Skip to content

Initial support for Malleable C2 Profiles in Windows Metepreter #759

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: 6.5
Choose a base branch
from
Open

Initial support for Malleable C2 Profiles in Windows Metepreter #759

wants to merge 15 commits into from

Conversation

OJ
Copy link
Contributor

@OJ OJ commented Jul 28, 2025
edited
Loading

This PR contains a bunch of changes to support malleable C2 features stored in a .profile file (such as this).

Given the nature of how Meterpreter works, and how payloads are generated, there are a lot of C2 profile features that can't be supported without drastic changes. The intent here is to focus on the transport-specific details around HTTP payloads.

For more information on what's supported, along with documentation, sample runs/etc, please see the associated Metasploit Framework PR.

In order to support the new features and configuration options the configuration block needed to change. Rather than expand on this rather rudimentary and outdated block of information, it was decided that the config block should be converted to a TLV Packet. That has been done as part of this PR, and is obviously a breaking change, and hence isn't backwards compatible.

This took a lot longer than I had hoped, so as of yet the other Meterpreters haven't been modified.

TODO:

  • Implement the code that handles the encoding flags (coming next).
  • Add support to Python
  • Add support to Java/Android
  • Add support to PHP
  • Add support to Mettle

OJ added 11 commits June 19, 2025 11:48
@OJ
Tidied up up the build for make.bat and make-cmake.bat builds
dc23aae 
Removing warnings as well as making the builds work properly outside of
Visual Studio and docker.
@OJ
Small tweak to the RDI cmake file
e424413 
Makes sure that things build correctly across environments.
@OJ
MC2 first pass clean compile
cf1086e 
Not read for push, some sections removed to avoid the pain of dev until
the rest of the work is done.
@OJ
Semi-working TLV-based configuration
636c322 
More to do, and transport stuff needs to be updated to include the C2
configuration options.
@OJ
Support for different GET/POST uris
dba68a6 
This actually stages/works as expected now. More fields to map, more
work to do. More configuration to handle. Then the changes need to also
be moved over to the WININET fallback version when done.

Still need to handle encoding as well.
@OJ
More C2 options support, migration work
b347997 
* Packet prefixes and suffixes now work as expected (at least outbound),
  more work to do to support inbound.
* Validated that migration works.
* Support encryption key transmission across migration (need to confirm
  if this is required).
@OJ
Tidying up, removal of TLVs and skip count support
1a94441 
Referrer and accept type headers no longer separate, despite what the
APIs say they do support inclusion of them with custom headers.

Skip counts now included so the incoming packets can be prefixed in the
C2 profile.

Various other code tidies/adjustments.
@OJ
Update WININET implementation for C2 support
19e6eaf
@OJ
UUID handling and transport refactoring
83aff75
@OJ
Better support for UUID in GET/HEADER/URI
63aa5d7 
Various tweaks to support it on the server side as well.
@OJ
Fix transport commands and timeout handling
5d4579b
@OJ OJ mentioned this pull request Jul 28, 2025
Open
20 tasks
OJ added 2 commits July 28, 2025 14:21
@OJ
Update workflow to use VS 2022 instead of VS 2019
89e5f41
@OJ
Read POST responses
b7e42f7 
POST requests were being killed off before reading the response. This
fixes that issue.
@OJ
Copy link
Contributor Author

OJ commented Jul 29, 2025

Hey @smcintyre-r7 or @dledda-r7 could you have a quick look at the windows-2022 target for the visual studio build in the github actions? I changed from windows-2019 to windows-2022 because of a deprecation warning, but it's still failing because of a file not found issue. Based on the documentation the path to the dev env should be correct. Thanks for the help!

@OJ
C2 encoding and content length for HTTP reads
56f981d 
C2 encoding now supported in the GET/POST based on the C2 configuration.

