Build instructions for Meterpreter on Ubuntu 14.04 LTS

[todb-r7]

When I build meterpreter on Ubuntu 14.04, I appear to succeed, but I am unable to get a session with the results.

My procedure:

• make
• cp -r data/meterpreter/* ../metasploit-framework/data/meterpreter
• cd ../metasploit-framework
• ./msfconsole -Lqr /home/todb/.msf4/scripts/resource/linux-meterpreter.rc (source here)

With the most recent checkin, this all works great. With a build I try to make myself though, meterpreter.bin segfaults.

The target is metasploitable, which is a semi-jacked up version of Ubuntu 8.
My build machine is Ubuntu 14.04 LTS

I have my entire build log here.

I know that @jvazquez-r7 can build successfully, too, so it's not just @bcook-r7 magic.

[OJ]

I've had very similar issues building on Ubuntu in the past (12 and 13). I gave up in the end and built things on my Fedora 19 box, where I had way more success.

[jvazquez-r7]

How to compile Linux meterpreter on Ubuntu 12.04 / 13.10 / 14.04 (32 bits).

• Install dependencies:

sudo apt-get install build-essential jam wget flex bison binutils-gold

• Check which the gold linker is being used:

$ ls -la /usr/bin/ld
lrwxrwxrwx 1 root root 20 Jun 27 10:03 /usr/bin/ld -> /usr/bin/ld.gold

• Otherwise, configure update-alternatives:

sudo update-alternatives --install "/usr/bin/ld" "ld" "/usr/bin/ld.gold" 20
sudo update-alternatives --install "/usr/bin/ld" "ld" "/usr/bin/ld.bfd" 10

• And choose the gold version with update-alternatives --config ld:

$ sudo update-alternatives --config ld
There are 2 choices for the alternative ld (providing /usr/bin/ld).

  Selection    Path              Priority   Status
------------------------------------------------------------
* 0            /usr/bin/ld.gold   20        auto mode
  1            /usr/bin/ld.bfd    10        manual mode
  2            /usr/bin/ld.gold   20        manual mode

• If you had to configure update-alternatives, check /usr/bin/ld again:

$ ls -la /usr/bin/ld
lrwxrwxrwx 1 root root 20 Jun 27 10:03 /usr/bin/ld -> /etc/alternatives/ld
$ ls -la /etc/alternatives/ld
lrwxrwxrwx 1 root root 16 Jun 27 10:03 /etc/alternatives/ld -> /usr/bin/ld.gold

• Compile:

make

• The resulting objects should placed in data/meterpreter:

$ ls data/meterpreter/
ext_server_networkpug.lso  ext_server_sniffer.lso  ext_server_stdapi.lso  msflinker_linux_x86.bin

How to compile Linux meterpreter on Fedora 20 (32 bits)

• Install dependencies:

yum install make automake gcc gcc-c++ kernel-devel jam wget flex bison patch

• The default bfd linker on Fedora 20 has been used successfully, so there is
  no need to switch to the gold linker.
• Compile:

make

• The resulting objects should be placed in data/meterpreter:

# ls data/meterpreter/
ext_server_networkpug.lso  ext_server_sniffer.lso  ext_server_stdapi.lso  msflinker_linux_x86.bin

Hope it helps :)

[jvazquez-r7]

ping @todb-r7 ^^^^

[todb-r7]

ooo thanks @jvazquez-r7 I'll give it a shot!

[todb-r7]

Must be 32-bit?

[OJ]

@todb-r7 should work on x64 as well if you use -m32 and install the other 32-bit deps.

[bcook-r7]

I suspect this will be a matter of working from this list, bottom up, and turning off things until it works again: https://wiki.ubuntu.com/ToolChain/CompilerFlags

Personally, I built the last bins in an ubuntu 10.04 chroot using debootstrap.

[bcook-r7]

That's an interesting thing you bring up @jvazquez-r7 about the gold linker. Time to do some experimentation!

[jvazquez-r7]

@bcook-r7 , yup on moderns ubuntu the bfd linker doesn't work as "expected" I say expected between quotes because meterpreter is linking in a non "expected" way. You need exported entries to be there (so the meterpreter loader can load the object), but it isn't a shared library! (just reminding from the time I looked into that).

[bcook-r7]

Nice to know. I did some experimentation modifying ld.bfd's default linker script in ubuntu 14.04, to try changing its behavior. I didn't get it to work exactly, but managed to crash it a few times :)
/usr/bin/ld: internal error ../../ld/ldlang.c 5245

[todb-r7]

Results:

On Ubuntu 14.04:

Note, selecting 'binutils' instead of 'binutils-gold'

So that doesn't seem to make a lot of difference. For fun I apt-get removed binutils and tried again, same deal.

todb@mazikeen:~$ ls -la /usr/bin/ld
lrwxrwxrwx 1 root root 6 Apr 15  2014 /usr/bin/ld -> ld.bfd

Using the update-alternatives business seems to do the trick:

[ruby-2.1.5]
todb@mazikeen:~$ ls -la /usr/bin/ld
lrwxrwxrwx 1 root root 20 Jan  9 15:17 /usr/bin/ld -> /etc/alternatives/ld
[ruby-2.1.5]
todb@mazikeen:~$ ls -la /etc/alternatives/ld
lrwxrwxrwx 1 root root 16 Jan  9 15:17 /etc/alternatives/ld -> /usr/bin/ld.gold

So, trying make, oh no!

cc -Wl,-script=script -Wl,--hash-style=sysv -I/home/todb/git/rapid7/meterpreter/hack -I ../../bionic/libc/include -I ../../bionic/libc/kernel/common/linux/ -I ../../bionic/libc/kernel/common/ -I ../../bionic/libc/arch-x86/include/ -I ../../bionic/libc/kernel/arch-x86/ -I../../source/server/elf/headers -I../../bionic/libc/private -fPIC -DPIC -nostdinc -nostdlib -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t" -DANDROID_X86_LINKER -DMETSRV_RTLD -D_BYTE_ORDER=_LITTLE_ENDIAN -march=i386 -m32 -o msflinker msflinker.o basic_libc.o syscall.o linker_format.o dlfcn.o zlib.o metsrv_rtld.o -lgcc
([ "" != "true" ] && strip msflinker) || true
cc -march=i386 -m32 -o elf2bin elf2bin.c
In file included from /usr/include/bits/errno.h:24:0,
                 from /usr/include/errno.h:35,
                 from elf2bin.c:4:
/usr/include/linux/errno.h:1:23: fatal error: asm/errno.h: No such file or directory
 #include <asm/errno.h>
                       ^
compilation terminated.
make[1]: *** [msflinker.bin] Error 1
make[1]: Leaving directory `/home/todb/git/rapid7/meterpreter/source/server/rtld'
make: *** [source/server/rtld/msflinker.bin] Error 2

Looks like the Makefile already specifies -m32 so that's not it.

[todb-r7]

Hmm, tried this: sudo apt-get install libc6-dev-i386 and got past that error. Not sure how I lost that.

[todb-r7]

Welp, better -- meterpreter.bin doesn't segfault anymore, but it does exit(1). Hrmph.

I'll give it a shot on an older Ubuntu VM. If we're stuck on a distro, I'm okay with that as long as it's possible, but it does need to be documented.

[todb-r7]

I heard a rumor this morning that @bcook-r7 got this working now on Ubuntu 14?

[bcook-r7]

Yeah, I'll send a PR when I'm done with other cleanups. The global linker redirect doesn't seem to work, but specifying directly to GCC does. I'll need to check if that keeps things working on Fedora.

[OJ]

Nice work Buster. I'm happy to verify changes on Fedora a well.