Add shellcode_inject post module

[phra]

This module injects an arbitrary shellcode into a target process.
Combined with https://github.com/TheWover/donut it enables arbitrary execution in memory of any kind of executable.

https://twitter.com/phraaaaaaa/status/1179785130539458561
https://twitter.com/phraaaaaaa/status/1181237284345143296

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• Spawn meterpreter
• use post/windows/manage/shellcode_inject
• set session 1
• donut -f mimikatz.exe -a 2 -o /tmp/payload.bin
• set SHELLCODE /tmp/payload.bin
• run
• Mimikatz is interactively executed

[bwatters-r7]

I'm looking at this module, https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/manage/payload_inject.rb, and https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/payload_inject.rb and trying to work out why we need all of them, and how we might be able to consolidate them and reduce code duplication.

From our own definitions, a module that generates a shell should not be a post module; it should be a local exploit, so I'm struggling to see why we have https://github.com/rapid7/metasploit-framework/blame/master/modules/post/windows/manage/payload_inject.rb. I feel like that one should be gone, though it has nothing to do with this module per se. It looks like maybe @wchen-r7 moved it long ago to be in the right place, but the original never got deleted?

After some thought yesterday, I feel like having two modules makes sense, though we should limit code reuse. I think injecting a payload is enough of a different case that it should have its own module in local/exploits, but a more generic version of shellcode_inject, like this should have its own module in post/windows/manage. At the same time, there's a huge amount of code duplication between these modules, and that's unfortunate. I wonder if offloading some of this code to Msf::Post::Windows::Process library would shrink the footprint of both modules and make code maintenance easier.

[phra]

I have added support for injecting the unhook Reflective DLL before the provided shellcode, for more info see 74ae445

[secu77]

Hello! I found a small bug in this module:

If I run the module by setting the PID to 0 (new process), everything works correctly, but when you put another value in the PID != 0 (for example in the process of the meterpreter itself), it skips an exception.

First exception happends in 'run' function because you print process pid attribute before open process (easy fix, y correct on local).

But the Second exception happends at 'inject' function when you try to read process channel. I have try to fix this error but I don't know how channels (core) works on metasploit. If you could help me with these fix this will be great!

Thanks in advance and greetings!

[secu77]

Okay, I was reviewing the previous commits and I've seen changes (precisely fixing what I was warning), I've tried the latest local version and it works perfectly (I understand you won't be able to get the interaction by injecting yourself into your own process), but running it runs correctly!

Thank you very much!

[bwatters-r7]

@phra I PR'd a few changes to try and deduplicate code and standardize checks with the payload_inject module:
phra#3

Let me know what you think

[phra]

reviewed 👍

[bwatters-r7]

Release Notes

This module allows a user to inject arbitrary shellcode into the memory of an existing process on Windows.

[timwr]

@phra we should totally add OSX support
https://rpis.ec/blog/mach_inject_32-writeup/ @CouleeApps

[phra]

nice idea! but does it work on catalina and/or 64-bit?

[CouleeApps]

@phra Nope, that repo is specifically 32-bit. There are already other injection libraries for 64/catalina

[phra]

@CouleeApps thanks for the info.