The libffi bindings are now working, which means that RustRAT is now able to execute WebAssembly binaries, and those binaries can call arbitrary functions from dlls. I have also uploaded the code to github, so it is possible to follow the progress at https://github.com/rustrat/rustrat. In this post I will briefly mention what has been done so far, the next step on the way to a full-fledged RAT, and finally a little guide on how to call MessageBoxA from a WebAssembly binary.

The present

Currently RustRAT is not very exciting, but it is possible to demonstrate the libffi capabilities. The “rustrat-client” executables can be used to execute WebAssembly binaries, for example from the “demo-messagebox” crate, which will call MessageBoxA. In the future, the possibility to execute WebAssembly binaries from a path will be moved into its own crate since the rustrat-client will attempt to connect back to a C2 server for its WebAssembly binaries.

The future

Now that RustRAT is able to do something useful from WebAssembly, the next step is to create a server and implement some form of connectivity from the client to the server. I will start with simple HTTP based callbacks, which hopefully can be expanded in the future. Initially, the traffic will not be encrypted, but it will eventually. The current plan is to have a key exchange where the client binaries have the server’s public key hard-coded.

While working on the libffi binding I realized that they are not very ergonomic to use. Therefore, I plan to create some helpers for the payload crates, which hopefully should make writing code for WebAssembly a bit more like writing for native targets. I will also attempt to decrease the size of the generated WebAssembly binaries. The demo-messagebox crate currently produces a 1.5MB+ WebAssembly binary, which is larger than I would want.

Any optimization and helper libraries will not be created until I have created some payload that is actually useful, however. After functioning and encrypted C2 is finished, I plan to create a payload crate that can execute arbitrary .net assemblies. Many offensive tools are being written in .net, and being able to load and execute .net assemblies will allow me to start being useful with RustRAT sooner. However, the goal is to eventually not require .net assemblies at all for most things.

Demonstration

Finally, I will show you how you can execute a WebAssembly binary that executes MessageBoxA. If you are somehow unable to follow my instructions, please contact me at aimes@wodinaz.com. In order to compile and run rustrat-client, you need the following:

  • Rust (stable should do)
  • 64-bit Windows
  • The wasm32-unknown-unknown target
    • Installed with rustup target add wasm32-unknown-unknown
  • Git

To display the beautiful MessageBoxA run the following commands:

  1. git clone https://github.com/rustrat/rustrat.git
  2. cd rustrat
  3. git checkout libffi-wasm-bindings
  4. cd payloads
  5. cargo build
  6. cd ..
  7. cargo build
  8. target\debug\rustrat-client-exe.exe payloads\target\wasm32-unknown-unknown\debug\demo_messagebox.wasm go
  9. rundll32 target\debug\rustrat_client.dll,rundll_run payloads\target\wasm32-unknown-unknown\debug\demo_messagebox.wasm go

Enjoy the beautiful message boxes.