Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for PPID spoofing #12736

Merged
merged 12 commits into from Jan 24, 2020
Merged

Add support for PPID spoofing #12736

merged 12 commits into from Jan 24, 2020

Conversation

phra
Copy link
Contributor

@phra phra commented Dec 17, 2019

will fix rapid7/metasploit-payloads#373

requires rapid7/metasploit-payloads#374

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • spawn meterpreter
  • use exploit/windows/local/payload_inject
  • set payload windows/x64/meterpreter/reverse_https
  • set lhost ...
  • set lport ...
  • set PPID ... (PPID to spoof for new agent)
  • a new agent is spawned under the specified PPID

@bwatters-r7 bwatters-r7 self-assigned this Dec 19, 2019
@bwatters-r7
Copy link
Contributor

@bwatters-r7 bwatters-r7 commented Jan 17, 2020

I had some time to play with this today.... it is a neat feature, but it is prickly.
I was able to get it to work by choosing a notepad process as the PPID, but I was unable to get anything else to work. Calc failed and crashed calc; edge failed and crashed edge. Svchosts also failed. Occasionally I got Access Denied errors, but also, sometimes the spawned process just crashed and took the parent process with it.

@phra
Copy link
Contributor Author

@phra phra commented Jan 21, 2020

@bwatters-r7 yes, some processes are different from others. i have tested it with explorer.exe and that works too. basically it's not a bug of the code, but how the OS behaves.

@bwatters-r7 bwatters-r7 merged commit 8de8860 into rapid7:master Jan 24, 2020
2 checks passed
@bwatters-r7
Copy link
Contributor

@bwatters-r7 bwatters-r7 commented Jan 24, 2020

Release Notes

This PR adds functionality to the process library and the exploit/windows/local/payload_inject module to specify a PPID value when creating a process.

@tperry-r7 tperry-r7 added the rn-enhancement label Feb 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement rn-enhancement
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants