carnal0wnage [Shared Reader]

Friday, July 26, 2013

Metasploit Standalone psexec

mubix has a great post here on using the standalone psexec in the tools folder for metasploit.

couple of notes since i had to use it this week.

1.  its now librex instead of rex that should save you a few minutes of debugging the cant find rex/proto error :-)

2. make sure you comment out the stuff Rob mentions to  here:

3. the ocra stuff works as described.

4. the exe option is important as the metasploit psexec doesn't behave like sysinternals psexec.

The exe needs to be a service binary, so you cant just call cmd.exe like you can with the sysinternals psexec.
Normally metasploit uploads a service binary that kicks off your msf payload so in this case you need a binary that behaves like a service. Rob gives us a hint with the one he uses in the example (adduser.exe).

so find yourself a service bin to do whatever it is you want it to do and use that with your standalone psexec. I ended up using an exe that made a local admin user and then used that for follow on stuff, not optimal but was in a tight spot (hence using the standalone psexec to start with)

yup i stole mubix's pictures...he said it was ok.



egypt said...

You can use an executable without the Service* calls if you use a payload with PrependMigrate=true, which will spawn a new rundll32.exe process and migrate into it before the service manager kills the original process. The downside is that getting killed leaves an entry in the eventlog that's different from what you get with a regular service start.

agix said...

Why not adding service stuff shellcode behind classic one to transform any binary into a valid service one ? A pull request is still waiting ;)

Marqo09 said...

Used this same technique last week and works like charm sans the opsec issues. Kudos for making this more publicly known.