44con 2014 - meterpreter internals, oj reeves
DESCRIPTION
44CON 2014 - Meterpreter Internals, OJ Reeves

Everyone has heard of Metasploit, the Open Source exploitation framework, and most have probably come into contact with it on the attacking and/or receiving end. Meterpreter, Metasploit’s most frequently used payload for Windows systems, enables a tester who has gained control of one machine to perform further exploitation, pivoting and penetration with relative ease. But how does Meterpreter work? What goes on ‘under the hood’ when certain commands are executed? How does it avoid touching the disk and survive happily in memory? How does it hide from the operating system, and how could you locate it if it’s running? Let’s dive into the plumbing that makes Meterpreter tick. I will explain in relative detail its lifecycle, along with some of the ins and outs of topics such as Reflective DLL Injection and Migration. Bring your low-level knowledge and interest in technical details as we pop the hood of one of the most loved parts of Metasploit.

TRANSCRIPT
Meterpreter Internals
OJ Reeves - @TheColonial
44con 2014
Goals
Dispel some Meterpreter myths …
… expose the innards …
… encourage you to dive in!
Agenda
• What is Meterpreter?
  o VERY brief overview and history
• What is it made of?
  o Components, code, communications
• How does migration work?
• Questions
What is Meterpreter?
Shells are great, but we need more …
… enter the “Meta-Interpreter” …
… a payload, RAT, and post-exploitation tool.
What is Meterpreter?
• Multi-platform
  o POSIX, Win32, Win64, Python, PHP, Java, Android … OSX!
• Forensics “friendly”
  o In memory
  o Encrypted communications
• Much more control
  o Stacks of commands
  o Dynamically loadable extensions
  o Post modules
It’s huge!
Can’t possibly cover it all …
… implementations vary across platforms …
… we’ll focus on Windows x86 Native Meterpreter.
What is it made of?
Large amounts of C and C++

What is it made of?
Sprinklings of assembly

What is it made of?
A good dose of Ruby
Sample Scenario
Getting a Meterpreter session via reverse_tcp
Exploitation (diagram): the attacking machine (MSF) runs ms08_067_netapi against the target machine’s SMB service on port 445 and has a listener on port 4444; the overflowed buffer’s RET is overwritten with the shellcode address.
Stage Construction
• Load metsrv.x86.dll from disk
• Generate a bootstrapper
• Patch metsrv:
  o Bootstrapper DOS header
  o Comms config (for http/https)
Reflective DLL Injection
• Stephen Fewer (legend!)
  o Harmony Security
• Mini PE loader
• No host process registration
  o Sorry sysinternals!
• Doesn’t touch disk
• Slightly adjusted in MSF
  o “Asks” not to be paged to disk
  o Extra attach/detach
RDI Steps
1. Locate the image in memory
2. Find helpful libraries/functions
  o Needed to do more work
3. Prepare memory for new image
4. Process sections
5. Process imported libs/functions
6. Process relocations
7. Call DllMain()
RDI Walkthrough
Time to look at the guts of ReflectiveLoader
Here comes the C
Step 0
Find the image’s location
Step 1
Find loaded modules and function pointers
Why hash?
• Can’t put strings in PIC
  o We don’t know where we are, we don’t know where the strings are either
• Strings bloat payload size
  o Not as important here, but it is elsewhere
• Contain NULLs
  o Not important here, but important elsewhere
• Consistent with block_api (later)
Step 2
Prepare a new memory location to host the image
Step 3
Copy and prepare sections
Step 4
Manually wire up the function imports
Step 5
Handle the lack of PIC support and support relocations
Relocation
• For each relocation block entry …
• … for each relocation entry in the block …
• … figure out the relocation offset …
• … patch in the library address value:
  o Add DWORD
  o Add HIWORD
  o Add LOWORD
Step 6
Finally… DllMain!
Metsrv Startup
Finally… DllMain!
• Server thread created
• Comms taken over & encrypted
• Scheduler initialised
• Dispatch loop executes
Not quite!
But we’re really close!
Metsrv is running, but we have no commands!
stdapi and priv
• Extensions to meterpreter
• Stdapi provides the “guts”
  o Execution, shells, uploads/downloads, etc
• Priv gives us the ability to elevate
  o Getsystem
• Both immediately uploaded & reflectively loaded
Command Definition
Command Registration
Exploitation (diagram, revisited): the attacking machine (MSF) with its listener on port 4444 has exploited the target machine’s SMB service on port 445 via ms08_067_netapi, the buffer’s RET pointing at the shellcode address. The target process now holds metsrv with the stdapi and priv extensions loaded; further extensions pictured are kiwi (mimikatz), incognito and sniffer.
Yes!
We have a fully functional Meterpreter session!
How does it feel?
http://securityreactions.tumblr.com/post/93792005074/how-i-felt-when-i-got-my-first-meterpreter-session
Migration
• My favourite feature
• “Jumping” across process boundaries
• Doesn’t drop connectivity
• Helps avoid processes that:
  o Are likely to crash
  o Are likely to be closed
• Helps maintain sessions!
Migration in Metasploit
1. Check process exists, isn’t “me” and we have permissions to touch
2. Get target process architecture
3. Generate a new migration payload
4. Send command to Meterpreter
5. Wait for migration to finish
6. Reload previously loaded extensions
… but what’s a TLV?
Type, Length, Value
• Type – actually both type and identifier
  o String, integer, binary, etc
  o ID which says “which integer” (eg. PID)
• Length – size of the data
  o Integer – 4 bytes
  o String – ASCII string length
• Value – the data itself
  o Byte blob of “Length” bytes
• Packet = Header + TLV + TLV + TLV …
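An added illustration of the Type-Length-Value layout just described (this is example code written for these notes, not code from the talk or from Metasploit): a packet carrying an integer, a string and a byte-blob TLV is encoded and decoded, and truncated input is rejected rather than over-read. The big-endian fields, the meta-type living in the high 16 bits of the type word with the identifier in the low 16, the 4-byte TLV-count packet header, and the identifiers ID_PID, ID_PAYLOAD and ID_ARCH are assumptions for this example, not Meterpreter’s exact wire format.

```ruby
# Added example: encode/decode packets in the Type-Length-Value layout from the
# slides. Assumptions (not Meterpreter's exact wire format): big-endian fields,
# meta-type in the high 16 bits of the type word and identifier in the low 16,
# length counting only the value bytes, and a 4-byte TLV-count packet header.
META_STRING = 1 << 16   # ASCII string; length = string length
META_UINT   = 1 << 17   # unsigned integer; length = 4
META_RAW    = 1 << 18   # opaque byte blob of "length" bytes
META_MASK   = 0xFFFF0000

# Hypothetical identifiers ("which integer / which string") for illustration.
ID_PID     = 1
ID_PAYLOAD = 2
ID_ARCH    = 3

def tlv_encode(meta, id, value)
  body = case meta
         when META_UINT then [value].pack('N')
         when META_STRING, META_RAW then value.b
         else raise ArgumentError, "unknown meta type #{meta}"
         end
  [meta | id, body.bytesize].pack('NN') + body
end

# Packet = Header + TLV + TLV + ... ; the header here is just the TLV count.
def packet_encode(tlvs)
  [tlvs.size].pack('N') + tlvs.join
end

# Returns [[meta, id, value], ...]; raises on truncated input rather than over-reading.
def packet_decode(bytes)
  bytes = bytes.b
  raise 'truncated packet header' if bytes.bytesize < 4
  count = bytes.unpack1('N')
  off = 4
  Array.new(count) do
    raise 'truncated TLV header' if bytes.bytesize < off + 8
    type, len = bytes.byteslice(off, 8).unpack('NN')
    off += 8
    raise 'truncated TLV value' if bytes.bytesize < off + len
    raw = bytes.byteslice(off, len)
    off += len
    meta, id = type & META_MASK, type & 0xFFFF
    raise 'integer TLV must be 4 bytes' if meta == META_UINT && len != 4
    value = meta == META_UINT ? raw.unpack1('N') : raw
    [meta, id, value]
  end
end
```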
Migration TLVs
Back to Ruby …
Migration in Meterpreter
1. Read all the data from the TLVs
2. Create synchronisation primitive
3. Prepare the target process memory
4. Hand over control
  o Thread creation/hijacking and RDI
5. Shut down current Meterpreter
Migrate Context
Force 8-byte size
Used for synchronisation
Pointer to metsrv payload
Duplicated socket info
Migration in Meterpreter
Migrated Payload Exec
Migration Completes!
• The RDI stub is invoked
• Metsrv is reflectively loaded
• The rest is history …
The “links” Slide
• https://github.com/rapid7/meterpreter
• https://github.com/rapid7/metasploit-framework
• http://buffered.io/
• #metasploit on Freenode
• http://rapid7.com/ (No, I don’t work for them!)
• http://beyondbinary.io/
I look forward to your PRs!
Thank you!
OJ Reeves - @TheColonial
44con 2014