Add RDI mixin module and refactor things to use it

[OJ]

Rationale

MSF was starting to see more modules using RDI to load binaries into remote processes, so it made sense to create a mixin which contained the functionality that was being used in various locations.

This commit contains the new mixin, and adjustments to all the existing exploits and modules which use RDI.

I haven't done a mixin before, so I picked a spot which I thought made sense and put it there. As always, this PR is open to lots of critique to make sure we get it right.

Validation

• Kitrap0d works
• ppr_flatten_rec works
• reflective_dll_inject works
• payloads continue to work in x86
• payloads continue to work in x64
• RDI mixin doesn't look like it's written by a noob

Test Runs

HTTP Payload

msf exploit(handler) > exploit

[*] Started HTTP reverse handler on http://10.5.26.40:8000/
[*] Starting the payload handler...
[*] 10.5.26.43:49303 Request received for /JGaj...
[*] 10.5.26.43:49303 Staging connection for target /JGaj received...
[*] Patched user-agent at offset 678544...
[*] Patched transport at offset 678208...
[*] Patched URL at offset 678272...
[*] Patched Expiration Timeout at offset 679144...
[*] Patched Communication Timeout at offset 679148...
[*] Meterpreter session 10 opened (10.5.26.40:8000 -> 10.5.26.43:49303) at 2013-12-04 16:07:12 +1000

meterpreter > sysinfo
Computer        : WIN-P73NLAJOYFH
OS              : Windows Vista (Build 6002, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

KiTrap0D

msf exploit(ms10_015_kitrap0d) > rexploit
[*] Reloading module...

[*] Started reverse handler on 10.5.26.40:4444 
[*] Launching notepad to host the exploit...
[+] Process 2508 launched.
[*] Reflectively injecting the exploit DLL into 2508...
[*] Injecting exploit into 2508 ...
[*] Exploit injected. Injecting payload into 2508...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (786432 bytes) to 10.5.26.40
[*] Meterpreter session 5 opened (10.5.26.40:4444 -> 10.5.26.40:43928) at 2013-12-04 15:46:00 +1000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

ppr_flatten_rec

msf exploit(ppr_flatten_rec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 10.5.26.40:4444 
[*] Launching notepad to host the exploit...
[+] Process 3928 launched.
[*] Reflectively injecting the exploit DLL into 3928...
[*] Injecting exploit into 3928 ...
[*] Exploit injected. Injecting payload into 3928...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 10 sec ...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (786432 bytes) to 10.5.26.43
[*] Meterpreter session 8 opened (10.5.26.40:4444 -> 10.5.26.43:49201) at 2013-12-04 16:00:53 +1000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Reflective Loading x86

msf post(reflective_dll_inject) > rexploit
[*] Reloading module...

[*] Running module against WIN-S45GUQ5KGVK
[*] Injecting /home/oj/code/metasploit-framework/data/meterpreter/ext_server_extapi.x86.dll into 4080 ...
[*] DLL injected. Executing ReflectiveLoader ...
[+] DLL injected and invoked.
[*] Post module execution completed

Reflective Loading x64

msf post(reflective_dll_inject) > rexploit
[*] Reloading module...

[*] Running module against WIN-S45GUQ5KGVK
[*] Injecting /home/oj/code/metasploit-framework/data/meterpreter/ext_server_extapi.x64.dll into 3856 ...
[*] DLL injected. Executing ReflectiveLoader ...
[+] DLL injected and invoked.
[*] Post module execution completed

[Meatballs1]

The 'mixin' bit is redundant? I think this should just be Msf::ReflectiveDLLInjection, or Msf::RDI, or Msf::RDLI or Msf::RDLInjection.

[OJ]

While I agree, I was copying the an existing mixin, such as PostMixin.

[Meatballs1]

I would suggest renaming the file as well

[OJ]

to ... msf/core/reflecivedllinjection_mixin.rb ? :)

[Meatballs1]

Everything working here, my only reservation is whether it should be split into two modules.

The current module keeps load_rdi_dll

and an Msf::Post::Windows::ReflectiveDLLInjection for those that rely on post methods e.g. inject_dll_into_process

I'm not sure about inject_into_process I think this should maybe be moved into Msf::Post::Windows::Process which already has execute_shellcode(shellcode, base_addr=nil, pid=nil)

Maybe just move the inject_dll_into_process into Windows::Process?

[Meatballs1]

Oops wrong button

[jlee-r7]

Yardoc standards, please.

# @param dll_path [String] Path to the DLL to load.
#
# @return [Array] Tuple of ...

[OJ]

My bad. I took a shot in the dark rather than proper research here. Will fix, thank you!

[jlee-r7]

msf/core/reflective_dll_injection.rb should really be under msf/core/post/windows somewhere.

[Meatballs1]

But its used by payloads so shouldn't be under post...

[OJ]

What @Meatballs1 said. I didn't really think that it belonged there thanks to the RDI payloads using it. Is there anywhere better to put it?

[OJ]

Maybe just move the inject_dll_into_process into Windows::Process?

Herein lies the problem, as it's still an injection concern, not just a process concern. So is it worth it? I kind of like the "one place" for RDI related things.

[Meatballs1]

I was thinking that execute_shellcode could be refactored to use inject_into_process as presumably most of the code is the same there too. It would also be available if you wanted to inject shellcode but not use RDI etc.

Msf::Post::Windows::RDI then depends upon Msf::Post::Windows::Process and Msf::RDI.

You cant RDI without a process or the process functions (well you could railgun them).

nb RDI is just shorthand I think it looks too ugly as a module name.

[OJ]

Agreed, I'm using the full name in modules.

So I'm splitting it into two:

• msf/core/reflective_dll_loader - contains a small mixin with the load_rdi_dll function that loads from disk and finds the ReflectiveLoader entry, returning the DLL contents and offset.
• msf/core/post/windows/reflective_dll_injection - contains the other functions which deal with the actual injection of the DLL into a remote process, and makes use of the msf/core/reflective_dll_loader mixin.

I'll take a look at the execute_shellcode function shortly.

[Meatballs1]

Redundant now?

[Meatballs1]

This if/else block should be redundant now also as we will hit exception on line 46?

[Meatballs1]

Retested kitrapo0d ppr_flatten_rec and reflective_dll_injection and all still working.

Just want to check with @jlee-r7 that he's happy with current file structure.

[OJ]

Yup! Me too.

[jlee-r7]

Might be nice to expose the spawned process name as a datastore option, but not necessary for this PR

[OJ]

Aye true. This could apply to a lot of other modules outside of this PR. Happy to do it after though.

[Meatballs1]

For that rabbit hole:

grep -r -i "notepad.exe" . | wc -l
39

[jlee-r7]

# @param process [Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process]
#   The process to inject the shellcode into.

[jlee-r7]

A few style nitpicks, but otherwise this looks shiny. Great work folks.

[OJ]

Done. Thanks @jlee-r7 !

@Meatballs1 said he'd merge in the morning if you were cool with it.

Thanks to all for their help! First Ruby mixin for me, learned lots. Much appreciated.

[OJ]

Legend @Meatballs1 ! Thank you sir.