Powershell import #2075
Conversation
If the regex fails then the entire module would too
- Add Rex powershell parser:
  - reads PSH, determines functions, variables, blocks
  - compresses and cleans up the code it's read, obfuscates
  - handles string literals and reserved variable names
  - extracts code blocks and functions for reuse
  - turns powersploit into a useful sub-component for MSF
- Rewire Msf powershell modules
  - Make use of Rex parser
  - Handles payload generation, substitutions
  - Brings convenience methods - byte array generation and download
- Re-add .NET compiler
  - Compiles .NET code (C#/VB.NET) in memory
  - Can generate binary output file (dynamic persistence)
  - Handles code-signing (steal cert with mimikatz, sign your bin)
  - Not detected by AV (still...)
- Update payload generation
  - GZip compression and decompression (see Rex module as well)
  - msftidy violations for space efficiency - each char counts
- Re-submit psexec-psh
  - Makes use of updated Msf and Rex modules
  - Runs shellcode in-memory (in a hidden PSH window)
  - Completely bypasses all AVs tested for the last year...
I fear that such a large pull is going to go the way of the previous one... Can we start off simple with 1 module (e.g. psexec) and just the dependencies for that? There's also #2037 which will cause conflicts at some stage.
We can probably split this into core/exploit & post PRs (along with removing g0tm1lk's work which somehow made this branch). As far as the variable repetition issue, I think that's resolved in my code already. I think we should be able to comfortably convert the other PSH related PRs into this codebase and make use of the Rex parser/builder for dealing with PSH down the line.
@sempervictus I think this pull is waiting on:
Hopefully @dark0perator and @obsuresec will drum up more powershell demand ;)
How did my stuff end up here!? :s
@sempervictus's bad branch management ;)
@g0tm1lk: no clue, you must've pwned me in your sl33p. :)
Resolve conflicts from old code being pulled into master. Conflicts: lib/msf/core/exploit/powershell.rb modules/exploits/windows/smb/psexec_psh.rb
Remove .NET compiler, post lib and modules.
This is temporary and rather messy. Since the internals for dealing with PSH code have moved to Rex there may be a hiccup or two here. This was my original attempt at basic PSH integration and does not make use of the new libraries and namespaces in this PR. Will introduce the updated modules and libraries in separate PR.
Let's see how this goes - I've cut out post and .NET work for now, leaving just the core requirements. I need to finish with some client related work and I'll cut up new PRs for the post libs, PSH modules (execute in memory to your heart's content), and the in-mem .NET compiler. @devs: for testing, shoot something running powershell with the new psexec_psh module for functional purposes.
and so forth.
lib/msf/core/exploit/powershell.rb has lots of merge conflicts in it
modules/exploits/windows/smb/psexec_psh.rb also appears to be overwritten with a completely different file! 🐙
They are overwrites, problem is that the PR resurrecting psexec_psh is based on old code from my framework, which has been superseded by these components as well as other private libs. As you can see by my commit/PR history there's a ton of work in my framework which isn't in master. I tend to make large PRs and work in lib which probably doesn't help. This is the first time I've run into the problem of having someone resurrect conflicting (out of date) work. Sorry for all the confusion.
Unfortunately, you're going to have to untangle these conflicts before we can start to validate it. Otherwise, it's a guessing game to determine your intent.
@todb-r7: any chance I can put back the post lib and modules? They all run off the same base in Rex::Exploitation and Msf::Core::Exploit. Intent is for us to have a unified mechanism for working with powershell code. Allow framework and modules to have a central interface and reduce hackery.
@sempervictus sorry it's just hard to see what the changes intended are on my phone, I (or someone) will take a look on a proper computer.
@sempervictus I'm happy to help get this landed but psexec_psh is still overwritten with completely the wrong file.
Replace powershell lib which snuck in as psexec_psh. Introduce psexec_psh module which uses the Rex and Msf PSH methods provided in the lib import.
Thank you @Meatballs1. Too many branches, not nearly enough time these days.
def exploit | ||
command = cmd_psh_payload(payload.encoded) | ||
register_options([ | ||
OptBool.new('PERSIST', [false, 'Run the payload in a loop']), |
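Review bot: `OptBool.new('PERSIST', [false, 'Run the payload in a loop'])` leaves the default unset, so `datastore['PERSIST']` is nil until a user explicitly sets it and any `if datastore['PERSIST']` check in the mixin relies on nil being falsy; pass the default as the third element (`OptBool.new('PERSIST', [false, 'Run the payload in a loop', false])`) so the option shows a value in `show options` and reads as a real boolean.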
I refactored these to the mixin library as they are not referenced in the module but are referenced in the mixin, so it makes more sense, to me, for them to be there?
I'll see if I can correct the merge issues with psexec_psh, should be pretty straightforward
… psh_merge Conflicts: modules/exploits/windows/smb/psexec_psh.rb
Looks good from here, though we may want to address the all caps opt names.
# Build script object | ||
psh = PshScript.new(script_in) | ||
# Invoke enabled modifiers | ||
datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k| |
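Review bot: the `v == 'true'` test in `datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }` only matches the String form of the option, so a boolean `true` set programmatically, or a user typing `True`, is skipped silently; normalize before comparing (`v.to_s.downcase == 'true'`). Also `.keys.map do |k|` builds an array that is never used; `each` states the intent and avoids the allocation.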
Will this work with the renaming of the functions?
Yup, I run with sub_vars and sub_funcs all the time. This was written before the recent commits adding unique random var generation, so handles that in the psh Rex lib. If you're seeing bugs in testing, would love to reproduce and fix in the Rex layer.
… into powershell_import
…t-framework into powershell_import
This is the core post component broken out from rapid7#2075. Includes new post library leveraging the rex and msf namespace changes in lib. Includes basic modules for script and command execution. These modules can be used as a simple base for complex powershell execution from post modules and RC scripts.
@@ -68,16 +68,21 @@ def initialize(info = {}) | |||
[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ] | |||
] | |||
)) | |||
|
|||
register_options([ | |||
OptBool.new('DryRun',[false,'dry run',false]), |
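Review bot: `OptBool.new('DryRun',[false,'dry run',false])` repeats the option name as its description, which tells a user nothing in `show options`; describe what the module skips when the option is set (e.g. "Build the payload but do not execute it"). While here, add spaces after the commas to match the `OptBool.new('PERSIST', [false, ...])` form used elsewhere in this PR, and note the mixed-case name sits beside the all-caps names raised in the thread above.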
This needs a better description
Dev Required
Testing Required, doesn't look like this affects too much existing functionality - post modules/scripts not affected.
fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}") | ||
ensure |
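Review bot: `fail_with(Exploit::Failure::NoAccess, ...)` raises, so the `ensure` branch that follows still runs on the authentication-failure path, where no session was established; an unconditional `disconnect` there can raise a second error that masks the NoAccess message and its `#{autherror}` detail. Guard it (`disconnect if sock`) or move the cleanup into the rescue branch.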
This disconnect causes the module to fail, should be placed back within the rescue. My bad!
Retab/pr/2075
I have submitted a PR to sempervictus repository to advance this sempervictus#18
According to github there are conflicts to solve before we can proceed with this. Please fix them or warn us if github is wrong :)
I have merged some of the conflicts in #2557 but that is also in need of some deconfliction!
This pull request is creating conflicts and can't be landed, please @sempervictus feel free to fix the conflicts and reopen again once ready. In addition, according to @Meatballs1, some of the conflicts are already merged on #2557, which as far as I understand is the same thing as this pull request. So I guess work can be done on #2557, right?
Thank you @meatballs for kicking me in the posterior to do this properly (#2073).