to those we have seen, and others use other ways!

• Some examples:
• Shellter - https://www.shellterproject.com/
• OST Payload Generator - https://outflank.nl/services/outflank-security-tooling/
• Inceptor - https://github.com/klezVirus/inceptor
• ScareCrow - https://github.com/optiv/ScareCrow
• PEzor - https://github.com/phra/PEzor
• Freeze - https://github.com/optiv/Freeze

attl4s.github.io
So...
• We understand how Meterpreter shellcodes are typically generated

• We understand how Meterpreter shellcodes are included within executable


recipients like EXEs or DLLs

• Now, before executing anything yet… let’s talk about PAYLOAD STAGING

attl4s.github.io
Payloads Staging

attl4s.github.io
Execution Restrictions
• In certain scenarios, the (big) size of our payload might be an issue

• That’s why there exist two popular ways of execution:


• Staged execution – executing our payload in different phases
• Stageless execution – executing our payload directly

• This is not something specific to MSF, Meterpreter, Reflective DLLs or even


memory corruption vulnerabilities

attl4s.github.io
Staged Execution
Execution in different phases through the use of:

1. Staging Server: in charge of serving stage payloads

2. Stager: typically a small program that connects to a staging server, and


downloads and executes a stage payload

3. Stage Payload(s): the final payload(s) we want to execute

attl4s.github.io
Staged Execution (cont.)
1. Artifact/exploit is run, so the stager code is executed

2. Stager downloads stage from staging server, and pass execution to it

3. The payload’s action is performed (e.g. running Meterpreter)

Exploit/Exe Staging Stage Payload


cutable Process Payload Result

attl4s.github.io
Stageless Execution
Execution is done by running the intended payload directly

1. Artifact/exploit is run, so the payload code gets executed

2. Payload’s action is performed (e.g. running Meterpreter)

Exploit/Exe Payload
Payload
cutable Result

attl4s.github.io
So…
• A staged execution is done in different phases by employing stagers and
downloading stage payloads

• A stageless execution is done in a single phase, as everything needed is in place


an ready to be executed

attl4s.github.io
Staging… or Not?

attl4s.github.io
When Staged?
• Entirely dependent on your needs!

• Scenarios with size limitations (e.g. memory corruption exploits)

• Staging provides a lot of flexibility, as different payloads can be used with the
same stager

• Stage payloads are sent over the network (watchout unencrypted comms!)

https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/ attl4s.github.io
When Staged? (cont.)
• As a result of aiming for small sizes, popular stager implementations don’t have
authentication nor payload verification

• Stages can be downloaded by anyone from the staging server

• The staging process can be hijacked to serve arbitrary stages that won’t be verified

• Popular staging processes and stagers also have known behaviours that may
trigger network/endpoint detection and response solutions

https://www.cobaltstrike.com/blog/talk-to-your-children-about-payload-staging/ attl4s.github.io
When Staged? (cont.)
• To avoid some limitations, you can develop a custom staging process or leverage/modify existing
ones

• The Sliver framework is an example of this, extending MSF’s staging process with features like
stage encryption and compression
• Other nice feature could be environmental keying!

• Popular stagers are written as shellcode so they can be easily used within exploits
• For other scenarios you might find easier to develop stagers in higher level languages (and their size
may not matter that much!)

https://github.com/BishopFox/sliver/wiki/Stagers attl4s.github.io
Useful Links
• https://www.cobaltstrike.com/blog/staged-payloads-what-pen-testers-should-know/
• https://www.cobaltstrike.com/blog/talk-to-your-children-about-payload-staging/
• https://www.cobaltstrike.com/blog/a-loader-for-metasploits-meterpreter/
• https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/
• https://github.com/BishopFox/sliver/wiki/Stagers
• https://github.com/rsmudge/metasploit-loader
• https://github.com/tothi/stager_libpeconv
• https://github.com/DiabloHorn/undetected-meterpreter-stagers

attl4s.github.io
When Stageless?
• Entirely dependent on your needs!

• If you don’t have size restrictions, stageless is pretty cool

• Everything self-contained and ready to be executed


• No stagers and their potential limitations (but also less flexibility)

• If working from disk, there is more surface to be scanned for static signatures

https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/ attl4s.github.io
Back to Meterpreter!

attl4s.github.io
Back to Meterpreter
• Let's see how everything fits with MSF and Meterpreter

• First, we should know how to choose between staged and stageless payloads
within Metasploit:

https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/ attl4s.github.io
Staged Execution - Example
• Example with windows/x64/meterpreter/reverse_https

attl4s.github.io
Back to Meterpreter (cont.)
• We can now wisely choose the appropriate payload depending the scenario we
face:

o Memory corruption vulnerability with little space?


o Probably use staged

o Privilege escalation via DLL hijack?


o Stageless might fit well

https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/ attl4s.github.io
Remember!
• Meterpreter is not a single piece!

