Agent Auto Injection

In certain situations, the process in which the agent is currently executing has a limited lifetime. For instance, when exploiting client-side vulnerabilities in Internet Explorer (IE), it is fairly common for IE to stop responding. This typically causes the user to restart IE, thereby killing the deployed agent. Similarly, if the user finishes using the application that was exploited, he or she might close it, once again killing the deployed agent.

To accommodate these cases, Core Impact includes functionality to allow the agent to escape to an alternate process in the exploited host after successful exploitation. This functionality is known as agent auto injection.

Technical Details

Agent auto injection is implemented within the exploitlib library in the agentEscape() method. This method runs right after a client-side exploit has added the agent to the database. The agentEscape() method:

  1. Enumerates running processes on the compromised host.
  2. Searches for the PIDs of explorer.exe by default.
  3. Injects a new agent into the process found in the previous step. This new agent connects directly to the source agent (i.e., it doesn't chain with the existing agent) using the same connection method used by the original agent ("HTTP Tunnel" in client-side exploits).
  4. Disconnects and terminates the original agent once a connection with the second agent is established.

As mentioned in step 2, the agent will search for explorer.exe by default. This is specified within the exploit.py file located in %ProgramData%\IMPACT\components\modules\exploits\site-packages\impact\exploitlib, and can be edited to include any other preferred destination processes.

The list is defined within the escapeToProcesses attribute in the Exploit.__init__() method as follows:

self.escapeToProcesses = [ 'explorer.exe', 'svchost.exe', 'iexplore.exe' ]

If you escape to a system process, the agent will not be able to determine the local user's proxy settings (if needed).
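From the defender's side, the escape described above shows up as a cross-process thread creation from the exploited client application into one of the configured destination processes. The following is an added detection example, not Core Impact's code: it runs a simple check over constructed records in the shape of Sysmon Event ID 8 (CreateRemoteThread), reduced to the fields the check needs, and flags injections whose target is in the default escapeToProcesses list. The KNOWN_INJECTORS allow-list is a hypothetical tuning knob.

```python
import ntpath

# Default destination processes, as listed in exploit.py on this page.
ESCAPE_TO_PROCESSES = ['explorer.exe', 'svchost.exe', 'iexplore.exe']

# Hypothetical allow-list of images that legitimately create remote threads.
KNOWN_INJECTORS = {'csrss.exe'}

# Constructed sample records modelled on Sysmon Event ID 8 (CreateRemoteThread).
# Only the fields used below are kept; this is not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 8, "source_pid": 4120,
     "source_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "target_pid": 1844, "target_image": r"C:\Windows\explorer.exe"},
    {"event_id": 8, "source_pid": 900,           # thread created in own process
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_pid": 900, "target_image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 1, "source_pid": 1844,          # process creation, not a remote thread
     "source_image": r"C:\Windows\explorer.exe",
     "target_pid": 5012, "target_image": r"C:\Windows\System32\notepad.exe"},
    {"event_id": 8, "source_pid": 512,           # allow-listed system injector
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_pid": 1844, "target_image": r"C:\Windows\Explorer.EXE"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path (case-insensitive match)."""
    return ntpath.basename(path).lower()


def find_escape_candidates(events, targets=ESCAPE_TO_PROCESSES, allow=KNOWN_INJECTORS):
    """Return (source_pid, source_name, target_pid, target_name) for every
    CreateRemoteThread record whose target is a configured escape process,
    skipping threads a process creates in itself and allow-listed injectors."""
    wanted = {t.lower() for t in targets}
    alerts = []
    for ev in events:
        if ev["event_id"] != 8:
            continue
        src, dst = image_name(ev["source_image"]), image_name(ev["target_image"])
        if dst not in wanted or ev["source_pid"] == ev["target_pid"] or src in allow:
            continue
        alerts.append((ev["source_pid"], src, ev["target_pid"], dst))
    return alerts


if __name__ == "__main__":
    for alert in find_escape_candidates(SAMPLE_EVENTS):
        print("possible agent escape: %d (%s) -> %d (%s)" % alert)
```

On the constructed sample only the iexplore.exe to explorer.exe record is reported; a real deployment would feed the function from the host's event log instead of the embedded list.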