psrp 0.0.4 → 0.0.5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/psrp.rb +6 -6
- data/lib/version.rb +1 -1
- data/test_psrp.rb +42 -22
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 10c50574d60b67f4817124fd17bc6d8799385537
|
|
4
|
+
data.tar.gz: 26b4c34422bb878ae50116d48f1f78c7649ed90f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c77083273218b0488271f705a4ae8fdeb7cc87b819f1cd2824a04627acaad35dc87865340359147a315c95093b2f1706b14decf4c15af187aff358e8299181a0
|
|
7
|
+
data.tar.gz: db7d16e1a61b480daade59dbf37dedc505e985dbe566ec18b044376219eb7e20798c700f0e8a4e8006ab7e3b6eab418a99868969bf755e28fb913fef16203ec4
|
data/lib/psrp.rb
CHANGED
|
@@ -44,7 +44,7 @@ module PSRP
|
|
|
44
44
|
DEFAULT_MAX_ENV_SIZE = 153600
|
|
45
45
|
DEFAULT_LOCALE = 'en-US'
|
|
46
46
|
|
|
47
|
-
attr_accessor :xfer
|
|
47
|
+
attr_accessor :xfer, :session_opts
|
|
48
48
|
|
|
49
49
|
def initialize(endpoint, opts = {})
|
|
50
50
|
@session_opts = {
|
|
@@ -72,11 +72,10 @@ module PSRP
|
|
|
72
72
|
msg = PSRP::WSMV::InitRunspacePool.new(@session_opts)
|
|
73
73
|
|
|
74
74
|
resp_doc = @xfer.send_request(msg.build)
|
|
75
|
-
|
|
76
|
-
@generated_shell_id = msg.shell_id
|
|
77
75
|
|
|
76
|
+
@generated_shell_id = msg.shell_id
|
|
78
77
|
@shell_id = REXML::XPath.first(resp_doc, "//*[@Name='ShellId']").text
|
|
79
|
-
|
|
78
|
+
|
|
80
79
|
|
|
81
80
|
out_processor = PSRP::WSMV::CommandOutputProcessor.new(@session_opts, @xfer)
|
|
82
81
|
|
|
@@ -103,6 +102,7 @@ module PSRP
|
|
|
103
102
|
|
|
104
103
|
if runspace_open
|
|
105
104
|
@opened = true
|
|
105
|
+
@logger.debug("[WinRM] remote runspace #{@shell_id} is open on #{@session_opts[:endpoint]}")
|
|
106
106
|
return true
|
|
107
107
|
end
|
|
108
108
|
end
|
|
@@ -122,7 +122,7 @@ module PSRP
|
|
|
122
122
|
|
|
123
123
|
out_processor = PSRP::WSMV::CommandOutputProcessor.new(@session_opts, @xfer)
|
|
124
124
|
|
|
125
|
-
@logger.debug('
|
|
125
|
+
@logger.debug('Runspace is open - sending command')
|
|
126
126
|
|
|
127
127
|
command_id = SecureRandom.uuid.to_s.upcase
|
|
128
128
|
pipeline = PSRP::MessageEncoder.new(@generated_shell_id, command_id, :CREATE_PIPELINE, {command: CGI.escapeHTML(command)})
|
|
@@ -186,7 +186,7 @@ module PSRP
|
|
|
186
186
|
|
|
187
187
|
def close
|
|
188
188
|
if not @opened
|
|
189
|
-
return
|
|
189
|
+
return
|
|
190
190
|
end
|
|
191
191
|
@opened = false
|
|
192
192
|
@logger.debug("Closing shell")
|
data/lib/version.rb
CHANGED
data/test_psrp.rb
CHANGED
|
@@ -1,44 +1,64 @@
|
|
|
1
1
|
require_relative 'lib/psrp'
|
|
2
2
|
require 'zlib'
|
|
3
3
|
|
|
4
|
-
endpoint = 'http://192.168.142.