• In order to benefit from its full potential we have to execute:


• Meterpreter’s core component: Metsrv
• One or more extensions? (e.g. Sdtapi & Priv)

• This translates into the execution of multiple reflective DLLs


• In the example above, a total of three: Metsrv, Stdapi & Priv
(In fact, when you use a default Meterpreter payload, it loads those three components)

attl4s.github.io
Optional

Metsrv
Exploit/ Staging
Shellcode Reflective Metsrv
Executable Process
Loading

Optional

Extension1 Extension2
Reflective Reflective …
Loading Loading

1. Payload Generation

2. Payload Executables Extension1 Extension2 …


3. Payload Staging

4. Reflective Loading

attl4s.github.io
What’s Being Staged?
• If we choose a staged Meterpreter, all components will be staged
• windows/x64/meterpreter/reverse_tcp

• If we use a default stageless Meterpreter, only extensions will be staged


• windows/x64/meterpreter_reverse_tcp

• If we choose a stageless Meterpreter and include some extensions, those will not
be staged (but any other will be)
• windows/x64/meterpreter_reverse_tcp EXTENSIONS=stdapi,priv

attl4s.github.io
attl4s.github.io
What’s Being Staged? (cont.)
• Note that extension “staging” will be done by Metsrv
Metsrv

Optional

Extension1 Extension2
Reflective Reflective …
Loading Loading

Extension1 Extension2 …

https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/metsrv/remote_dispatch.c attl4s.github.io
MSF Stagers
• If you are curious about Windows MSF stagers, you can find them here:
• https://github.com/rapid7/Metasploit-framework/tree/master/lib/msf/core/payload/windows

• Examples:
• reverse_http.rb
• reverse_tcp.rb
• reverse_win_http.rb
• …

attl4s.github.io
MSF Stagers (cont.)
• Example – reverse_tcp_x64.rb (ref to footnotes link)

https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/x64/reverse_tcp_x64.rb attl4s.github.io
Paranoid Mode
• Some MSF stagers (WinHTTP) support security features like Payload UUID
tracking and whitelisting with TLS pinning

https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/the-ins-and-outs-of-http-and-https-communications-in-meterpreter-and-metasploit-stagers.html attl4s.github.io
MSF Staging Protocol
• Also Metasploit’s staging process explained by the great OJ Reeves:

https://buffered.io/posts/staged-vs-stageless-handlers/ attl4s.github.io
MSF Stageless
• Remember Meterpreter’s Configuration Block?
• One Session configuration block
• One or more Transport Configuration blocks, followed by a terminator
• One or more Extension Configuration blocks, followed by a terminator

• MSF can include extensions as Extension blocks within the Configuration Block

• With the address of the Configuration Block in memory, Metsrv is able to find and
initialise those extensions

attl4s.github.io
Moving Forward
Metsrv
Exploit/ Staging
Shellcode Reflective Metsrv
Executable Process
Loading

Extension1 Extension2
Reflective Reflective …
Loading Loading

Extension1 Extension2 …

attl4s.github.io
Reflective Loading

attl4s.github.io
Recap
• Meterpreter components are reflective DLLs
• Metsrv + extensions

• Reflective DLLs are intended to be loaded from memory


• As opposed to regular DLLs/PEs, which are designed to be loaded from disk

• A reflective DLL is just a regular DLL built together with a “portable” PE loader
• The loader is in charge of loading the whole DLL into memory

attl4s.github.io
You can see this as a custom implementation of LoadLibrary(), avoiding the module-on-disk
limitation

https://github.com/stephenfewer/ReflectiveDLLInjection attl4s.github.io
DLL Compile rDLL
Reflective Reflective Loader
Loader

attl4s.github.io
Process Memory

2
rDLL DLL
Entrypoint
Reflective Loader
1 3

attl4s.github.io
Recap (cont.)
• Traditional reflective DLLs implement the loader functionality as an exported
function

• These DLLs cannot be run like shellcode by executing position 0


• Instead, the loader function must be located and executed

• To address this limitation, frameworks like MSF leverage bootstrap code


• With the bootstrap, a reflective DLL can be executed like shellcode

attl4s.github.io
Process Memory

1
Bootstrap

3
2 rDLL DLL
Entrypoint
Reflective Loader
4

attl4s.github.io
Recap (cont.)
• The main goal of this bootstrap is executing the reflective loader export, although
it may have additional purposes

• For example, we’ve seen this with Metsrv’s bootstrap


1. Executes Reflective Loader export, which loads Metsrv DLL in memory
2. Executes Metsrv’s dllmain with a pointer to the Config Block, which holds all user-defined
configuration (what Metsrv needs to create a new Meterpreter session)

attl4s.github.io
Reflective Loading
• All this is nice but… what does the Reflective Loader actually do?

