METASPLOIT ADVANCED PART III

December 18, 2015


Welcome Back Readers!

In my past Metasploit articles, we discussed the Metasploit Framework, including how a payload works.

Today we will dive into the second stage (stage 1) of Meterpreter and the process involved in exploitation with staged payloads. We instruct Metasploit to prepare a two-stage payload whenever we use the following:

msf > set PAYLOAD windows/meterpreter/… (second stage)

Note: the second stage is what gives us the Meterpreter session.

For better understanding, we use the ms08_067_netapi exploit module against a Windows machine. Fig 1.0 below shows the two machines: the attacker's machine running Metasploit with the ms08_067_netapi exploit module loaded and a staged Meterpreter payload selected (stage0 set to reverse_tcp on port 4444), and on the other side the victim's Windows machine with a vulnerable SMB service listening on port 445.

When the exploit runs (Fig 2.0), Metasploit starts a listener on the defined port and establishes a connection to the victim's SMB service. When the target SMB service receives the incoming connection, it invokes a function whose stack buffer the attacking machine will overflow.

[Fig 2.0: image not available]

The attacking machine sends more data than the victim expects (Fig 3.0). The data contains stage0 and a bit of exploit-specific code, which overflows the victim's target buffer. The exploit-specific code lets the attacker gain control of the EIP register and redirect process execution to the stage0 shellcode.

[Fig 3.0: image not available]

The attacker has gained control of execution within the targeted SMB service, but cannot do much else with it because of the size restriction. When stage0 (reverse_tcp) executes, it connects back to the attacker's machine on the defined port, which is ready and waiting with stage1. If you are using Meterpreter, stage1 is a DLL called metsrv (Fig 4.0).

[Fig 4.0: image not available]

The metsrv DLL is then sent to the victim machine over this reverse connection. This is when we see the "Sending stage" message (Fig 5.0).

[Fig 5.0: image not available]

The 882176 bytes is the entire metsrv DLL. Once it has been pushed to the victim's machine, the stage0 shellcode writes this DLL into memory.

[Fig 6.0: image not available]

Once stage1 is in memory, stage0 passes control to it by jumping to the memory location where the payload was written. In the case of metsrv, the first 60-odd bytes are a clever piece of shellcode that looks like a DOS header. At execution, this shellcode uses Reflective DLL Injection to re-map and load metsrv into memory in a way that lets it function as a normal DLL, without writing it to disk or registering it with the host process; it then invokes DllMain() on the loaded DLL, and at that point Meterpreter takes over.

Metasploit then pushes up two Meterpreter extension DLLs, stdapi and priv. Both are reflectively loaded in the same way as the original metsrv DLL. At this point, Meterpreter is ready and willing to take your instructions.
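As an added illustration of the stage transfer described above (this is not code from the article or from Metasploit itself): the reverse_tcp handler sends the stage as a 4-byte little-endian length followed by the stage bytes, which for Meterpreter begin with metsrv's MZ/PE header. The snippet constructs a non-functional MZ/PE-shaped blob, frames it that way, and shows a defender-side check that flags such a transfer in a captured byte stream; the helper names are my own.

```python
import struct

# Framing used by the reverse_tcp stager: the handler sends a 4-byte
# little-endian length, then the stage itself (the "Sending stage
# (882176 bytes)" message in the article reports that length).

def build_sample_stage(size=0x400):
    """Construct a toy DOS/PE-shaped blob for the demo (NOT a real DLL)."""
    dos = bytearray(64)                      # 64-byte DOS header
    dos[0:2] = b"MZ"                         # 0x4D 0x5A: on x86 this decodes to
    #                                          dec ebp / pop edx, which is why a
    #                                          DOS header can double as shellcode
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew -> PE header at offset 64
    pe = b"PE\x00\x00" + struct.pack("<H", 0x14C)   # IMAGE_FILE_MACHINE_I386
    body = bytes(dos) + pe
    return body + b"\x90" * (size - len(body))

def frame_stage(stage):
    """Wrap a stage the way the handler sends it: 4-byte LE length + bytes."""
    return struct.pack("<I", len(stage)) + stage

def inspect_stage_transfer(buf):
    """Verdict for a captured outbound-connection stream (sensor-side check)."""
    result = {"declared_len": None, "complete": False,
              "mz_header": False, "pe_header": False, "suspicious": False}
    if len(buf) < 4:
        return result
    declared = struct.unpack_from("<I", buf, 0)[0]
    result["declared_len"] = declared
    stage = buf[4:]
    if len(stage) < 0x40:                    # too short to hold a DOS header
        return result
    result["complete"] = declared == len(stage)   # False on a partial capture
    result["mz_header"] = stage[:2] == b"MZ"
    e_lfanew = struct.unpack_from("<I", stage, 0x3C)[0]
    result["pe_header"] = (e_lfanew + 4 <= len(stage)
                           and stage[e_lfanew:e_lfanew + 4] == b"PE\x00\x00")
    # A length-prefixed PE image arriving right after a fresh outbound
    # connection is the signature of a stage being delivered for reflective
    # loading, which is what to alert on.
    result["suspicious"] = result["mz_header"] and result["pe_header"]
    return result

if __name__ == "__main__":
    captured = frame_stage(build_sample_stage())      # constructed sample
    print(inspect_stage_transfer(captured))
```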

Thanks.


Stay linked! (More is about to come.)

Ali Tabish

9 Comments
  1. Can you explain: when we set a payload in Veil-Evasion, we select a payload from the list and use it as our payload. When creating it, it asks for msfvenom and creates a Metasploit payload, by default windows/meterpreter/reverse_tcp. Why is that? Why are we using Meterpreter again? We already selected a payload from the list of payloads in Veil-Evasion. Why are we setting a payload again? Is it two payloads? We use Veil-Evasion to avoid anti-virus software, as Meterpreter payloads are already caught by anti-virus software. So why do we use a payload from Veil-Evasion and again a Metasploit payload to get a Meterpreter session? Please help.

    Veil-Evasion | [Version]: 2.27.2
    =========================================================================
    [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    =========================================================================
    [?] Use msfvenom or supply custom shellcode?
    1 - msfvenom (default)
    2 - custom shellcode string
    3 - file with shellcode (raw)
    [>] Please enter the number of your choice: 1
    [*] Press [enter] for windows/meterpreter/reverse_tcp
    [*] Press [tab] to list available payloads
    [>] Please enter metasploit payload:
    [>] Enter value for 'LHOST', [tab] for local IP:

    ### Here we are selecting a payload again; why is that? ###

  2. In the previous post you showed the second-stage DLL injection payload being sent in the diagram. So where is that DLL injection payload sending part in here?

    • When we set PAYLOAD windows/meterpreter/…, we are basically asking Metasploit to prepare a payload that is broken into two stages, i.e. stage0 and stage1. The second stage payload gives a Meterpreter session.

      When the attacker sends data (containing stage0 and a bit of exploit-specific code) bigger than the target expects, it overflows the target buffer, and the exploit-specific code allows the attacker to gain control over the pointer.

      Stage0 (reverse_tcp) connects back to the attacker on the defined port, which is ready and waiting with stage1 (the second stage payload). In the case of Meterpreter, stage1 (the second stage payload) is a DLL called metsrv.

      Once stage1 is in memory, stage0 passes control to metsrv. At that time MSF pushes up two Meterpreter extension DLLs, both reflectively loaded in the same way as the original metsrv DLL was.

      Refer to Figs. 4, 5 and 6 with their descriptions.

      Thanks!


  3. The step by step explanation of Metasploit process makes the tool easy to understand.

  4. My understanding of the Metasploit has improved after going through your article.

  5. Great reading, keep up the great work.
