
Add shellcode_inject post module #12391

Open
wants to merge 3 commits into
base: master
from

Conversation

@phra
Contributor

commented Oct 3, 2019

This module injects arbitrary shellcode into a target process.
Combined with https://github.com/TheWover/donut, it enables in-memory execution of any kind of executable.

https://twitter.com/phraaaaaaa/status/1179785130539458561
https://twitter.com/phraaaaaaa/status/1181237284345143296

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Spawn meterpreter
  • use post/windows/manage/shellcode_inject
  • set session 1
  • donut -f mimikatz.exe -a 2 -o /tmp/payload.bin
  • set SHELLCODE /tmp/payload.bin
  • run
  • Mimikatz is interactively executed


This module injects an arbitrary shellcode into a target process.
@bwatters-r7
Contributor

commented Oct 8, 2019

I'm looking at this module, https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/manage/payload_inject.rb, and https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/payload_inject.rb and trying to work out why we need all of them, and how we might be able to consolidate them and reduce code duplication.

From our own definitions, a module that generates a shell should not be a post module; it should be a local exploit, so I'm struggling to see why we have https://github.com/rapid7/metasploit-framework/blame/master/modules/post/windows/manage/payload_inject.rb. I feel like that one should be gone, though it has nothing to do with this module per se. It looks like maybe @wchen-r7 moved it long ago to be in the right place, but the original never got deleted?

After some thought yesterday, I feel like having two modules makes sense, though we should limit code reuse. I think injecting a payload is enough of a different case that it should have its own module in local/exploits, but a more generic version of shellcode_inject, like this one, should have its own module in post/windows/manage. At the same time, there's a huge amount of code duplication between these modules, and that's unfortunate. I wonder if offloading some of this code to the Msf::Post::Windows::Process library would shrink the footprint of both modules and make code maintenance easier.

The module will now first inject the unhook DLL and then the provided shellcode.
@phra
Contributor Author

commented Oct 10, 2019

I have added support for injecting the unhook Reflective DLL before the provided shellcode; for more info see 74ae445.
