Meterpreter Internals

OJ Reeves - @TheColonial44con 2014

GoalsDispel some Meterpreter myths …

… expose the innards …

… encourage you to dive in!

Agenda• What is Meterpreter?

o VERY brief overview and history

• What is it made of?o Components, code, communications

• How does migration work?• Questions

What is Meterpreter?Shells are great, but we need more …

… enter the “Meta-Interpreter” …

… a payload, RAT, and post-exploitation tool.

What is Meterpreter?• Multi-platform

o POSIX, Win32, Win64, Python, PHP, Java,Android … OSX!

• Forensics “friendly”o In memoryo Encrypted communications

• Much more controlo Stacks of commandso Dynamically loadable extensionso Post modules

It’s huge!Can’t possibly cover it all …

… implementations very across platforms …

… we’ll focus on Windows x86 Native Meterpreter.

What is it made of?Large amounts of C and C++

What is it made of?Sprinklings of assembly

What is it made of?A good dose of Ruby

Sample ScenarioGetting a

Meterpreter session

via reverse_tcp

ExploitationTarget Machine

(SMB)

445

Attacking Machine (MSF)

Listener - 4444

ms08_067_netapi

BufferRET

Shellcode addr

Stage Construction

• Load metsrv.x86.dll from disk• Generate a bootstrapper• Patch metsrv:

o Bootstrapper DOS headero Comms config (for http/https)

Reflective DLL Injection

• Stephen Fewer (legend!)o Harmony Security

• Mini PE loader• No host process registration

o Sorry sysinternals!

• Doesn’t touch disk• Slightly adjusted in MSF

o “Asks” not to paged to disko Extra attach/detach

RDI Steps1. Locate the image in memory2. Find helpful libraries/functions

o Needed to do more work

3. Prepare memory for new image4. Process sections5. Process imported libs/functions6. Process relocations7. Call DllMain()

RDI WalkthroughTime to look at the guts of

ReflectiveLoader

Here comes the C

Step 0

Find the image’s location

Step 1

Find loaded modules andfunction pointers

… to be continued …

… to be continued …

Why hash?• Can’t put strings in PIC

o We don’t know where we are, we don’twhere the strings are either

• Strings bloat payload sizeo Not as important here, but it is elsewhere

• Contain NULLso Not important here, but important elsewhere

• Consistent with block_api (later)

… to be continued …

… etc …

Step 2

Prepare a new memory locationto host the image

Step 3

Copy and prepare sections

Step 4

Manually wire up thefunction imports

… to be continued …

… to be continued …

Step 5

Handle the lack of PIC supportand support relocations

Relocation• For each relocation block entry …• … for each relocation entry in the block …• … figure out the relocation offset …• … patch in the library address value:

o Add DWORDo Add HIWORDo Add LOWORD

Step 6

Finally… DllMain!

Metsrv StartupFinally… DllMain!

• Server thread created• Comms taken over & encrypted• Scheduler initialised• Dispatch loop executes

Not quite!

But we’re really close!

Metsrv is running, but wehave no commands!

stdapi and priv• Extensions to meterpreter• Stdapi provides the “guts”

o Execution, shells, uploads/downloads, etc

• Priv gives us the ability to elevateo Getsystem

• Both immediately uploaded & reflectively loaded

Command Definition

Command Registration

ExploitationTarget Machine

(SMB)

445

Attacking Machine (MSF)

Listener - 4444

ms08_067_netapi

BufferRET

Shellcode addr

privstdapimetsrvpriv

stdapi

metsrvmetsrv

stdapi

priv

mimikatzkiwi

incognito

sniffer

Yes!

We have a fully functionalMeterpreter session!

How does it feel?

http://securityreactions.tumblr.com/post/93792005074/how-i-felt-when-i-got-my-first-meterpreter-session

Migration• My favourite feature• “Jumping” across process boundaries• Doesn’t drop connectivity• Helps avoid process that:

o Are likely to crasho Are likely to be closed

• Helps maintain sessions!

Migration in Metasploit

1. Check process exists, isn’t “me” and we have permissions to touch

2. Get target process architecture3. Generate a new migration payload4. Send command to Meterpreter5. Wait for migration to finish6. Reload previously loaded extensions

… but what’s a TLV?

Type, Length, Value• Type – actually both type and identifier

o String, integer, binary, etco ID which says “which integer” (eg. PID)

• Length – size of the datao Integer – 4 byteso String – ASCII string length

• Value – the data itselfo Byte blog of “Length” bytes

• Packet = Header + TLV + TLV + TLV …

Migration TLVs

Back to Ruby …

Migration in Meterpeter

1. Read all the data from the TLVs2. Create synchronisation primitive3. Prepare the target process memory4. Hand over control

o Thread creation/hijacking and RDI

5. Shut down current Meterpreter

Migrate Context

Force 8-byte size

Used for synchronisation

Pointer to metsrv payload

Duplicated socket info

Migration in Meterpreter

Migrated Payload Exec

Migration Completes!

• The RDI stub is invoked• Metsrv is reflectively loaded• The rest is history …

The “links” Slide• https://github.com/rapid7/meterpreter• https://github.com/rapid7/metasploit-

framework• http://buffered.io/• #metasploit on Freenode• http://rapid7.com/ (No, I don’t work for them!)• http://beyondbinary.io/

I look forward to your PRs!

Thank you!

OJ Reeves - @TheColonial44con 2014