Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

after migrate explorer.exe, how to emergency #18498

Open
freedom-wy opened this issue Nov 1, 2023 · 2 comments
Open

after migrate explorer.exe, how to emergency #18498

freedom-wy opened this issue Nov 1, 2023 · 2 comments
Labels
confirmed Issues confirmed by a committer question Questions about Metasploit Usage

Comments

@freedom-wy
Copy link

freedom-wy commented Nov 1, 2023
edited
Loading

hi
i am a emergency response engineer,I did an experiment

I generated the Trojan through kali metasploit and executed it in win7.
The PID after execution was 2001,
In kali I execute
ps | grep explorer.exe
result is 2890,
I executed
migrate 2890
then I checked
netstat -ano
and I could see that the PID was 2001 network connection,But process 2001 is dead
I cannot see the network connection with PID 2890.

at kali,i execute
getpid
result is 2890

How should I emergency in this case? Restart the server?
@freedom-wy freedom-wy added the question Questions about Metasploit Usage label Nov 1, 2023
@adfoster-r7 adfoster-r7 added the confirmed Issues confirmed by a committer label Nov 21, 2023
@adfoster-r7
Copy link
Contributor

adfoster-r7 commented Nov 21, 2023
edited
Loading

Confirmed; Created a Meterpreter session:

We start of as pid 1360:

meterpreter > getpid
Current pid: 1360

Migrating to spooler:

meterpreter > migrate 1708
[*] Migrating from 1360 to 1708...
[*] Migration completed successfully.

netstat shows the 1360 is still connected:

c:\metasploit-framework>netstat -ano | findstr 1708
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1708
  TCP    [::]:49667             [::]:0                 LISTENING       1708

c:\metasploit-framework>netstat -ano | findstr 1360
  TCP    192.168.123.132:49706  192.168.1.178:4444     ESTABLISHED     1360

But the original process is dead:

C:\Users\vagrant>tasklist | findstr 1708
spoolsv.exe                   1708 Services                   0     17,824 K

C:\Users\vagrant>tasklist | findstr 1360

I'm not sure if this is a bug or feature without code diving, maybe @zeroSteiner happens to know the answer without digging into things 🤞

@zeroSteiner
Copy link
Contributor

Assuming that the reverse_tcp or bind_tcp stager is in use, I would guess that it's due to migrate duplicating the socket with WSADuplicateSocketA in server_transport_tcp.c#L847. The socket is probably marked as owned by the original process that created it before it was duplicated as part of the migration process. I don't think this is a bug and from my understanding of the question, nothing is broken. It's just undocumented how the transport socket is reported via netstat.

If your objective is to make the socket look like it's from the process that Meterpreter is running in, then sleep would probably do the trick by closing it for a couple of seconds and then reopening it in. That'd cause the socket to be closed and reopened so it'd be accurate until the Meterpreter migrates again.

If your objective is to find the process that Meterpreter is actually running in from the socket, maybe looking at the open handles with something like Process Hacker might help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
confirmed Issues confirmed by a committer question Questions about Metasploit Usage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zeroSteiner @freedom-wy @adfoster-r7