Execute .net Assembly (x64 only) - Metasploit
This page contains detailed information about how to use the post/windows/manage/execute_dotnet_assembly Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Options
Module options (post/windows/manage/execute_dotnet_assembly):
Name            Current Setting  Required  Description
----            ---------------  --------  -----------
AMSIBYPASS      true             yes       Enable Amsi bypass
ARGUMENTS                        no        Command line arguments
DOTNET_EXE                       yes       Assembly file name
ETWBYPASS       true             yes       Enable Etw bypass
PID             0                no        Pid to inject
PPID            0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
PROCESS         notepad.exe      no        Process to spawn
SESSION                          yes       The session to run this module on.
USETHREADTOKEN  true             no        Spawn process with thread impersonation
WAIT            10               no        Time in seconds to wait
AMSIBYPASS
Enable or disable the AMSI bypass. This parameter is necessary due to the technique used. It is possible that subsequent updates will make the bypass unstable, which could result in a crash. With the parameter set to false, the module continues to work.
ARGUMENTS
Command line arguments. The signature of the Main method must match the parameters that have been set in the module, for example:
- If the property ARGUMENTS is set to "antani sblinda destra", the Main method should be "static void Main(string[] args)".
- If the property ARGUMENTS is set to "", the Main method should be "static void Main()".
DOTNET_EXE
Dotnet Executable to execute
PID
PID of the process to inject into. If it is different from 0, the module does not create a new process but uses the existing process identified by the PID parameter.
PROCESS
Process to spawn when PID is equal to 0.
SESSION
The session to run this module on. It must be a Meterpreter session.
WAIT
Time in seconds to wait before starting to read the output.
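A defender-side check for the behaviour the PROCESS and PID options describe, as an added example that is not part of the module or the original page: because the assembly runs inside a spawned process (default notepad.exe) or an existing one, that process ends up loading the .NET runtime. The code flags CLR module loads in processes that do not normally host .NET. The event fields mimic Sysmon Event ID 7 (ImageLoad); the NATIVE_ONLY list, the helper names and all sample events are assumptions constructed for illustration.

```ruby
# Added example, not part of the module. Sample events are constructed.
CLR_MODULES = %w[clr.dll clrjit.dll mscoree.dll].freeze
# Assumption: images that never host the .NET runtime here; tune per environment.
NATIVE_ONLY = %w[notepad.exe].freeze

# File name of a Windows path, lower-cased for case-insensitive matching.
def basename_win(path)
  path.to_s.split(/[\\\/]/).last.to_s.downcase
end

# One finding per process (keyed by process GUID) whose image is on the
# native-only list but which loaded a CLR module (Sysmon-style Event ID 7).
def unexpected_clr_loads(events, native_only: NATIVE_ONLY)
  hits = Hash.new { |h, k| h[k] = { pid: nil, image: nil, modules: [] } }
  events.each do |ev|
    next unless ev[:event_id] == 7

    image = basename_win(ev[:image])
    mod = basename_win(ev[:image_loaded])
    next unless native_only.include?(image) && CLR_MODULES.include?(mod)

    hit = hits[ev[:process_guid]]
    hit[:pid] = ev[:process_id]
    hit[:image] = image
    hit[:modules] << mod unless hit[:modules].include?(mod)
  end
  hits.map { |guid, hit| hit.merge(process_guid: guid) }
end

NET = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319'
SYS = 'C:\Windows\System32'
# Constructed events: [event_id, process_guid, pid, image, image_loaded]
SAMPLE_EVENTS = [
  [7, '{guid-1}', 4120, "#{SYS}\\notepad.exe", "#{SYS}\\ntdll.dll"],
  [7, '{guid-1}', 4120, "#{SYS}\\notepad.exe", "#{SYS}\\mscoree.dll"],
  [7, '{guid-1}', 4120, "#{SYS}\\notepad.exe", "#{NET}\\clr.dll"],
  [7, '{guid-1}', 4120, "#{SYS}\\notepad.exe", "#{NET}\\CLRJIT.DLL"],
  [7, '{guid-2}', 5300, "#{SYS}\\WindowsPowerShell\\v1.0\\powershell.exe", "#{NET}\\clr.dll"],
  [7, '{guid-3}', 6012, "#{SYS}\\notepad.exe", "#{SYS}\\kernel32.dll"],
  [1, '{guid-4}', 7000, "#{SYS}\\notepad.exe", nil]
].map do |id, guid, pid, img, mod|
  { event_id: id, process_guid: guid, process_id: pid, image: img, image_loaded: mod }
end

unexpected_clr_loads(SAMPLE_EVENTS).each { |f| puts f } if __FILE__ == $PROGRAM_NAME
```

Because PID lets the operator pick any existing process, a fixed list covering only notepad.exe is a starting point; extend NATIVE_ONLY from a baseline of which images load the CLR in your environment.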
Error Messages
- Required dotnet version not present
- Assembly not found
- Target has no .NET framework installed
- CLR required for assembly not installed
- Cannot select the current process as the injection target
- No running processes found on the target host.
- Process <PPID> was not found
- Pid not found
- Session invalid
- Output unavailable
- PID and PPID are mutually exclusive
- Time out exception: wait limit exceeded (5 sec)
Output unavailable
Here is a relevant code snippet related to the "Output unavailable" error message:
  fail_with(Failure::BadConfig, 'Session invalid')
else
  print_status("Running module against #{sysinfo['Computer']}")
end
if datastore['PID'].positive? || datastore['WAIT'].zero? || datastore['PPID'].positive?
  print_warning('Output unavailable')
end

if (datastore['PPID'] != 0) && (datastore['PID'] != 0)
  print_error('PID and PPID are mutually exclusive')
  return false
PID and PPID are mutually exclusive
Here is a relevant code snippet related to the "PID and PPID are mutually exclusive" error message:
if datastore['PID'].positive? || datastore['WAIT'].zero? || datastore['PPID'].positive?
  print_warning('Output unavailable')
end

if (datastore['PPID'] != 0) && (datastore['PID'] != 0)
  print_error('PID and PPID are mutually exclusive')
  return false
end

if datastore['PID'] <= 0
  process, hprocess = launch_process
Time out exception: wait limit exceeded (5 sec)
Here is a relevant code snippet related to the "Time out exception: wait limit exceeded (5 sec)" error message:
      output.split("\n").each { |x| print_good(x) }
    end
    break if output.nil? || output.empty?
  end
rescue Rex::TimeoutError => _e
  vprint_warning('Time out exception: wait limit exceeded (5 sec)')
rescue ::StandardError => e
  print_error("Exception: #{e.inspect}")
end

client.response_timeout = old_timeout
Exception: <E.INSPECT>
Here is a relevant code snippet related to the "Exception: <E.INSPECT>" error message:
      break if output.nil? || output.empty?
    end
  rescue Rex::TimeoutError => _e
    vprint_warning('Time out exception: wait limit exceeded (5 sec)')
  rescue ::StandardError => e
    print_error("Exception: #{e.inspect}")
  end

  client.response_timeout = old_timeout
  print_status('End output.')
end
Related Pull Requests
- #14806 Merged Pull Request: Rubocop recently landed modules continued
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #14304 Merged Pull Request: execute_dotnet_assembly fix parameters managing
- #13279 Merged Pull Request: execute_dotnet_assembly Some fix for rubocop verification
- #13261 Merged Pull Request: Rubocop recently landed modules
- #12405 Merged Pull Request: Add execute_assembly post module
See Also
Check also the following modules related to this module:
- post/windows/manage/add_user
- post/windows/manage/archmigrate
- post/windows/manage/change_password
- post/windows/manage/clone_proxy_settings
- post/windows/manage/delete_user
- post/windows/manage/dell_memory_protect
- post/windows/manage/download_exec
- post/windows/manage/driver_loader
- post/windows/manage/enable_rdp
- post/windows/manage/enable_support_account
- post/windows/manage/exec_powershell
- post/windows/manage/forward_pageant
- post/windows/manage/hashcarve
- post/windows/manage/ie_proxypac
- post/windows/manage/inject_ca
- post/windows/manage/inject_host
- post/windows/manage/install_python
- post/windows/manage/install_ssh
- post/windows/manage/killav
- post/windows/manage/migrate
- post/windows/manage/mssql_local_auth_bypass
- post/windows/manage/multi_meterpreter_inject
- post/windows/manage/nbd_server
- post/windows/manage/peinjector
- post/windows/manage/persistence_exe
- post/windows/manage/portproxy
- post/windows/manage/pptp_tunnel
- post/windows/manage/priv_migrate
- post/windows/manage/pxeexploit
- post/windows/manage/reflective_dll_inject
- post/windows/manage/remove_ca
- post/windows/manage/remove_host
- post/windows/manage/rid_hijack
- post/windows/manage/rollback_defender_signatures
- post/windows/manage/rpcapd_start
- post/windows/manage/run_as
- post/windows/manage/run_as_psh
- post/windows/manage/sdel
- post/windows/manage/shellcode_inject
- post/windows/manage/sshkey_persistence
- post/windows/manage/sticky_keys
- post/windows/manage/vmdk_mount
- post/windows/manage/vss
- post/windows/manage/vss_create
- post/windows/manage/vss_list
- post/windows/manage/vss_mount
- post/windows/manage/vss_set_storage
- post/windows/manage/vss_storage
- post/windows/manage/wdigest_caching
- post/windows/manage/webcam
Authors
b4rtik
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.