Metasploit mailing list archives

Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION


From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 16 Feb 2005 14:34:04 -0600

On Wed, Feb 16, 2005 at 02:58:52PM -0500, eip wrote:
> While this may not make a good payload it is something that you could do
> once you have command line access to the system. Many times I hear how the
> command line of a Win32 system is not as powerful as a *NIX system, but
> those people have not explored WMI, ADSI or any of the other things that MS
> has by default in any of its OSes. Once you have command line access you
> could easily write this type of VBScript/JScript to control IE.
>
> I would be interested in seeing some of the rootkits from rootkit.com make
> it into some type of DLL injected payload. It would be nice to be completely
> stealthy once a system has been compromised. To be able to hide the
> connection, process, etc. would be great.

Indeed :)

The answer to this is Meterpreter.  It is an easily extensible base for
writing advanced target-side penetration platforms like the things 
you've listed.  All of the extensions, and the meterpreter server DLL 
itself, are injected into the exploited process and run entirely from 
memory (no touching the disk).  The fact that no new process is created
and the DLLs run from memory makes it quite stealthy.

You can write a meterpreter extension to accomplish pretty much anything
you can think of, with as much stealth as you would like, as far as the
host machine is concerned.  While detection of the client to server
communication is possible at the network layer, it's only a matter of
encapsulating the meterpreter communication protocol inside another
protocol, such as HTTP or SMTP, to avoid being flagged by IDS signatures
for not conforming to the RFC for a specific service that is exploited
and then repurposed (in the case of findsock).

The list of cool meterpreter extensions goes on and on, such as what
you pointed out:

  - A meterpreter extension could expose a command handler on the
    server side that allows the client to transmit arbitrary
    VBScript/JScript to the target machine that is then executed and has
    its results returned to the client (via the IActiveScript
    interface).
  - A meterpreter extension could install a driver (CreateService) that
    does runtime patching in kernel mode to hide processes and network
    traffic from the view of the host.
  - A meterpreter extension could (as you pointed out) gather and set a
    whole magnitude of information via WMI.
  - Etc, etc, etc. :)

We have a few command handlers that we are planning on adding in
upcoming releases of meterpreter (such as pwdump support, channelized
VNC).  If anyone has ideas for things that they think would be 
particularly cool to add to meterpreter, feel free to post it to the 
list or drop us an E-mail off-list at msfdev [at] metasploit.com.
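The kind of script eip describes, as an added example that is not part of the original thread and not Metasploit or Meterpreter code: a VBScript run with cscript.exe that drives Internet Explorer through its OLE automation object (InternetExplorer.Application), reads the loaded page out of the live DOM in the interactive user's browser context (its cookies, proxy settings and any session IE already holds), optionally fills and submits a form, and then inventories the host through WMI. The URL, the 30-second timeout and the form field id "q" are placeholders chosen for the example, not values from the page.

```vbscript
' Added example: drive Internet Explorer via OLE automation from the
' command line, then query WMI.  Not from the list thread or Metasploit.
' Run with:  cscript //nologo ie_automation.vbs
' The URL and the form field id "q" are placeholders (assumptions).
Option Explicit

Const READYSTATE_COMPLETE = 4
Dim targetUrl
targetUrl = "http://www.example.com/"

' --- OLE automation of Internet Explorer ---------------------------------
Dim ie
Set ie = CreateObject("InternetExplorer.Application")
ie.Visible = False        ' no window for the logged-on user to notice
ie.Silent  = True         ' suppress script-error and certificate dialogs

ie.Navigate targetUrl
If Not WaitForPage(ie, 30) Then
    WScript.Echo "Timed out loading " & targetUrl
    ie.Quit
    WScript.Quit 1
End If

' The automation object exposes the live DOM, so everything below is read
' as the interactive user's browser sees it (cookies, proxy, auth state).
WScript.Echo "URL:     " & ie.LocationURL
WScript.Echo "Title:   " & ie.Document.title
WScript.Echo "Cookies: " & ie.Document.cookie
WScript.Echo "Links:"
Dim a
For Each a In ie.Document.links
    WScript.Echo "  " & a.href
Next

' Input can be driven as well as read: if the page has an element with
' id "q" (assumption), fill it and submit its form.
Dim field
Set field = ie.Document.getElementById("q")
If Not field Is Nothing Then
    field.value = "test"
    field.form.submit
    Call WaitForPage(ie, 30)
    WScript.Echo "After submit: " & ie.LocationURL
End If

ie.Quit
Set ie = Nothing

' --- WMI: the same command line can inventory the host -------------------
Dim wmi, proc
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
WScript.Echo "Processes:"
For Each proc In wmi.ExecQuery("SELECT ProcessId, Name, CommandLine FROM Win32_Process")
    ' CommandLine is Null for some system processes; & treats Null as "".
    WScript.Echo "  " & proc.ProcessId & vbTab & proc.Name & vbTab & proc.CommandLine
Next

' Poll the browser until the document is fully loaded, or give up after
' timeoutSeconds so a hung navigation cannot stall the script forever.
Function WaitForPage(browser, timeoutSeconds)
    Dim deadline
    deadline = Now + timeoutSeconds / 86400
    Do While browser.Busy Or browser.ReadyState <> READYSTATE_COMPLETE
        If Now > deadline Then
            WaitForPage = False
            Exit Function
        End If
        WScript.Sleep 100
    Loop
    WaitForPage = True
End Function
```

Two points a defender should take from this: the script needs no privileges beyond the logged-on user's, since it only asks IE to do what the user could do by hand, and nothing in it writes to disk other than the script itself. The process-creation (cscript.exe spawning iexplore.exe) and WMI query activity are therefore the things worth logging.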