|
|
5
|
-
psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => '
|
|
4
|
+
endpoint = 'http://192.168.142.237:5985/wsman'
|
|
5
|
+
psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => 'SomethingLonger12345!', :log_level => :debug)
|
|
6
6
|
|
|
7
7
|
psrp.open
|
|
8
8
|
|
|
9
|
-
puts psrp.run_ps('echo "<xml><body>THIS IS NOT THE XML YOU ARE LOOKING FOR</body></xml>" > C:\hello; cat C:\hello')
|
|
10
|
-
puts psrp.run_ps('systeminfo')
|
|
11
|
-
puts psrp.run_ps('cat C:\hello')
|
|
12
|
-
puts psrp.run_ps('ipconfig')
|
|
13
|
-
|
|
14
|
-
puts psrp.run_ps('echo "' + "A" * (32725 + 1) * 30 + '" > C:\hello_A')
|
|
15
|
-
|
|
16
|
-
puts psrp.run_ps('notepad')
|
|
17
|
-
|
|
18
|
-
b64_code = Base64.strict_encode64(IO.binread('DemoDLL_RemoteProcess-x64.dll'))
|
|
19
9
|
data_io = StringIO.new()
|
|
20
10
|
gz = Zlib::GzipWriter.new(data_io)
|
|
21
|
-
gz.write(
|
|
11
|
+
gz.write(Base64.strict_encode64(IO.binread('runas2.exe')))
|
|
22
12
|
gz.close()
|
|
23
13
|
data = Base64.strict_encode64(data_io.string())
|
|
24
|
-
ps_script = "$
|
|
25
|
-
ps_script += "$data = [System.Convert]::FromBase64String('" + data + "')\n"
|
|
14
|
+
ps_script = "$data = [System.Convert]::FromBase64String('" + data + "')\n"
|
|
26
15
|
ps_script += "$ms = New-Object System.IO.MemoryStream\n"
|
|
27
16
|
ps_script += "$ms.Write($data, 0, $data.Length)\n"
|
|
28
17
|
ps_script += "$ms.Seek(0,0) | Out-Null\n"
|
|
29
18
|
ps_script += "$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))\n"
|
|
30
|
-
ps_script += "$
|
|
19
|
+
ps_script += "$bytes = [System.Convert]::FromBase64String($sr.ReadToEnd())\n"
|
|
20
|
+
ps_script += "[IO.File]::WriteAllBytes('C:\\runas2.exe', $bytes)\n"
|
|
21
|
+
|
|
22
|
+
|
|
23
|
+
puts psrp.run_ps(ps_script)
|
|
24
|
+
|
|
25
|
+
exit()
|
|
26
|
+
|
|
27
|
+
puts psrp.run_ps('echo "<xml><body>THIS IS NOT THE XML YOU ARE LOOKING FOR</body></xml>" > C:\hello; cat C:\hello')
|
|
28
|
+
puts psrp.run_ps('systeminfo')
|
|
29
|
+
puts psrp.run_ps('cat C:\hello')
|
|
30
|
+
puts psrp.run_ps('ipconfig')
|
|
31
|
+
|
|
32
|
+
#puts psrp.run_ps('echo "' + "A" * (32725 + 1) * 30 + '" > C:\hello_A')
|
|
33
|
+
|
|
34
|
+
puts psrp.run_ps('notepad')
|
|
35
|
+
|
|
36
|
+
|
|
37
|
+
|
|
38
|
+
#b64_code = Base64.strict_encode64(IO.binread('DemoDLL_RemoteProcess-x64.dll'))
|
|
39
|
+
#data_io = StringIO.new()
|
|
40
|
+
#gz = Zlib::GzipWriter.new(data_io)
|
|
41
|
+
#gz.write(b64_code)
|
|
42
|
+
#gz.close()
|
|
43
|
+
#data = Base64.strict_encode64(data_io.string())
|
|
44
|
+
#ps_script = "$ProcName = lsass\n"
|
|
45
|
+
#ps_script += "$data = [System.Convert]::FromBase64String('" + data + "')\n"
|
|
46
|
+
#ps_script += "$ms = New-Object System.IO.MemoryStream\n"
|
|
47
|
+
#ps_script += "$ms.Write($data, 0, $data.Length)\n"
|
|
48
|
+
#ps_script += "$ms.Seek(0,0) | Out-Null\n"
|
|
49
|
+
#ps_script += "$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))\n"
|
|
50
|
+
#ps_script += "$PEBytes = [System.Convert]::FromBase64String($sr.ReadToEnd())\n"
|
|
31
51
|
|
|
32
|
-
ps_script += File.read('Invoke-ReflectivePEInjection.ps1')
|
|
33
|
-
ps_script += "\nInvoke-ReflectivePEInjection -PEBytes $PEBytes\n"
|
|
34
|
-
ps_script += "echo 'Command Reflected'\n"
|
|
35
|
-
IO.binwrite('script.ps1', ps_script)
|
|
36
|
-
puts psrp.run_ps(File.read('script.ps1'))
|
|
52
|
+
#ps_script += File.read('Invoke-ReflectivePEInjection.ps1')
|
|
53
|
+
#ps_script += "\nInvoke-ReflectivePEInjection -PEBytes $PEBytes\n"
|
|
54
|
+
#ps_script += "echo 'Command Reflected'\n"
|
|
55
|
+
#IO.binwrite('script.ps1', ps_script)
|
|
56
|
+
#puts psrp.run_ps(File.read('script.ps1'))
|
|
37
57
|
|
|
38
58
|
psrp.close
|
|
39
59
|
|
|
40
60
|
endpoint = 'http://192.168.142.232:5985/wsman'
|
|
41
|
-
psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => '
|
|
61
|
+
psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => 'SomethingLonger12345!', :log_level => :debug)
|
|
42
62
|
|
|
43
63
|
begin
|
|
44
64
|
psrp.run_ps('ipconfig')
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: psrp
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Oluwalana
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-04-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: httpclient
|