Conversation

@OJ (Contributor) commented Jul 28, 2025

This PR contains a bunch of changes to support malleable C2 features stored in a .profile file (such as this).

Given the nature of how Meterpreter works, and how payloads are generated, there are a lot of C2 profile features that can't be supported without drastic changes. The intent here is to focus on the transport-specific details around HTTP payloads.

For more information on what's supported, along with documentation, sample runs/etc, please see the associated Metasploit Framework PR.

In order to support the new features and configuration options the configuration block needed to change. Rather than expand on this rather rudimentary and outdated block of information, it was decided that the config block should be converted to a TLV Packet. That has been done as part of this PR, and is obviously a breaking change, and hence isn't backwards compatible.

This took a lot longer than I had hoped, so as of yet the other Meterpreters haven't been modified.

TODO:

  • Implement the code that handles the encoding flags (coming next).
  • Port breaking change to Python
  • Port breaking change to Java/Android
  • Port breaking change to PHP (PHP doesn't have HTTP)
  • Port breaking change to Mettle
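What "the config block should be converted to a TLV Packet" amounts to on the wire, as an added example written for this page (it is not the PR's or metsrv's code). The TLV framing is the one Meterpreter uses: a 4-byte big-endian length that includes the 8-byte header, a 4-byte big-endian type, then the value, with string values carrying their NUL terminator. The type IDs, the set of fields and every function name here are assumptions made up for the illustration. The part worth copying is the parse side: a config block is untrusted input to the implant once it is patched into a binary, so every length is checked against the bytes that remain before it is followed.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical TLV type IDs for this example only; they are not the
 * constants used by metsrv or Metasploit Framework. */
#define CFG_TLV_URL         0x10001u
#define CFG_TLV_USER_AGENT  0x10002u
#define CFG_TLV_RETRY_TOTAL 0x20001u
#define CFG_TLV_ENC_FLAGS   0x20002u

/* TLV length and type fields travel big-endian (network order). */
static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static uint32_t get_u32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Append one entry: [length (4, includes this 8-byte header)][type (4)][value].
 * Returns the bytes written, or 0 if the entry does not fit. */
static size_t tlv_add(uint8_t *buf, size_t cap, size_t off, uint32_t type, const void *val, size_t vlen) {
    if (off > cap || cap - off < 8 + vlen) return 0;
    put_u32(buf + off, (uint32_t)(8 + vlen));
    put_u32(buf + off + 4, type);
    memcpy(buf + off + 8, val, vlen);
    return 8 + vlen;
}
/* String values carry their NUL terminator, as Meterpreter string TLVs do. */
static size_t tlv_add_str(uint8_t *buf, size_t cap, size_t off, uint32_t type, const char *s) {
    return tlv_add(buf, cap, off, type, s, strlen(s) + 1);
}
static size_t tlv_add_u32(uint8_t *buf, size_t cap, size_t off, uint32_t type, uint32_t v) {
    uint8_t be[4];
    put_u32(be, v);
    return tlv_add(buf, cap, off, type, be, sizeof be);
}

/* Build a constructed transport config (four entries, 79 bytes). Returns its length, or 0. */
size_t build_config(uint8_t *buf, size_t cap) {
    size_t off = 0, n;
    if (!(n = tlv_add_str(buf, cap, off, CFG_TLV_URL, "http://192.0.2.10:8080/c2/"))) return 0;
    off += n;
    if (!(n = tlv_add_str(buf, cap, off, CFG_TLV_USER_AGENT, "Mozilla/5.0"))) return 0;
    off += n;
    if (!(n = tlv_add_u32(buf, cap, off, CFG_TLV_RETRY_TOTAL, 3600))) return 0;
    off += n;
    if (!(n = tlv_add_u32(buf, cap, off, CFG_TLV_ENC_FLAGS, 0x3))) return 0;
    return off + n;
}

/* Walk the block looking for `type`. Each length is checked against the bytes
 * that remain, so a truncated or corrupted block ends the walk instead of
 * driving a read past the end of the buffer. */
const uint8_t *tlv_find(const uint8_t *buf, size_t len, uint32_t type, size_t *vlen) {
    size_t off = 0;
    while (len - off >= 8) {
        uint32_t tlen = get_u32(buf + off);
        if (tlen < 8 || tlen > len - off) return NULL;   /* malformed entry */
        if (get_u32(buf + off + 4) == type) {
            *vlen = tlen - 8;
            return buf + off + 8;
        }
        off += tlen;
    }
    return NULL;
}
uint32_t config_u32(const uint8_t *buf, size_t len, uint32_t type, uint32_t dflt) {
    size_t vlen;
    const uint8_t *v = tlv_find(buf, len, type, &vlen);
    return (v && vlen == 4) ? get_u32(v) : dflt;
}
/* Only hand back a C string if its terminator sits inside the value. */
const char *config_str(const uint8_t *buf, size_t len, uint32_t type) {
    size_t vlen;
    const uint8_t *v = tlv_find(buf, len, type, &vlen);
    return (v && vlen > 0 && v[vlen - 1] == '\0') ? (const char *)v : NULL;
}

/* Build the block, then read every field back; 1 on success. */
int example_config_roundtrip(void) {
    uint8_t cfg[256];
    size_t len = build_config(cfg, sizeof cfg);
    const char *url = config_str(cfg, len, CFG_TLV_URL);
    const char *ua = config_str(cfg, len, CFG_TLV_USER_AGENT);
    return len == 79 && url && strcmp(url, "http://192.0.2.10:8080/c2/") == 0
        && ua && strcmp(ua, "Mozilla/5.0") == 0
        && config_u32(cfg, len, CFG_TLV_RETRY_TOTAL, 0) == 3600
        && config_u32(cfg, len, CFG_TLV_ENC_FLAGS, 0) == 0x3
        && config_str(cfg, len, 0x99999u) == NULL;   /* absent type: no match */
}
/* Damaged blocks: one cut a byte short, one with a forged first length.
 * Both must fail cleanly; returns 1 if they do. */
int example_rejects_corrupt(void) {
    uint8_t cfg[256];
    size_t len = build_config(cfg, sizeof cfg);
    int truncated = config_u32(cfg, len - 1, CFG_TLV_ENC_FLAGS, 0xdead) == 0xdead;
    put_u32(cfg, 0x7fffffffu);   /* forge the first entry's length */
    int forged = config_str(cfg, len, CFG_TLV_USER_AGENT) == NULL;
    return len > 0 && truncated && forged;
}
```

Because each entry is self-describing, adding a new profile option is a new type ID rather than a layout change, which is the property the fixed-offset config block lacked; the cost is that the reader has to bound every length, and that a missing entry has to map to an explicit default rather than to whatever happened to be in the old struct slot.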

OJ added 11 commits June 19, 2025 11:48
Removing warnings as well as making the builds work properly outside of
Visual Studio and docker.
Makes sure that things build correctly across environments.
Not ready for push; some sections removed to avoid the pain of dev until
the rest of the work is done.
More to do, and transport stuff needs to be updated to include the C2
configuration options.
This actually stages/works as expected now. More fields to map, more
work to do. More configuration to handle. Then the changes need to also
be moved over to the WININET fallback version when done.

Still need to handle encoding as well.
* Packet prefixes and suffixes now work as expected (at least outbound),
  more work to do to support inbound.
* Validated that migration works.
* Support encryption key transmission across migration (need to confirm
  if this is required).
Referrer and accept type headers are no longer separate; despite what the
APIs say, they do support inclusion of them with custom headers.

Skip counts now included so the incoming packets can be prefixed in the
C2 profile.

Various other code tidies/adjustments.
Various tweaks to support it on the server side as well.
OJ added 2 commits July 28, 2025 14:21
POST requests were being killed off before reading the response. This
fixes that issue.
@OJ (Contributor, Author) commented Jul 29, 2025

Hey @smcintyre-r7 or @dledda-r7 could you have a quick look at the windows-2022 target for the visual studio build in the github actions? I changed from windows-2019 to windows-2022 because of a deprecation warning, but it's still failing because of a file not found issue. Based on the documentation the path to the dev env should be correct. Thanks for the help!

C2 encoding now supported in the GET/POST based on the C2 configuration.

Changed up the way the body of an HTTP response is read, so that the
content length header is used instead. This means we can read in the
entire buffer, remove prefixes/suffixes and do decoding before passing
this on. Prior to this, we were using the packet header to figure out
how much data to read, and that doesn't make sense any more.
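The inbound path that commit describes (read the body to its Content-Length, strip the prefix and suffix, decode, then hand the packet on) together with the outbound prefix/suffix/encoding from the earlier commits, as an added example in C. It is not the PR's code: the profile struct and its field names, base64 standing in for the C2 encoding flags, and the simplified 32-byte packet header (4-byte XOR key, 16-byte session GUID, 4-byte encryption flags, 4-byte big-endian length at offset 24 that counts the 8-byte TLV header plus payload, 4-byte type) are assumptions made for this illustration, and the sample packet and profile strings are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Assumed, simplified packet header for this example: 4-byte XOR key, 16-byte
 * session GUID, 4-byte encryption flags, 4-byte big-endian length, 4-byte type.
 * The length field counts itself, the type field and the payload (total - 24). */
#define PKT_HDR_LEN 32
#define PKT_LEN_OFF 24

/* Hypothetical profile fields for this example; not the PR's configuration. */
typedef struct {
    const char *prefix;   /* bytes placed before the encoded packet in the body */
    const char *suffix;   /* bytes placed after it */
    int base64;           /* 1: the packet is base64-encoded on the wire */
} c2_profile_t;

static void put_u32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static uint32_t get_u32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static size_t b64_encode(const uint8_t *in, size_t n, uint8_t *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16 | (i + 1 < n ? (uint32_t)in[i + 1] << 8 : 0) | (i + 2 < n ? in[i + 2] : 0);
        if (cap - o < 4) return 0;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = i + 1 < n ? B64[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < n ? B64[v & 63] : '=';
    }
    return o;
}
static int b64val(int c) {
    return c >= 'A' && c <= 'Z' ? c - 'A' : c >= 'a' && c <= 'z' ? c - 'a' + 26
         : c >= '0' && c <= '9' ? c - '0' + 52 : c == '+' ? 62 : c == '/' ? 63 : -1;
}
/* Returns the decoded length, or 0 if the input is not base64 or does not fit. */
static size_t b64_decode(const uint8_t *in, size_t n, uint8_t *out, size_t cap) {
    size_t o = 0; uint32_t acc = 0; int bits = 0;
    for (size_t i = 0; i < n && in[i] != '='; i++) {
        int v = b64val(in[i]);
        if (v < 0) return 0;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= cap) return 0;
            out[o++] = (uint8_t)(acc >> bits);
        }
    }
    return o;
}

/* Outbound: prefix + encode(packet) + suffix. Returns the body length, or 0. */
size_t c2_wrap(const c2_profile_t *p, const uint8_t *pkt, size_t n, uint8_t *out, size_t cap) {
    size_t pre = strlen(p->prefix), suf = strlen(p->suffix), m;
    if (cap < pre) return 0;
    memcpy(out, p->prefix, pre);
    if (p->base64) m = b64_encode(pkt, n, out + pre, cap - pre);
    else if (cap - pre >= n) { memcpy(out + pre, pkt, n); m = n; }
    else return 0;
    if (!m || cap - pre - m < suf) return 0;
    memcpy(out + pre + m, p->suffix, suf);
    return pre + m + suf;
}
/* Inbound: the caller has read the whole body (Content-Length bytes), not just
 * what a packet header asks for. Skip prefix and suffix by count, decode, then
 * check the recovered packet against its own length field. 0 if malformed. */
size_t c2_unwrap(const c2_profile_t *p, const uint8_t *body, size_t body_len, uint8_t *out, size_t cap) {
    size_t pre = strlen(p->prefix), suf = strlen(p->suffix), n;
    if (body_len < pre + suf) return 0;
    const uint8_t *inner = body + pre;
    size_t inner_len = body_len - pre - suf;
    if (p->base64) n = b64_decode(inner, inner_len, out, cap);
    else if (inner_len <= cap) { memcpy(out, inner, inner_len); n = inner_len; }
    else return 0;
    if (n < PKT_HDR_LEN || get_u32(out + PKT_LEN_OFF) != n - 24) return 0;   /* header disagrees with body */
    return n;
}

/* Constructed sample: zeroed header fields except the length, plus one 12-byte TLV. */
static size_t build_sample_packet(uint8_t *buf, size_t cap) {
    if (cap < PKT_HDR_LEN + 12) return 0;
    memset(buf, 0, PKT_HDR_LEN + 12);
    put_u32(buf + PKT_LEN_OFF, 8 + 12);         /* [len][type] + payload */
    put_u32(buf + PKT_HDR_LEN, 12);             /* TLV length */
    put_u32(buf + PKT_HDR_LEN + 4, 0x20001u);   /* hypothetical TLV type */
    put_u32(buf + PKT_HDR_LEN + 8, 3600);       /* TLV value */
    return PKT_HDR_LEN + 12;
}
static const c2_profile_t SAMPLE_PROFILE = { "<html><body>", "</body></html>", 1 };

/* Wrap then unwrap one packet; 1 if the same 44 bytes come back. */
int example_roundtrip(void) {
    uint8_t pkt[64], wire[256], back[64];
    size_t n = build_sample_packet(pkt, sizeof pkt);
    size_t w = c2_wrap(&SAMPLE_PROFILE, pkt, n, wire, sizeof wire);
    if (!n || w != 12 + 60 + 14) return 0;   /* prefix + base64(44 bytes) + suffix */
    return c2_unwrap(&SAMPLE_PROFILE, wire, w, back, sizeof back) == n && memcmp(pkt, back, n) == 0;
}
/* A body cut short (here by 4 bytes) must be rejected, not handed on as a packet. */
int example_rejects_truncated(void) {
    uint8_t pkt[64], wire[256], back[64];
    size_t n = build_sample_packet(pkt, sizeof pkt);
    size_t w = c2_wrap(&SAMPLE_PROFILE, pkt, n, wire, sizeof wire);
    return n && w && c2_unwrap(&SAMPLE_PROFILE, wire, w - 4, back, sizeof back) == 0;
}
```

Two design points carry over to a real transport. Stripping by skip count rather than by matching the literal prefix is what lets the implant handle any profile without carrying the bytes, which is why the commit adds counts rather than strings. And once the read is driven by Content-Length instead of by the packet header, the header no longer gates the read, so the check that the recovered packet's own length agrees with the decoded size has to happen here, before the bytes reach the packet parser.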
@dledda-r7 dledda-r7 self-assigned this Aug 4, 2025
@OJ (Contributor, Author) commented Aug 6, 2025

@dledda-r7 is there a way of getting the 141_xp toolset on here? That's why the build is currently failing.

@dledda-r7 (Contributor) commented Aug 11, 2025

@OJ I think there is. Looking it up on Google, it looks like VS2022 doesn't have XP support, but currently I am able to compile metsrv with 141_xp on VS22. I think the steps could be:

  1. Create a new .vsconfig for VS2022

Create a file named: <metasploit-payloads>/c/meterpreter/vs-config/vs2022.config
Content:

{
  "version": "1.0",
  "components": [
    "Microsoft.VisualStudio.Component.CoreEditor",
    "Microsoft.VisualStudio.Workload.CoreEditor",
    "Microsoft.VisualStudio.Component.Roslyn.Compiler",
    "Microsoft.Component.MSBuild",
    "Microsoft.VisualStudio.Component.TextTemplating",
    "Microsoft.VisualStudio.Component.NuGet",
    "Microsoft.VisualStudio.Component.Debugger.JustInTime",
    "Microsoft.VisualStudio.Component.IntelliCode",
    "Microsoft.VisualStudio.Component.VC.CoreIde",
    "Microsoft.VisualStudio.Component.VC.Tools.x86.x64",
    "Microsoft.VisualStudio.Component.Graphics.Tools",
    "Microsoft.VisualStudio.Component.VC.DiagnosticTools",
    "Microsoft.VisualStudio.Component.Windows11SDK.26100",
    "Microsoft.VisualStudio.Component.VC.ATL",
    "Microsoft.VisualStudio.Component.VC.Redist.14.Latest",
    "Microsoft.VisualStudio.ComponentGroup.NativeDesktop.Core",
    "Microsoft.VisualStudio.Component.Windows11Sdk.WindowsPerformanceToolkit",
    "Microsoft.VisualStudio.Component.CppBuildInsights",
    "Microsoft.VisualStudio.ComponentGroup.WebToolsExtensions.CMake",
    "Microsoft.VisualStudio.Component.VC.CMake.Project",
    "Microsoft.VisualStudio.Component.VC.TestAdapterForBoostTest",
    "Microsoft.VisualStudio.Component.VC.TestAdapterForGoogleTest",
    "Microsoft.VisualStudio.Component.VC.ASAN",
    "Microsoft.VisualStudio.Component.Vcpkg",
    "Microsoft.VisualStudio.Component.VC.v141.x86.x64",
    "Microsoft.Component.VC.Runtime.UCRTSDK",
    "Microsoft.VisualStudio.Component.VC.Tools.ARM64EC",
    "Microsoft.VisualStudio.Component.VC.Tools.ARM64",
    "Microsoft.VisualStudio.Workload.NativeDesktop",
    "Microsoft.VisualStudio.Component.WinXP"
  ],
  "extensions": []
}

There is some more stuff, like ARM64, but I think it's fine; we are going to need it at some point.

  2. Update the container VS2022 installation.
    Now, as I was reading here, I think we can update our VS2022 instance to include our XP build, doing something like:

C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe modify --installPath "C:\Program Files\Microsoft Visual Studio\2022\Enterprise" --passive --config <metasploit-payloads>/c/meterpreter/vs-config/vs2022.config

@OJ (Contributor, Author) commented Aug 12, 2025

> 2. Update the container VS2022 installation.
>    Now, as I was reading here, I think we can update our VS2022 instance to include our XP build, doing something like:
>
> C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe modify --installPath "C:\Program Files\Microsoft Visual Studio\2022\Enterprise" --passive --config <metasploit-payloads>/c/meterpreter/vs-config/vs2022.config

Correct me if I'm wrong, but would this not cause the container to be updated every time we ran a build? And if so, is that a problem?

@dledda-r7 (Contributor)

You are not wrong. The alternative would be having local runners, but I am not sure we can go that way. Also including @adfoster-r7 in the loop, as he probably has more knowledge on CI/CD than me.

@dledda-r7 (Contributor)

Just to keep this in the loop: #761

@dledda-r7 (Contributor) commented Aug 14, 2025

Hey @OJ, I have tried metsrv and it works fine with Windows 10; however, I tried to test it against older systems, and on Windows 7 it has a weird bug:

meterpreter > ls
[-] The "ls" command requires the "stdapi" extension to be loaded (run: `load stdapi`)
meterpreter > secure
[*] Negotiating new encryption key ...
[-] Meterpreter session 2 is not valid and will be closed

[*] 10.5.132.191 - Meterpreter session 2 closed.
[!] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Without a database connected that payload UUID tracking will not work!
[*] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Attaching orphaned/stageless session...
[!] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Without a database connected that payload UUID tracking will not work!

[-] Meterpreter session 3 is not valid and will be closed
[*] 10.5.132.191 - Meterpreter session 3 closed.
[!] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Without a database connected that payload UUID tracking will not work!
[*] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Attaching orphaned/stageless session...
[!] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Without a database connected that payload UUID tracking will not work!
[-] Meterpreter session 4 is not valid and will be closed
[*] 10.5.132.191 - Meterpreter session 4 closed.
[!] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Without a database connected that payload UUID tracking will not work!
[*] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Attaching orphaned/stageless session...
[!] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Without a database connected that payload UUID tracking will not work!
[-] Meterpreter session 5 is not valid and will be closed
[*] 10.5.132.191 - Meterpreter session 5 closed.
[!] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Without a database connected that payload UUID tracking will not work!
[*] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Attaching orphaned/stageless session...
[!] http://192.168.3.10:8080/ handling request from 10.5.132.191; (UUID: aidpuybj) Without a database connected that payload UUID tracking will not work!

We can sync in Metasploit Slack if you need more details. I can prepare the debug log and share it over if it is useful?

@OJ (Contributor, Author) commented Aug 18, 2025

Hey @dledda-r7 I'll spin up a Windows 7 VM and have a look. But if you're happy to share some details that'd be great. Thanks!

@smcintyre-r7 (Contributor)

I just checked as well. I used psexec to deliver a windows/x64/meterpreter/reverse_http payload and the session failed to establish. There's no Malleable C2 Profile option, but I can see using Wireshark that it's failing with 404s when the stager sends the GET request to Metasploit. I'm guessing this is similar to what @dledda-r7 is seeing with Python.

@OJ (Contributor, Author) commented Aug 18, 2025

I admit I haven't looked at non-native windows yet because I wanted to make sure that the approach we're taking is ok.

@OJ (Contributor, Author) commented Aug 18, 2025

But non-modified payloads should still work, so that's on me :)

@dledda-r7 (Contributor) commented Aug 19, 2025

@OJ we updated the GitHub runners. Now it is working with Visual Studio 2022.
You can rebase this PR.

@OJ (Contributor, Author) commented Aug 20, 2025

Excellent, thanks!

@dledda-r7 (Contributor)

@zeroSteiner, I've updated the TODO on the PR. IIRC on the PHP meterpreter nothing was needed because there is no HTTP stager / transport. Should we do at least the porting of the TLV values to avoid having inconsistency among the other meterpreters?

@smcintyre-r7 (Contributor)

@dledda-r7 I don't think there's any more work to do on PHP. I switched the one TLV constant that needed to be switched in zeroSteiner@a42e962#diff-e7dda2cb450fafb8131b3c7918aa29e070f138cefdc5f27d8d67aecea08cc2b4 (COMMAND_ID_CORE_PATCH_URL -> COMMAND_ID_CORE_PATCH_UUID). It doesn't look like PHP supports HTTP(S) as a transport, or even managing transports. I see the COMMAND_ID_CORE_TRANSPORT_* commands are defined as constants, but they're not registered for use. The 430-442 range of constants isn't even defined in PHP.

We can and maybe should look at adding an HTTP transport for PHP in the future but we don't need to block on that now.
