psrp 0.0.4 → 0.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/psrp.rb +6 -6
- data/lib/version.rb +1 -1
- data/test_psrp.rb +42 -22
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 10c50574d60b67f4817124fd17bc6d8799385537
|
|
4
|
+
data.tar.gz: 26b4c34422bb878ae50116d48f1f78c7649ed90f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c77083273218b0488271f705a4ae8fdeb7cc87b819f1cd2824a04627acaad35dc87865340359147a315c95093b2f1706b14decf4c15af187aff358e8299181a0
|
|
7
|
+
data.tar.gz: db7d16e1a61b480daade59dbf37dedc505e985dbe566ec18b044376219eb7e20798c700f0e8a4e8006ab7e3b6eab418a99868969bf755e28fb913fef16203ec4
|
data/lib/psrp.rb
CHANGED
|
@@ -44,7 +44,7 @@ module PSRP
|
|
|
44
44
|
DEFAULT_MAX_ENV_SIZE = 153600
|
|
45
45
|
DEFAULT_LOCALE = 'en-US'
|
|
46
46
|
|
|
47
|
-
attr_accessor :xfer
|
|
47
|
+
attr_accessor :xfer, :session_opts
|
|
48
48
|
|
|
49
49
|
def initialize(endpoint, opts = {})
|
|
50
50
|
@session_opts = {
|
|
@@ -72,11 +72,10 @@ module PSRP
|
|
|
72
72
|
msg = PSRP::WSMV::InitRunspacePool.new(@session_opts)
|
|
73
73
|
|
|
74
74
|
resp_doc = @xfer.send_request(msg.build)
|
|
75
|
-
|
|
76
|
-
@generated_shell_id = msg.shell_id
|
|
77
75
|
|
|
76
|
+
@generated_shell_id = msg.shell_id
|
|
78
77
|
@shell_id = REXML::XPath.first(resp_doc, "//*[@Name='ShellId']").text
|
|
79
|
-
|
|
78
|
+
|
|
80
79
|
|
|
81
80
|
out_processor = PSRP::WSMV::CommandOutputProcessor.new(@session_opts, @xfer)
|
|
82
81
|
|
|
@@ -103,6 +102,7 @@ module PSRP
|
|
|
103
102
|
|
|
104
103
|
if runspace_open
|
|
105
104
|
@opened = true
|
|
105
|
+
@logger.debug("[WinRM] remote runspace #{@shell_id} is open on #{@session_opts[:endpoint]}")
|
|
106
106
|
return true
|
|
107
107
|
end
|
|
108
108
|
end
|
|
@@ -122,7 +122,7 @@ module PSRP
|
|
|
122
122
|
|
|
123
123
|
out_processor = PSRP::WSMV::CommandOutputProcessor.new(@session_opts, @xfer)
|
|
124
124
|
|
|
125
|
-
@logger.debug('
|
|
125
|
+
@logger.debug('Runspace is open - sending command')
|
|
126
126
|
|
|
127
127
|
command_id = SecureRandom.uuid.to_s.upcase
|
|
128
128
|
pipeline = PSRP::MessageEncoder.new(@generated_shell_id, command_id, :CREATE_PIPELINE, {command: CGI.escapeHTML(command)})
|
|
@@ -186,7 +186,7 @@ module PSRP
|
|
|
186
186
|
|
|
187
187
|
def close
|
|
188
188
|
if not @opened
|
|
189
|
-
return
|
|
189
|
+
return
|
|
190
190
|
end
|
|
191
191
|
@opened = false
|
|
192
192
|
@logger.debug("Closing shell")
|
data/lib/version.rb
CHANGED
data/test_psrp.rb
CHANGED
|
@@ -1,44 +1,64 @@
|
|
|
1
1
|
require_relative 'lib/psrp'
|
|
2
2
|
require 'zlib'
|
|
3
3
|
|
|
4
|
-
endpoint = 'http://192.168.142.
