By guest blogger Shane Rudy, Information Security Manager, AOScloud, C|EH | E|CSA | L|PT | CPT | CEPT

About a month ago I wrote an article about the new anti-virus evasion capabilities in the latest release of Metasploit Pro 4.9. In this article I'll take this a step further and discuss another related feature: Dynamic Payload generation from the Metasploit Pro console using the auxiliary/pro/generate_dynamic_stager auxiliary module. This module has replaced the older exploit/pro/windows/dynamic_exe module.

I'll discuss using this module in conjunction with the bypassuac memory injection module in a public network scenario. I'm writing this article because it addresses some questions that I have seen posted around the net and have also pondered myself. My aim is to give you a clearer understanding of the behavior of payloads, stagers and architecture, and of what to expect when attacking through NAT. Things aren't always what they seem...

In this article you will learn the following:

  • How to use the new auxiliary/pro/generate_dynamic_stager auxiliary module to create your stager executable that will bypass antivirus
  • Issues you could encounter if the proper architecture isn't specified or if you have a mismatch in the exploit target or payload
  • How to use the bypassuac memory injection technique to elevate your privileges on the target
  • How to perform all of the above through NAT

*Note: If you're using the free version of Metasploit, the auxiliary/pro/generate_dynamic_stager auxiliary module will not be available. If this is the case, have a look at downloading and using the Veil Framework for AV evasion for your initial payload.

There are a couple of caveats that need to be addressed. First, when you use any of the Metasploit bypassuac modules, the account that your Meterpreter payload is running as needs to be a member of the Administrators group on the target. If you read the documentation on them you should notice this. Second, you may ask: if the account that Meterpreter is running under already has admin rights, then why is this important? It's important for a couple of reasons. First, UAC has multiple modes in which it can run that can hinder your progress. We want to bypass them altogether. Second, if your Meterpreter session doesn't have elevated rights then you may not get that far, depending on your skill set. Many great articles have been written on the elevation of privilege, which is outside the scope of this article, but I suggest you read them so you don't get lazy. A good place to start reading up on the basics is here.

To begin, we have set up a simple network for this exercise that looks like this:

In the scenario above the attacker is located behind a firewall and has been given a public IP address of 74.222.220.166. Port 4444 is open on the external interface of the firewall to allow traffic from the Internet to be forwarded to his attack system located behind the firewall at IP 10.2.0.125.

First I will create the initial stager using the new auxiliary/pro/generate_dynamic_stager that replaced the old standalone exploit/pro/windows/dynamic_exe.

I will be using the following version of Metasploit Pro:

Next I will load the new dynamic stager auxiliary by typing use auxiliary/pro/generate_dynamic_stager. Once it's loaded, I configure it as shown:

Notice above that the ARCH setting is set to x86_64. Most systems these days are 64-bit. If you do not set this and use a 32-bit stager with this exercise, you will need to migrate to a 64-bit process or you could see the error Exploit Failed: Rex::TimeoutError Operation timed out. So just make a mental note that if you see this, more than likely it's because you were using a 64-bit-only piece of Meterpreter functionality while in a 32-bit process space. To avoid issues, make sure you know whether you require 64-bit functionality or not. For example, if you're using a 32-bit Meterpreter you will want to migrate up to a 64-bit process if you require something like a memory read using mimikatz on a 64-bit system. This may seem trivial to some of you, but I have seen that error posted a ton on a lot of blogs so I wanted to address it.

Once I type exploit, the stager executable is created and is ready for the victim, as shown:

Once the stager is created I can upload it to my victim host for testing and demonstrating this proof of concept. In real life this could be a social engineering expedition or some other form of awesome hacktivism (powersploit invoke shellcode anyone?) but for demo purposes this will suffice.

Next I will go back to my attacker box and fire up Metasploit's multi/handler utility as shown:

Next I will start a listener using Metasploit's multi/handler utility to handle the inbound connection from the victim machine as shown:

Again, notice here that I have used the 64-bit version of Meterpreter. I have set my LHOST to 10.2.0.125. This is fine for my first connection. However, as you will see, I will change this IP address to the attacker's public IP address once I set up and execute the bypassuac exploit. Just keep this in the back of your mind for right now.

Now I will type exploit and then go to the victim machine and run the stager executable to establish my initial connection and Meterpreter session as shown:

Above you can see that I have established my first session. Now I am going to background this session, but I will use it to launch the bypassuac attack.

Next I search Metasploit for bypassuac exploits and I get two hits as shown:

In this exercise I will use the bypassuac_injection exploit. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. My options will be set as shown below. Notice that I have set the session to 1 because that is the first session I established and will use to exploit UAC to gain a second elevated session. I have also created a new Meterpreter payload and set the LHOST setting to the public IP address of the attacker. What is important to note here is that when this actually executes, the initial bind to that public IP will look like it fails on the screen and it will be set to 0.0.0.0. But remember how I said that things aren't what they seem? Even though this happens, that public address will still be written to the payload and connect back to the attacker's public IP address from the victim sitting behind their corporate firewall with a private IP address behind a NAT.

Now all that is left is to type exploit and I should be good to go.

Notice above that the handler failed to bind to the public IP address and instead started the reverse handler on 0.0.0.0:4444. This is expected. But the exploit succeeds and I now have a new session called session 2 that has been opened. This is the new elevated session. Let's check this to be sure:

And there you have it.
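From the defending side, the connection described above is an internal host behind NAT opening a TCP session to an external address on port 4444, which egress logs will show. The following is an added example, not part of the original article or of Metasploit: the log format, the allowed-port list and the internal addresses are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 ranges are "internal" for this hypothetical site.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: destination ports clients are expected to use outbound.
ALLOWED_EGRESS_PORTS = {53, 80, 123, 443}

# Constructed sample in a made-up "time action proto src:port -> dst:port" format.
SAMPLE_LOG = """\
2014-05-01T10:00:01Z ALLOW tcp 192.168.1.50:49211 -> 203.0.113.10:443
2014-05-01T10:02:17Z ALLOW tcp 192.168.1.50:49230 -> 74.222.220.166:4444
2014-05-01T10:02:40Z ALLOW tcp 192.168.1.77:50112 -> 192.168.1.10:445
2014-05-01T10:09:03Z ALLOW tcp 192.168.1.50:49302 -> 74.222.220.166:4444
2014-05-01T10:11:45Z DENY tcp 192.168.1.61:51000 -> 203.0.113.9:4444
malformed line that the parser must skip
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return (time, action, src_ip, dst_ip, dst_port), or None if unparsable."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        src = ipaddress.ip_address(parts[3].rsplit(":", 1)[0])
        dst_host, dst_port = parts[5].rsplit(":", 1)
        return parts[0], parts[1], src, ipaddress.ip_address(dst_host), int(dst_port)
    except ValueError:
        return None

def suspicious_egress(log_text, allowed_ports=ALLOWED_EGRESS_PORTS):
    """Group permitted internal-to-external flows on unexpected ports."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, action, src, dst, port = rec
        # Keep only flows that actually left the network on a port outside the allow list.
        if (action == "ALLOW" and is_internal(src) and not is_internal(dst)
                and port not in allowed_ports):
            hits[(str(src), str(dst), port)].append(when)
    return dict(hits)

if __name__ == "__main__":
    for (src, dst, port), times in suspicious_egress(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} count={len(times)} first={times[0]} last={times[-1]}")
```

Repeated hits from one workstation to the same external endpoint within minutes are worth correlating with process-creation logs on that host.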

In this article I introduced you to the new auxiliary/pro/generate_dynamic_stager that replaced the old standalone exploit/pro/windows/dynamic_exe. I demonstrated setting up your Meterpreter payload when dealing with NAT, discussed the dreaded Exploit Failed: Rex::TimeoutError message and, finally, used the bypassuac injection technique to gain elevated privileges. I hope you enjoyed this article. --Happy Hackin'.