Execute .net Assembly (x64 only) - Metasploit


This page contains detailed information about how to use the post/windows/manage/execute_dotnet_assembly Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.


Options


Module options (post/windows/manage/execute_dotnet_assembly):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   AMSIBYPASS      true             yes       Enable Amsi bypass
   ARGUMENTS                        no        Command line arguments
   DOTNET_EXE                       yes       Assembly file name
   ETWBYPASS       true             yes       Enable Etw bypass
   PID             0                no        Pid  to inject
   PPID            0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
   PROCESS         notepad.exe      no        Process to spawn
   SESSION                          yes       The session to run this module on.
   USETHREADTOKEN  true             no        Spawn process with thread impersonation
   WAIT            10               no        Time in seconds to wait


AMSIBYPASS

Enable or disable the AMSI bypass. The bypass depends on the technique used by the module and on the exact code it targets in the process, so a future Windows update could make it unstable and crash the target process. Setting the parameter to false disables the bypass and the module keeps working; the assembly is then subject to AMSI scanning when it is loaded.

ETWBYPASS

Enable or disable the ETW bypass. The same caveat as for AMSIBYPASS applies: if a future update makes the bypass unstable, set the parameter to false and the module keeps working, at the cost of ETW telemetry being emitted for the assembly.

ARGUMENTS

Command line arguments. The signature of the assembly's entry point must match the way the parameter is set in the module, for example:

If the property ARGUMENTS is set to "antani sblinda destra", the entry point should be "static void Main(string[] args)".
If the property ARGUMENTS is set to "" (empty), the entry point should be "static void Main()".
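As an added example (this is not code from the page, the module, or its author), here is a small C# assembly whose Main signature matches a non-empty ARGUMENTS value. It echoes its arguments and reports which process and identity it is running under, which is the quickest way to confirm whether the assembly landed in the process the module spawned or in the PID you injected into. The assembly name, file paths and the msfconsole session number are assumptions.

```csharp
// Added example, not part of the module: a minimal x64 .NET assembly for
// exercising post/windows/manage/execute_dotnet_assembly.
//
// Build on a Windows host with the .NET Framework compiler, targeting x64
// because the module is x64 only (paths are assumptions):
//   csc.exe /target:exe /platform:x64 /out:EchoArgs.exe EchoArgs.cs
//
// Then, from msfconsole (session number and path are assumptions):
//   use post/windows/manage/execute_dotnet_assembly
//   set SESSION 1
//   set DOTNET_EXE /tmp/EchoArgs.exe
//   set ARGUMENTS "antani sblinda destra"
//   run
using System;
using System.Diagnostics;
using System.Security.Principal;

namespace EchoArgs
{
    class Program
    {
        // Main(string[] args) matches a non-empty ARGUMENTS setting.
        // If ARGUMENTS is left empty, change this to "static void Main()"
        // with no parameters, as the page requires.
        static void Main(string[] args)
        {
            // Be defensive in case the host calls the entry point with null.
            args = args ?? new string[0];

            Process proc = Process.GetCurrentProcess();

            // Everything is written to stdout. The module only collects it
            // when it spawned the host process itself (PID = 0, PPID = 0 and
            // WAIT > 0); otherwise it prints "Output unavailable".
            Console.WriteLine("[EchoArgs] host process: {0} (PID {1}, 64-bit: {2})",
                proc.ProcessName, proc.Id, Environment.Is64BitProcess);
            Console.WriteLine("[EchoArgs] running as: {0}",
                WindowsIdentity.GetCurrent().Name);
            Console.WriteLine("[EchoArgs] argument count: {0}", args.Length);

            for (int i = 0; i < args.Length; i++)
            {
                Console.WriteLine("[EchoArgs] args[{0}] = {1}", i, args[i]);
            }
        }
    }
}
```

With the settings in the comment header the module spawns PROCESS (notepad.exe by default), loads the assembly into it and, after WAIT seconds, prints the three argument lines. If you instead set PID to an existing process, the assembly still runs but nothing is printed back, so when testing injection into an existing process have the assembly write to a file or a network endpoint rather than stdout.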

DOTNET_EXE

The .NET executable (assembly) to execute. The module reads the file itself, so this is a path on the Metasploit host, not on the target.

PID

PID to inject into. If different from 0, the module does not create a new process but uses the existing process identified by the PID parameter. Output cannot be collected in this mode.

PPID

Process identifier to use as the parent when the module spawns a new process (parent PID spoofing); 0 disables spoofing. PPID cannot be combined with PID, and output cannot be collected when it is set.

PROCESS

Process to spawn when PID is equal to 0.

SESSION

The session to run this module on. Must be a Meterpreter session on a 64-bit Windows target.

USETHREADTOKEN

Spawn the new process using the current thread's impersonation token (for example after impersonating or stealing a token) rather than the token of the Meterpreter process.

WAIT

Time in seconds to wait before starting to read the output. Setting WAIT to 0 disables output collection and the module prints "Output unavailable".

Output unavailable


Here is a relevant code snippet related to the "Output unavailable" error message. It is a warning, not a failure: the module does not collect the assembly's output when injecting into an existing process (PID greater than 0), when PPID spoofing is enabled (PPID greater than 0), or when WAIT is 0, and in those cases it still runs the assembly:

193:	      fail_with(Failure::BadConfig, 'Session invalid')
194:	    else
195:	      print_status("Running module against #{sysinfo['Computer']}")
196:	    end
197:	    if datastore['PID'].positive? || datastore['WAIT'].zero? || datastore['PPID'].positive?
198:	      print_warning('Output unavailable')
199:	    end
200:	
201:	    if (datastore['PPID'] != 0) && (datastore['PID'] != 0)
202:	      print_error('PID and PPID are mutually exclusive')
203:	      return false

PID and PPID are mutually exclusive


Here is a relevant code snippet related to the "PID and PPID are mutually exclusive" error message. Set only one of PID (inject into an existing process) or PPID (spawn a new process with a spoofed parent); when both are non-zero the module aborts:

197:	    if datastore['PID'].positive? || datastore['WAIT'].zero? || datastore['PPID'].positive?
198:	      print_warning('Output unavailable')
199:	    end
200:	
201:	    if (datastore['PPID'] != 0) && (datastore['PID'] != 0)
202:	      print_error('PID and PPID are mutually exclusive')
203:	      return false
204:	    end
205:	
206:	    if datastore['PID'] <= 0
207:	      process, hprocess = launch_process

Time out exception: wait limit exceeded (5 sec)


Here is a relevant code snippet related to the "Time out exception: wait limit exceeded (5 sec)" error message. It is raised while reading the assembly's output and is emitted with vprint_warning, so it is only shown when VERBOSE is set to true:

275:	          output.split("\n").each { |x| print_good(x) }
276:	        end
277:	        break if output.nil? || output.empty?
278:	      end
279:	    rescue Rex::TimeoutError => _e
280:	      vprint_warning('Time out exception: wait limit exceeded (5 sec)')
281:	    rescue ::StandardError => e
282:	      print_error("Exception: #{e.inspect}")
283:	    end
284:	
285:	    client.response_timeout = old_timeout

Exception: <exception details>


Here is a relevant code snippet related to the "Exception: <exception details>" error message. The placeholder is filled with the inspected Ruby exception (e.inspect), so the exact text depends on the error raised while reading the output:

277:	        break if output.nil? || output.empty?
278:	      end
279:	    rescue Rex::TimeoutError => _e
280:	      vprint_warning('Time out exception: wait limit exceeded (5 sec)')
281:	    rescue ::StandardError => e
282:	      print_error("Exception: #{e.inspect}")
283:	    end
284:	
285:	    client.response_timeout = old_timeout
286:	    print_status('End output.')
287:	  end

Authors


b4rtik

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
