Meterpreter Kiwi Post Module #8458
Conversation
|
Keeping everyone on their toes. Definitely didn't delete the branch on accident ;) |
|
Thanks @TheNaterz for the submission. I do like this idea, but I'm concerned about the code duplication. As someone who has the I'm guessing not, but I think it's worth having the conversation now. What do you think @bcook-r7 ? |
|
It definitely pained me inside to have so much duplication. If it's possible to implement this higher up the code chain, so to speak, it may also give us insight into running ALL meterpreter commands from a module, and not just those from Kiwi. I didn't see anything obvious, but I'm sure there's gotta be a way. |
|
So, the underlying need for a lot of people is to automatically run a meterpreter commands on connect. That's actually the thing you want, right? Where is the warning about IO conflicts found? |
|
Don't we have rc files for that? Or are we trying to move away from that? |
|
Well, RC files also don't run meterpreter commands directly. That's an unfortunate thing, its not easy to script interactions with a meterpreter session at all. That is, translating what you type in an interactive session into something that is scripted. |
|
Ah fizzer. OK so is it time to consider that kind of abstraction at this point? |
|
Yeah, it seems it. We give scripting at the level of post API in resource scripts. To add confusion, 'scripts/meterpreter/multi_console_command.rb' exists, but seems to not work very well these days, and it's a deprecated meterpreter script to boot. |
|
I hate computers :) |
@busterb, warnings about IO conflicts show up here and here. Also noted in the RemoteAPI PDF and the standard reference. So, basically anywhere that meterpreter_read and meterpreter_write are explained ;) I can confirm that interacting with the same session and running a meterpreter command from RPC and from msfconsole yields unpredictable behavior. |
|
Shot in the dark here, but what about creating a post module that borrow methods from lib/rex/ui/text/dispatcher_shell.rb? run_single(), run_command(), and populating the dispatcher_stack from the defined session looks like it would do the job, albeit a little odd for really just running a single command. Would need all the proper dependencies of course. Let me know if this is barking up the wrong tree! |
|
Someone reminded me today about 'sessions -C' |
|
Yeah I thought about 'sessions -C' but it's interacting with sessions the same way as a normal user, so you still get IO problems when also running meterpreter_read/write commands on those sessions from the RPC. It's perfectly feasible to just say "hey, don't concurrently interact with meterpreter," because the use case where one is automating tasks in a meterpreter session from the RPC while also interacting with the session from msfconsole is pretty specific. Would just be nice to have that option if it was available. |
|
Ah, understood. |
|
I'm going to close this since we want to fix that core problem instead. We'll look at adding some sort of mutex on the meterpreter session stream so it is RPC-safe. |
This PR adds a Post module that allows a user to run Kiwi commands from a module instead of having to run commands within a Meterpreter session. Why would you want to do that? Simple. MSFRPC. Documentation suggests that when scripting with MSFRPC and interacting with a Meterpreter session, to avoid I/O conflicts between concurrent users, one should use Post modules or Meterpreter scripts. And since Meterpreter scripts are deprecated, here we are.
Discussing with @jennamagius, perhaps a better alternative would be to create an entire Meterpreter Post module to interact with. But this was way easier to implement considering it's a pretty clear copypasta of Kiwi's implementation provided by @OJ. Naturally, he's credited :)
Verification
msfconsoleuse post/windows/gather/meterpreter_kiwiset CMD creds_allorlsa_dump_secretsor evenkiwi_cmd coffee.run