• The only things we know so far…


1. The loader is built into the target DLL we want to load

2. It is in charge of loading such DLL into memory à la LoadLibrary()

3. Everybody talks about reflective DLLs and loaders on the Internet

attl4s.github.io
Traditional
Reflective DLL Loading

attl4s.github.io
Disclaimer
• Don't let these slides fool you!
• I am not a programmer nor an expert on this area
• I might have done wrong assumptions in certain things

• This section is only intended as an overview

• Largely based on Raphael Mudge’s explanation from:


• “Red Team Operations with Cobalt Strike”

attl4s.github.io
https://www.exploit-db.com/docs/english/13007-reflective-dll-injection.pdf attl4s.github.io
Process Memory

rDLL 1. Reflective Loader is executed

Reflective Loader

Red Team Ops with Cobalt Strike (4 of 9): Weaponization attl4s.github.io


Process Memory

MZ

2. Moves backwards from current position until finding


rDLL MS-DOS header (beginning of the DLL)
• This is done as the whole DLL is going to be
Reflective Loader copied into new memory

Red Team Ops with Cobalt Strike (4 of 9): Weaponization attl4s.github.io


Process Memory

PEB

3. Resolves any functions needed for the loading process


• Locates PEB and *typically* finds Kernel32.dll in
Kernel32 memory
1
• *Typically* gets LoadLibrary() and GetProcAddress()
Export Table
addresses from kernel32’s EAT
• Finds or resolves any other functions needed by the
rDLL implementation
RL
2

Red Team Ops with Cobalt Strike (4 of 9): Weaponization attl4s.github.io


Process Memory

4. Prepares new memory for the DLL


rDLL • E.g. with VirtualAlloc
• Size is typically based on
Reflective Loader
OptionalHeader -> SizeOfImage

Red Team Ops with Cobalt Strike (4 of 9): Weaponization attl4s.github.io


Process Memory

rDLL DLL
5. Copies the original DLL into the new
memory (i.e. headers and sections)
Reflective Loader

Red Team Ops with Cobalt Strike (4 of 9): Weaponization attl4s.github.io


Process Memory

6. Loads all dependencies and updates


the IAT of the memory injected DLL
rDLL • LoadLibraryA DLL • Browses original IAT and
• GetProcAddress loads/resolves all DLLs/functions
Reflective Loader

Import Address Table


Import Address Table
• Updates data on the new DLL

Red Team Ops with Cobalt Strike (4 of 9): Weaponization attl4s.github.io


Process Memory

Delta = real_ImageBase - nt->OptionalHeader.ImageBase


7. Relocations
• DLL will probably not be loaded at the
PE expected base address
• “Hardcoded” addresses broken

rDLL DLL
• Gets ImageBase from OptionalHeader,
and calculates the delta with the real
base address of the DLL
2 Relocation Table • Fixes relocations using the calculated
Relocation Table offset

Red Team Ops with Cobalt Strike (4 of 9): Weaponization attl4s.github.io


Process Memory

rDLL DLL 8. Calls the entry point!


Reflective Loader Entrypoint

Red Team Ops with Cobalt Strike (4 of 9): Weaponization attl4s.github.io


Your DLL has been loaded without touching disk!

attl4s.github.io
Improvements to the
Original Recipe

attl4s.github.io
Limitations
• Stephen Fewer’s technique is awesome, but has two big limitations:

• It requires the source code of the DLL (to build the loader into it)

• It only supports calling the entry point of the injected DLL (i.e. DllMain)

• How could these be addressed?

https://mez0.cc/posts/exploring-dll-loads/ attl4s.github.io
Improvements
• Different people have made improvements to this technique, but – from my quick
investigation – two stand out:

1. Dan Staples with “An Improved Reflective DLL Injection Technique”


• Fixes the only-entry-point limitation

2. Nick Landers with “sRDI – Shellcode Reflective DLL Injection”


• Fixes the source code limitation

https://mez0.cc/posts/exploring-dll-loads/ attl4s.github.io
Dan Staples
• Dan Staples’ approach is a clear example of “bootstrap code can have additional
purposes” (refer to Slide 150)

https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html attl4s.github.io
Dan Staples (cont.)
• Dan changed the Loader function to support new parameters:
1. Export name in hashed format
2. Arguments for the export

• This allowed not only the execution of the entry point (i.e. DllMain), but also an
arbitrary export
• Note that Microsoft recommends not working from DllMain!

