44con 2014 - Meterpreter Internals, OJ Reeves
Post on 22-Apr-2015
Meterpreter Internals
OJ Reeves - @TheColonial, 44con 2014
Goals
• Dispel some Meterpreter myths …
• … expose the innards …
• … encourage you to dive in!
Agenda
• What is Meterpreter?
  o VERY brief overview and history
• What is it made of?
  o Components, code, communications
• How does migration work?
• Questions
What is Meterpreter?
Shells are great, but we need more …
… enter the “Meta-Interpreter” …
… a payload, RAT, and post-exploitation tool.
What is Meterpreter?
• Multi-platform
  o POSIX, Win32, Win64, Python, PHP, Java, Android … OSX!
• Forensics “friendly”
  o In memory
  o Encrypted communications
• Much more control
  o Stacks of commands
  o Dynamically loadable extensions
  o Post modules
It’s huge!
Can’t possibly cover it all …
… implementations vary across platforms …
… we’ll focus on Windows x86 Native Meterpreter.
What is it made of?
• Large amounts of C and C++
• Sprinklings of assembly
• A good dose of Ruby
Sample Scenario
Getting a Meterpreter session via reverse_tcp
[Diagram: Exploitation. The attacking machine (MSF) with a listener on port 4444 runs ms08_067_netapi against the target machine’s SMB service on port 445; the overflowed buffer overwrites RET with the shellcode address.]
Stage Construction
• Load metsrv.x86.dll from disk
• Generate a bootstrapper
• Patch metsrv:
  o Bootstrapper DOS header
  o Comms config (for http/https)
Reflective DLL Injection
• Stephen Fewer (legend!)
  o Harmony Security
• Mini PE loader
• No host process registration
  o Sorry sysinternals!
• Doesn’t touch disk
• Slightly adjusted in MSF
  o “Asks” not to be paged to disk
  o Extra attach/detach
RDI Steps
1. Locate the image in memory
2. Find helpful libraries/functions
   o Needed to do more work
3. Prepare memory for new image
4. Process sections
5. Process imported libs/functions
6. Process relocations
7. Call DllMain()
RDI Walkthrough
Time to look at the guts of ReflectiveLoader
Here comes the C
Step 0: Find the image’s location
Step 1: Find loaded modules and function pointers
… to be continued …
Why hash?
• Can’t put strings in PIC
  o We don’t know where we are, and we don’t know where the strings are either
• Strings bloat payload size
  o Not as important here, but it is elsewhere
• Contain NULLs
  o Not important here, but important elsewhere
• Consistent with block_api (later)
Step 2: Prepare a new memory location to host the image
Step 3: Copy and prepare sections
Step 4: Manually wire up the function imports
Step 5: Handle the lack of PIC support and support relocations
Relocation
• For each relocation block entry …
• … for each relocation entry in the block …
• … figure out the relocation offset …
• … patch in the library address value:
  o Add DWORD
  o Add HIWORD
  o Add LOWORD
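As an added example (not the deck’s or the Meterpreter project’s code), the relocation pass described above in Python: it walks the IMAGE_BASE_RELOCATION blocks of a section-mapped image and applies the DWORD, HIWORD and LOWORD fixups, refusing any block or entry that would write outside the image. The mini image, its RVAs and its link base are constructed for the example.

```python
import struct

# Relocation entry types from the PE spec (winnt.h IMAGE_REL_BASED_*).
IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_HIGH = 0, 1
IMAGE_REL_BASED_LOW, IMAGE_REL_BASED_HIGHLOW = 2, 3
FIXUPS = {  # type -> (field format, part of the delta added to the field)
    IMAGE_REL_BASED_HIGHLOW: ("<I", lambda d: d & 0xFFFFFFFF),   # add DWORD
    IMAGE_REL_BASED_HIGH: ("<H", lambda d: (d >> 16) & 0xFFFF),   # add HIWORD
    IMAGE_REL_BASED_LOW: ("<H", lambda d: d & 0xFFFF),            # add LOWORD
}

def apply_relocations(image, reloc_rva, reloc_size, delta):
    """Add delta = actual_base - ImageBase to every absolute address in image (a bytearray)."""
    off, end = reloc_rva, reloc_rva + reloc_size
    while off + 8 <= end:  # one IMAGE_BASE_RELOCATION header per 4 KiB page
        page_rva, block_size = struct.unpack_from("<II", image, off)
        if block_size < 8 or off + block_size > end:
            raise ValueError("malformed relocation block at RVA 0x%x" % off)
        for (entry,) in struct.iter_unpack("<H", image[off + 8:off + block_size]):
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue  # alignment padding, nothing to patch
            if rtype not in FIXUPS:
                raise ValueError("unsupported relocation type %d" % rtype)
            fmt, part = FIXUPS[rtype]
            width = struct.calcsize(fmt)
            if target + width > len(image):  # never let a bad entry write past the image
                raise ValueError("relocation at RVA 0x%x lies outside the image" % target)
            old = struct.unpack_from(fmt, image, target)[0]
            struct.pack_into(fmt, image, target, (old + part(delta)) & ((1 << 8 * width) - 1))
        off += block_size
    return image

IMAGE_BASE = 0x00400000  # constructed sample: the base the image was linked for

def build_sample_image():
    """Constructed mini image: a 32-bit pointer at RVA 0x1010, a HIGH/LOW pair at
    0x1020/0x1024, and a .reloc block at RVA 0x2000 describing all three."""
    image = bytearray(0x3000)
    struct.pack_into("<I", image, 0x1010, IMAGE_BASE + 0x1234)
    struct.pack_into("<H", image, 0x1020, (IMAGE_BASE + 0x1234) >> 16)
    struct.pack_into("<H", image, 0x1024, (IMAGE_BASE + 0x1234) & 0xFFFF)
    entries = [(3 << 12) | 0x010, (1 << 12) | 0x020, (2 << 12) | 0x024, 0]  # 0 = pad
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack("<4H", *entries)
    image[0x2000:0x2000 + len(block)] = block
    return image, 0x2000, len(block)

def relocate_sample(new_base):
    """Rebase the sample to new_base; return (pointer, high word, low word) after patching."""
    image, rva, size = build_sample_image()
    apply_relocations(image, rva, size, new_base - IMAGE_BASE)
    return tuple(struct.unpack_from(f, image, o)[0]
                 for f, o in (("<I", 0x1010), ("<H", 0x1020), ("<H", 0x1024)))
```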
Step 6: Finally… DllMain!
Metsrv Startup
• Server thread created
• Comms taken over & encrypted
• Scheduler initialised
• Dispatch loop executes
Not quite!
But we’re really close!
Metsrv is running, but we have no commands!
stdapi and priv
• Extensions to meterpreter
• Stdapi provides the “guts”
  o Execution, shells, uploads/downloads, etc
• Priv gives us the ability to elevate
  o Getsystem
• Both immediately uploaded & reflectively loaded
Command Definition
Command Registration
[Diagram: the same exploitation picture (MSF listener on 4444, ms08_067_netapi against SMB on 445, RET overwritten with the shellcode address), now with metsrv running in the target and the stdapi and priv extensions delivered over the session, alongside other loadable extensions: mimikatz/kiwi, incognito, sniffer.]
Yes!
We have a fully functional Meterpreter session!
How does it feel?
http://securityreactions.tumblr.com/post/93792005074/how-i-felt-when-i-got-my-first-meterpreter-session
Migration
• My favourite feature
• “Jumping” across process boundaries
• Doesn’t drop connectivity
• Helps avoid processes that:
  o Are likely to crash
  o Are likely to be closed
• Helps maintain sessions!
Migration in Metasploit
1. Check process exists, isn’t “me” and we have permissions to touch it
2. Get target process architecture
3. Generate a new migration payload
4. Send command to Meterpreter
5. Wait for migration to finish
6. Reload previously loaded extensions
… but what’s a TLV?
Type, Length, Value
• Type – actually both type and identifier
  o String, integer, binary, etc
  o ID which says “which integer” (e.g. PID)
• Length – size of the data
  o Integer – 4 bytes
  o String – ASCII string length
• Value – the data itself
  o Byte blob of “Length” bytes
• Packet = Header + TLV + TLV + TLV …
Migration TLVs
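An added example, not from the deck or from Metasploit, that encodes and decodes TLVs in the layout just described and assembles the TLVs a migrate request carries. The meta-type bits, the TLV ids (402 to 405 and the method string core_migrate), NUL-terminated strings and a length field that includes the 8-byte header follow my recollection of Metasploit’s packet.rb and are assumptions here; the payload bytes are a placeholder.

```python
import struct

# Meta-type bits, TLV ids, NUL-terminated strings and header-inclusive lengths follow
# Metasploit's packet.rb as I recall it; treat them as assumptions of this example.
TLV_META_TYPE_STRING, TLV_META_TYPE_UINT, TLV_META_TYPE_RAW = 1 << 16, 1 << 17, 1 << 18
TLV_TYPE_METHOD = TLV_META_TYPE_STRING | 1            # which command this request is
TLV_TYPE_MIGRATE_PID = TLV_META_TYPE_UINT | 402       # target process
TLV_TYPE_MIGRATE_LEN = TLV_META_TYPE_UINT | 403       # size of the migration payload
TLV_TYPE_MIGRATE_PAYLOAD = TLV_META_TYPE_RAW | 404    # the payload bytes themselves
TLV_TYPE_MIGRATE_ARCH = TLV_META_TYPE_UINT | 405      # architecture of the target
HEADER_SIZE = 8  # 4-byte big-endian length followed by 4-byte big-endian type

def encode_tlv(tlv_type, value):
    """Serialise one TLV; the length field counts the 8-byte header plus the value."""
    if tlv_type & TLV_META_TYPE_STRING:
        data = value.encode("ascii") + b"\x00"  # strings travel NUL-terminated
    elif tlv_type & TLV_META_TYPE_UINT:
        data = struct.pack(">I", value)         # integers are always 4 bytes
    elif tlv_type & TLV_META_TYPE_RAW:
        data = bytes(value)                     # opaque blob of "length" bytes
    else:
        raise ValueError("unsupported TLV meta type 0x%08x" % tlv_type)
    return struct.pack(">II", HEADER_SIZE + len(data), tlv_type) + data

def decode_tlvs(buf):
    """Walk back-to-back TLVs into {type: value}; truncated or oversized entries are rejected."""
    out, off = {}, 0
    while off < len(buf):
        if len(buf) - off < HEADER_SIZE:
            raise ValueError("truncated TLV header at offset %d" % off)
        length, tlv_type = struct.unpack_from(">II", buf, off)
        if length < HEADER_SIZE or off + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        data = buf[off + HEADER_SIZE:off + length]
        if tlv_type & TLV_META_TYPE_STRING:
            out[tlv_type] = data.rstrip(b"\x00").decode("ascii")
        elif tlv_type & TLV_META_TYPE_UINT:
            if len(data) != 4:
                raise ValueError("integer TLV 0x%08x is not 4 bytes" % tlv_type)
            out[tlv_type] = struct.unpack(">I", data)[0]
        else:
            out[tlv_type] = data
        off += length
    return out

def build_migrate_request(pid, arch, payload):
    # The TLVs that follow the packet header in a (constructed) core_migrate request.
    return b"".join(encode_tlv(t, v) for t, v in (
        (TLV_TYPE_METHOD, "core_migrate"), (TLV_TYPE_MIGRATE_PID, pid),
        (TLV_TYPE_MIGRATE_ARCH, arch), (TLV_TYPE_MIGRATE_LEN, len(payload)),
        (TLV_TYPE_MIGRATE_PAYLOAD, payload)))
```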
Back to Ruby …
Migration in Meterpreter
1. Read all the data from the TLVs
2. Create synchronisation primitive
3. Prepare the target process memory
4. Hand over control
   o Thread creation/hijacking and RDI
5. Shut down current Meterpreter
Migrate Context (annotations on the struct fields)
• Force 8-byte size
• Used for synchronisation
• Pointer to metsrv payload
• Duplicated socket info
Migration in Meterpreter
Migrated Payload Exec
Migration Completes!
• The RDI stub is invoked
• Metsrv is reflectively loaded
• The rest is history …
The “links” Slide
• https://github.com/rapid7/meterpreter
• https://github.com/rapid7/metasploit-framework
• http://buffered.io/
• #metasploit on Freenode
• http://rapid7.com/ (No, I don’t work for them!)
• http://beyondbinary.io/
I look forward to your PRs!
Thank you!
OJ Reeves - @TheColonial, 44con 2014