Powershell Improvements - Auto Arch Detection, Size Reduction #2557
Conversation
If the regex fails then the entire moudle would too
Add Rex powershell parser: reads PSH, determines functions, variables, blocks compresses and cleans up the code it's read, obfuscates handles string literals and reserved variable names extracts code blocks and functions for reuse turns powersploit into a useful sub-component for MSF Rewire Msf powershell modules Make use of Rex parser Handles payload generation, substituions Brings convenience methods - byte array generation and download Re-add .NET compiler Compiles .NET code (C#/VB.NET) in memory Can generate binary output file (dynamic persistence) Handles code-signing (steal cert with mimikatz, sign your bin) Not detected by AV (still...) Update payload generation GZip compression and decompression (see Rex module as well) msftidy violations for space efficiency - each char counts Re-submit psexec-psh Makes use of updated Msf and Rex modules Runs shellcode in-memory (in a hidden PSH window) Completely bypasses all AVs tested for the last year...
@g0tm1lk: no clue, you must've pwned me in your sl33p. :)
Resolve conflicts from old code being pulled into master. Conflicts: lib/msf/core/exploit/powershell.rb modules/exploits/windows/smb/psexec_psh.rb
Remove .NET compiler, post lib and modules.
This is temporary and rather messy. Since the internals for dealing with PSH code have moved to Rex there may be a hiccup or two here. This was my original attempt at basic PSH integration and does not make use of the new libraries and namespaces in this PR. Will introduce the updated modules and libraries in separate PR.
Replace powershell lib which snuck in as psexec_psh. Introduce psexec_psh module which uses the Rex and Msf PSH methods provided in the lib import.
… psh_merge Conflicts: modules/exploits/windows/smb/psexec_psh.rb
Looks good from here, though we may want to address the all caps opt names.
… into powershell_import
…t-framework into powershell_import
|
@Meatballs1 check your repo, i think we got out of sync in Post. I've re-added my Post module to your branch with some fixup. I'll PR DotNet and associated Psh/DotNet modules once this lands, so as not to keep this held up any longer. |
|
Will look to merge in your Post stuff when we get this landed :) |
|
Please whack me when we have a window? I should have some more code to push On Fri, Jun 20, 2014 at 5:50 PM, Meatballs1 [email protected]
|
|
Did this die on the vine or are we rebasing somewhere? There's a lot of useful work in here... |
|
I'm going to re-open it when other PR gets landed. I cant keep updating 19 PRs when they are just sat around gathering no love :( |
|
@Meatballs1 I feel your pain on the open PRs, though i've learned to see it as a sort of compliment that our work requires serious review. However, if we drop this out of the active queue it will never hit, and i assume you probably have derived work internally as well by now. I spend too much time merging upstream with my work, and have moved most of my really scandalous code into plugins, but if this doesnt merge then at least you and i will, again, be cleaning out interrim-submitted hackery to get around PSH idiosyncrasies to accomplish what we have here (without the "good practices"). @r7 This is a healthy body of work with a ton of value. It comes up in almost every discussion i have with client security staff and AV vendors have asked about it after realizing it walks lazy circles around them. Moreover, since R7 bases the commercial offering on the framework, one could reason that the capabilities this exposes would be of significant value to paying customers. @devs, aside from the need to sleep and eat on occasion, is there anything we can address which is holding up this PR? |
| end | ||
|
|
||
| vprint_status("Powershell command length: #{command.length}") | ||
| if command.length > 8191 |
There was a problem hiding this comment.
8191 or 8192? In the unlikely event that the command is exactly 8192 characters, this will incorrectly raise (or the error message is incorrect, depending on your POV)
There was a problem hiding this comment.
CR space? I think the original code was 8192, but this actually makes more sense. I believe we can thank @Meatballs1 for catching that.
(sorry for the edit, original response was sent from mobile mail client)
On Jul 16, 2014 3:19 PM, "Jon Hart" [email protected] wrote:
In lib/msf/core/exploit/powershell.rb:
final_payload = "'#{final_payload}'"end
command_args[:command] = final_payload- end
- psh_command = generate_psh_command_line(command_args)
- if opts[:remove_comspec]
command = psh_command- else
command = "%COMSPEC% /b /c start /min #{psh_command}"- end
- vprint_status("Powershell command length: #{command.length}")
- if command.length > 8191
8191 or 8192? In the unlikely event that the command is exactly 8192
characters, this will incorrectly raise (or the error message is incorrect,
depending on your POV)—
Reply to this email directly or view it on GitHub
https://github.com/rapid7/metasploit-framework/pull/2557/files#r15021129
.
There was a problem hiding this comment.
I think this was probably the case but I can't remember for sure now :)
|
@sempervictus My plan was to re-open this as my only PR except @scriptjunkie had some momentum on my other pull so was hoping for that to land. Then I can continue with just one PR at a time. Having this open was also making me not want to land any other Powershell stuff as it just meant more additional work and testing for me :( This needs fixing up against: modules/exploits/multi/script/web_delivery as well as potential conflicts with #2585 |
| # @param target [String] Location to save the file | ||
| # | ||
| # @return [String] Powershell code to download a file | ||
| def self.download(src,target=nil) |
There was a problem hiding this comment.
What is the behavior when no location to save the file to? I'm assuming that it it just drops it in pwd much like most downloader-like tools, but it might be worth being explicit here in the documentation (since you took the time to write it and it is so nice)
There was a problem hiding this comment.
It should throw a 'WebException' if filename is null or Empty.
I will modify this so it doesn't take a default
|
Offhand, the use of str[start...end] versus str[start,length] seems wrong in a few places. It seems a few exploit modules are still broken or not compatible with this change based on the checkboxes above. As for why it is blocked @sempervictus , see @Meatballs1 comment above. |
|
Nb the unchecked modules above probably are compatible, just i havent had environment to test (a few I have tested in previous iterations but haven't got round to in latest commit). I dont forsee any issues with these |
|
@hmoore-r7 Whats wrong with string[range]? |
|
I have come to the conclusion this is just pre-commit fixes to @sempervictus's code originally submitted in January 2013 and there's no reason to delay any further. |
This is basically my PR to @sempervictus's branch #2075
It builds a better framework for performing Powershell command execution -> shellcode execution.
One of the main features I'm trying to do is that powershell will spawn the correct process for the payload architecture.
More and more modules are starting to poke at the powershell functionality so I would rather get these in earlier rather than later.
Specced
Some may not be the best specs ever written but at least they exercise most code paths
Features
Options
cmd_psh_payload options:
Update Modules
Current modules that need to be fixed up regarding these changes:
Potential PR conflicts:
#2551
#2307#2468#2402Verification: Auto Arch Targeting using psh_web_delivery