
Add shellcode_inject post module #12391

Merged
merged 8 commits into from Dec 12, 2019

Conversation

@phra
Contributor

@phra phra commented Oct 3, 2019

This module injects an arbitrary shellcode into a target process.
Combined with https://github.com/TheWover/donut it enables the in-memory execution of any kind of executable.

https://twitter.com/phraaaaaaa/status/1179785130539458561
https://twitter.com/phraaaaaaa/status/1181237284345143296

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Spawn meterpreter
  • use post/windows/manage/shellcode_inject
  • set session 1
  • donut -f mimikatz.exe -a 2 -o /tmp/payload.bin
  • set SHELLCODE /tmp/payload.bin
  • run
  • Mimikatz is interactively executed


This module injects an arbitrary shellcode into a target process.
@bwatters-r7
Contributor

@bwatters-r7 bwatters-r7 commented Oct 8, 2019

I'm looking at this module, https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/manage/payload_inject.rb, and https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/payload_inject.rb and trying to work out why we need all of them, and how we might be able to consolidate them and reduce code duplication.

From our own definitions, a module that generates a shell should not be a post module; it should be a local exploit, so I'm struggling to see why we have https://github.com/rapid7/metasploit-framework/blame/master/modules/post/windows/manage/payload_inject.rb. I feel like that one should be gone, though it has nothing to do with this module per se. It looks like maybe @wchen-r7 moved it long ago to be in the right place, but the original never got deleted?

After some thought yesterday, I feel like having two modules makes sense, though we should limit code reuse. I think injecting a payload is enough of a different case that it should have its own module in local/exploits, but a more generic version of shellcode_inject, like this should have its own module in post/windows/manage. At the same time, there's a huge amount of code duplication between these modules, and that's unfortunate. I wonder if offloading some of this code to Msf::Post::Windows::Process library would shrink the footprint of both modules and make code maintenance easier.

The module will now first inject the unhook dll and then the provided shellcode.
@phra
Contributor Author

@phra phra commented Oct 10, 2019

I have added support for injecting the unhook Reflective DLL before the provided shellcode, for more info see 74ae445

@bwatters-r7 bwatters-r7 removed their assignment Oct 24, 2019
@bwatters-r7 bwatters-r7 self-assigned this Nov 21, 2019
@secu77

@secu77 secu77 commented Dec 2, 2019

Hello! I found a small bug in this module:

If I run the module with the PID set to 0 (new process), everything works correctly, but when you put another value in PID != 0 (for example the PID of the meterpreter process itself), it raises an exception.

(screenshot: error_launch_meterpreter)

The first exception happens in the 'run' function because you print the process pid attribute before opening the process (easy fix, I corrected it locally).

(screenshot: first_exception)

But the second exception happens in the 'inject' function when you try to read the process channel. I have tried to fix this error but I don't know how channels (core) work in Metasploit. If you could help me with this fix, that would be great!

(screenshot: second_exception)

Thanks in advance and greetings!

@secu77

@secu77 secu77 commented Dec 2, 2019

Okay, I was reviewing the previous commits and I've seen changes (precisely fixing what I was warning about). I've tried the latest local version and it works perfectly (I understand you won't be able to get the interaction when injecting into your own process), and it runs correctly!

Thank you very much!

(screenshot: solved_autoinyect)

@bwatters-r7
Contributor

@bwatters-r7 bwatters-r7 commented Dec 4, 2019

@phra I PR'd a few changes to try and deduplicate code and standardize checks with the payload_inject module:
phra#3

Let me know what you think

@phra
Contributor Author

@phra phra commented Dec 4, 2019

reviewed 👍

Inject shellcode changes
bwatters-r7 added a commit that referenced this issue Dec 12, 2019
Merge branch 'land-12391' into upstream-master
@bwatters-r7 bwatters-r7 merged commit e11f64f into rapid7:master Dec 12, 2019
3 checks passed
msjenkins-r7 added a commit that referenced this issue Dec 12, 2019
Merge branch 'land-12391' into upstream-master
@bwatters-r7
Contributor

@bwatters-r7 bwatters-r7 commented Dec 12, 2019

Release Notes

This module allows a user to inject arbitrary shellcode into the memory of an existing process on Windows.

@timwr
Contributor

@timwr timwr commented Mar 2, 2020

@phra
Contributor Author

@phra phra commented Mar 2, 2020

Nice idea! But does it work on Catalina and/or 64-bit?

@CouleeApps

@CouleeApps CouleeApps commented Mar 2, 2020

@phra Nope, that repo is specifically 32-bit. There are already other injection libraries for 64/catalina

@phra
Contributor Author

@phra phra commented Mar 2, 2020

@CouleeApps thanks for the info.
