# -*- coding: binary -*-
require 'rex/powershell'
module Msf
module Exploit::Powershell
# Registers the advanced datastore options that control how the PowerShell
# helpers in this mixin transform (strip/substitute) and deliver a script.
#
# The option list is built into a local first and then handed to
# register_advanced_options, so each option sits on its own line.
#
# @param info [Hash] Module metadata, forwarded unchanged to the superclass
def initialize(info = {})
  super

  advanced_options = [
    OptBool.new('Powershell::persist', [true, 'Run the payload in a loop', false]),
    OptInt.new('Powershell::prepend_sleep', [false, 'Prepend seconds of sleep']),
    OptBool.new('Powershell::strip_comments', [true, 'Strip comments', true]),
    OptBool.new('Powershell::strip_whitespace', [true, 'Strip whitespace', false]),
    OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
    OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
    OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w(net reflection old msil)])
  ]

  register_advanced_options(advanced_options, self.class)
end
#
# Build a Rex::Powershell::Script from either a path to a script file or
# the literal script contents.
#
# @param script_path [String] Path to a script file, or the script text itself
#
# @return [Rex::Powershell::Script] Script object wrapping the input
#
def read_script(script_path)
  Rex::Powershell::Script.new(script_path)
end
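#
# Parse a substitution specification into [find, replace] pairs for use
# in make_subs.
#
# The specification is a ';'-separated list of "find,replace" sets. Each
# set is split on its first ',' only, so the replacement text may itself
# contain commas.
#
# @param subs [String, nil] Substitution sets, e.g. "foo,bar;baz,qux"
#
# @return [Array<Array<String>>] One [find, replace] pair per set. A set
#   without a ',' yields a one-element array, i.e. no replacement text.
#
def process_subs(subs)
  return [] if subs.nil? || subs.empty?

  # Limit of 2 keeps any further commas inside the replacement text.
  subs.split(';').map { |set| set.split(',', 2) }
end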
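#
# Apply each [find, replace] pair (see process_subs) to the script text.
#
# The script is modified in place with String#gsub! and also returned, so
# callers may use either form. The find text is matched literally, and the
# replacement is inserted verbatim through the block form of gsub!, so
# backslash sequences such as "\\0" or "\\1" in the replacement are not
# interpreted as back-references.
#
# @param script [String] Script contents to rewrite in place
# @param subs [Array<Array<String>>, nil] [find, replace] pairs; nil or an
#   empty array leaves the script untouched
#
# @raise [ArgumentError] If a pair carries no replacement text
#
# @return [String] The same (mutated) script object
#
def make_subs(script, subs)
  Array(subs).each do |find, replace|
    raise ArgumentError, "substitution for #{find.inspect} has no replacement text" if replace.nil?

    # Block form: the replacement is used as-is rather than as a gsub
    # replacement pattern.
    script.gsub!(find) { replace }
  end

  script
end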
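#
# Return an encoded powershell script.
#
# Every enabled Powershell::strip_* and Powershell::sub_* datastore option
# is forwarded to Rex as a modifier flag keyed by the option's short name
# (e.g. 'Powershell::strip_comments' becomes :strip_comments => true).
# Disabled options are omitted rather than passed as false.
#
# @param script_in [String] Script contents
# @param eof [String, nil] Marker appended to the script to indicate end of file
#
# @return [String] Encoded script
#
def encode_script(script_in, eof = nil)
  # \A anchors on the start of the option name.
  modifier_keys = datastore.select { |k, v| k =~ /\APowershell::(strip|sub)/ && v }.keys
  opts = modifier_keys.each_with_object({}) do |key, acc|
    acc[key.split('::').last.to_sym] = true
  end

  Rex::Powershell::Command.encode_script(script_in, eof, opts)
end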
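#
# Return a gzip compressed powershell script.
#
# Every enabled Powershell::strip_* and Powershell::sub_* datastore option
# is forwarded to Rex as a modifier flag keyed by the option's short name
# (e.g. 'Powershell::sub_vars' becomes :sub_vars => true). Disabled
# options are omitted rather than passed as false.
#
# @param script_in [String] Script contents
# @param eof [String, nil] Marker to indicate the end of file appended to script
#
# @return [String] Compressed script with decompression stub
#
def compress_script(script_in, eof = nil)
  # \A anchors on the start of the option name.
  modifier_keys = datastore.select { |k, v| k =~ /\APowershell::(strip|sub)/ && v }.keys
  opts = modifier_keys.each_with_object({}) do |key, acc|
    acc[key.split('::').last.to_sym] = true
  end

  Rex::Powershell::Command.compress_script(script_in, eof, opts)
end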
#
# Generate a powershell command line. The options are handed through to
# Rex::Powershell::Command, which passes them on to generate_psh_args.
#
# @param opts [Hash] The options to generate the command line
# @option opts [String] :path Path to the powershell binary
# @option opts [Boolean] :no_full_stop Whether powershell binary
#   should include .exe
#
# @return [String] Powershell command line with arguments
#
def generate_psh_command_line(opts)
  command_line = Rex::Powershell::Command.generate_psh_command_line(opts)
  command_line
end
#
# Generate arguments for the powershell command.
# The format will have no space at the start and a space afterwards,
# e.g. "-Arg1 x -Arg -Arg x ".
#
# When :shorten is not given it is derived from the Powershell::method
# datastore option (only the 'old' method keeps the long argument names),
# and the caller's opts hash is updated in place with that value.
#
# @param opts [Hash, nil] The options to generate the command line; nil
#   yields an empty string
# @option opts [Boolean] :shorten Whether to shorten the powershell
#   arguments (v2.0 or greater)
# @option opts [String] :encodedcommand Powershell script as an
#   encoded command (-EncodedCommand)
# @option opts [String] :executionpolicy The execution policy
#   (-ExecutionPolicy)
# @option opts [String] :inputformat The input format (-InputFormat)
# @option opts [String] :file The path to a powershell file (-File)
# @option opts [Boolean] :noexit Whether to exit powershell after
#   execution (-NoExit)
# @option opts [Boolean] :nologo Whether to display the logo (-NoLogo)
# @option opts [Boolean] :noninteractive Whether to load a non
#   interactive powershell (-NonInteractive)
# @option opts [Boolean] :mta Whether to run as Multi-Threaded
#   Apartment (-Mta)
# @option opts [String] :outputformat The output format
#   (-OutputFormat)
# @option opts [Boolean] :sta Whether to run as Single-Threaded
#   Apartment (-Sta)
# @option opts [Boolean] :noprofile Whether to use the current users
#   powershell profile (-NoProfile)
# @option opts [String] :windowstyle The window style to use
#   (-WindowStyle)
#
# @return [String] Powershell command arguments
#
def generate_psh_args(opts)
  return '' unless opts

  # A caller-supplied :shorten (even false) wins over the datastore default.
  opts[:shorten] = (datastore['Powershell::method'] != 'old') unless opts.key?(:shorten)

  Rex::Powershell::Command.generate_psh_args(opts)
end
#
# Wraps the powershell code to launch a hidden window and detect the
# execution environment and spawn the appropriate powershell executable
# for the payload architecture.
#
# The argument options are fixed here: no profile, a hidden window, and
# :noexit/:shorten chosen from the Powershell::method datastore option.
#
# @param ps_code [String] Powershell code
# @param payload_arch [String] The payload architecture 'x86'/'x86_64'
# @param encoded [Boolean] Indicates whether ps_code is encoded or not
#
# @return [String] Wrapped powershell code
#
def run_hidden_psh(ps_code, payload_arch, encoded)
  old_method = (datastore['Powershell::method'] == 'old')

  arg_opts = {
    noprofile: true,
    windowstyle: 'hidden',
    # Old technique fails if powershell exits, so keep it running; the
    # other methods use the shortened argument names instead.
    noexit: old_method,
    shorten: !old_method
  }

  Rex::Powershell::Command.run_hidden_psh(ps_code, payload_arch, encoded, arg_opts)
end
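#
# Creates a powershell command line string which will execute the
# payload in a hidden window in the appropriate execution environment
# for the payload architecture. Opts are passed through to
# run_hidden_psh, generate_psh_command_line and generate_psh_args.
#
# Unset (nil) :persist, :prepend_sleep and :method entries are filled in
# from the matching Powershell::* datastore options; an explicit false is
# kept. :shorten, when not given, follows the :method chosen for this call
# rather than the datastore value. The caller's opts hash is updated in
# place.
#
# @param pay [String] The payload shellcode
# @param payload_arch [String] The payload architecture 'x86'/'x86_64'
# @param opts [Hash] The options to generate the command
# @option opts [Boolean] :persist Loop the payload to cause
#   re-execution if the shellcode finishes
# @option opts [Integer] :prepend_sleep Sleep for the specified time
#   before executing the payload
# @option opts [String] :method The powershell injection technique to
#   use: 'net'/'reflection'/'old'
# @option opts [Boolean] :encode_inner_payload Encodes the powershell
#   script within the hidden/architecture detection wrapper
# @option opts [Boolean] :encode_final_payload Encodes the final
#   powershell script
# @option opts [Boolean] :remove_comspec Removes the %COMSPEC%
#   environment variable at the start of the command line
# @option opts [Boolean] :use_single_quotes Wraps the -Command
#   argument in single quotes unless :encode_final_payload
#
# @return [String] Powershell command line with payload
#
def cmd_psh_payload(pay, payload_arch, opts = {})
  # Only fill in values the caller left unset; `||=` would also clobber an
  # explicit false for :persist.
  opts[:persist] = datastore['Powershell::persist'] if opts[:persist].nil?
  opts[:prepend_sleep] = datastore['Powershell::prepend_sleep'] if opts[:prepend_sleep].nil?
  opts[:method] = datastore['Powershell::method'] if opts[:method].nil?

  # Derive :shorten from the method resolved above so a caller-supplied
  # :method is honoured instead of the datastore default.
  opts[:shorten] = (opts[:method] != 'old') unless opts.key?(:shorten)

  template_path = File.join(Msf::Config.data_directory, 'templates', 'scripts')

  command = Rex::Powershell::Command.cmd_psh_payload(pay, payload_arch, template_path, opts)
  vprint_status("Powershell command length: #{command.length}")

  command
end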
#
# Useful method cache
#
# Re-exports the helpers from Rex::Powershell::PshMethods under this
# namespace, so modules can include Msf::Exploit::Powershell::PshMethods
# without referencing Rex directly.
#
module PshMethods
  include Rex::Powershell::PshMethods
end
end
end