
Msfvenom fails to generate stageless meterpreter dll

Open Slurpgeit opened this issue 10 years ago • 11 comments

When generating a stageless meterpreter dll with msfvenom it fails with the following error:

msfvenom -p windows/meterpreter_reverse_tcp -f dll
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 885806 bytes
The EXE generator now has a max size of 2048 bytes, please fix the calling module

Other formats seem to work fine.

Slurpgeit avatar Jul 16 '15 17:07 Slurpgeit

@Slurpgeit as a temporary workaround, please do:

./msfvenom -p windows/meterpreter/reverse_tcp -f dll

wchen-r7 avatar Jul 24 '15 15:07 wchen-r7

So it looks like some payload modules have a CachedSize, and that probably should be used instead of the hardcoded max_length value (2048). I just heard from @bcook-r7 that CachedSize is being changed to an actual min/max value, so maybe we need to wait for that to happen before implementing a fix for this one.

wchen-r7 avatar Jul 24 '15 15:07 wchen-r7

This is more of a request for enhancement.

bcook-r7 avatar Jul 27 '15 15:07 bcook-r7

This sounds like a similar issue to the one we had when we first worked on the exe format stuff. @hmoore-r7 is in a better position to comment than I :)

OJ avatar Sep 24 '15 06:09 OJ

Stageless DLL support is not currently implemented (the stage is too big for existing templates/methods).

hdm avatar Sep 24 '15 21:09 hdm

I ran across this on a pentest where for some reason stageless meterpreters would get past their detection, but the same payload in a normal staged meterpreter would get caught. When we tried building a DLL, it failed. We ended up having to scrap the method we were using :(

Even though we had to make sometimes 4-11MB payloads (once they were encoded in a verbose format), it was SUPER useful to have. It'd be nice if DLLs would work the same way.

mandreko avatar Oct 02 '15 01:10 mandreko

All in good time my friend, all in good time! :)

Stageless does indeed seem to be a winner for AV bypass. One thing I think we should probably add the ability to do is specify the name of the new section that is used when the exe is generated. Because $REASONS.

OJ avatar Oct 02 '15 02:10 OJ

Are there any plans for progress on this?

Edit: A workaround for others with this issue. You can recompile the .dll found in the templates directory (search for "template.c"), and use that as a template with msfvenom.

  1. Change SCSIZE to a value large enough for your payload
  2. Compile the dll (I used build.sh for an x86 one)
  3. Modify the size check in msf/util/exe.rb
  4. Use msfvenom and specify your new dll as a template

guffre avatar Nov 16 '18 03:11 guffre

Still an issue in 2021

dmaasland avatar Jun 28 '21 16:06 dmaasland

Still an issue in 2022

hwac121 avatar Dec 19 '22 15:12 hwac121

Still an issue in 2023

shantanu561993 avatar Feb 02 '23 16:02 shantanu561993

@smcintyre-r7 are we good to close this one now?

OJ avatar Feb 16 '23 04:02 OJ

I can't believe my eyes! 😄

Slurpgeit avatar Feb 16 '23 08:02 Slurpgeit

Going to go ahead and close this since the original issue reported here should now be fixed with the changes above, which I went ahead and tested as part of landing this PR. Support for doing this with non-default DLLs however has not been fixed. If support for this is desired we should track this in a separate issue.

If I've made any mistakes though feel free to reopen this issue and clarify things 👍

gwillcox-r7 avatar Feb 16 '23 18:02 gwillcox-r7