Metasploit mailing list archives
Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION
From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 16 Feb 2005 14:34:04 -0600
On Wed, Feb 16, 2005 at 02:58:52PM -0500, eip wrote:
While this may not make a good payload it is something that you could do once you have command line access to the system. Many times I hear how the command line of a Win32 system is not as powerful as a *NIX system, but those people have not explored WMI, ADSI or any of the other things that MS has by default in any of its OSes. Once you have command line access you could easily write this type of VBScript/JScript to control IE. I would be interested in seeing some of the rootkits from rootkit.com make it into some type of DLL injected payload. It would be nice to be completely stealthy once a system has been compromised. To be able to hide the connection, process, etc. would be great.
Indeed :) The answer to this is Meterpreter. It is an easily extensible base for writing advanced target-side penetration platforms like the things you've listed. All of the extensions, and the meterpreter server DLL itself, are injected into the exploited process and run entirely from memory (no touching the disk). The fact that no new process is created and the DLLs run from memory makes it quite stealthy. You can write a meterpreter extension to accomplish pretty much anything you can think of, with as much stealth as you would like, as far as the host machine is concerned. While detection of the client-to-server communication is possible at the network layer, it's only a matter of encapsulating the meterpreter communication protocol inside another protocol, such as HTTP or SMTP, to avoid being flagged by IDS signatures for not conforming to the RFC for a specific service that is exploited and then repurposed (in the case of findsock).

The list of cool meterpreter extensions goes on and on, such as what you pointed out:

- A meterpreter extension could expose a command handler on the server side that allows the client to transmit arbitrary VBScript/JScript to the target machine that is then executed and has its results returned to the client (via the IActiveScript interface).
- A meterpreter extension could install a driver (CreateService) that does runtime patching in kernel mode to hide processes and network traffic from the view of the hostname.
- A meterpreter extension could (as you pointed out) gather and set a whole magnitude of information via WMI.
- Etc, etc, etc. :)

We have a few command handlers that we are planning on adding in upcoming releases of meterpreter (such as pwdump support, channelized VNC). If anyone has ideas for things that they think would be particularly cool to add to meterpreter, feel free to post it to the list or drop us an E-mail off-list at msfdev [at] metasploit.com.
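The property discussed in this reply, extensions "injected into the exploited process and run entirely from memory (no touching the disk)", is also what memory-forensics tooling keys on from the defender's side: an executable region that is not backed by a file on disk has no legitimate module to account for it. The Python below is an added example, not code from this thread or from the Metasploit project, that runs that heuristic over a constructed snapshot of a process's memory regions. The `Region` record, the sample regions and the function names are my assumptions; a real scan would populate the same records from VirtualQueryEx/ReadProcessMemory output or a memory image rather than from the inline sample.

```python
"""Flag memory-resident executable regions that no on-disk module accounts for.

Heuristic: an executable region that is private (not a file-backed image
mapping) is unusual in a normal process.  If it also starts with a PE
header it is very likely a DLL that was loaded from memory rather than
from disk.  Headerless regions are still reported, because a loader can
wipe the header after mapping the image, so 'no MZ' is not a clean bill.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed record type standing in for one VirtualQueryEx result.
@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: str                 # Windows page-protection name
    mapped_path: Optional[str]   # None for private (non-image, non-file) memory
    head: bytes                  # first bytes of the region

EXEC_PROTECTS = {
    "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}

def looks_like_pe(head: bytes) -> bool:
    """True if the bytes open with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan(regions: List[Region]) -> List[Tuple[int, str]]:
    """Return (base, reason) for every executable region with no backing file."""
    findings = []
    for r in regions:
        if r.protect not in EXEC_PROTECTS or r.mapped_path is not None:
            continue  # non-executable, or legitimately backed by an image on disk
        reason = "executable private memory"
        if looks_like_pe(r.head):
            reason += " with PE header (likely DLL loaded from memory)"
        else:
            reason += " without PE header (headerless image or JIT stub; verify)"
        findings.append((r.base, reason))
    return findings

def _constructed_pe_head() -> bytes:
    """Build a minimal constructed DOS/PE header prefix for the sample data."""
    head = bytearray(0x48)
    head[0:2] = b"MZ"
    head[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    head[0x40:0x44] = b"PE\0\0"
    return bytes(head)

# Constructed sample snapshot: two benign regions, two that should be flagged.
SAMPLE_REGIONS = [
    Region(0x77000000, 0x1A0000, "PAGE_EXECUTE_READ",
           r"C:\Windows\System32\ntdll.dll", _constructed_pe_head()),
    Region(0x00500000, 0x10000, "PAGE_READWRITE", None, b"\x00" * 0x48),
    Region(0x001F0000, 0x30000, "PAGE_EXECUTE_READWRITE", None, _constructed_pe_head()),
    Region(0x002A0000, 0x4000, "PAGE_EXECUTE_READ", None, b"\x48\x89\x5c\x24" + b"\x00" * 0x44),
]

if __name__ == "__main__":
    for base, reason in scan(SAMPLE_REGIONS):
        print(f"0x{base:08x}: {reason}")
```

The check deliberately reports both the region that still carries a PE header and the one that does not; the second class is where false positives (JIT engines, trampolines) and header-stripped images both land, so it is a queue for inspection rather than a verdict.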
Current thread:
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION ALLAIN Yann (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION eip (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION eip (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION eip (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 17)