Meterpreter script to auto-migrate

[jeffs at speakeasy.net (jeffs)]

This happens to me also.  I believe Data Execution Protection in windows 
must be turned off in order to migrate a process, at least in XP that's 
how it works for me.


Lukas Kuzmiak wrote:
> Hi, great idea!
>
> However, i'm having some problems with migrations at all .. If I run
> "migrate <pid>" or "run <your script>" in meterpreter session, IE
> crashes and migration wont be completed, it looks like:
>
> meterpreter > migrate 1076
> [*] Migrating to 1076...
>
> or
>
> [*] Launching hidden cmd.exe...
> [*] Process 4988 created.
> [*] Current process is iexplore.exe (4768).  Migrating to 4988.
>
>
> anyone knows if its possible to fix this?
>
> another problem is with AutoRunScript and launch_and_migrate.rb, while
> I run it from meterpreter session manually, it launches cmd.exe
> without problems, but if i try to run it via AutoRunScript it hangs on
> [*] Launching hidden cmd.exe...
> and that's all .. whole session is gone :) however fe. scraper.rb runs
> without problems, but it takes too long to do something, everyone will
> kill that frozen IE :)
>
> thanks for any advices.
>
> lukash
>
> On Fri, Dec 12, 2008 at 11:44 PM, natron <natron at invisibledenizen.org> wrote:
>   
> > Playing with the new ie_xml_corruption module, I needed a way to
> > automatically migrate outside of the current process (iexplore.exe),
> > because iexplore locks up on exploitation.  Should a user taskkill
> > iexplore.exe, I didn't want to lose the session.  Additionally, if
> > meterpreter crashes (or you close it), it'll kill the whole process,
> > so you don't want to migrate to an existing process automatically
> > (e.g. scripts/meterpreter/migrate.rb).
> >
> > If anyone else would find this useful:
> >
> > http://sites.google.com/a/invisibledenizen.org/upload/asdf/launch_and_migrate.rb
> > http://blog.invisibledenizen.org/2008/12/automatic-migration-to-new-process-with.html
> >
> > Also, I was unable to get the advanced AutoRunScript option to work on
> > Windows with this script.  Has anyone successfully used this on
> > Windows?  I'm suspecting some path issues ("\\", "\", or "/"..
> > relative vs absolute, etc).
> >
> > -n
> >
> > run launch_and_migrate
> > [*] Launching hidden cmd.exe...
> > [*] Process 2340 created.
> > [*] Current process is IEXPLORE.EXE (4520).  Migrating to 2340.
> > [*] Migration completed successfully.
> > [*] New server process: cmd.exe (2340)
> > [*] Old process 4520 killed.
> >
> > run launch_and_migrate mspaint.exe
> > [*] Launching hidden mspaint.exe...
> > [*] Process 5420 created.
> > [*] Current process is cmd.exe (2340).  Migrating to 5420.
> > [*] Migration completed successfully.
> > [*] New server process: mspaint.exe (5420)
> > [*] Old process 2340 killed.
> > _______________________________________________
> > http://spool.metasploit.com/mailman/listinfo/framework
> >
> >     
>
>
>
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20081213/656be6a1/attachment.htm>