While Windows has always been well supported with Metasploit's Meterpreter payload, other platforms have not historically had similarly sophisticated options available. Metasploit has four alternative Meterpreter implementations, targeting Android, Java, Python and PHP, but these are also not always usable, since they target a particular software platform as well. This is especially a problem with embedded devices, where one must fall back to a simple unencrypted TCP shell. While this is fine for research purposes, it is not optimal for practical exploitation or red-teaming, where an offensive security professional would prefer to maintain as high a level of operational safety and integrity as possible.
In this talk, I will explore the process of designing and developing a new cross-OS and cross-platform Meterpreter payload for Metasploit. It uses very few resources, making it suitable for targets from routers to phones to mainframes. At the same time, it offers more functionality, confidentiality, and security than a reverse shell. It is fully relocatable and self-contained, making it reusable in many contexts. I will also demonstrate the payload using diverse C2 transports to evade detection, and its target flexibility, running on an S390 mainframe, an iPhone, and a SOHO consumer router.
Brent Cook is the Engineering Manager for Metasploit at Rapid7, as well as one of the core Meterpreter payload developers. He is also a contributor to the LibreSSL and OpenNTP projects, maintaining the portable versions for several operating systems. Brent has over 15 years of experience as a software and firmware developer, having developed high-performance networking and embedded software at Applied Materials, BreakingPoint, Calxeda, and Ixia.
Recorded at NolaCon 2017
Copyright 2020, IronGeek