From 0f37bbe78ec0f167358785741ce0b81016a83674 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Tue, 2 Jul 2013 14:33:15 -0500
Subject: [PATCH 1/2] Add has_pid? function [SeeRM:#8123]

- Add commonly used function has_pid?. Related to redmine issue 8123.
---
 lib/msf/core/post/common.rb | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb
index f923b29ee0..46bc41ef37 100644
--- a/lib/msf/core/post/common.rb
+++ b/lib/msf/core/post/common.rb
@@ -7,6 +7,30 @@ class Post
 module Common
+
+ #
+ # Checks if the remote machine has the process ID we want
+ #
+ def has_pid?(pid)
+ pid_list = []
+ case client.type
+ when /meterpreter/
+ pid_list = client.sys.process.processes.collect {|e| e['pid']}
+ when /shell/
+ if client.platform =~ /win/
+ o = cmd_exec('tasklist /FO LIST')
+ pid_list = o.scan(/^PID:\s+(\d+)/).flatten
+ else
+ o = cmd_exec('ps ax')
+ pid_list = o.scan(/^\s*(\d+)/).flatten
+ end
+
+ pid_list = pid_list.collect {|e| e.to_i}
+ end
+
+ pid_list.include?(pid)
+ end
+
 #
 # Executes +cmd+ on the remote system
 #

From a74f706bdb5a96d43fddb4c55c66ae2431950a64 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Tue, 2 Jul 2013 14:48:04 -0500
Subject: [PATCH 2/2] These modules should check PID before using it

---
 modules/post/windows/capture/keylog_recorder.rb | 10 ++++++----
 modules/post/windows/manage/migrate.rb | 6 +++++-
 modules/post/windows/manage/payload_inject.rb | 5 ++++-
 modules/post/windows/manage/reflective_dll_inject.rb | 5 ++++-
 4 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/modules/post/windows/capture/keylog_recorder.rb b/modules/post/windows/capture/keylog_recorder.rb
index b1f1b0857b..bf615ec89b 100644
--- a/modules/post/windows/capture/keylog_recorder.rb
+++ b/modules/post/windows/capture/keylog_recorder.rb
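Review bot: `pid_list.include?(pid)` on the last line of has_pid? is an exact Integer comparison, while the shell branches coerce the parsed list with `to_i` and the meterpreter branch uses whatever `e['pid']` holds; if a caller hands in the option value as a String (e.g. `"1234"`) or nil the lookup is always false and a real PID gets refused, and a zero PID will most likely be reported as present on Windows, where the process listing typically contains the idle/system process as PID 0. Validate and normalise the argument before the case: `return false unless pid.to_s =~ /\A\d+\z/` at the top, and `pid_list.include?(pid.to_i)` at the end. The answer is also only a snapshot: the process can exit between this enumeration and the caller's migrate or inject call, so callers still have to handle failure of that operation. The two parsers assume an English `tasklist /FO LIST` label and a `ps ax` that prints the PID in the first column, and the method silently returns false for any other session type; a short comment above the `when /shell/` branch stating those assumptions would save the next reader a trip to the target.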
@@ -9,11 +9,13 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/post/file'
 require 'msf/core/post/windows/priv'
+require 'msf/core/post/common'
 class Metasploit3 < Msf::Post
 include Msf::Post::Windows::Priv
 include Msf::Post::File
+ include Msf::Post::Common
 def initialize(info={})
 super( update_info( info,
@@ -61,10 +63,10 @@ class Metasploit3 < Msf::Post
 when "winlogon"
 process_migrate(datastore['CAPTURE_TYPE'],datastore['LOCKSCREEN'])
 when "pid"
- if datastore['PID']
+ if datastore['PID'] and has_pid?(datastore['PID'])
 pid_migrate(datastore['PID'])
 else
- print_error("If capture type is pid you must provide one")
+ print_error("If capture type is pid you must provide a valid one")
 return
 end
 end
@@ -124,8 +126,8 @@ class Metasploit3 < Msf::Post
 # Method for migrating in to a PID
 def pid_migrate(pid)
 print_status("\tMigrating into #{pid}...")
- session.core.migrate(pid)
- print_status("Migration successful!")
+ session.core.migrate(pid)
+ print_status("Migration successful!")
 end
 # Method for starting the keylogger
diff --git a/modules/post/windows/manage/migrate.rb b/modules/post/windows/manage/migrate.rb
index 4e4a84d250..01474619cc 100644
--- a/modules/post/windows/manage/migrate.rb
+++ b/modules/post/windows/manage/migrate.rb
@@ -7,9 +7,12 @@
 require 'msf/core'
 require 'rex'
+require 'msf/core/post/common'
 class Metasploit3 < Msf::Post
+ include Msf::Post::Common
+
 def initialize(info={})
 super( update_info( info,
 'Name' => 'Windows Manage Process Migration',
@@ -34,6 +37,7 @@ class Metasploit3 < Msf::Post
 # Run Method for when run command is issued
 def run
 print_status("Running module against #{sysinfo['Computer']}")
+
 server = session.sys.process.open
 original_pid = server.pid
 print_status("Current server process: #{server.name} (#{server.pid})")
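Review bot: `has_pid?(datastore['PID'])` in the new `when "pid"` condition only establishes that a process with that ID existed when the list was taken; it says nothing about whether this session may migrate into it (another user's process, a higher integrity level, a protected process) and the target can exit before the call is made. `pid_migrate`, whose definition lies outside this hunk, still calls `session.core.migrate(pid)` with no rescue, so such a failure surfaces as a raw exception rather than a module error; wrap that call in a `begin`/`rescue` that does `print_error("Migration into #{pid} failed: #{e}")` and returns. The reworded message also no longer tells the operator whether PID was unset or simply not found; `print_error("PID #{datastore['PID'].inspect} not found on the target")` in the else branch would make the distinction visible.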
@@ -49,7 +53,7 @@ class Metasploit3 < Msf::Post
 target_pid = session.sys.process[datastore['NAME']]
 end
- if not target_pid
+ if not target_pid or not has_pid?(target_pid)
 print_error("Process or PID not found")
 return
 end
diff --git a/modules/post/windows/manage/payload_inject.rb b/modules/post/windows/manage/payload_inject.rb
index 40b5e33190..e348704ba1 100644
--- a/modules/post/windows/manage/payload_inject.rb
+++ b/modules/post/windows/manage/payload_inject.rb
@@ -7,9 +7,12 @@
 require 'msf/core'
 require 'rex'
+require 'msf/core/post/common'
 class Metasploit3 < Msf::Post
+ include Msf::Post::Common
+
 def initialize(info={})
 super( update_info( info,
 'Name' => 'Windows Manage Memory Payload Injection Module',
@@ -62,7 +65,7 @@ class Metasploit3 < Msf::Post
 opts = datastore['OPTIONS']
 # Create payload
 payload = create_payload(pay_name,lhost,lport,opts)
- if pid == 0
+ if pid == 0 or not has_pid?(pid)
 pid = create_temp_proc(payload)
 end
 if payload.arch.join =~ /64/ and client.platform =~ /x86/
diff --git a/modules/post/windows/manage/reflective_dll_inject.rb b/modules/post/windows/manage/reflective_dll_inject.rb
index 7f9a39ab2e..8dd6fb9449 100644
--- a/modules/post/windows/manage/reflective_dll_inject.rb
+++ b/modules/post/windows/manage/reflective_dll_inject.rb
@@ -7,9 +7,12 @@
 require 'msf/core'
 require 'rex'
+require 'msf/core/post/common'
 class Metasploit3 < Msf::Post
+ include Msf::Post::Common
+
 def initialize(info={})
 super( update_info( info,
 'Name' => 'Windows Manage Reflective DLL Injection Module',
@@ -73,7 +76,7 @@ class Metasploit3 < Msf::Post
 return
 end
- if pid.nil? or pid == 0
+ if pid.nil? or not has_pid?(pid)
 print_error("Invalid PID.")
 return
 end
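Review bot: `if pid == 0 or not has_pid?(pid)` in payload_inject.rb turns an operator-supplied PID that does not exist into a silent fallback to `create_temp_proc(payload)`, so a typo or a stale PID spawns a brand-new process on the target — a process-creation event nobody asked for — instead of failing. Keep the fallback for the explicit `pid == 0` request only and report the other case before the existing block: `if pid != 0 and not has_pid?(pid)` / `print_error("PID #{pid} not found on the target"); return` / `end`. The enclosing method starts and ends outside this hunk.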
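Review bot: The new guard in reflective_dll_inject.rb, `if pid.nil? or not has_pid?(pid)`, drops the explicit `pid == 0` rejection the removed line carried, and a Windows process listing typically contains PID 0 (the idle/system process), so a zero PID that the module previously refused now most likely passes this check and reaches the injection code, where it can only fail later. Keep both conditions: `if pid.nil? or pid == 0 or not has_pid?(pid)`. The enclosing method continues outside this hunk.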