Changed up the way the body of an HTTP response is read, so that the
content length header is used instead. This means we can read in the
entire buffer, remove prefixes/suffixes and do decoding before passing
this on. Prior to this, we were using the packet header to figure out
how much data to read, and that doesn't makes sense any more.
@dledda-r7 dledda-r7 self-assigned this Aug 4, 2025
dledda-r7
dledda-r7 reviewed Aug 4, 2025
View reviewed changes
@OJ
Copy link
Contributor Author

OJ commented Aug 6, 2025

@dledda-r7 is there a way of getting the 141_xp toolset on here? That's why the build is currently failing.

@dledda-r7
Copy link
Contributor

dledda-r7 commented Aug 11, 2025
edited
Loading

@OJ I think there is, looking up on google looks like VS2022 doesn't have XP support, but currently I am able to compiler metsrv with 141_xp on VS22. I think the steps could be:

  1. Create a new .vsconfig for VS2022

Create a file named: <metasploit-payloads>/c/meterpreter/vs-config/vs2022.config
Content:

{
  "version": "1.0",
  "components": [
    "Microsoft.VisualStudio.Component.CoreEditor",
    "Microsoft.VisualStudio.Workload.CoreEditor",
    "Microsoft.VisualStudio.Component.Roslyn.Compiler",
    "Microsoft.Component.MSBuild",
    "Microsoft.VisualStudio.Component.TextTemplating",
    "Microsoft.VisualStudio.Component.NuGet",
    "Microsoft.VisualStudio.Component.Debugger.JustInTime",
    "Microsoft.VisualStudio.Component.IntelliCode",
    "Microsoft.VisualStudio.Component.VC.CoreIde",
    "Microsoft.VisualStudio.Component.VC.Tools.x86.x64",
    "Microsoft.VisualStudio.Component.Graphics.Tools",
    "Microsoft.VisualStudio.Component.VC.DiagnosticTools",
    "Microsoft.VisualStudio.Component.Windows11SDK.26100",
    "Microsoft.VisualStudio.Component.VC.ATL",
    "Microsoft.VisualStudio.Component.VC.Redist.14.Latest",
    "Microsoft.VisualStudio.ComponentGroup.NativeDesktop.Core",
    "Microsoft.VisualStudio.Component.Windows11Sdk.WindowsPerformanceToolkit",
    "Microsoft.VisualStudio.Component.CppBuildInsights",
    "Microsoft.VisualStudio.ComponentGroup.WebToolsExtensions.CMake",
    "Microsoft.VisualStudio.Component.VC.CMake.Project",
    "Microsoft.VisualStudio.Component.VC.TestAdapterForBoostTest",
    "Microsoft.VisualStudio.Component.VC.TestAdapterForGoogleTest",
    "Microsoft.VisualStudio.Component.VC.ASAN",
    "Microsoft.VisualStudio.Component.Vcpkg",
    "Microsoft.VisualStudio.Component.VC.v141.x86.x64",
    "Microsoft.Component.VC.Runtime.UCRTSDK",
    "Microsoft.VisualStudio.Component.VC.Tools.ARM64EC",
    "Microsoft.VisualStudio.Component.VC.Tools.ARM64",
    "Microsoft.VisualStudio.Workload.NativeDesktop",
    "Microsoft.VisualStudio.Component.WinXP"
  ],
  "extensions": []
}

There is some stuff more, like ARM64 but i think it's fine, we are going to need it at some point.

  1. Update the container VS2022 installation.
    Now, as i was reading here I think we can update our VS2022 instance to include our XP build. doing something like:

C:\Program Files (x86)\Microsoft Visual Studio\Instaler\setup.exe modify --installPath "C:\Program Files\Microsoft Visual Studio\2022\Enterprise" --passive --config <metasploit-payloads>/c/meterpreter/vs-config/vs2022.config

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dledda-r7 dledda-r7 dledda-r7 left review comments

@smcintyre-r7 smcintyre-r7 Awaiting requested review from smcintyre-r7

@adfoster-r7 adfoster-r7 Awaiting requested review from adfoster-r7

Assignees

@dledda-r7 dledda-r7

Labels
feature windows
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@OJ @dledda-r7