• How was this new data passed to the Loader? With the bootstrap

https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html attl4s.github.io
Nick Landers
• Nick and his team went ahead and wrote the reflective loader piece as shellcode
• Released around Aug 2017

• They also leveraged the approach shown by Dan Staples


• Using the bootstrap to pass a an export name and arguments to the Loader

• The result: sRDI


• Does not require source code (because the loader is shellcode)

• Can execute an arbitrary export with user-defined arguments

https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/ attl4s.github.io
https://github.com/monoxgas/sRDI attl4s.github.io
Other Interesting Approaches

attl4s.github.io
Cobalt Strike – UDRL
• One of the most interesting aspects of Cobalt Strike is its malleability and ability
to automate things
• Sleep + Aggressor Script

• Cobalt Strike 4.4 added support for using customized reflective loaders for
beacon payloads

• How it works?

https://www.cobaltstrike.com/blog/cobalt-strike-4-4-the-one-with-the-reconnect-button/ attl4s.github.io
Cobalt Strike – UDRL (cont.)
• Users have to write their custom loaders in C, in such a way that shellcode can be
extracted from the resulting compiled file
• (Not working anymore) http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
• (Copy of the previous post) https://phasetw0.com/malware/writing-optimized-windows-shellcode-in-c/

• (This is also the approach Nick Landers and its team employed for developing
sRDI’s loader shellcode)

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_user-defined-rdll.htm attl4s.github.io
Cobalt Strike – UDRL (cont.)
• The extracted shellcode is then patched into the Beacon reflective DLL, at the
ReflectiveLoader export position

• Cobalt Strike offers Aggressor Script functions to ease the automation of this
process

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_user-defined-rdll.htm attl4s.github.io
Cobalt Strike – UDRL (cont.)
• Since the release of this feature, various interesting loaders have been released
with different approaches and capabilities

• Some of them:
• (@ilove2pwn_) https://github.com/benheise/TitanLdr

• (@0xBoku) https://github.com/boku7/BokuLoader

• (@kyleavery_) https://github.com/kyleavery/AceLdr

• (@C5pider) https://github.com/Cracked5pider/KaynStrike

attl4s.github.io
Cobalt Strike – UDRL (cont.)
• I highly recommend reading Bobby Cooke’s “Defining the Cobalt Strike Reflective
Loader” post (and future posts in this series)
• https://securityintelligence.com/posts/defining-cobalt-strike-reflective-loader/

• Great explanations and details on the Reflective Loading subject, from a


developer point of view

• BokuLoader link again:


• https://github.com/boku7/BokuLoader

https://twitter.com/0xBoku attl4s.github.io
Donut
• Initially focused on providing in-memory execution of .NET programs as shellcode
• Developed by Odzhan (@modexpblog) and TheWover
• First version was released on May 2019

• Evolved over time to provide - among other things - great reflective PE execution capabilities
(both DLLs and EXEs!)
• Starting from version 0.9.2 - Bear Claw

• Version 1.0 was recently released (March 2023) with multiple improvements mostly focused on
the reflective PE execution side!

https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/ attl4s.github.io
NightHawk – Dependency Loading
• Finally, worth mentioning how NightHawk has significantly improved dependency
loading in their reflective loading process

https://www.mdsec.co.uk/2022/11/nighthawk-0-2-1-haunting-blue/ attl4s.github.io
Acknowledgements

attl4s.github.io
Standing on the Shoulders of Giants

Thanks to all links and people referred across the slides

attl4s.github.io
Standing on the Shoulders of Giants
Key resources
• Metasploit docs and open source repositories
• https://docs.metasploit.com/
• https://github.com/rapid7/metasploit-framework
• https://github.com/rapid7/metasploit-payloads

• Skape’s paper
• http://www.hick.org/code/skape/papers/meterpreter.pdf

• OJ Reeves’ stuff
• https://buffered.io/

• Raphael Mudge’s stuff


• https://www.youtube.com/@DashnineMedia

attl4s.github.io
Standing on the Shoulders of Giants

Special thanks (for reviewing the presentation and providing great feedback)
• Manuel León (@ElephantSe4l)

• Spencer McIntyre (@zeroSteiner)

• Borja Merino (@BorjaMerino)

attl4s.github.io
MANY THANKS!
Any Question?

Is anybody still awake?

You might also like