


By: S-Connect

December 18, 2015

Welcome Back Readers!

In my past Metasploit articles we covered the Metasploit Framework, including how payloads work.

Today we will dive into the second stage (stage1) of Meterpreter and the process involved in exploitation with staged payloads. Metasploit prepares a two-stage payload whenever we select one of its staged payload names, where the slash separates the stager (stage0) from the stage (stage1):

msf > set PAYLOAD windows/meterpreter/reverse_tcp

Note: the second stage is what gives you the Meterpreter session; reverse_tcp on its own is only the stager that fetches it.

For better understanding, we use the ms08_067_netapi exploit module against a Windows machine. Fig 1.0 shows the two machines: the attacker's machine running Metasploit with the ms08_067_netapi exploit module loaded and a staged Meterpreter payload selected (stage0 set to reverse_tcp on port 4444), and the victim's machine running Windows with a vulnerable SMB service listening on port 445.


When the exploit is run (Fig 2.0), Metasploit first starts a handler listening on the defined port and then opens a connection to the victim's SMB service. When the target SMB service processes the incoming request, it reaches the function whose stack buffer the attacking machine is about to overflow.


The attacking machine sends more data than the victim expects (Fig 3.0). The data contains stage0 plus a small amount of exploit-specific code, and together they overflow the target buffer. The exploit-specific portion overwrites the saved return address on the stack, giving the attacker control of the EIP register and redirecting process execution into the stage0 shellcode.


The attacker now controls execution inside the targeted SMB service, but cannot do much else with it because of the size limit on the shellcode that fits in the overflow. When stage0 (reverse_tcp) executes, it connects back to the attacker's machine on the defined port, where the handler is ready and waiting with stage1. If you are using Meterpreter, stage1 is a DLL called metsrv (Fig 4.0).


The metsrv DLL is then sent to the victim machine over this reverse connection. This is what is happening when you see the "Sending stage" message (Fig 5.0).


The 882176 bytes is the size of the entire metsrv DLL. As it arrives on the victim's machine, the stage0 shellcode reads it from the socket into a block of memory it has allocated for the purpose.


Once stage1 is in memory, stage0 passes control to it by jumping to the memory location where the payload was written. In the case of metsrv, the first 60-odd bytes are a carefully crafted piece of shellcode that doubles as the DLL's DOS header. When executed, that shellcode uses Reflective DLL Injection to re-map and load metsrv into memory in a way that lets it function as a normal DLL, without writing it to disk or registering it with the host process, and then invokes DllMain() on the loaded DLL; at that point Meterpreter takes over.
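To make the stage0/stage1 handoff described above concrete, here is an added C model of the delivery mechanism behind the "Sending stage" message and the MZ bootstrap that follows it. This is illustration code written for this article, not Metasploit's stager or handler. It assumes the wire format Metasploit's reverse_tcp handler uses for staged payloads (a 4-byte little-endian length followed by the raw stage), replaces the real socket with a constructed in-memory transport that returns short reads the way TCP does, and returns the received buffer instead of jumping to it. The names frame_stage, receive_stage, Transport, stage_has_mz_bootstrap and demo_roundtrip are assumptions for the example, not Metasploit identifiers.

```c
/* Added example: model of staged payload delivery (handler -> stager).
 * Not Metasploit code. Assumed wire format: LE32(stage_len) || stage.
 * The stager is modelled as reading into a heap buffer; a real stage0
 * uses VirtualAlloc(PAGE_EXECUTE_READWRITE) and then jumps to byte 0. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed in-memory "socket": delivers at most max_chunk bytes per
   read, which is how recv() behaves on a large stage crossing segments. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
    size_t max_chunk;
} Transport;

static size_t transport_recv(Transport *t, uint8_t *out, size_t want) {
    size_t avail = t->len - t->pos;
    size_t n = want < avail ? want : avail;
    if (n > t->max_chunk) n = t->max_chunk;
    memcpy(out, t->data + t->pos, n);
    t->pos += n;
    return n;                      /* 0 means the connection is closed */
}

/* Handler side: prepend the stage length so the stager knows how much
   memory to allocate and how many bytes to wait for. Returns malloc'd frame. */
uint8_t *frame_stage(const uint8_t *stage, uint32_t stage_len, size_t *frame_len) {
    uint8_t *frame = malloc(4 + (size_t)stage_len);
    if (!frame) return NULL;
    frame[0] = (uint8_t)(stage_len);
    frame[1] = (uint8_t)(stage_len >> 8);
    frame[2] = (uint8_t)(stage_len >> 16);
    frame[3] = (uint8_t)(stage_len >> 24);
    memcpy(frame + 4, stage, stage_len);
    *frame_len = 4 + (size_t)stage_len;
    return frame;
}

/* Stager side: read the 4-byte length, allocate, then loop until every
   byte has arrived. Returns NULL if the connection drops or the length is
   implausible (the 32 MiB cap is an assumption, a real stager has none). */
uint8_t *receive_stage(Transport *t, uint32_t *stage_len) {
    uint8_t hdr[4];
    size_t got = 0;
    while (got < 4) {
        size_t n = transport_recv(t, hdr + got, 4 - got);
        if (n == 0) return NULL;
        got += n;
    }
    uint32_t len = hdr[0] | (hdr[1] << 8) | (hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    if (len == 0 || len > (32u << 20)) return NULL;
    uint8_t *buf = malloc(len);
    if (!buf) return NULL;
    got = 0;
    while (got < len) {
        size_t n = transport_recv(t, buf + got, len - got);
        if (n == 0) { free(buf); return NULL; }  /* dropped mid-stage */
        got += n;
    }
    *stage_len = len;
    return buf;
}

/* metsrv begins with a DOS header whose first two bytes, "MZ", also decode
   as x86 instructions (0x4D dec ebp, 0x5A pop edx); that is what lets
   stage0 jump straight to byte 0 of the DLL. Check the property here. */
int stage_has_mz_bootstrap(const uint8_t *stage, uint32_t len) {
    return len >= 2 && stage[0] == 'M' && stage[1] == 'Z';
}

/* Round-trip a constructed 5000-byte stage through a 1460-byte-per-read
   transport, then confirm a dropped connection yields no buffer. 1 = ok. */
int demo_roundtrip(void) {
    uint8_t stage[5000];
    memset(stage, 0x90, sizeof stage);  /* constructed filler, not real code */
    stage[0] = 'M'; stage[1] = 'Z';     /* metsrv-style DOS header start */
    size_t flen = 0;
    uint8_t *frame = frame_stage(stage, (uint32_t)sizeof stage, &flen);
    if (!frame) return 0;
    Transport t = { frame, flen, 0, 1460 };
    uint32_t slen = 0;
    uint8_t *got = receive_stage(&t, &slen);
    int ok = got != NULL && slen == sizeof stage &&
             memcmp(got, stage, slen) == 0 && stage_has_mz_bootstrap(got, slen);
    Transport dropped = { frame, 3000, 0, 1460 };  /* only 3000 of 5004 bytes */
    uint32_t slen2 = 0;
    if (receive_stage(&dropped, &slen2) != NULL) ok = 0;
    free(got);
    free(frame);
    return ok;
}

int main(void) {
    printf("staged handoff model %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The loop in receive_stage is the part worth noticing: the stager cannot jump until the whole stage is present, so a handler that closes the connection early, or a network device that truncates it, leaves stage0 holding an incomplete DLL, and the model returns NULL rather than executing it. Detection engineers can read the same structure in reverse: a small inbound connection followed by a large one-way transfer into freshly allocated RWX memory is the signature of this handoff.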

Metasploit then pushes two Meterpreter extension DLLs, stdapi and priv, which are reflectively loaded in the same way as the original metsrv DLL. At this point, Meterpreter is ready and willing to take your instructions.



Stay linked! (More is about to come.)

Ali Tabish
