Metasploit Wrap Up 10/09/2025

Oct 9 2025

Meterpreter: Kickstarting Windows ARM64 and Reducing Memory Footprint

This Metasploit Framework release includes two important milestones for our payloads capability. The first, spearheaded by community contributor Alexander "xaitax" Hagenah, is an enhancement of our ReflectiveLoader, a crucial component of our Windows implant, to support ARM64 binaries. This pivotal update is not merely an incremental improvement, but represents a foundational step towards the future development and implementation of an ARM64-native Windows Meterpreter.

The ability to load and execute Windows ARM64 binaries through our ReflectiveLoader opens up new avenues for tool development and continues the project's commitment to expanding the scope of our toolsets to a broader range of modern computing architectures. As the adoption of ARM-based processors in Windows environments continues to grow, we expect this enhancement will prove invaluable to our developers and users. The second milestone is the separation of the standard API (stdapi) extension into sub-component extensions that can be loaded individually. The full stdapi extension was (and still is) loaded automatically by default to expand Meterpreter's in-system capabilities.

The current change allows advanced users to opt out of loading the full stdapi extension and instead load one or more smaller, lighter extensions, each containing a topically similar subset of the stdapi methods:

  • stdapi_audio: Manages audio-related tasks, like playing sounds on the remote system.
  • stdapi_fs (File System): Handles file system operations, including directory navigation, file editing, and file transfers.
  • stdapi_net (Network): Facilitates network operations, providing commands for retrieving network configurations and setting up tunneling channels (e.g., port forwarding).
  • stdapi_sys (System): Performs operations on local and remote processes, offering low-level APIs for post modules to allocate and write to memory regions, execute remote threads, and investigate processes.
  • stdapi_railgun: Enables the execution of post modules developed with our protocol, Railgun. This subcomponent grants low-level access to Windows API functions, allowing for flexible chaining of these functions.
  • stdapi_ui (User Interface): Extends Meterpreter's functionality to gather information about the desktop environment, such as enumerating windows and taking screenshots.
  • stdapi_webcam (Webcam): Provides access to the installed webcams on the system, enabling operations like taking webcam shots.

To use the new stdapi subcomponents, follow this workflow:

Start msfconsole and select one of the Windows Meterpreter payloads, for example: use payload/windows/x64/meterpreter/reverse_tcp

Remove the autoloaded extensions with set AutoLoadExtensions ''

Now generate the payload and execute it on the target system. Load any of the subcomponents with load stdapi_<subcomponent> inside the Meterpreter session, for example:

msf payload(cmd/windows/http/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
[-] The "sysinfo" command requires the stdapi extension to be loaded or the relative subcomponent (run: `load stdapi` or `load stdapi_audio/_fs/_net/_sys/_railgun/_ui/_webcam`)
meterpreter > load stdapi_sys 
Loading extension stdapi_sys...Success.
meterpreter > sysinfo
Computer        : WIN10_22H2_7FD2
OS              : Windows 10 22H2+ (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

New module content (2)

Listmonk Insecure Sprig Template Functions Environment Disclosure

Author: Tarek Nakkouch
Type: Auxiliary
Pull request: #20579 contributed by nakkouchtarek
Path: gather/listmonk_env_disclosure
AttackerKB reference: CVE-2025-49136

Description: This adds an auxiliary scanner module for an insecure template function vulnerability in Listmonk versions >= v4.0.0 and < v5.0.2. The vulnerability allows authenticated users with minimal permissions to read arbitrary environment variables on the host system through campaign template previews. Environment variables in Listmonk deployments often contain sensitive information such as database credentials, SMTP passwords, API keys, and admin credentials, leading to potential full system compromise.
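The root cause behind this class of bug, as an added example that is not Listmonk's code or the module's: Sprig's env and expandenv template functions wrap os.Getenv and os.ExpandEnv, so any user-controlled template rendered with the full FuncMap can read the host environment. The stand-in FuncMap, HardenFuncMap and Render below are this example's own constructions showing the mitigation of stripping those functions from the map handed to user-supplied templates; the page does not say whether this is how Listmonk's fix was implemented.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// Stand-in for the full Sprig FuncMap, reduced to what this example needs. Sprig's
// env and expandenv wrap os.Getenv and os.ExpandEnv, which is what lets a
// user-supplied template read the host environment.
func sprigLikeFuncMap() template.FuncMap {
	return template.FuncMap{
		"upper":     strings.ToUpper,
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
	}
}

// HardenFuncMap returns a copy of fm without the environment-reading functions,
// keeping harmless formatting helpers such as upper available to templates.
func HardenFuncMap(fm template.FuncMap) template.FuncMap {
	out := make(template.FuncMap, len(fm))
	for name, fn := range fm {
		out[name] = fn
	}
	delete(out, "env")
	delete(out, "expandenv")
	return out
}

// Render parses and executes a user-supplied template with the given FuncMap.
// text/template resolves function names at parse time, so a hardened map rejects
// a template that calls env or expandenv before anything executes.
func Render(src string, fm template.FuncMap, data interface{}) (string, error) {
	t, err := template.New("campaign").Funcs(fm).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, data)
	return buf.String(), err
}

func main() {
	os.Setenv("DEMO_DB_PASSWORD", "constructed-secret") // constructed sample value
	src := `Hi {{ .Name | upper }}: {{ env "DEMO_DB_PASSWORD" }}`
	for _, fm := range []template.FuncMap{sprigLikeFuncMap(), HardenFuncMap(sprigLikeFuncMap())} {
		fmt.Println(Render(src, fm, map[string]string{"Name": "ada"}))
	}
}
```

With the full map the preview prints the environment value; with the hardened map the same template fails at Parse with `function "env" not defined`, which is the behaviour a template preview endpoint should have.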

Malicious Windows Script Host Script File (.wsf)

Author: bcoles bcoles@gmail.com
Type: Exploit
Pull request: #20586 contributed by bcoles
Path: windows/fileformat/windows_script_host_wsf

Description: This adds a Windows fileformat module that generates malicious Windows Script Host (.wsf) files.

Enhancements and features (3)

  • #20527 from h00die - This moves the plist exploit module into the new persistence directory. It leverages the new functionality for persistence modules by adding the persistence mixin.
  • #20568 from bcoles - This adds a new library for VBS payload obfuscation and updates the windows/fileformat/windows_script_host_vbscript module to make use of the new library.
  • #20595 from zeroSteiner - This adds missing CVEs to 331 different modules.
  • #19975 from dledda-r7 - Splits the stdapi extension into subcomponents that can be loaded individually to lessen the footprint of the Windows Meterpreter Payload in memory. The original stdapi extension can still be loaded as well, and the default behavior to autoload stdapi when the Windows Meterpreter payload is loaded remains unchanged.

Bugs fixed (2)

  • #20563 from jheysel-r7 - The ldap_esc_vulnerable_cert_finder module now checks the CAs and the DC when running the registry check.
  • #20582 from xHector1337 - This fixes a regression in the random identifier library that was causing failures when processing PHP code.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
