Building in the Meterpreter .dll

Today we are releasing a few new modules that take a slightly different approach to payload delivery.  Please welcome the shellcode-less python/MeterHTTPContained and python/MeterHTTPSContained modules, which encapsulate the meterpreter .dll within a python payload.

These payloads read in the meterpreter metsrv.dll from the Metasploit install path, binary patch in some header information, an agent string, communication/expiration timeouts, ssl information, and finally the address/port of the metasploit handler. The binary data of the .dll is then compressed using zlib and transformed into a base64 string, and a launcher is built that decompresses the .dll and injects it into memory. Since the meterpreter .dll is built for reflective injection, it will take over execution from there.

reverse_http_contained

One detail that was glossed over: meterpreter’s checkin for reverse_http and reverse_https aren’t quite a simple as “connect and read”. Various URI’s with varying checksums are sent depending on communication state. Normally, a stager checks in with a handler, receives the meterpreter .dll as a response, and starts comms. So how do we ‘trick’ the handler into not sending the full .dll? We use the already-established comms checksum value, which will register the stager as an ‘orphaned session’ and reattach it to the particular handler.

reverse_http_checksum

For anyone interested in the technical details, the metasploit reverse_http/https handler is located at /usr/share/metasploit-framework/lib/msf/core/handler/reverse_http.rb . URI_CHECKSUM_CONN is the checksum value for established comms that we use to generate our initial URI, and generate_uri_checksum(sum) is the short checksum algorithm that the handler uses. The checksum was ported over to python so we can generate unique checkins instead of hardcoding values.

 

Powershell Payloads? Yes please!

With Veil’s 2.0 release, several powershell payloads were released which we wanted to detail a bit more here.

powershell/VirtualAlloc uses the VirtualAlloc() pattern to inject shellcode into memory. The concept was adapted from Matthew Graeber’s excellent article concerning powershell shellcode injection. The powershell string is then compressed and a .bat launcher is built, which will invoke the powershell binary with a command that decompresses and runs the original powershell file. The .bat launcher does basic x86/x64 architecture detection to attempt to work on multiple platforms.

powershell/DownloadVirtualAlloc takes adapts the technique from ObscureSecurity’s writeup to download a secondary powershell payload from a separate sever, which it then runs. A small encrypted command is output which will download a larger secondary powershell stage from a specified webserver and launch it in memory.

powershell/PsexecVirtualAlloc is similar to the VirtualAlloc module, but it builds a metasploit .rc resource file that’s compatible with metasploit’s psexec_command module. When you run the produced resource file in metasploit, the psexec_command module is selected and the COMMAND parameter is properly set to the powershell VirtualAlloc launcher. You can then set the RHOSTS, SMBUser and SMBPass and then psexec away, utilizing pure powershell for AV-evading goodness.

Also of note, Veil now has a development branch on its GitHub page. New bug fixes and features will be pushed here first, but with no guarantees to stability. If you have any questions, or if something breaks, please get in touch with us in #veil on freenode!