Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/b4rtik/metasploit-execute-assembly

Custom Metasploit post module to executing a .NET Assembly from Meterpreter session
https://github.com/b4rtik/metasploit-execute-assembly

Last synced: 21 days ago
JSON representation

Custom Metasploit post module to executing a .NET Assembly from Meterpreter session

Awesome Lists containing this project

README

        

# Execute assembly via Meterpreter session

This is a custom Metasploit post module to execute a .NET Assembly from Meterpreter session

This project target

Windows 10 64bit

.Net 4.0

Metasploit Framework 5

It spawn a process (or use an existing process providing pid) and use Reflective dll injection to load HostingCLRx64.dll needed to run .Net assembly
The unmanaged injected dll takes care of verifying if the process has already loaded the clr, and loads it if necessary. The version of the CLR to be loaded is determined by executing the parsing of the assembly provided searching for a known signature. Then run the assembly from memory.
Before loading the assembly in the context of the clr, Amsi is bypassed using the [AmsiScanBuffer patching technique](https://rastamouse.me/2018/10/amsiscanbuffer-bypass-part-1/)

You'll find details at [Execute assembly via Meterpreter session](https://b4rtik.github.io/posts/execute-assembly-via-meterpreter-session/) and [Execute assembly via Meterpreter session - Part 2](https://b4rtik.github.io/posts/execute-assembly-via-meterpreter-session-part-2/)

## Install

Create $HOME/.msf4/modules/post/windows/manage

Copy execute-assembly.rb in $HOME/.msf4/modules/post/windows/manage/

Create $HOME-METASPLOIT-DATADIR/execute-assembly

Copy HostingCLRx64.dll in $HOME-METASPLOIT-DATADIR/post/execute-assembly/

## Module options and execution

```
Module options (post/windows/manage/execute_assembly):

Name Current Setting Required Description
---- --------------- -------- -----------
AMSIBYPASS true yes Enable Amsi bypass
ARGUMENTS no Command line arguments
ASSEMBLY yes Assembly file name
ASSEMBLYPATH no Assembly directory
ETWBYPASS true yes Enable Etw bypass
PID 0 no Pid to inject
PPID 0 no Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
PROCESS notepad.exe no Process to spawn
SESSION yes The session to run this module on.
USETHREADTOKEN true no Spawn process with thread impersonation
WAIT 10 no Time in seconds to wait

Module advanced options (post/windows/manage/execute_assembly):

Name Current Setting Required Description
---- --------------- -------- -----------
KILL false yes Kill the injected process at the end of the task
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module

```

AMSIBYPASS

Enable or Disable Amsi bypass. This parameter is necessary due to the technique used. It is possible that subsequent updates will make the bypass unstable which could result in a crash. By setting the parameter to false the module continues to work.

ARGUMENTS

Command line arguments. The signature of the Main method must match with the parameters that have been set in the module, for example:

If the property ARGUMENTS is set to "antani sblinda destra" the main method should be "static void main (string [] args)"

If the property ARGUMENTS is set to "" the main method should be "static void main ()"

ASSEMBLY

Assembly file name. This will be searched in ASSEMBLYPATH

ASSEMBLYPATH

Assembly directory where to serach ASSEMBLY

ETWBYPASS

Enable or Disable Etw bypass. This parameter is necessary due to the technique used. It is possible that subsequent updates will make the bypass unstable which could result in a crash. By setting the parameter to false the module continues to work.

PID

Pid to inject. If different from 0 the module does not create a new process but uses the existing process identified by the PID parameter.

PPID

Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)

PROCESS

Process to spawn when PID is equal to 0.

SESSION

The session to run this module on. Must be meterpreter session

USETHREADTOKEN

Spawn process with thread impersonation

WAIT

Time in seconds to wait before starting to read the output.

KILL

Kill the injected process at the end of the task

```
msf post(windows/manage/execute-assembly) > exploit

[*] Launching notepad to host CLR...
[+] Process 4708 launched.
[*] Reflectively injecting the Host DLL into 4708...
[*] Injecting Host into 4708...
[*] Host injected. Copy assembly into 4708...
[*] Assembly copied. Executing...
[*] Start reading output
[+]
[+] .#####. mimikatz 2.1.1 (x64) built on Oct 22 2018 16:32:27
[+] .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
[+] ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
[+] ## \ / ## > http://blog.gentilkiwi.com/mimikatz
[+] '## v ##' Vincent LE TOUX ( [email protected] )
[+] '#####' > http://pingcastle.com / http://mysmartlogon.com ***/
[+]
[+] mimikatz(powershell) # coffee
[+]
[+] ( (
[+] ) )
[+] .______.
[+] | |]
[+] \ /
[+] `----'
[+]
[*] End output.
[+] Killing process 4708
[+] Execution finished.
[*] Post module execution completed
msf post(windows/manage/execute-assembly) >
```