|
|
5
|
-
psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => '
|
|
4
|
+
endpoint = 'http://192.168.142.237:5985/wsman'
|
|
5
|
+
psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => 'SomethingLonger12345!', :log_level => :debug)
|
|
6
6
|
|
|
7
7
|
psrp.open
|
|
8
8
|
|
|
9
|
-
puts psrp.run_ps('echo "<xml><body>THIS IS NOT THE XML YOU ARE LOOKING FOR</body></xml>" > C:\hello; cat C:\hello')
|
|
10
|
-
puts psrp.run_ps('systeminfo')
|
|
11
|
-
puts psrp.run_ps('cat C:\hello')
|
|
12
|
-
puts psrp.run_ps('ipconfig')
|
|
13
|
-
|
|
14
|
-
puts psrp.run_ps('echo "' + "A" * (32725 + 1) * 30 + '" > C:\hello_A')
|
|
15
|
-
|
|
16
|
-
puts psrp.run_ps('notepad')
|
|
17
|
-
|
|
18
|
-
b64_code = Base64.strict_encode64(IO.binread('DemoDLL_RemoteProcess-x64.dll'))
|
|
19
9
|
data_io = StringIO.new()
|
|
20
10
|
gz = Zlib::GzipWriter.new(data_io)
|
|
21
|
-
gz.write(
|
|
11
|
+
gz.write(Base64.strict_encode64(IO.binread('runas2.exe')))
|
|
22
12
|
gz.close()
|
|
23
13
|
data = Base64.strict_encode64(data_io.string())
|
|
24
|
-
ps_script = "$
|
|
25
|
-
ps_script += "$data = [System.Convert]::FromBase64String('" + data + "')\n"
|
|
14
|
+
ps_script = "$data = [System.Convert]::FromBase64String('" + data + "')\n"
|
|
26
15
|
ps_script += "$ms = New-Object System.IO.MemoryStream\n"
|
|
27
16
|
ps_script += "$ms.Write($data, 0, $data.Length)\n"
|
|
28
17
|
ps_script += "$ms.Seek(0,0) | Out-Null\n"
|
|
29
18
|
ps_script += "$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))\n"
|
|
30
|
-
ps_script += "$
|
|
19
|
+
ps_script += "$bytes = [System.Convert]::FromBase64String($sr.ReadToEnd())\n"
|
|
20
|
+
ps_script += "[IO.File]::WriteAllBytes('C:\\runas2.exe', $bytes)\n"
|
|
21
|
+
|
|
22
|
+
|
|
23
|
+
puts psrp.run_ps(ps_script)
|
|
24
|
+
|
|
25
|
+
exit()
|
|
26
|
+
|
|
27
|
+
puts psrp.run_ps('echo "<xml><body>THIS IS NOT THE XML YOU ARE LOOKING FOR</body></xml>" > C:\hello; cat C:\hello')
|
|
28
|
+
puts psrp.run_ps('systeminfo')
|
|
29
|
+
puts psrp.run_ps('cat C:\hello')
|
|
30
|
+
puts psrp.run_ps('ipconfig')
|
|
31
|
+
|
|
32
|
+
#puts psrp.run_ps('echo "' + "A" * (32725 + 1) * 30 + '" > C:\hello_A')
|
|
33
|
+
|
|
34
|
+
puts psrp.run_ps('notepad')
|
|
35
|
+
|
|
36
|
+
|
|
37
|
+
|
|
38
|
+
#b64_code = Base64.strict_encode64(IO.binread('DemoDLL_RemoteProcess-x64.dll'))
|
|
39
|
+
#data_io = StringIO.new()
|
|
40
|
+
#gz = Zlib::GzipWriter.new(data_io)
|
|
41
|
+
#gz.write(b64_code)
|
|
42
|
+
#gz.close()
|
|
43
|
+
#data = Base64.strict_encode64(data_io.string())
|
|
44
|
+
#ps_script = "$ProcName = lsass\n"
|
|
45
|
+
#ps_script += "$data = [System.Convert]::FromBase64String('" + data + "')\n"
|
|
46
|
+
#ps_script += "$ms = New-Object System.IO.MemoryStream\n"
|
|
47
|
+
#ps_script += "$ms.Write($data, 0, $data.Length)\n"
|
|
48
|
+
#ps_script += "$ms.Seek(0,0) | Out-Null\n"
|
|
49
|
+
#ps_script += "$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))\n"
|
|
50
|
+
#ps_script += "$PEBytes = [System.Convert]::FromBase64String($sr.ReadToEnd())\n"
|
|
31
51
|
|
|
32
|
-
ps_script += File.read('Invoke-ReflectivePEInjection.ps1')
|
|
33
|
-
ps_script += "\nInvoke-ReflectivePEInjection -PEBytes $PEBytes\n"
|
|
34
|
-
ps_script += "echo 'Command Reflected'\n"
|
|
35
|
-
IO.binwrite('script.ps1', ps_script)
|
|
36
|
-
puts psrp.run_ps(File.read('script.ps1'))
|
|
52
|
+
#ps_script += File.read('Invoke-ReflectivePEInjection.ps1')
|
|
53
|
+
#ps_script += "\nInvoke-ReflectivePEInjection -PEBytes $PEBytes\n"
|
|
54
|
+
#ps_script += "echo 'Command Reflected'\n"
|
|
55
|
+
#IO.binwrite('script.ps1', ps_script)
|
|
56
|
+
#puts psrp.run_ps(File.read('script.ps1'))
|
|
37
57
|
|
|
38
58
|
psrp.close
|
|
39
59
|
|
|
40
60
|
endpoint = 'http://192.168.142.232:5985/wsman'
|
|
41
|
-
psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => '
|
|
61
|
+
psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => 'SomethingLonger12345!', :log_level => :debug)
|
|
42
62
|
|
|
43
63
|
begin
|
|
44
64
|
psrp.run_ps('ipconfig')
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: psrp
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Oluwalana
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-04-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: httpclient
|